Something is renaming php files to .php.suspected; I'm trying to find out what

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
3
down vote

favorite
1












Related:



  • https://serverfault.com/questions/748417/something-renames-files-to-filename-ext-suspected


  • https://stackoverflow.com/questions/32835796/php-file-automatically-renamed-to-php-suspected


I have a customer with a webhosting server that's running linux who is suffering from this problem. It is not a Wordpress site, although he does run Wordpress sites on that same server.



We're both aware of the problem and that some of those files do indeed have malware content - however, there are also some false positives, and they are affecting the site's functioning (by rendering include files unreadable), so he's asking me to track down which part of the installed software is doing this and to put a stop to it.



Trouble is, I'm not 100% sure what is causing the rename and why. I suspect clamav/amavis because it's in their purview, but nothing in cron really springs out to me as a possible cause for what appear to be weekly scans...






php malware clamav







share|improve this question



























    up vote
    3
    down vote

    favorite
    1












    Related:



    • https://serverfault.com/questions/748417/something-renames-files-to-filename-ext-suspected


    • https://stackoverflow.com/questions/32835796/php-file-automatically-renamed-to-php-suspected


    I have a customer with a webhosting server that's running linux who is suffering from this problem. It is not a Wordpress site, although he does run Wordpress sites on that same server.



    We're both aware of the problem and that some of those files do indeed have malware content - however, there are also some false positives, and they are affecting the site's functioning (by rendering include files unreadable), so he's asking me to track down which part of the installed software is doing this and to put a stop to it.



    Trouble is, I'm not 100% sure what is causing the rename and why. I suspect clamav/amavis because it's in their purview, but nothing in cron really springs out to me as a possible cause for what appear to be weekly scans...






    php malware clamav







    share|improve this question

























      up vote
      3
      down vote

      favorite
      1









      up vote
      3
      down vote

      favorite
      1






      1





      Related:



      • https://serverfault.com/questions/748417/something-renames-files-to-filename-ext-suspected


      • https://stackoverflow.com/questions/32835796/php-file-automatically-renamed-to-php-suspected


      I have a customer with a webhosting server that's running linux who is suffering from this problem. It is not a Wordpress site, although he does run Wordpress sites on that same server.



      We're both aware of the problem and that some of those files do indeed have malware content - however, there are also some false positives, and they are affecting the site's functioning (by rendering include files unreadable), so he's asking me to track down which part of the installed software is doing this and to put a stop to it.



      Trouble is, I'm not 100% sure what is causing the rename and why. I suspect clamav/amavis because it's in their purview, but nothing in cron really springs out to me as a possible cause for what appear to be weekly scans...






      php malware clamav







      share|improve this question















      Related:



      • https://serverfault.com/questions/748417/something-renames-files-to-filename-ext-suspected


      • https://stackoverflow.com/questions/32835796/php-file-automatically-renamed-to-php-suspected


      I have a customer with a webhosting server that's running linux who is suffering from this problem. It is not a Wordpress site, although he does run Wordpress sites on that same server.



      We're both aware of the problem and that some of those files do indeed have malware content - however, there are also some false positives, and they are affecting the site's functioning (by rendering include files unreadable), so he's asking me to track down which part of the installed software is doing this and to put a stop to it.



      Trouble is, I'm not 100% sure what is causing the rename and why. I suspect clamav/amavis because it's in their purview, but nothing in cron really springs out to me as a possible cause for what appear to be weekly scans...






      php malware clamav




      php malware clamav






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited May 23 '17 at 12:40









      Community

      1




      1










      asked Mar 13 '17 at 10:37









      Shadur

      19.2k64357




      19.2k64357




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted










          Use a file change audit mechanism such as LoggedFS or Linux's audit subsystem. See also How to determine which process is creating a file?, Log every invocation of every SUID program?, Stump the Chump with Auditd 01...



