woutersf / help_me_clear_this_up Goto Github PK

Can you describe the hosting environment a bit (shared/vps/server to the one site/vps managed by you but with multiple sites)?
Was any other software available on the site/server (e.g. civicrm, phpmyadmin)?
Were any contributed modules out of date?
Did Drupal/Apache/PHP have the ability to write files into the Drupal root directory?
What were the firewall rules like?
Were passwords on remotely-accessible services strong?

Two of the scripts very obviously attempts to ping back to PHP scripts on two IP addresses: 78.138.118.127 and 78.138.127.174 and either serve a file or display HTML to the user. Both of these are servers hosted by MESH. You should probably email them ([email protected]) and make sure those machines are shut down. You might also want to consider blocking the whole IP range in the future.

The third script is a bit stranger and does a bunch of messing around to obfuscate the IP addresses it contacts although they appear to be either 62.122.75.232 or 67.35.103.53 depending on whether the script is a PHP file or not.

I watched at the messages.php file and directly saw, that its unicode-encoded (the \x32 stuff). So the easiest first step to read the code, is to decode it first with just a simple bash line

VAR=`cat messages.php`; echo -e $VAR

which you can also put back into a file. After that you need to make the code pretty for better readability and continue...

Hope it helps ;-)