MaliciousPHP

2021: notice malicious PHP files written in EVERY apache-writable directory in the filesystem.

Not very careful analysis:

• it looks like a very obfuscated PHP is uploaded to one of the public upload areas
• it then scans for every directory on the system that's writeable by the apache process
• it puts a e.g. .37eb5bf3.ico in one place, and puts an index.php which includes the .ico in another place
• all of these set up to create a website to serve ... some kind of sports gambling info?

Decode the php with https://www.unphp.net/

2021-02-28: Notice that these files all have different creation dates, from 2020-02 to 2021-02-13: the malware is able to set the dates

Delete all the index.phps except for the five that are supposed to be on the system. Find them with

• put a sample .ico file in ~/malware/sample-ico-malware

 find / -name index.php -print > /tmp/phps

• delete all the hidden .ico

 find / -wholename /sys/kernel/slab -prune -o -regex ".*/\..*ico" -ls

2021-05-23: write ~daniel/scout/scout.pl to alarm on unregistered index.php files.

2021-06-06: add the hidden ico deletion code to it

2021-06: start tracking down the POSTs that create all the index.phps.

2021-06-29: Maybe find the source problem as Drupal 7 filemanager.config.php, template.php, dbconfig.php