So I've been fighting this problem for months now and decided that it's beyond my limited (if at all) server skills, and that I need help from the pros.
I have a VPS (with root access) which hosts several different PHP websites, some of which are WordPress-based. Some of the sites got infected with malware as a result of the MailPoet vulnerability. I cleaned the infected sites, completely removed MailPoet, backdoor accounts, and related stuff, but the malware keeps resurrecting once in a while. Below is what I can describe about it:
- There are two malware signatures (sorry if I'm using the wrong term), both injected at the very top of PHP pages. One looks like this:
<?php $ozufdqjmhx = '7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x782vg}...
with the variable name $ozufdqjmhx changing from time to time; the other begins with <?php if(!isset($GLOBALS[\'\a\e\0... etc etc
- The malware comes back at random intervals. Sometimes it comes back a day after cleaning, sometimes a week, or several weeks.
- Only previously infected files/directories/websites get infected again. New directories, or old unaffected ones, are always clean. New files in old infected directories though, get infected.
- maldet (using ClamAV I believe) can't detect any malware. PHP Shell Detector can, but it cannot fix due to being a detector only.
Can you guys help, or give a direction I should be heading to? A million thanks in advance!
(Also I'm sorry if this question doesn't fit the site's regulations. While I'm a daily user of StackOverflow, this is my first time on this Security subsite).
EDIT: I really appreciate any recommendation from you guys, but wiping the server and starting from scratch is not an option. If it was, why would I ask this question to begin with, right? :)
EDIT 2: Following @Mints97's answer, I've checked all the open ports -- looks normal:
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3000/tcp open ppp
3306/tcp open mysql
5432/tcp open postgresql
8000/tcp open http-alt
8080/tcp open http-proxy
8082/tcp open blackice-alerts
10000/tcp open snet-sensor-mgmt
20000/tcp open dnp
EDIT 3: This is for @QuestionOverflow: When searching for the 4 domains you mentioned in your other answer, I came across a script to eliminate the malware here. In the code we can see if (preg_match('/^<\?php \$[a-z]{10} = \'/', $fh_str)) { , which targets EXACTLY the first signature. I would say now it's the same malware, or at least from the same guy via the same vulnerability. Pretty interesting.
EDIT 4: The second malware has already been discussed here if it may help, and yes, apparently both fetch some payload randomly from 4 domains: "33db9538.com", "9507c4e8.com", "e5b57288.com", "54dfa1cb.com". I've added all 4 into my hosts file, pointing to 127.0.0.1. Let's see what's next.
EDIT 5: Several suggest that this question has already been answered here at How do you explain the necessity of “nuke it from orbit” to management and users?. Honestly I fail to see how the other question answers mine. I'm asking how to eliminate malware, not how to explain to my boss why I should reinstall a server.
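As an added example (not code from the question or from the cleanup script mentioned in EDIT 3), a small Python scanner for the two signatures described above: the first uses the preg_match pattern quoted in EDIT 3, the second matches only the visible <?php if(!isset($GLOBALS[ prefix, since the rest is obfuscated. The sample site it builds is constructed for the demonstration; the matched paths are what an admin would diff against the previous run to see which files and directories get re-infected.

```python
import os
import re
import tempfile

# Head-of-file signatures for the two injections described in the question.
# Assumption: the second one is identified by its visible prefix only.
SIGNATURES = {
    "obfuscated-var": re.compile(r"^<\?php \$[a-z]{10} = '"),
    "globals-isset": re.compile(r"^<\?php if\(!isset\(\$GLOBALS\["),
}


def classify_head(head):
    """Return the name of the signature matching the start of a file, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(head):
            return name
    return None


def scan_tree(root, head_bytes=256):
    """Inspect the first head_bytes of every .php file under root and return a
    sorted list of (relative path, signature name) for files that match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(head_bytes).decode("latin-1")
            sig = classify_head(head)
            if sig:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, sig))
    return sorted(hits)


def build_sample_site():
    """Create a constructed sample site: two injected files and one clean file."""
    root = tempfile.mkdtemp(prefix="sample-site-")
    samples = {
        "index.php": "<?php $ozufdqjmhx = '7825h!>!%x5c%x7825tdz';\n<?php echo 'site';\n",
        "wp-content/plugins/x/x.php": "<?php if(!isset($GLOBALS['\\x01'])) { }\n",
        "wp-includes/clean.php": "<?php\necho 'clean';\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, sig in scan_tree(build_sample_site()):
        print(f"{sig:15} {rel}")
```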