Author Topic: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ  (Read 6729 times)


robots.txt (revaluation)
Many of my websites contain robots.txt files that appear to be used to expose compromised websites (when you open it, it notifies the attacker). These files include a reference to a “sitemap” that actually points to an exploited file (index.php). If Googlebot or another search bot fetches that sitemap, it could automatically reveal the infected website to the attacker. The attacker has put search bots to work for him (smart, I must say).

Every index.php file referenced by these robots.txt files appears to be infected at the top. Below the infection lies your original code (but double check it!!!).
Note that simply deleting the robots.txt files is not enough! You also must carefully inspect and clean every affected index.php file. Make sure to thoroughly check each robots.txt file, as the infection may vary between them and you might end up losing the infected index.php file.

An infected index.php file is still useful to the attacker! The robots.txt is just a complement.

SSH command to search all robots.txt files:
Quote
find /home -type f -name "robots.txt"
« Last Edit: October 14, 2025, 09:18:44 PM by pedromidiasf »
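A triage helper for the robots.txt trick described in this post, added here as an example and not code from the thread: it lists every robots.txt under a root directory whose Sitemap: directive points at a .php file instead of an XML sitemap, and reports whether that PHP file is present under the site's document root so its top can be inspected by hand. The /home root, the public_html layout and the function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the CWP-style layout
# /home/<user>/public_html/; pass another root as the first argument.
# Output: <robots.txt path> TAB <Sitemap target> TAB exists|missing
# "exists" means the referenced PHP file is on disk under that site's
# document root and its top should be reviewed, as the post recommends.

suspicious_sitemaps() {
    root="${1:-/home}"
    find "$root" -type f -name robots.txt 2>/dev/null | while IFS= read -r f; do
        # Take every Sitemap: directive (key is case-insensitive), drop CRLF
        # endings and the key itself, leaving only the target URL.
        grep -i '^[[:space:]]*sitemap:' "$f" 2>/dev/null | tr -d '\r' \
            | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//' \
            | while IFS= read -r target; do
            case "$target" in
                *.php|*.php\?*)
                    # A real sitemap is XML; one pointing at a .php file matches
                    # the pattern in the thread. Map the URL path onto the
                    # directory holding this robots.txt and check for the file.
                    path=$(printf '%s' "$target" \
                        | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://[^/]*##' -e 's#?.*$##')
                    case "$path" in /*) ;; *) path="/$path" ;; esac
                    local_file="$(dirname "$f")$path"
                    if [ -f "$local_file" ]; then state=exists; else state=missing; fi
                    printf '%s\t%s\t%s\n' "$f" "$target" "$state"
                    ;;
            esac
        done
    done
}

# Run directly as: sh triage_robots.sh /home
# (with no argument only the function is defined, so the file can be sourced).
if [ $# -gt 0 ]; then
    suspicious_sitemaps "$1"
fi
```

Review each reported index.php manually before deleting anything, since the post notes the original site code sits below the injected block.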

I mass removed them, every part of the malicious code, backup.c, licelic.c etc. with rm find. But maybe I can find them from backups.

As far as I understand from the context of the malicious code, they are trying to trick the visitors to make payment with a credit card. Because the attacker needs to be notified every time a visitor runs the code and in defauit.php there are classes about making payment.
So the attacker takes the information of the credit card provided by the visitor, and uses it on another website.

Oh, I found one image file from a backup.

How did you mass remove them? Do you have a script that you could share?


You don't need a script to remove them. This will remove all of the malicious code except for index.php.
Code: [Select]
find /home/ -type f \( -name "licelic.c" -o -name "backup.c" -o -name "defauit.php" -o -name "defauIt.php" -o -name ".c" \) -exec rm -f {} \;
Edit: You can remove "-f" if you need to check which file is being removed.
If you have two examples of an infected index.php file, I can try to make a script that will auto remove them.
« Last Edit: Today at 09:16:44 PM by ConcernedCitizen »