mrmicrotech
Forum Replies Created
Forum: Fixing WordPress
In reply to: Patior and Vim

It’s an infection. My client’s website just got hit with this. Vector of entry was through an old version of Revolution Slider, in my opinion, though I’m not 100% sure. The infected index.php files are scattered throughout the web hosting account’s file tree in directories named vim and patior. Here are the two responses I got when I posted the code to a Facebook IT Tech’s Tech group.
“They disabled the Cross origin scripting (CSP) protection in the headers. The array is just the hex value they rebuild to avoid malware detection. But this is a classic example of defacement.
But they gain backdoor shell access to over-write the main file to do other things.
This was basically through bad configuration. Stuff like POST/PUT to allow remote uploads needs to be in check. This is why CDNs block that by default. And the web permission to allow it to run with privilege is another mistake. The script is very badly written but I can see what it is doing.
This is why I don’t do PHP anymore.”

and
“I looked at this some more. Your server is f***ed. The array is a list of PHP filesystem commands; each operation can either open, create files, read files (passwd), and traverse the entire root filesystem. It is hexed (obfuscated) so it doesn’t get detected by malware scanners. But each array element is a command like unlink (delete), read file content, change permissions, etc…
The commands are in the screenshot going down the array. The part in green is the web interface where you can browse files, upload, delete, change permissions.
Even the directory paths are obfuscated. So the 2d2f6…. = /etc/apache2
I had it in a Docker container and blocked everything with an NGINX proxy; disabling all their clickjacking.
Redeploy. redeploy.”

I’m taking his advice. I can delete these nefarious index.php files, but the only way to be sure the server is clean is to nuke from orbit and redeploy from a backup.
- This reply was modified 3 years, 1 month ago by mrmicrotech.
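A defender-side triage script, added here as an example and not code from the thread, from WordPress or from the Facebook replies: it decodes the kind of hex-string literals the quoted replies describe and flags index.php files whose literals decode to PHP filesystem/exec function names or sensitive paths. The function list, the path list, the PHP sample and the treatment of vim/patior directory names as a signal are constructed assumptions.

```python
import re
from pathlib import Path

# PHP functions a file-manager web shell typically wraps (assumed list).
SUSPECT_FUNCS = {"unlink", "chmod", "fopen", "fwrite", "file_get_contents",
                 "file_put_contents", "scandir", "opendir", "readdir", "rename",
                 "mkdir", "rmdir", "move_uploaded_file", "system", "exec", "eval"}
SUSPECT_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/apache2", "wp-config.php")
# Two common encodings: bare hex digits fed to hex2bin(), and "\xNN" escapes.
HEX_LITERAL = re.compile(r"""['"]([0-9a-fA-F]{8,})['"]""")
XESC_LITERAL = re.compile(r"""['"]((?:\\x[0-9a-fA-F]{2}){2,})['"]""")

def decode_hex_literals(src: str) -> list[str]:
    """Every quoted literal in src that decodes to printable ASCII text."""
    found = []
    for m in HEX_LITERAL.finditer(src):
        digits = m.group(1)
        if len(digits) % 2:  # odd length cannot be a byte string
            continue
        try:
            text = bytes.fromhex(digits).decode("ascii")
        except ValueError:  # UnicodeDecodeError is a ValueError too
            continue
        if text.isprintable():
            found.append(text)
    for m in XESC_LITERAL.finditer(src):
        raw = m.group(1).replace("\\x", "")
        found.append(bytes.fromhex(raw).decode("ascii", "replace"))
    return found

def classify(src: str, parent_dir: str = "") -> dict:
    """Summarise decoded literals; the post's directory names are an extra signal."""
    decoded = decode_hex_literals(src)
    funcs = sorted({d for d in decoded if d in SUSPECT_FUNCS})
    paths = sorted({d for d in decoded if any(p in d for p in SUSPECT_PATHS)})
    odd_dir = parent_dir in ("vim", "patior")  # assumed from the post, not a rule
    return {"decoded": decoded, "functions": funcs, "paths": paths,
            "odd_dir": odd_dir, "suspicious": bool(funcs or paths) or odd_dir}

def scan_tree(root: Path) -> list[tuple[Path, dict]]:
    """Walk a web root and return the index.php files worth a manual look."""
    results = [(p, classify(p.read_text(errors="replace"), p.parent.name))
               for p in root.rglob("index.php")]
    return [(p, r) for p, r in results if r["suspicious"]]
# Constructed sample in the hex-array style the quoted replies describe.
SAMPLE = '''<?php
$a = array('756e6c696e6b', '63686d6f64', '66696c655f6765745f636f6e74656e7473');
$p = "\\x2f\\x65\\x74\\x63\\x2f\\x70\\x61\\x73\\x73\\x77\\x64";
foreach ($a as $h) { $f = hex2bin($h); }
'''
```

Run `scan_tree(Path("/path/to/webroot"))` against a copy of the hosting account and review each hit by hand; a clean scan is not proof of a clean server, which is why the post's redeploy-from-backup advice still stands.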