          Assuming that the server is running Linux, the audit system looks like the best solution. Log all file renaming operations in the relevant directory tree, e.g. /var/www:



          auditctl -a exit,always -S rename -F dir=/var/www


          The audit logs are normally in /var/log/audit/audit.log. Here's a sample log from cd /var/www; mv foo bar with the rule above:



          type=SYSCALL msg=audit(1489528471.598:669): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd38079c14 a1=7ffd38079c18 a2=20 a3=7ffd38077940 items=4 ppid=5661 pid=5690 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts11 ses=1 comm="mv" exe="/bin/mv" key=(null)
          type=CWD msg=audit(1489528471.598:669): cwd="/var/www"
          type=PATH msg=audit(1489528471.598:669): item=0 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
          type=PATH msg=audit(1489528471.598:669): item=1 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
          type=PATH msg=audit(1489528471.598:669): item=2 name="foo" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
          type=PATH msg=audit(1489528471.598:669): item=3 name="bar" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE





          share|improve this answer






















          • I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
            – Shadur
            Mar 14 '17 at 9:57










          • @Shadur Works for me (test scenario: touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e. /var/log/audit/audit.log (I forgot to mention that in my answer)?
            – Gilles
            Mar 14 '17 at 21:55










          • Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
            – Shadur
            Mar 15 '17 at 12:42










          • @Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
            – Gilles
            Mar 15 '17 at 13:18

















          up vote
          0
          down vote













          I know the question was asked some time ago, but the renaming of .php files to .php.suspected keeps happening today. The following commands should not come up with something:



          find <web site root> -name '*.suspected' -print
          find <web site root> -name '.*.ico' -print


          In the case I have seen, the infected files could be located with the following commands:



          cd <web site root>
          egrep -Rl '$GLOBALS.*\x'
          egrep -Rl -Ezo '/*(w+)*/s*@includes*[^;]+;s*/*'
          egrep -Rl -E '^.+($_COOKIE|$_POST).+eval.+$'


          I have prepared a longer description of the problem I have seen and how to deal with it at GitHub. I suspect that many variants of this malware have been showing up in the past. The way they infect a web site depends on the CMS used and the vulnerabilities available at the time of the attack. In this case, it was most likely Drupalgeddon2.






          share|improve this answer




















            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f351085%2fsomething-is-renaming-php-files-to-php-suspected-im-trying-to-find-out-what%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            2
            down vote



            accepted










            Use a file change audit mechanism such as LoggedFS or Linux's audit subsystem. See also How to determine which process is creating a file?, Log every invocation of every SUID program?, Stump the Chump with Auditd 01...



            Assuming that the server is running Linux, the audit system looks like the best solution. Log all file renaming operations in the relevant directory tree, e.g. /var/www:



            auditctl -a exit,always -S rename -F dir=/var/www


            The audit logs are normally in /var/log/audit/audit.log. Here's a sample log from cd /var/www; mv foo bar with the rule above:



            type=SYSCALL msg=audit(1489528471.598:669): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd38079c14 a1=7ffd38079c18 a2=20 a3=7ffd38077940 items=4 ppid=5661 pid=5690 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts11 ses=1 comm="mv" exe="/bin/mv" key=(null)
            type=CWD msg=audit(1489528471.598:669): cwd="/var/www"
            type=PATH msg=audit(1489528471.598:669): item=0 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
            type=PATH msg=audit(1489528471.598:669): item=1 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
            type=PATH msg=audit(1489528471.598:669): item=2 name="foo" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
            type=PATH msg=audit(1489528471.598:669): item=3 name="bar" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE





            share|improve this answer






















            • I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
              – Shadur
              Mar 14 '17 at 9:57










            • @Shadur Works for me (test scenario: touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e. /var/log/audit/audit.log (I forgot to mention that in my answer)?
              – Gilles
              Mar 14 '17 at 21:55










            • Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
              – Shadur
              Mar 15 '17 at 12:42










            • @Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
              – Gilles
              Mar 15 '17 at 13:18














            up vote
            2
            down vote



            accepted










            Use a file change audit mechanism such as LoggedFS or Linux's audit subsystem. See also How to determine which process is creating a file?, Log every invocation of every SUID program?, Stump the Chump with Auditd 01...



