• My antivirus has been detecting quite a few viruses/trojans lately.

    Mainly

    • Backdoor:PHP/Shell.P
    • Backdoor:PHP/WebShell.J

    I have been trying to identify the source of these files with no luck so far. The files are located at C:\Windows\Temp\ with a filename phpXXXX.tmp which indicates that they have been uploaded/created through a PHP file.

    Sadly, going through the IIS logs I could not find anything that indicates that something has been posted around the time that the detection occurred. I went through all the logs for all the sites for those specific days.

    In addition to the above, I took a look at the PHP error logs in case there was something that might have hinted at the source of these files, but there wasn’t much information to work with in those logs.

    I have reversed one of the detected files to ensure it wasn’t a false positive and I can confirm that the code could be used for malicious reasons.

    I’ve currently spent more than 2 weeks looking inside files/logs for specific keywords but no luck so far. There is no visual indication that the websites are compromised (from what I can see at least), so I have nothing to work with apart from those detections.

    Is there anything else I can do in order to figure out what triggers those files to be generated?

    Thanks in advance.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    files are located at C:\Windows\Temp\

    Is your website on this machine? I wouldn’t expect a backdoor to be placed on a home computer if a website was hosted elsewhere.

    Thread Starter CooLMinE

    (@coolmine)

    Yes, my website is on this machine. It is a dedicated server running Windows Server 2012 R2.

    By default when something is uploaded or created using PHP, the file is created in the temp folder (based on my understanding), then moved to the upload location as soon as the file is fully uploaded.

    By the looks of it the antivirus detects the upload/file creation before it is fully finished.

    Thread Starter CooLMinE

    (@coolmine)

    Extra information from the event log:

    Name: Backdoor:PHP/WebShell.J
    ID: 2147683134
    Severity: Severe
    Category: Backdoor
    Path: containerfile:_C:\Windows\Temp\php99EB.tmp;containerfile:_C:\Windows\Temp\phpDC36.tmp;file:_C:\Windows\Temp\php99EB.tmp->revslider/error.php;file:_C:\Windows\Temp\phpDC36.tmp->revslider/error.php
    Detection Origin: Local machine
    Detection Type: Concrete
    Detection Source: System
    User: NT AUTHORITY\NETWORK SERVICE
    Process Name: Unknown
    Signature Version: AV: 1.191.4893.0, AS: 1.191.4893.0, NIS: 113.69.0.0
    Engine Version: AM: 1.1.11302.0, NIS: 2.1.11005.0

    Name: Backdoor:PHP/WebShell.J
    ID: 2147683134
    Severity: Severe
    Category: Backdoor
    Path: file:_C:\Windows\Temp\php9CBA.tmp
    Detection Origin: Local machine
    Detection Type: Concrete
    Detection Source: Real-Time Protection
    User: NT AUTHORITY\IUSR
    Process Name: C:\Program Files (x86)\PHP\v5.4\php-cgi.exe
    Signature Version: AV: 1.191.4552.0, AS: 1.191.4552.0, NIS: 113.67.0.0
    Engine Version: AM: 1.1.11302.0, NIS: 2.1.11005.0

    Hi CooLMinE,

    Are you using the latest version of RevSlider? There have been multiple vulnerabilities in that plugin discovered and exploited over the past year. For example:

    https://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html

    This could be how they’re getting in!

    Make sure to look in all of your themes. Many themes ship with this plugin and they don’t have a way to notify you of updates; I see this all the time.

    Thread Starter CooLMinE

    (@coolmine)

    Hello octalmage,

    I am not using RevSlider, nor is my theme referencing it (at least as far as I am aware).

    I don’t have the RevSlider plugin. I’ve searched through all the files for RevSlider references (TotalCommander, find text feature) as well as all the web server logs to see if anyone called a URL that had to do with RevSlider. I couldn’t find anything related to RevSlider.

    My guess at the moment (shot in the dark) is that the website might have a malicious cron job, since this triggers every ~2 days. I’ve used WP Crontrol to view all the scheduled cron jobs, but nothing looked suspicious since there was nothing that was running every 2 days.

    I too have been hit by this. I’m running a Windows server box with IIS. I am using a child theme of Twenty Fourteen, so am thinking: hey, what plugins could possibly be using this rev slider stuff?

    But I don’t think it is in this list (correct me if I am wrong):

    Akismet
    All In One WP Security
    Ban Hammer
    Custom Login
    Custom Meta Widget
    Hello Dolly
    Jigoshop
    Redirect To Homepage
    Responsive Lightbox
    Wolf jPlayer
    WordPress HTTPS
    WP-Mail-SMTP
    WP Hide Dashboard

    Here are some of my log files.

    GET /wp-login.php – 80 – (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 200 0 0 1171
    GET /wp-admin/admin-ajax.php – 80 – (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 200 0 0 890
    POST /wp-admin/admin-ajax.php – 80 – (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 200 0 0 1968
    GET /wp-content/plugins/revslider/temp/update_extract/revslider/info.php – 80 – (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 404 0 0 1031
    POST / – 80 – (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 200 0 0 812
    POST / – 80 – (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 200 0 0 796

    GET /wp-admin/includes/uploader.php – 80 – (Offending IP) Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) 404 0 2 359

    Lots of this, scanning for stuff. They get something here and run with it. I’ve seen revslider referenced in my logs and yet I am not sure if it is in my WordPress dir or not? I have seen a 200 with an upload request. Hence my infections, so I shut everything down.

    GET /wp-admin/admin-ajax.php action=nm_webcontact_upload_file 80 – (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:26.0)+Gecko/20100101+Firefox/26.0 404 0 2 2109

    Even with a 404 I had infections. Microsoft Security Essentials caught it. I have shut down my sites in the meantime.

    More log stuff:

    GET /wp-admin/admin-ajax.php action=nm_webcontact_upload_file 80 – Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:26.0)+Gecko/20100101+Firefox/26.0 404 0 2 2109

    GET /wp-login.php – 80 – Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 404 0 2 343
    GET / – 80 – Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 200 0 0 343

    GET /wp-admin/includes/uploader.php – 80 – Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) 404 0 2 359

    But more like this before infection:

    GET /wp-admin/admin-ajax.php action=revslider_show_image&img=../wp-config.php 80 – Mozilla/5.0+(Windows+NT+5.2;+rv:2.0.1) 403 4 5 187

    Always infected after admin-ajax.php and anything following.

    Even with a 404 I had infections. Microsoft Security Essentials caught it.

    Not possible.

    I have found where in my logs they have been gaining access. Sadly, and I think perhaps it’s confusing, because it took a couple of scans to clear everything away.

    GET /wp-admin/admin-ajax.php action=revslider_show_image&img=../wp-config.php 80 – ( IP ) Mozilla/5.0+(Windows+NT+6.1;+rv:34.0)+Gecko/20100101+Firefox/34.0 200 0 0 1062 ( always starts with this to gain access to the wp-config.php file )

    But hey, once compromised I have no idea how far they gained access to my server and whether or not my database has been messed with. It is not really helpful to just come along and say something is not possible; you can’t say for certain how they are getting in or what they are doing once they are there. I saw 404 errors with attempts and re-infections; I shut it down at that point. I also don’t feel IIS logs things very well. I have personally seen things not logged fully, so it is most likely there were 200 codes that never made it to the log? Something I need to address on the server side of things.

    But it still remains unanswered for me. I don’t think I have the revslider plugin in any of my files. I’m using my own child theme, so if anyone can point out what plugin may have it I am all ears, and I am sure the original thread owner would like to know as well what exactly is vulnerable here. I am thinking I have to sanitize my sites with fresh WordPress files and plugins and get a clean database with new passwords. Then go about checklisting and hardening everything. Not something I am looking forward to.
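As an added example (not code from anyone in this thread): a small Python detector that walks IIS W3C log lines in the layout quoted above and flags the admin-ajax.php patterns discussed (the revslider_show_image request with `../` in the img parameter, references to the revslider plugin on a site that does not install it, and the nm_webcontact_upload_file upload action), separating HTTP 200 responses from the 403/404 probes. It assumes the field order method, uri-stem, uri-query, port, username, client-ip, user-agent, status, substatus, win32-status, time-taken (date/time stripped, as in the quoted lines); the sample lines and IPs are constructed.

```python
"""Flag suspicious WordPress admin-ajax.php requests in IIS W3C log lines."""
from urllib.parse import parse_qs

# Constructed sample lines (documentation-range IPs), modelled on the thread.
SAMPLE_LOG = """\
GET /wp-admin/admin-ajax.php action=revslider_show_image&img=../wp-config.php 80 - 203.0.113.5 Mozilla/5.0+(Windows+NT+6.1;+rv:34.0)+Gecko/20100101+Firefox/34.0 200 0 0 1062
GET /wp-admin/admin-ajax.php action=revslider_show_image&img=..%2F..%2Fwp-config.php 80 - 203.0.113.5 Mozilla/5.0+(Windows+NT+5.2;+rv:2.0.1) 403 4 5 187
GET /wp-admin/admin-ajax.php action=nm_webcontact_upload_file 80 - 198.51.100.9 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:26.0) 404 0 2 2109
GET /wp-admin/admin-ajax.php action=heartbeat 80 - 192.0.2.10 Mozilla/5.0 200 0 0 12
GET /wp-content/plugins/revslider/temp/update_extract/revslider/info.php - 80 - 203.0.113.5 Mozilla/5.0 404 0 0 1031
"""

# Assumed field order; adjust to the #Fields: header of the real log.
FIELDS = ["method", "stem", "query", "port", "user", "ip", "ua",
          "status", "substatus", "win32", "time_taken"]
TRAVERSAL = ("../", "..\\")

def parse_line(line):
    """Split one W3C line into a dict; None if the field count does not match."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # parse_qs also percent-decodes, so ..%2F shows up as ../
    rec["params"] = parse_qs(rec["query"]) if rec["query"] != "-" else {}
    return rec

def classify(rec):
    """Return a rule name for a suspicious record, or None for benign traffic."""
    action = rec["params"].get("action", [""])[0]
    for values in rec["params"].values():
        if any(t in v for v in values for t in TRAVERSAL):
            return f"path traversal via action={action or '?'}"
    if "revslider" in rec["stem"].lower() or "revslider" in action.lower():
        return "revslider reference (plugin not installed here)"
    if action.endswith("_upload_file"):
        return f"file upload action {action}"
    return None

def scan(text):
    """Return one finding per suspicious line, noting whether the server answered 200."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        rule = classify(rec) if rec else None
        if rule is None:
            continue
        ok = rec["status"] == "200"
        outcome = "succeeded (HTTP 200)" if ok else f"blocked/probing (HTTP {rec['status']})"
        findings.append({"ip": rec["ip"], "stem": rec["stem"], "rule": rule, "outcome": outcome})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['outcome']:28} {f['rule']}")
```

A 200 on the traversal line is the case worth treating as a confirmed disclosure of wp-config.php; the 403/404 lines are probes and, on their own, do not explain an infection.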

  • The topic ‘Is my webserver compromised ?’ is closed to new replies.