maldet finds malware in phptmp folders of several customers

**gpeter73** · Mar 11th 2014

Hi,

everynight I run maldet / f-secure antivirus on my complete server.
Today I got an report that maldet found several malware at some customers phptmp folders:

Code

FILE HIT LIST:
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpWnT6WN.virus => /usr/local/maldetect/quarantine/phpWnT6WN.virus.9407
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpADqTDp.virus => /usr/local/maldetect/quarantine/phpADqTDp.virus.6573
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpFtVhKW.virus => /usr/local/maldetect/quarantine/phpFtVhKW.virus.13864
{CAV}PHP.Hide : /var/www/virtual/xxxxx.com/phptmp/phpqOMGqf.virus => /usr/local/maldetect/quarantine/phpqOMGqf.virus.11505
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpKe5Od8.virus => /usr/local/maldetect/quarantine/phpKe5Od8.virus.14923
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpti6qMm.virus => /usr/local/maldetect/quarantine/phpti6qMm.virus.7189
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/php4RXdcm.virus => /usr/local/maldetect/quarantine/php4RXdcm.virus.10784
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpZheZh1.virus => /usr/local/maldetect/quarantine/phpZheZh1.virus.9074
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpgqjhIN.virus => /usr/local/maldetect/quarantine/phpgqjhIN.virus.5326
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpEX7uHC.virus => /usr/local/maldetect/quarantine/phpEX7uHC.virus.28417
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpVeJUmr.virus => /usr/local/maldetect/quarantine/phpVeJUmr.virus.23759
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/php5fqv8r.virus => /usr/local/maldetect/quarantine/php5fqv8r.virus.17440
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpjCSsUm.virus => /usr/local/maldetect/quarantine/phpjCSsUm.virus.19274
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/php3XzUaV.virus => /usr/local/maldetect/quarantine/php3XzUaV.virus.2231
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpxwJZcq.virus => /usr/local/maldetect/quarantine/phpxwJZcq.virus.24669
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpvj0joT.virus => /usr/local/maldetect/quarantine/phpvj0joT.virus.13242
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpWMez7E.virus => /usr/local/maldetect/quarantine/phpWMez7E.virus.31003
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phprZSKEg.virus => /usr/local/maldetect/quarantine/phprZSKEg.virus.325
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpitJ2Jb.virus => /usr/local/maldetect/quarantine/phpitJ2Jb.virus.24629
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/php9Purbx.virus => /usr/local/maldetect/quarantine/php9Purbx.virus.24780
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/php2fxujn.virus => /usr/local/maldetect/quarantine/php2fxujn.virus.29580
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/php9d1UxG.virus => /usr/local/maldetect/quarantine/php9d1UxG.virus.9537
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpcaR70l.virus => /usr/local/maldetect/quarantine/phpcaR70l.virus.28694
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpRi6Jgn.virus => /usr/local/maldetect/quarantine/phpRi6Jgn.virus.23697
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpNKLBjm.virus => /usr/local/maldetect/quarantine/phpNKLBjm.virus.23109
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpm5ZCoB.virus => /usr/local/maldetect/quarantine/phpm5ZCoB.virus.672
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpKZXSdW.virus => /usr/local/maldetect/quarantine/phpKZXSdW.virus.24637
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/php8um8Pb.virus => /usr/local/maldetect/quarantine/php8um8Pb.virus.22861
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/php8P6z6M.virus => /usr/local/maldetect/quarantine/php8P6z6M.virus.29861
{HEX}php.cmdshell.FilesMan.235 : /var/www/virtual/xxxxx/phptmp/phpoziXHp.virus => /usr/local/maldetect/quarantine/phpoziXHp.virus.6507
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/phplrDjJr.virus => /usr/local/maldetect/quarantine/phplrDjJr.virus.19199
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/php78WEyK.virus => /usr/local/maldetect/quarantine/php78WEyK.virus.22844
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/phpg1FCAK.virus => /usr/local/maldetect/quarantine/phpg1FCAK.virus.5865
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/phpe7i2V5.virus => /usr/local/maldetect/quarantine/phpe7i2V5.virus.8315
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/phpdVVY3S.virus => /usr/local/maldetect/quarantine/phpdVVY3S.virus.5559
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/phpnhDO0b.virus => /usr/local/maldetect/quarantine/phpnhDO0b.virus.17013
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/phpUi5jKJ.virus => /usr/local/maldetect/quarantine/phpUi5jKJ.virus.15401
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/phpHHgNBX.virus => /usr/local/maldetect/quarantine/phpHHgNBX.virus.14641
{HEX}php.cmdshell.FilesMan.235 : /var/www/virtual/xxxxx/phptmp/phpQ37DFQ.virus => /usr/local/maldetect/quarantine/phpQ37DFQ.virus.29618
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/phpAKvYoO.virus => /usr/local/maldetect/quarantine/phpAKvYoO.virus.26773
{HEX}php.cmdshell.FilesMan.235 : /var/www/virtual/xxxxx/phptmp/phpHzH9FH.virus => /usr/local/maldetect/quarantine/phpHzH9FH.virus.19890
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/php04E0VT.virus => /usr/local/maldetect/quarantine/php04E0VT.virus.12155
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/phpQrtiI6.virus => /usr/local/maldetect/quarantine/phpQrtiI6.virus.251
{CAV}PHP.Hide : /var/www/virtual/xxxxx/phptmp/phpNWRESo.virus => /usr/local/maldetect/quarantine/phpNWRESo.virus.6017
{CAV}PHP.Hide : /var/www/virtual/xxxxx.eu/phptmp/phpIGUGAQ.virus => /usr/local/maldetect/quarantine/phpIGUGAQ.virus.29028
{CAV}PHP.Hide : /var/www/virtual/xxxxx.eu/phptmp/phpfUGb2M.virus => /usr/local/maldetect/quarantine/phpfUGb2M.virus.17149
{CAV}PHP.Hide : /var/www/virtual/xxxxx.eu/phptmp/phpNbiTXL.virus => /usr/local/maldetect/quarantine/phpNbiTXL.virus.8995
{CAV}PHP.Hide : /var/www/virtual/xxxxx.eu/phptmp/phpfTM9fn.virus => /usr/local/maldetect/quarantine/phpfTM9fn.virus.29282
{CAV}PHP.Hide : /var/www/virtual/xxxxx.eu/phptmp/phpsR4ZxD.virus => /usr/local/maldetect/quarantine/phpsR4ZxD.virus.22772
{CAV}PHP.Hide : /var/www/virtual/xxxxx.eu/phptmp/phpkyMKHl.virus => /usr/local/maldetect/quarantine/phpkyMKHl.virus.20359
{HEX}php.cmdshell.FilesMan.235 : /var/www/virtual/xxxxx.eu/phptmp/php3d9cGt.virus => /usr/local/maldetect/quarantine/php3d9cGt.virus.1230
{HEX}php.cmdshell.FilesMan.235 : /var/www/virtual/xxxxx.eu/phptmp/phpCkVMP4.virus => /usr/local/maldetect/quarantine/phpCkVMP4.virus.19611
{CAV}PHP.Hide : /var/www/virtual/xxxxx.eu/phptmp/phpLwNSpN.virus => /usr/local/maldetect/quarantine/phpLwNSpN.virus.32761
{HEX}php.cmdshell.FilesMan.235 : /var/www/virtual/xxxxx.eu/phptmp/phpWJqB1y.virus => /usr/local/maldetect/quarantine/phpWJqB1y.virus.20929
{CAV}PHP.Hide : /var/www/virtual/xxxxx.eu/phptmp/phpbxhTZ9.virus => /usr/local/maldetect/quarantine/phpbxhTZ9.virus.12672
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpc1Y9DN.virus => /usr/local/maldetect/quarantine/phpc1Y9DN.virus.8279
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpHw4AiV.virus => /usr/local/maldetect/quarantine/phpHw4AiV.virus.2971
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpLrosd5.virus => /usr/local/maldetect/quarantine/phpLrosd5.virus.13510
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpg9Fptc.virus => /usr/local/maldetect/quarantine/phpg9Fptc.virus.24817
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpPXJUcl.virus => /usr/local/maldetect/quarantine/phpPXJUcl.virus.4005
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phppNNBso.virus => /usr/local/maldetect/quarantine/phppNNBso.virus.19947
{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpVAb7uQ.virus => /usr/local/maldetect/quarantine/phpVAb7uQ.virus.22729