            Assuming that the server is running Linux, the audit system looks like the best solution. Log all file renaming operations in the relevant directory tree, e.g. /var/www:



            auditctl -a exit,always -S rename -F dir=/var/www


            The audit logs are normally in /var/log/audit/audit.log. Here's a sample log from cd /var/www; mv foo bar with the rule above:



            type=SYSCALL msg=audit(1489528471.598:669): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd38079c14 a1=7ffd38079c18 a2=20 a3=7ffd38077940 items=4 ppid=5661 pid=5690 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts11 ses=1 comm="mv" exe="/bin/mv" key=(null)
            type=CWD msg=audit(1489528471.598:669): cwd="/var/www"
            type=PATH msg=audit(1489528471.598:669): item=0 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
            type=PATH msg=audit(1489528471.598:669): item=1 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
            type=PATH msg=audit(1489528471.598:669): item=2 name="foo" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
            type=PATH msg=audit(1489528471.598:669): item=3 name="bar" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE





            share|improve this answer






















            • I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
              – Shadur
              Mar 14 '17 at 9:57










            • @Shadur Works for me (test scenario: touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e. /var/log/audit/audit.log (I forgot to mention that in my answer)?
              – Gilles
              Mar 14 '17 at 21:55










            • Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
              – Shadur
              Mar 15 '17 at 12:42










            • @Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
              – Gilles
              Mar 15 '17 at 13:18












            up vote
            2
            down vote



            accepted







            up vote
            2
            down vote



            accepted






            Use a file change audit mechanism such as LoggedFS or Linux's audit subsystem. See also How to determine which process is creating a file?, Log every invocation of every SUID program?, Stump the Chump with Auditd 01...



            Assuming that the server is running Linux, the audit system looks like the best solution. Log all file renaming operations in the relevant directory tree, e.g. /var/www:



            auditctl -a exit,always -S rename -F dir=/var/www


            The audit logs are normally in /var/log/audit/audit.log. Here's a sample log from cd /var/www; mv foo bar with the rule above:



            type=SYSCALL msg=audit(1489528471.598:669): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd38079c14 a1=7ffd38079c18 a2=20 a3=7ffd38077940 items=4 ppid=5661 pid=5690 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts11 ses=1 comm="mv" exe="/bin/mv" key=(null)
            type=CWD msg=audit(1489528471.598:669): cwd="/var/www"
            type=PATH msg=audit(1489528471.598:669): item=0 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
            type=PATH msg=audit(1489528471.598:669): item=1 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
            type=PATH msg=audit(1489528471.598:669): item=2 name="foo" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
            type=PATH msg=audit(1489528471.598:669): item=3 name="bar" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE





            share|improve this answer














            Use a file change audit mechanism such as LoggedFS or Linux's audit subsystem. See also How to determine which process is creating a file?, Log every invocation of every SUID program?, Stump the Chump with Auditd 01...



            Assuming that the server is running Linux, the audit system looks like the best solution. Log all file renaming operations in the relevant directory tree, e.g. /var/www:



            auditctl -a exit,always -S rename -F dir=/var/www


            The audit logs are normally in /var/log/audit/audit.log. Here's a sample log from cd /var/www; mv foo bar with the rule above:



            type=SYSCALL msg=audit(1489528471.598:669): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd38079c14 a1=7ffd38079c18 a2=20 a3=7ffd38077940 items=4 ppid=5661 pid=5690 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts11 ses=1 comm="mv" exe="/bin/mv" key=(null)
            type=CWD msg=audit(1489528471.598:669): cwd="/var/www"
            type=PATH msg=audit(1489528471.598:669): item=0 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
            type=PATH msg=audit(1489528471.598:669): item=1 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
            type=PATH msg=audit(1489528471.598:669): item=2 name="foo" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
            type=PATH msg=audit(1489528471.598:669): item=3 name="bar" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE






