php.suspected Hack

yehlu
Site Admin
Posts: 3245
Joined: 2004-04-15 17:20:21
From: CodeCharge Support Engineer

Post by yehlu »

http://www.devinyoungweb.com/blog/php-suspected-hack/

Recently I began getting strange errors on one of my PHP sites claiming that a file could not be found for a ‘require’. When looking deeper into the issue, I noticed the file had actually been renamed to filename.php.suspected. What??

As it turns out, this is happening to a lot of people. This is not just limited to WordPress, but it appears WordPress sites have been targeted more than others. Using the following grep command I found over 25 malware files on the server:

Code:

egrep -Rl '\$GLOBALS.*\\x|function.*for.*strlen.*isset|isset.*eval' /path/to/webserver

There were a few false positives, but I had a ~90% success rate with that command. I dug deeper and found the reason these hackers want the server: spam mail. A PHP mailer script was installed on the server and the hackers were POSTing to it to send (lovely) spam messages.

After shutting down the mail server and setting up a honeypot to trick the hackers, I halted their activities for the time being.

Have you experienced this hack? If you need help resolving this issue on your site, contact me today.
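An added triage script, not part of the quoted blog post or the forum, that turns the egrep one-liner above into two reusable checks: it lists files that have already been renamed to *.php.suspected, and it scans the remaining *.php files for the same obfuscation indicators (a $GLOBALS reference next to hex escapes, strlen/isset loops, isset() chained with eval()). The webroot, file names and file contents it builds under mktemp are constructed samples so the script runs offline; point the functions at a real document root to use them.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed sample webroot and
# file names; the indicator pattern is the one from the post's egrep command.

# $GLOBALS followed by a hex escape, strlen/isset loops, or isset() near eval()
MALWARE_PATTERN='\$GLOBALS.*\\x|function.*for.*strlen.*isset|isset.*eval'

# Print every file under $1 that has already been renamed to *.php.suspected
# (the renaming is what produces the "file not found for require" errors).
list_suspected() {
    find "$1" -type f -name '*.php.suspected' | sort
}

# Print every *.php file under $1 whose contents match the indicator pattern.
# `find -exec ... +` hands all candidates to one grep invocation, so the
# function behaves sensibly even when no PHP files exist.
scan_php_indicators() {
    find "$1" -type f -name '*.php' -exec grep -El "$MALWARE_PATTERN" {} + | sort
}

# Build a throwaway webroot with constructed samples so the checks can be
# exercised without touching a real server. Prints the created directory.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    # benign file: a plain require, no indicators
    printf '<?php\nrequire "config.php";\necho "hello";\n' > "$root/index.php"
    # constructed indicator sample: $GLOBALS with a hex-escaped key plus isset()/eval()
    printf '<?php\n$GLOBALS["\\x61\\x62"] = 1;\nif (isset($_POST["c"])) { eval($_POST["c"]); }\n' \
        > "$root/wp-content/uploads/wp-cache.php"
    # a file that a hosting-side cleanup already renamed
    printf '<?php\necho 1;\n' > "$root/wp-content/old.php.suspected"
    printf '%s' "$root"
}

# Demo run against the constructed webroot
demo_root=$(make_sample_webroot)
echo "renamed files:"
list_suspected "$demo_root"
echo "indicator hits (review before quarantining, the pattern has false positives):"
scan_php_indicators "$demo_root"
rm -rf "$demo_root"
```

The two lists answer different questions: the first shows what has already been taken out of service (and therefore what the broken require statements point at), the second shows what still executes and matches the indicators. As the post notes, the pattern is a heuristic with false positives, so the output is a review queue rather than a delete list.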