Display More

How they come in on several domain at the same time. I manage the most of these Pages and keep them up2date and check also all extension via http://vel.joomla.org/.
The Foldersecurity is done as strong it is possible.

How they can come in? How find the security problem?!

Cheers Peter

andy-lu · Mar 11th 2014

Quote from gpeter73

Hi,

everynight I run maldet / f-secure antivirus on my complete server.
Today I got an report that maldet found several malware at some customers phptmp folders:

Code

FILE HIT LIST:

{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpWnT6WN.virus => /usr/local/maldetect/quarantine/phpWnT6WN.virus.9407

{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpADqTDp.virus => /usr/local/maldetect/quarantine/phpADqTDp.virus.6573

...

{HEX}gzbase64.inject.unclassed.15 : /var/www/virtual/xxxxx.com/phptmp/phpVAb7uQ.virus => /usr/local/maldetect/quarantine/phpVAb7uQ.virus.22729

How they come in on several domain at the same time. I manage the most of these Pages and keep them up2date and check also all extension via http://vel.joomla.org/.
The Foldersecurity is done as strong it is possible.

How they can come in? How find the security problem?!

Cheers Peter

Display More

Maybe these are false possitives.. Are you googled about the virus they are been found?

**gpeter73** · Mar 11th 2014

I tried but didn't found any usable. Just the same answer as yours: may false positives

What I saw is, that my Mail Server is under attack since yesterday. 1000's of login errors on sasl from IP's all over the world.
Just set fail2ban to maxtries = 1 and bantime > 3 Years (just for a moment) . Now I don't have any new bans, it seems the hacker runned out of Proxy IP's

maldet finds malware in phptmp folders of several customers

Share

Daily visitors