Mysterious ico files appearing on webserver

This is an attack targeting a PHP vulnerability with POST requests.

The attacker somehow manages to change existing PHP files with an @include statement using an encoded path that translates into one to these .ico files which are self-decrypting PHP files calling an external script from another server.

Blocking POST requests works so far. Although that is only possible for sites that do not depend on external POST requests. This can be done in the .htaccess file as explained here.


EDITED: This is a known php hack. If your server runs Wordpress only, plugins like Wordfence can detect and clean the infected files but if you have other php applications it will take other steps. I ran Maldet and did'n work.

It injects or modifies index.php files which call an .ico file, also creates random named .php files

The cause can be many including unprotected form POST operations. Always use secure forms with recaptcha. Your system is definitely hacked, but copying your files to a new OS will probably copy the infected code as well.

Workarounds to cleanup the infected files

ico files

Using ssh find all .ico files from the html root:

find -name "*.ico"

remove those with random characters before the .ico extension

index.php files

They use to call the infected file using an @include on an index.php file. To find compromised index.php files I found this way much faster than pure grep command:

find -name index.php -exec grep -rnwl '@include ' {} \;

Remove the malicious code if the rest of the file is original or simply trash it if it is created by this malicious attack.

Random .php files

They use random names, in cli you can find same patterns alike. In my case the files were 8 characters long before .php having a substring function to create names, so I could find them like this:

find -name '????????.php' -exec grep -rnwl 'substr(md5(time()), 0, 8)' {} \;

Diff

You can use diff to find differences with original stuff in place or using svn, git.

diff -qr directory-1/ directory-2/

Tags:

Apache

Shared Hosting

Hacked Site

Related

Allow a folder and disallow all sub folders in robots.txt Why is the sitemap validator returning an error for the "lastmod" tag? Why would Wikipedia show set external links as rel="nofollow"? How to tell Google I'm doing a search from another city than mine Should company name in logo be an image or text? Leverage Browser Caching for third party resources Does Facebook Need both og:image and og:image:secure_url for HTTPS only site? How to tell Google that each subfolder is a different site? Otherwise, Google appends the main site's name to every other subfolder What is the best practice for redirecting the IP address of a web server when it hosts multiple domain names? Title too long - SEO implications? How to make sure Chinese text is rendered in webpage? Does SSL require a client side certificate of any kind at all?

Recent Posts