            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Mar 15 '17 at 13:17

























            answered Mar 14 '17 at 1:40









            Gilles

            524k12610471577




            524k12610471577











            • I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
              – Shadur
              Mar 14 '17 at 9:57










            • @Shadur Works for me (test scenario: touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e. /var/log/audit/audit.log (I forgot to mention that in my answer)?
              – Gilles
              Mar 14 '17 at 21:55










            • Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
              – Shadur
              Mar 15 '17 at 12:42










            • @Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
              – Gilles
              Mar 15 '17 at 13:18
















            • I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
              – Shadur
              Mar 14 '17 at 9:57










            • @Shadur Works for me (test scenario: touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e. /var/log/audit/audit.log (I forgot to mention that in my answer)?
              – Gilles
              Mar 14 '17 at 21:55










            • Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
              – Shadur
              Mar 15 '17 at 12:42










            • @Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
              – Gilles
              Mar 15 '17 at 13:18















            I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
            – Shadur
            Mar 14 '17 at 9:57




            I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
            – Shadur
            Mar 14 '17 at 9:57












            @Shadur Works for me (test scenario: touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e. /var/log/audit/audit.log (I forgot to mention that in my answer)?
            – Gilles
            Mar 14 '17 at 21:55




            @Shadur Works for me (test scenario: touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e. /var/log/audit/audit.log (I forgot to mention that in my answer)?
            – Gilles
            Mar 14 '17 at 21:55












            Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
            – Shadur
            Mar 15 '17 at 12:42




            Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
            – Shadur
            Mar 15 '17 at 12:42












            @Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
            – Gilles
            Mar 15 '17 at 13:18




            @Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
            – Gilles
            Mar 15 '17 at 13:18












            up vote
            0
            down vote













            I know the question was asked some time ago, but the renaming of .php files to .php.suspected keeps happening today. The following commands should not come up with something:



            find <web site root> -name '*.suspected' -print
            find <web site root> -name '.*.ico' -print


            In the case I have seen, the infected files could be located with the following commands:



            cd <web site root>
            egrep -Rl '$GLOBALS.*\x'
            egrep -Rl -Ezo '/*(w+)*/s*@includes*[^;]+;s*/*'
            egrep -Rl -E '^.+($_COOKIE|$_POST).+eval.+$'


            I have prepared a longer description of the problem I have seen and how to deal with it at GitHub. I suspect that many variants of this malware have been showing up in the past. The way they infect a web site depends on the CMS used and the vulnerabilities available at the time of the attack. In this case, it was most likely Drupalgeddon2.






            share|improve this answer
























              up vote
              0
              down vote













              I know the question was asked some time ago, but the renaming of .php files to .php.suspected keeps happening today. The following commands should not come up with something:



              find <web site root> -name '*.suspected' -print
              find <web site root> -name '.*.ico' -print


              In the case I have seen, the infected files could be located with the following commands:



              cd <web site root>
              egrep -Rl '$GLOBALS.*\x'
              egrep -Rl -Ezo '/*(w+)*/s*@includes*[^;]+;s*/*'
              egrep -Rl -E '^.+($_COOKIE|$_POST).+eval.+$'


              I have prepared a longer description of the problem I have seen and how to deal with it at GitHub. I suspect that many variants of this malware have been showing up in the past. The way they infect a web site depends on the CMS used and the vulnerabilities available at the time of the attack. In this case, it was most likely Drupalgeddon2.






              share|improve this answer






















                up vote
                0
                down vote










                up vote
                0
                down vote









                I know the question was asked some time ago, but the renaming of .php files to .php.suspected keeps happening today. The following commands should not come up with something:



                find <web site root> -name '*.suspected' -print
                find <web site root> -name '.*.ico' -print


