
Malicious script found on one node

Posted: Fri Jan 20, 2017 9:18 am
by mike08
Hello there,

So, I have terminated a user today due to the fact that he/she ran a malicious php/trojan script on one of my vestacp nodes. This said user was able to create a symbolic link under his public_html with the following syntax:


/home/stzztk/web/st4zz.tk/public_html/dm/
<-- Be aware of such unregistered domain


ls -la /home/stzztk/web/st4zz.tk/public_html/dm/
total 12
drwxr-xr-x  2 stzztk   stzztk 4096 Feb 19  2016 .
drwxr-xr-x 10 stzztk   stzztk   4096 Feb 19  2016 ..
-rw-r--r--  1 stzztk   stzztk  228 Feb 19  2016 .htaccess
lrwxrwxrwx  1 stzztk   stzztk    1 Sep  4 18:30 dm.txt -> /
He was able to see the folder structure on that node (but not able to view the content of each config file or db files).

The scripts I found while going through the apache logs were: http://pastebin.com/wJNXHprE and http://pastebin.com/raw/5S87iwwV; however, I wasn't able to reproduce it on my own to understand how this works.

Has any of you experienced this before?
As far as I was able to investigate/determine, he/she was only able to view the root directory structure but not each file's content. Would there be a high security risk that I'm missing here?

Any advice would be greatly appreciated!
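One way an admin can sweep a node for links like the `dm.txt -> /` one above: walk every symlink under a web root and flag those whose resolved target lies outside the owning user's home. This is an added example, not code from the thread or from VestaCP; it assumes GNU/busybox `readlink -f` and builds a constructed directory tree for demonstration.

```shell
#!/bin/sh
# Added example: report symlinks under a web root that resolve outside the
# owning user's home directory (e.g. a link to / placed in public_html).

# find_escaping_symlinks <home_dir> <web_root>
# Prints "link -> resolved_target" for each symlink whose canonical target
# is not inside <home_dir>. Symlinks are not followed while walking, so a
# link to / does not cause the scan to recurse into the whole filesystem.
find_escaping_symlinks() {
    home=$(cd "$1" && pwd -P) || return 2
    find "$2" -type l 2>/dev/null | while IFS= read -r link; do
        # readlink -f canonicalises every path component of the target
        target=$(readlink -f "$link") || continue
        case "$target/" in
            "$home"/*) ;;   # stays inside the user's home: benign
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# make_fixture: constructed sample tree mirroring the layout in the post.
# Prints the temporary root so the caller can clean it up.
make_fixture() {
    root=$(mktemp -d)
    home="$root/home/stzztk"
    web="$home/web/st4zz.tk/public_html"
    mkdir -p "$web/dm" "$web/img" "$root/home/other"
    ln -s / "$web/dm/dm.txt"                  # escapes: filesystem root
    ln -s "$web/img" "$web/images"            # benign: inside own home
    ln -s "$root/home/other" "$web/dm/other"  # escapes: another user's home
    printf '%s\n' "$root"
}

# Demo on the constructed tree; on a real node run the scan against
# /home/<user> and /home/<user>/web/<domain>/public_html instead.
# root=$(make_fixture)
# find_escaping_symlinks "$root/home/stzztk" "$root/home/stzztk/web/st4zz.tk/public_html"
# rm -rf "$root"
```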

Re: Malicious script found on one node

Posted: Fri Jan 20, 2017 4:34 pm
by mehargags
It's pretty common to have a php-shell trojan script these days if you run an outdated WordPress or use shady, unverified plugins. These scripts are backdoor agents: they open a remote host, forming a bridge for the attacker, and then shell commands are passed through it.

Maldet your whole server and also make sure to check other websites of the same VestaCP user; the shell access "crawls" through the file system and replicates itself with various names: backup.php/article.php/email.php or similar. Please double-check your basedir setting: newer VestaCP restricts every site to its own public_html, while sites configured on older versions have access to the "user" dir.

You can also upload the site's zip (without images) to virustotal.com and scan it for any malicious inclusions.