发表新帖
发表新帖

php file automatically renamed to php.suspected

后端 未结
关注
4 1894
终归单人心
终归单人心 2021-01-02 00:19

Since last 4 days, we are facing strange issue on our Production server (AWS EC2 instance) specific to only one site which is SugarCRM.

Issue is /home/site_f

相关标签:
4条回答
  • 轮回少年
    2021-01-02 00:45

    Renaming php files to php.suspected is usually intended and done by hacker's script. They change file extension to give the impression that the file was checked by some antimalware software, is secure and can't be executed. But, in fact, isn't. They change extension to "php" anytime they want to invoke the script and after it, they change the extension back to "suspected". You can read about it on Securi Research Labs

    Maybe this post is old but the topic is still alive. Especially according to June 2019 malware campaign targeting WordPress plugins. I found a few "suspected" files in my client's WordPress subdirectories (e.g. wp-content)

    0 讨论(0)
  • 误落风尘
    2021-01-02 00:52

    It's somewhat obfuscated, but I've de-obfuscated it.The function flnftovr takes a string and an array as arguments. It creates a new string $ggy using the formula 

    isset($array[$string[$i]]) ? $array[$string[$i]] : $string[$i];}

    It then preppends base64_decode to the string.

    The string is $s, the array is $koicev. It then evals the result of this manipulation. So eventually a string gets created:

    base64_decode(QGluaV9zZXQoJ2Vycm9yX2xvZycsIE5VTEwpOwpAaW5pX3NldCgnbG9nX2Vycm9ycycsIDApOwpAaW5pX3NldCgnbWF4X2V4ZWN1dGlvbl90aW1lJywgMCk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmlmKGlzc2V0KCRfU0VSVkVSKfZW5jb2RlKHNlcmlhbGl6ZSgkcmVzKSk7Cn0=)

    So what actually gets run on your server is:

    @ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);

if(isset($_SERVER)
encode(serialize($res));
}

    If you didn't create this and you suspect your site has been hacked, I'd suggest you wipe the server, and create a new installation of whatever apps are running on your server.

    0 讨论(0)
  • 轻奢々
    2021-01-02 01:02

    The renaming of .php files to .php.suspected keeps happening today. The following commands should not come up with something:

    find <web site root> -name '*.suspected' -print
find <web site root> -name '.*.ico' -print

    In my case, the infected files could be located with the following commands:

    cd <web site root>
egrep -Rl '\$GLOBALS.*\\x'
egrep -Rl -Ezo '/\*(\w+)\*/\s*@include\s*[^;]+;\s*/\*'
egrep -Rl -E '^.+(\$_COOKIE|\$_POST).+eval.+$'

    I have prepared a longer description of the problem and how to deal with it at GitHub.

    0 讨论(0)
  • 南笙
    2021-01-02 01:05

    Posting this answer, it may help others.

    1. Create a file with '.sh' extension at your convenient location.
    2. Add following code in it.

    #Rename your_file_name.php.suspected to your_file_name.php mv /<path_to_your_file>/your_file_name.php.suspected /<path_to_your_file>/your_file_name.php

    1. Save this file.
    2. Set cron for every 10 minute (or whatever interval you need), using following line in crontab

    */10 * * * * path_to_cron_file.sh

    1. Restart crontab service.

    You will get lot of documentation on creating cron on Google.

    0 讨论(0)
 看不清?
提交回复
热议问题