                In the case I have seen, the infected files could be located with the following commands:



                cd <web site root>
                egrep -Rl '$GLOBALS.*\x'
                egrep -Rl -Ezo '/*(w+)*/s*@includes*[^;]+;s*/*'
                egrep -Rl -E '^.+($_COOKIE|$_POST).+eval.+$'


                I have prepared a longer description of the problem I have seen and how to deal with it at GitHub. I suspect that many variants of this malware have been showing up in the past. The way they infect a web site depends on the CMS used and the vulnerabilities available at the time of the attack. In this case, it was most likely Drupalgeddon2.






                share|improve this answer












                I know the question was asked some time ago, but the renaming of .php files to .php.suspected keeps happening today. The following commands should not come up with something:



                find <web site root> -name '*.suspected' -print
                find <web site root> -name '.*.ico' -print


                In the case I have seen, the infected files could be located with the following commands:



                cd <web site root>
                egrep -Rl '$GLOBALS.*\x'
                egrep -Rl -Ezo '/*(w+)*/s*@includes*[^;]+;s*/*'
                egrep -Rl -E '^.+($_COOKIE|$_POST).+eval.+$'


                I have prepared a longer description of the problem I have seen and how to deal with it at GitHub. I suspect that many variants of this malware have been showing up in the past. The way they infect a web site depends on the CMS used and the vulnerabilities available at the time of the attack. In this case, it was most likely Drupalgeddon2.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 27 at 17:31









                Javier Elices

                1012




                1012



























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Unix & Linux Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f351085%2fsomething-is-renaming-php-files-to-php-suspected-im-trying-to-find-out-what%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown






                    -

                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Image
                    Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Sep 26 at 0:12 ToanLuong 49 9 add a comment  |  up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Se
                    Read more

                    Bahrain

                    Image
                    For other uses, see Bahrain (disambiguation). Sovereign island state in the Persian Gulf Kingdom of Bahrain مملكة البحرين   (Arabic) Mamlakat al-Baḥrayn Flag Coat of arms Anthem:  نشيد البحرين الوطني Bahrainona Our Bahrain Location of   Bahrain    (circled in red) Capital and largest city Manama 26°13′N 50°35′E  /  26.217°N 50.583°E  / 26.217; 50.583 Official languages Arabic Ethnic groups (2010 [1] ) 50.7% Arab (46% Bahrani, 4.7% other Arabs) 45.5% Asian 1% European 1.2% Others Religion Islam Demonym(s) Bahraini Government Unitary constitutional monarchy • King Hamad bin Isa Al Khalifa • Crown Prince Salman bin Hamad bin Isa Al Khalifa • Prime Minister Khalifa bin Salman Al Khalifa Legislature National Assembly • Upper house Consultative Council • Lower house Council of Representatives Independence • Declared Independence [2] 14 August 1971 • from United Kingdom [1] 15 August 1971 • Admitted to the United Nations 21 September 1971 • Kingdom of Bahrain 14 February 2002
                    Read more

                    Postfix configuration issue with fips on centos 7; mailgun relay

                    Image
                    Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I am trying to setup postfix to relay all mail generated on the local machine via SMTP to a mailgun relay. I have used the mailgun relay before with success on an ubuntu server, but I am migrating to a Centos 7 server which I will be running in FIPS mode. There error log is below, slightly sanitized. I have a small enough network that I choose to have each machine reach out to mailgun individually (this the loopback-only, 127.0.0.0/8 restrictions) and no firewall open port allowing smtp in to the machine. I assume the FIPS mode (and with it disabling of MD5) is causing problems, but I don't know how to overcome it or if it is even possible for tls_fprint to use some supported hash such as sha256 or sha512. However, the relay=none is slightly concerning since I have relayhost set, but perhaps that is because the smtp process is failing? Any help would be appreciated! postconf -n: alias_database = hash:/etc/alia
                    Read more