Rogue PHP Spam Scripts

From Montebello Park Hosting Support

One of the most common issues we have had here at Montebello Park is rogue PHP scripts that sneak themselves into web apps such as WordPress. Usually these scripts send email, but occasionally they are mining cryptocurrency.

Identification

Usually the SPAM variety of these scripts first shows up in the mail queue or as a notification that an account has exceeded its hourly send limit. On occasion you will notice the email script via processor usage, but more often that is a symptom of the crypto mining scripts. These scripts are often surprisingly smart: they usually limit themselves to a fairly reasonable amount of processor utilization to avoid detection.

Troubleshooting

Once you've determined you have an infection, you need to find where the scripts are. We've found a few ways to locate the scripts in question.

Email Headers

This is the easiest and most obvious way to find the source. The email server inserts X- headers that provide the script location.

For example:

X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
X-PHP-Originating-Script: 1010:bwqgvgbw.php(1189) : runtime-created function(1) : eval()'d code(1) : eval()'d code
X-PHP-Script: domain.com/wp-content/gallery/government/thumbs/bwqgvgbw.php for 198.100.100.100
  • X-Mailer describes the engine used to process the emails from the script.
  • X-PHP-Originating-Script provides the file name of the script, in this case bwqgvgbw.php. This is a common type of name for these scripts: they will usually be a seemingly random set of characters. Sometimes they will be a .php script in a folder where .php files tend not to be. I've found that most of the scripts that do the actual heavy lifting are about the same size as well (which is why the find command can be useful for locating scripts that aren't yet active).
  • X-PHP-Script provides the full path of the script. In this case it was hiding within the gallery folders in the WordPress installation.


maldet

maldet tends not to detect these sorts of issues, but is good to run occasionally in any case.


find

The find command can be useful once you've identified the characteristics of your infection. You can use it to search for similar files based on type, size, and even modification date.

Size

The find command I've used to find files of a particular size is:

find /home/ -type f -ipath '*.php' -size 85k -exec ls -lh {} \;

This looks for 85 K php files in all subdirectories of the home directory. (The pattern is quoted so the shell does not expand *.php against the current directory before find sees it.)

Date

A similar find command for dates is:

find /home/ -type f -ipath '*.php' -newermt 2018-01-28 ! -newermt 2018-01-29 -exec ls -lh {} \;

This looks for php files that were modified between 2018-01-28 and 2018-01-29 (really after 2018-01-28 but not after 2018-01-29) in all subdirectories of the home directory.
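The two steps above, reading the script location out of the X-PHP-* headers and then hunting for other PHP files in the same size bucket, combined into a small POSIX shell helper. This is an added example, not a script from this page or from Montebello Park; the headers it parses are a constructed sample modelled on the ones quoted earlier, and all function names are my own.

```shell
#!/bin/sh
# Added example: parse the X-PHP-* mail headers described above, then list
# other PHP files that land in the same "find -size Nk" bucket as the one
# they point at, since copies of the same script tend to share a size.

# Constructed sample headers, modelled on the ones quoted on the page.
SAMPLE_HEADERS=$(cat <<'EOF'
X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
X-PHP-Originating-Script: 1010:bwqgvgbw.php(1189) : runtime-created function(1) : eval()'d code(1) : eval()'d code
X-PHP-Script: domain.com/wp-content/gallery/government/thumbs/bwqgvgbw.php for 198.100.100.100
EOF
)

# X-PHP-Script has the form "<host>/<path> for <client ip>"; return "<host>/<path>".
script_path_from_headers() {
    printf '%s\n' "$1" | sed -n 's/^X-PHP-Script: \([^ ]*\) for .*/\1/p'
}

# X-PHP-Originating-Script has the form "<uid>:<file>(<line>) ..."; return "<file>".
originating_script_name() {
    printf '%s\n' "$1" | sed -n 's/^X-PHP-Originating-Script: [0-9]*:\([^(]*\)(.*/\1/p'
}

# Size of a file in 1 KiB blocks, rounded up the same way find's -size Nk rounds.
size_in_kib_blocks() {
    echo $(( ( $(wc -c < "$1") + 1023 ) / 1024 ))
}

# List every other .php file under $1 in the same -size Nk bucket as the file $2.
find_same_size_php() {
    root=$1
    ref=$2
    find "$root" -type f -iname '*.php' -size "$(size_in_kib_blocks "$ref")k" ! -path "$ref"
}

# Demonstration on the constructed headers; the find step needs a real tree.
script_path_from_headers "$SAMPLE_HEADERS"
originating_script_name "$SAMPLE_HEADERS"
```

Run find_same_size_php against the account's home directory and the path taken from X-PHP-Script to get the candidate list, then inspect each hit before deleting it.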


Solutions

We recommend a multi pronged approach to remove the issue.

ClamAV

You should run this regularly anyway, but especially now. If you've been compromised by something that can upload a php script, it's probable that it isn't the only thing that's been uploaded to your server.

Simply go to your cPanel and run the Virus Scanner.


Deleting Identified Scripts

Once you have identified the php files that are causing issues, simply delete them. I tend to just use the built in file manager in cPanel, but you can do it all via SSH or sFTP as well.


Change your Passwords!

I would change your cPanel account passwords and the Admin & user passwords for your CMS.


Adjusting Mail Limits

If you use mail from a third party such as Google or Microsoft and don't have any contact forms on your website that use email, you can crank down your email send limits. While this won't prevent re-infection, it will alert you sooner when it occurs.

There are details on setting email limits on cPanel here.

  • To manage domain-level limits, you must manually edit /var/cpanel/users/username.
  • To manage account-level limits, set the “Maximum Hourly Email by Domain Relayed” field in the Modify an Account interface in WHM.
  • To manage global limits, set the “Max hourly emails per domain” option in the Tweak Settings interface in WHM.


WordPress (or other CMS) Maintenance

This is a great opportunity to update your WordPress install. I also recommend updating any plugins and themes you use, and removing those you don't. This will hopefully close whatever security holes may have existed, and the fewer directories you have nested in your WordPress install, the harder it is for things to hide.