Rogue PHP Spam Scripts - Revision history

Scott: /* Wordpress (or other CMS) Maintenance */

2022-03-27T17:39:26Z

Wordpress (or other CMS) Maintenance

← Older revision		Revision as of 17:39, 27 March 2022
Line 72:		Line 72:


	=== ~~Wordpress~~ (or other CMS) Maintenance ===		=== WordPress (or other CMS) Maintenance ===
	This is a great opportunity to update your ~~Wordpress~~ install. I also recommend updating any plugins and themes you use, and removing those you don't. This will hopefully close whatever security holes may have existed and the fewer directories you have nested in your Wordpress install the harder it is for things to hide.		This is a great opportunity to update your WordPress install and check your [[WordPress Setup]] settings in WordPress Toolkit. I also recommend updating any plugins and themes you use, and removing those you don't. This will hopefully close whatever security holes may have existed and the fewer directories you have nested in your Wordpress install the harder it is for things to hide.

Scott: /* Solutions */

2022-03-27T17:37:51Z

Solutions

← Older revision		Revision as of 17:37, 27 March 2022
Line 43:		Line 43:
	== Solutions ==		== Solutions ==
	We recommend a multi pronged approach to remove the issue.		We recommend a multi pronged approach to remove the issue.


			=== Imunify+ ===
			This runs regularly on all our servers, but it is important to review the detections and clean any infected files regularly.


	=== ClamAV ===		=== ClamAV ===

Scott at 00:44, 25 March 2018

2018-03-25T00:44:09Z

← Older revision		Revision as of 00:44, 25 March 2018
Line 60:		Line 60:
	=== Adjusting Mail Limits ===		=== Adjusting Mail Limits ===
	If you use mail from a third party such as Google or Microsoft and don't have any contact forms on your website that use email, you can crank down your email send limits. While this won't prevent re-infection, it will alert you sooner when it occurs.		If you use mail from a third party such as Google or Microsoft and don't have any contact forms on your website that use email, you can crank down your email send limits. While this won't prevent re-infection, it will alert you sooner when it occurs.

			There are details on setting email limits on cPanel [https://documentation.cpanel.net/display/CKB/How+to+Set+Email+Send+Limits here].
			* To manage domain-level limits, you must manually edit /var/cpanel/users/username.
			* To manage account-level limits, set the “Maximum Hourly Email by Domain Relayed” field in the Modify an Account interface in WHM.
			* To manage global limits, set the “Max hourly emails per domain” option in the Tweak Settings interface in WHM.


	=== Wordpress (or other CMS) Maintenance ===		=== Wordpress (or other CMS) Maintenance ===
	This is a great opportunity to update your Wordpress install. I also recommend updating any plugins and themes you use, and removing those you don't. This will hopefully close whatever security holes may have existed and the fewer directories you have nested in your Wordpress install the harder it is for things to hide.		This is a great opportunity to update your Wordpress install. I also recommend updating any plugins and themes you use, and removing those you don't. This will hopefully close whatever security holes may have existed and the fewer directories you have nested in your Wordpress install the harder it is for things to hide.

Scott: Created page with "One of the most common issues we have had here at Montebello Park are roque PHP scripts that sneak themselves into web apps such as WordPress. Usually these scripts send email..."

2018-03-24T22:36:09Z

Created page with "One of the most common issues we have had here at Montebello Park are roque PHP scripts that sneak themselves into web apps such as WordPress. Usually these scripts send email..."

New page

One of the most common issues we have had here at Montebello Park are roque PHP scripts that sneak themselves into web apps such as WordPress. Usually these scripts send email, but occasionally they are mining crypto currency.

== Identification ==
Usually the SPAM variety of these scripts first shows via the mail queue or a notification of an account exceeding its hourly send limit. On occasion you will notice the email script via processor usage, but more often, that is a symptom of the crypto mining scripts. These scripts are often surprisingly smart. They usually limit themselves to a fairly reasonable amount of processor utilization to avoid detection.

== Troubleshooting ==
Once you've determined you have an infection, you need to find where the scripts are. We've found a few ways to locate the scripts in question.

=== Email Headers ===
This is the easiest and most obvious way to find the source. The email server inserts <code>X-</code> headers that provide the script location.

'''For example:'''
'''X-Mailer:''' PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
'''X-PHP-Originating-Script:''' 1010:bwqgvgbw.php(1189) : runtime-created function(1) : eval()'d code(1) : eval()'d code
'''X-PHP-Script:''' domain.com/wp-content/gallery/government/thumbs/bwqgvgbw.php for 198.100.100.100

* <code>X-Mailer</code> describes the engine used to process the emails from the script.
* <code>X-PHP-Originating-Script</code> provides the file name of the script, in this case <code>bwqgvgbw.php</code>. This is a common type of name for these scripts. They will usually be a seemingly random set of characters. Sometimes they will be a .php script in a folder where .php files tend not to be. I've found most of the scripts that do the actual heavy lifting are about the same size as well (which is why the <code>find</code> command can be useful to find scripts that aren't yet active.
* <code>X-PHP-Script</code> provides the full path of the script. In this case it was hiding within the gallery folders in the Wordpress installation.

=== maldet ===
[https://github.com/rfxn/linux-malware-detect maldet] tends not to detect these sorts of issues, but is good to run occasionally in any case.

=== find ===
The [https://kb.iu.edu/d/admm find] command can be useful once you've identified the characteristics of your infection. You can use it to search for similar files based on type, size, and even modification date.

==== Size ====
The find command I've used to fins a particular size file is:
find /home/ -type f -ipath *.php -size 85k -exec ls -lh {} \;

This looks for '''85 K''' '''php''' files in all subdirectories of the '''home''' directory.

==== Date ====
A similar find command for dates is:
find /home/ -type f -ipath *.php -newermt 2018-01-28 ! -newermt 2018-01-29 -exec ls -lh {} \;

This looks for '''php''' files that were modified between '''2018-01-28''' and '''2018-01-29''' (really after '''2018-01-28''' but not after '''2018-01-29''') in all subdirectories of the '''home''' directory.

== Solutions ==
We recommend a multi pronged approach to remove the issue.

=== ClamAV ===
You should run this regularly anyway, but especially now. If you've been compromised by something that can upload a php script, it's probable that isn't the only thing that's been uploaded to your server.

Simply go to your cPanel and run the Virus Scanner.

=== Deleting Identified Scripts ===
Once you have identified the <code>php</code> files that are causing issues, simply delete them. I tend to just use the built in file manager in cPanel, but you can do it all via SSH or sFTP as well.

=== Change your Passwords! ===
I would change your cPanel account passwords '''and''' the Admin & user passwords for your CMS.

=== Adjusting Mail Limits ===
If you use mail from a third party such as Google or Microsoft and don't have any contact forms on your website that use email, you can crank down your email send limits. While this won't prevent re-infection, it will alert you sooner when it occurs.

=== Wordpress (or other CMS) Maintenance ===
This is a great opportunity to update your Wordpress install. I also recommend updating any plugins and themes you use, and removing those you don't. This will hopefully close whatever security holes may have existed and the fewer directories you have nested in your Wordpress install the harder it is for things to hide.