FTL, posted August 9 (edited):

Hi

My Ubuntu 22.04 server (hosting just WordPress sites) is being bombarded with alerts from ESET about the malicious file PHP/Webshell.NHF. The real-time scanner is deleting it from /tmp (randomly named phpXXXXXXXX). Opening one of the quarantined files, this is the content:

```html
<!doctype html>
<html lang="en" dir="ltr" style="height: 100%">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
<meta name="theme-color" content="#000000" />
<!--
manifest.json provides metadata used when your web app is added to the
homescreen on Android. See https://developers.google.com/web/fundamentals/engage-and-retain/web-app-manifest/
-->
<link rel="manifest" href="/manifest.json" />
<link rel="shortcut icon" href="/favicon.ico" />
<!--
Notice the use of %PUBLIC_URL% in the tags above.
It will be replaced with the URL of the `public` folder during the build.
Only files inside the `public` folder can be referenced from the HTML.

Unlike "/favicon.ico" or "favicon.ico", "%PUBLIC_URL%/favicon.ico" will
work correctly both with client-side routing and a non-root public URL.
Learn how to configure a non-root public URL by running `npm run build`.
-->
<title></title>
<script type="module" crossorigin src="/assets/index-jXnLowXT.js"></script>
<link rel="modulepreload" crossorigin href="/assets/vendor-Dml4Jn7E.js">
<link rel="modulepreload" crossorigin href="/assets/zui-BB4IjATp.js">
<link rel="stylesheet" crossorigin href="/assets/vendor-DaeRQUQV.css">
<link rel="stylesheet" crossorigin href="/assets/index-5V94rzNu.css">
</head>
<body style="font-family: 'Segoe UI', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; height: 100%">
<noscript>
You need to enable JavaScript to run this app.
</noscript>
<div id="root" style="height: 100%"></div>
<div id="modal-root"></div>
</body>
</html>
```

File hash: B170A6242D5211F9333CA093DE2FB4E05A9003EB

Those JS and CSS files appear to belong to ESET:

```
xxx@yyy:/$ sudo find / -name vendor-Dml4Jn7E.js
/opt/eset/efs/lib/webd/frontend/assets/vendor-Dml4Jn7E.js
xxx@yyy:/$ sudo find / -name index-jXnLowXT.js
/opt/eset/efs/lib/webd/frontend/assets/index-jXnLowXT.js
xxx@yyy:/$ sudo find / -name zui-BB4IjATp.js
/opt/eset/efs/lib/webd/frontend/assets/zui-BB4IjATp.js
find: ‘/proc/542786’: No such file or directory
find: ‘/proc/542787’: No such file or directory
xxx@yyy:/$ sudo find / -name vendor-DaeRQUQV.css
/opt/eset/efs/lib/webd/frontend/assets/vendor-DaeRQUQV.css
xxx@yyy:/$ sudo find / -name index-5V94rzNu.css
/opt/eset/efs/lib/webd/frontend/assets/index-5V94rzNu.css
```

The server and all WordPress sites are fully patched and up to date. Am I infected with something, or has EFS just gone loopy?

Edited August 9 by FTL
Marcos (ESET administrator), posted August 9:

The detection seems to be correct. Even the title is encrypted; after decryption it reads "WAF BYPASS UPLOADER".
FTL (author), posted August 9:

What title is this please, Marcos? The file it says it quarantines has the hash B170A6242D5211F9333CA093DE2FB4E05A9003EB. However, the file that I download from quarantine is the code above, and ESET doesn't find that file malicious when it sits on my laptop and is opened in Notepad?
Marcos (ESET administrator), posted August 9:

It looks as follows. It commences with a GIF header to fool AV scanners:
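The pattern Marcos describes (an image header prepended to PHP code so a naive file-type check or scanner treats the upload as a picture) is easy to check for on the defender's side. The script below is an added example, not code from the thread or from ESET: it scans a directory for files named the way PHP names multipart upload temp files (php followed by random characters, as in the alerts above), classifies each by whether it starts with a GIF magic and whether it contains PHP tags, and records the SHA-1 so the result can be compared against what the scanner reports. The sample files it creates are constructed and harmless; the name pattern and size limit are assumptions.

```python
"""Flag PHP upload temp files that look like GIF/PHP polyglots.

Added example (not from the forum thread or from ESET). PHP writes multipart
uploads to upload_tmp_dir as phpXXXXXX; an uploader that prepends a GIF header
still has to carry PHP tags to be useful to its author, so we look for both.
"""
import hashlib
import os
import re
import tempfile

# Assumption: PHP's temp upload names are "php" plus at least six random chars.
PHP_TMP_NAME = re.compile(r"^php[A-Za-z0-9]{6,}$")
GIF_MAGIC = (b"GIF87a", b"GIF89a")
PHP_TAGS = (b"<?php", b"<?=")


def sha1_of(path):
    """SHA-1 of a file, streamed so large uploads do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(data):
    """Label a byte string by image header and PHP tag presence."""
    has_gif = data.startswith(GIF_MAGIC)
    has_php = any(tag in data for tag in PHP_TAGS)
    if has_gif and has_php:
        return "gif-php-polyglot"
    if has_php:
        return "php-source"
    if has_gif:
        return "gif-image"
    return "other"


def scan_upload_tmp(directory, max_bytes=1_000_000):
    """Return (name, verdict, sha1) for every PHP-style temp file in directory."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not PHP_TMP_NAME.match(name):
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            head = f.read(max_bytes)  # only the first max_bytes are inspected
        findings.append((name, classify(head), sha1_of(path)))
    return findings


def demo():
    """Build a constructed /tmp-like directory with sample files and scan it."""
    d = tempfile.mkdtemp(prefix="scan-demo-")
    samples = {
        "phpAb12Cd": b"GIF89a\x01\x00\x01\x00\x00\xff\x00<?php echo 'hello'; ?>",  # constructed polyglot
        "phpEf34Gh": b"GIF89a" + bytes(64),  # constructed image stub
        "phpIj56Kl": b"<?php phpinfo(); ?>",  # constructed plain PHP source
        "notes.txt": b"<?php ignored: name does not match the upload pattern",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    return scan_upload_tmp(d)


if __name__ == "__main__":
    for name, verdict, digest in demo():
        print(f"{name}: {verdict} sha1={digest}")
```

Run it against the real upload_tmp_dir (usually /tmp) with `scan_upload_tmp("/tmp")`; the SHA-1 column is what to compare with the hash the scanner logs, which is the check that surfaced the mismatch later in this thread.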
FTL (author), posted August 9:

Where did you find that data from? The file hash? I'm a little lost.
Marcos (ESET administrator), posted August 9:

It's the content of the file that was detected by ESET and quarantined.
FTL (author), posted August 9:

What then is the content of the file in my code tags in the OP, which is downloaded from quarantine and opened in Notepad?
Marcos (ESET administrator), posted August 9:

I have no clue, but the file with the hash you provided contains the code I posted above.
FTL (author), posted August 9 (edited):

I don't understand what's happening then, Marcos. Here is the output of the Linux Security Agent running. When I download any of them from the quarantine on the agent, this is what gets downloaded (I have changed it to .txt so it's an allowed file type to upload). When I run that file from quarantine through VirusTotal it comes up with hash 0623212b33901c71cc0b1b0e0e55ffe4059b8767 and doesn't get detected by Endpoint Security running on my laptop. Are there some logs I can pull that will show historically what's gone on?

Attachment: phpuzJRMG.txt

Edited August 9 by FTL
Marcos (ESET administrator), posted August 9:

Perhaps a clean file with the same name but a different hash was created after the malicious one was detected and cleaned.
Marcos (ESET administrator), posted August 9:

You seem to have PHP 8.2 installed; the latest version is 8.3.10. Please consider upgrading it. Also post a screenshot where the content of the Circumstances column is visible completely.
Marcos (ESET administrator), posted August 9:

Is the threat detected even after upgrading PHP to the latest version? What PHP applications are on the server? Did you try to harden PHP according to general recommendations, e.g. https://www.tecmint.com/linux-php-hardening-security-tips/?
FTL (author), posted August 9:

I do already have PHP 8.3.10 installed; all the sites are currently running on the php-fpm 8.2 socket, though, as they are all currently compatible with 8.2. I will try changing them to 8.3 and hope none of them break. The server just runs 9 WordPress sites, that's it, in a LEMP stack.
FTL (author), posted August 9:

OK, I have flicked all sites over to the php-fpm 8.3.10 socket. Hadn't realised, but the older php8.0-fpm was still running and active. Have disabled 8.0 and 8.2 from starting at boot. Will monitor over the next few hours for any new shell creations.
FTL (author), posted August 9:

No joy @Marcos, still getting them. WordPress and all plugins on all sites updated; Ubuntu 22.04 all updated. I am now shutting websites down one by one to see which one has whatever vulnerability is causing this.

Also, that HTML content in the files that are being downloaded from quarantine, which isn't the original content, must be something ESET has changed with EFS for Linux: there are previous detections in Quarantine from back earlier this year, due to a vulnerable plugin, that I know 100% I downloaded and opened and saw the original content of, and they have now been replaced with the same HTML content as in the OP.
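Shutting sites down one at a time works but costs uptime. A less disruptive way to find the site that is accepting the uploads is to take the time at which the scanner removed a /tmp/phpXXXXXX file and look at which virtual host received POST requests in the minute or two around it. The script below is an added example, not from the thread or from ESET or WordPress: it parses nginx access-log lines, keeps the POST requests inside a window around the detection time, and counts them per vhost and per (vhost, client IP). It assumes a log format that prefixes the standard combined format with `$host` (shown in the docstring), and the log lines and detection time are constructed.

```python
"""Correlate a webshell detection time with nginx access-log POST requests.

Added example (not from the forum thread). Assumes nginx is configured with a
log format that prefixes the default combined format with $host, e.g.:

    log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                     '"$request" $status $body_bytes_sent '
                     '"$http_referer" "$http_user_agent"';

The sample log lines and the detection timestamp below are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: three vhosts, one client repeatedly POSTing to site-b.
SAMPLE_LOG = """\
site-a.example 203.0.113.5 - - [09/Aug/2024:10:14:55 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
site-b.example 198.51.100.7 - - [09/Aug/2024:10:15:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "curl/8.0"
site-b.example 198.51.100.7 - - [09/Aug/2024:10:15:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "curl/8.0"
site-a.example 192.0.2.9 - - [09/Aug/2024:10:15:30 +0000] "GET /?p=12 HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
site-c.example 198.51.100.7 - - [09/Aug/2024:11:40:00 +0000] "POST /xmlrpc.php HTTP/1.1" 405 0 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def posts_near(log_text, detected_at, window=timedelta(minutes=2)):
    """Return POST requests within +/- window of the detection time, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and abs(rec["time"] - detected_at) <= window:
            hits.append(rec)
    return hits


def suspect_vhosts(hits):
    """Count candidate upload requests per vhost and per (vhost, client IP)."""
    by_host = Counter(h["host"] for h in hits)
    by_host_ip = Counter((h["host"], h["ip"]) for h in hits)
    return by_host, by_host_ip


def run_demo():
    """Use the constructed log and a constructed detection time of 10:15:03 UTC."""
    detected = datetime(2024, 8, 9, 10, 15, 3, tzinfo=timezone.utc)
    return suspect_vhosts(posts_near(SAMPLE_LOG, detected))


if __name__ == "__main__":
    by_host, by_host_ip = run_demo()
    for host, n in by_host.most_common():
        print(f"{host}: {n} POST(s) within the window")
    for (host, ip), n in by_host_ip.most_common():
        print(f"  {host} <- {ip}: {n}")
```

For a real investigation, feed the contents of the nginx access log and the timestamp from the ESET detection record (or the /tmp file's creation time, if it was captured) into `posts_near`; the vhost that keeps appearing across several detections is the one whose plugin or theme deserves the first look.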
FTL (author), posted August 12:

@Marcos, the HTML message in the OP that's in the file in quarantine on the Linux FS Agent is the same message for any infection that gets quarantined. Have just confirmed this by downloading EICAR and opening the quarantined file. Are you able to advise here on what's changed and why the original content is not going to quarantine anymore? Or shall I open a support ticket? Thanks
FTL (author), posted August 16 (edited):

Update: Support have confirmed the issue as a bug. The HTML code being displayed is the agent's actual quarantine page HTML, verified by looking at the page source. It's been passed to the devs and I am awaiting an update on any potential fixes.

Edited August 16 by FTL