I was notified by Digital Ocean that one of my sites was hosting malware.
I was surprised because this was a box I set up on 10/12 and did nothing more than install a WP theme.
After investigation I found that some of the WP install directories were set up with 777 permissions, like wp-content, themes and then each of the theme installs -- even the new one I installed.
Next I found a folder that was created, named YEzfU0EZ, with an index.php file inside which is encoded (looks like B64). I have not decoded it yet.
I found another php file called thasinchild.php which is not encoded and is complex; I plan to study it. This file and the directory above were created on 10/15.
I found a text file created 10/15 also (not mine).
I also found in the htdocs directory a php file called xjbscr.php which appears to decode B64 and then execute functions hiding in the index.php file above.
The reason I bring this up is that the file mentioned above, xjbscr.php, was installed with the WP installation on 10/12 at 14:46. No other WP install (I have dozens) has this file --
I had ufw set up and a strong USER PW; I use an ssh key for entry.
Note when I copied the directory to a new name -- within 30 seconds it was recreated and running again. I then downloaded NinjaFirewall WP and watched: the site was very busy with IPs looking for the malware file, but also other files starting with the pattern /do-you/, several files getting a 200 status code that did not exist on the site. See the access printout below.
If the files were created at installation then somehow it called out and found home base. If they were not created at installation, how did xjbscr.php get into the htdocs directory with an installation time exactly the same as the other files and with normal permissions?
Here is some of the stuff in the access log:
18.104.22.168 0.404 MISS [15/Oct/2020:22:11:53 +0000] site.tld "GET /cWPbYhc210d_b/t-od_b/t-oSSPTXl.nrw HTTP/1.1" 200 8590 "-" "Googlebot-Image/1.0" [note the 200 status]
22.214.171.124 0.280 MISS [15/Oct/2020:22:11:54 +0000] site.tld"GET /6YcRxzGc210d_b/t-od_b/t-oizPZLLv.nrw HTTP/1.1" 200 9510 "-" "Googlebot-Image/1.0"
126.96.36.199 0.000 BYPASS [15/Oct/2020:22:12:08 +0000] site.tld "GET /wp-admin/YEzfU0EZ/?5f88c938d3b6d HTTP/1.0" 200 13 "-" "-"
188.8.131.52 0.084 BYPASS [15/Oct/2020:22:12:08 +0000] site.tld "POST /xjbscr.php HTTP/1.1" 200 239 "https://site.tld/xjbscr.php" "Mozilla/5.0
and from the ninja log after it began to block malformed and malicious requests:
[16/Oct/20:00:23:18 +0000] - 184.108.40.206 "GET /wp-admin/YEzfU0EZ/" "-" "python-requests/2.24.0" "-"
[16/Oct/20:00:23:37 +0000] - 220.127.116.11 "POST /xjbscr.php"
and messages like this one, also damning:
6/Oct/20 00:24:09 #6256717 CRITICAL - 18.104.22.168 POST /xjbscr.php - BASE64-encoded injection - [POST:e = bP3Nkqu6FoWJvko1bkTdiNtBYDLSjWosEgTGRiRCP6DODUBEYhCYtEkb8/Q12adVEdXYcc5ey9sGac4xvgFC/H8e/8f/9X/U1aP9OPz/ddvcdPv//T9Le+0aJ/nJf6xz+7LOp69/P6fIe1eF6nTIf+Kws0pJelWQ7eRbP7FF52YUvQ6P75abPxWKwyn83/9...] -
Does anyone have any comment -- are we installing malware? Theme installation is suspect, but the xjbscr.php file seems damning.
Further digging and I found other files littered around, like JST10x.php in wp-includes/css/dist/components. The WAF firewall found it: POST /wp-includes/css/dist/components/JST10x.php - Forbidden direct access to PHP script - [/wp-includes/css/dist/components/JST10x.php]
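As an added example (not code from the post or from NinjaFirewall), here is a small triage script that reads access-log lines in the layout quoted above and flags the same indicators the post describes: requests to the dropped files, 200 responses for paths outside the WordPress tree, POSTs to non-standard PHP endpoints, direct PHP access under wp-includes, and scripted clients. The sample log below is constructed from the post's lines plus one benign request; the allow-lists of stock WordPress paths are assumptions for a default install.

```python
import re
from urllib.parse import urlsplit

# Layout of the lines quoted in the post:
# ip upstream_time cache_status [timestamp] host "METHOD target HTTP/x" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<cache>\S+) \[(?P<ts>[^\]]+)\] (?P<host>\S+)\s*'
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Files and directories the post identified as dropped by the attacker.
KNOWN_BAD = {"/xjbscr.php", "/wp-admin/YEzfU0EZ/", "/wp-includes/css/dist/components/JST10x.php"}
# Top-level paths a stock WordPress install serves (assumption; extend for your site).
WP_TOP = {"", "index.php", "wp-admin", "wp-content", "wp-includes", "wp-json",
          "wp-login.php", "wp-cron.php", "xmlrpc.php", "wp-comments-post.php"}
# PHP endpoints that legitimately receive POSTs on a stock install (assumption).
POST_OK = {"/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php",
           "/xmlrpc.php", "/wp-comments-post.php", "/wp-cron.php"}

# Constructed sample: four lines from the post plus one benign theme-asset request.
SAMPLE_LOG = """\
18.104.22.168 0.404 MISS [15/Oct/2020:22:11:53 +0000] site.tld "GET /cWPbYhc210d_b/t-od_b/t-oSSPTXl.nrw HTTP/1.1" 200 8590 "-" "Googlebot-Image/1.0"
126.96.36.199 0.000 BYPASS [15/Oct/2020:22:12:08 +0000] site.tld "GET /wp-admin/YEzfU0EZ/?5f88c938d3b6d HTTP/1.0" 200 13 "-" "-"
188.8.131.52 0.084 BYPASS [15/Oct/2020:22:12:08 +0000] site.tld "POST /xjbscr.php HTTP/1.1" 200 239 "https://site.tld/xjbscr.php" "Mozilla/5.0"
203.0.113.7 0.012 HIT [15/Oct/2020:22:13:00 +0000] site.tld "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 4012 "https://site.tld/" "Mozilla/5.0"
184.108.40.206 0.000 BYPASS [16/Oct/2020:00:23:18 +0000] site.tld "GET /wp-admin/YEzfU0EZ/ HTTP/1.1" 403 0 "-" "python-requests/2.24.0"
"""


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the list of reasons a parsed request looks like web-shell traffic (empty if benign)."""
    path = urlsplit(rec["target"]).path
    top = path.split("/")[1] if path.startswith("/") else path
    reasons = []
    if path in KNOWN_BAD:
        reasons.append("known dropped file")
    if path.startswith("/do-you/"):
        reasons.append("scanner probe pattern /do-you/")
    if int(rec["status"]) == 200 and top not in WP_TOP:
        reasons.append("200 for path outside the WordPress tree")
    if rec["method"] == "POST" and path.endswith(".php") and path not in POST_OK:
        reasons.append("POST to non-standard PHP endpoint")
    if path.endswith(".php") and top == "wp-includes":
        reasons.append("direct PHP access under wp-includes")
    if rec["ua"].startswith("python-requests"):
        reasons.append("scripted client user-agent")
    return reasons


def scan(log_text):
    """Return (ip, method, path, reasons) for every line that is flagged or unparseable."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            hits.append(("?", "?", line[:60], ["unparseable line"]))
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ip"], rec["method"], urlsplit(rec["target"]).path, reasons))
    return hits


if __name__ == "__main__":
    for ip, method, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip:16} {method:5} {path:45} {', '.join(reasons)}")
```

Run it against the real access log with `scan(open("access.log").read())`; the benign stylesheet request in the sample is the only line that produces no reasons.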