
Possible Wordpress malicious activity discovered - zboard.php?


simcoweb


I realize this is the PHP forum so please forgive if this seems out of line. But it's definitely PHP related and possibly a Wordpress related issue.

 

Out of the blue today we were notified by our server provider that our server was spewing out malicious activity (spam) and subsequently we've been banned or blocked by several large ISPs. The only clue I've gotten from my server provider was this information, which points to some file named zboard.php, but the problem appears to be some sort of cross-scripting hack using what I can only imagine is a Wordpress file (or possibly some other popular PHP-based program we may be hosting).

 

So, the question is, has anyone ever seen or heard of this zboard.php issue? I Googled it and found very limited info. We are trying to find the source of the activity and whether there are actually some files that have been uploaded to our server that would be causing the problem, or if they're just piggybacking off of something in order to run their malicious scripts. Have a look at this log:

 

    blah.servernamehere.com - - [23/Feb/2012:03:47:31 +0100] "GET /index.php?q=taxonomy/term/4&page=4/zboard.php HTTP/1.1" 302 327 "-" "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)"
    blah.servernamehere.com - - [23/Feb/2012:03:47:31 +0100] "GET /zboard.php HTTP/1.1" 302 300 "-" "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)"
    blah.servernamehere.com - - [23/Feb/2012:03:47:32 +0100] "GET /index.php?q=taxonomy/term/zboard.php HTTP/1.1" 302 314 "-" "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)"
    blah.servernamehere.com - - [23/Feb/2012:03:47:36 +0100] "GET /index.php?q=node/2686/zboard.php HTTP/1.1" 302 310 "-" "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)"
    blah.servernamehere.com - - [23/Feb/2012:03:47:36 +0100] "GET /zboard.php HTTP/1.1" 302 300 "-" "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)"
    blah.servernamehere.com - - [23/Feb/2012:03:47:36 +0100] "GET /index.php?q=node/zboard.php HTTP/1.1" 302 305 "-" "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)"

 

ANY help would be greatly appreciated. Our customers are freaking out since their emails are going nowhere. I've searched the server for anything 'zboard' and there are no files that match that.

 

 

Hi Maniac, thanks for the response! I did, after literally hours of searching, find the malicious file but have no way to incubate it so I simply deleted it from the server.

 

Turns out someone had somehow uploaded the file and named it after an existing JavaScript file so it looked 'legit'. Like:

menus.js vs menu.js.php

 

The PHP version held a bunch of encrypted base64 code that was cranking out all kinds of spam, to the point that we got tossed onto a few 'block lists'. I found the file by going backwards from our Web Host Manager panel, where under Process Manager it showed the server load was off the charts due to a specific account. Then I searched all folders/directories of that account to find the culprit.

 

Once that was done the emails and activity stopped. We changed the account password and activated a BruteForce blocker and protector which logs all the attempts to get into the server and blocks the IPs.

 

What a mess. Spammers have to die an awful death.
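A scanner that looks for the two tells described in this thread (a PHP file hiding behind a second extension such as menu.js.php, and a body that is mostly a base64 blob handed to eval) is a quick way to shorten the "hours of searching" next time. This is an added example, not code from the thread; the web root, file names and the inert filler blob are all constructed here for the demonstration.

```python
import os
import re
import tempfile

# Heuristics from the thread: a PHP file disguised with a second extension
# (menu.js.php beside the real menus.js) whose body is a large base64 blob
# that is decoded and executed at runtime. Heuristic, so review every hit.
DOUBLE_EXT = re.compile(r"\.(js|css|png|jpe?g|gif|txt)\.php$", re.IGNORECASE)
DECODE_EXEC = re.compile(r"\b(eval|assert|preg_replace)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def scan_file(path):
    """Return the reasons a file looks suspicious (empty list if clean)."""
    reasons = []
    name = os.path.basename(path)
    if DOUBLE_EXT.search(name):
        reasons.append("double extension")
    if name.lower().endswith(".php"):
        with open(path, "r", errors="replace") as fh:
            body = fh.read()
        if DECODE_EXEC.search(body):
            reasons.append("eval of decoded payload")
        if LONG_B64.search(body):
            reasons.append("long base64 blob")
    return reasons


def scan_tree(root):
    """Walk a web root; map relative path -> reasons for every flagged file."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            reasons = scan_file(full)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_tree():
    """Constructed sample web root: two clean files and one look-alike dropper."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "wp-content"))
    files = {
        "wp-content/menus.js": "function toggleMenu(id) { return document.getElementById(id); }\n",
        "index.php": "<?php require 'wp-blog-header.php'; ?>\n",
        # Inert stand-in for the dropper: the blob is filler, not a real payload.
        "wp-content/menu.js.php": "<?php eval(base64_decode('" + "QUJD" * 75 + "')); ?>\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return root
```

Run `scan_tree` against a real document root instead of `build_sample_tree()`; the output is a starting list for manual review, since minified assets can trip the base64 heuristic.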
