simcoweb Posted February 23, 2012 Share Posted February 23, 2012 I realize this is the PHP forum so please forgive if this seems out of line. But it's definitely PHP related and possibly a Wordpress related issue. Out of the blue today we were notified by our server provider that our server was spewing out malicious activity (spam) and subsequently we've been banned or blocked by several large ISP's. The only clues i've gotten from my server provider was this information which points to some file named zboard.php but the problem appears to be some sort of cross-scripting hack using what I can only imagine is a Wordpress file (or possibly some other popular PHP based program we may be hosting). So, question is, has anyone ever seen or heard of this zboard.php issue? I Googled it and found very limited info. We are trying to find the source of the activity and if there's actually some files that have been uploaded to our server that would be causing the problem or if they're just piggybacking off of something in order to run their malicious scripts. Have a look at this log: blah.servernamehere.com - - [23/Feb/2012:03:47:31 +0100] "GET /index.php?q=taxonomy/term/4&page=4/zboard.php HTTP/1.1" 302 327 "-" "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)" blah.servernamehere.com - - [23/Feb/2012:03:47:31 +0100] "GET /zboard.php HTTP/1.1" 302 300 "-" "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)" blah.servernamehere.com - - [23/Feb/2012:03:47:32 +0100] "GET /index.php?q=taxonomy/term/zboard.php HTTP/1.1" 302 314 "-" "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)" blah.servernamehere.com - - [23/Feb/2012:03:47:36 +0100] "GET /index.php?q=node/2686/zboard.php HTTP/1.1" 302 310 "-" "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)" blah.servernamehere.com - - [23/Feb/2012:03:47:36 +0100] "GET /zboard.php HTTP/1.1" 302 300 "-" "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)" blah.servernamehere.com - - [23/Feb/2012:03:47:36 +0100] "GET /index.php?q=node/zboard.php HTTP/1.1" 302 305 "-" "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)" ANY help would be greatly appreciated. Our customers are freaking since their emails are going nowhere. I've searched the server for anything 'zboard' and there's no files that match that. Quote Link to comment https://forums.phpfreaks.com/topic/257651-possible-wordpress-malicious-activity-discovered-zboardphp/ Share on other sites More sharing options...
ManiacDan Posted February 28, 2012 Share Posted February 28, 2012 Why not attach this file of yours to this thread so we can look at it? Also, XSS attacks don't create files on your hard drive, so that's not the category of exploit you should be looking at. Quote Link to comment https://forums.phpfreaks.com/topic/257651-possible-wordpress-malicious-activity-discovered-zboardphp/#findComment-1321897 Share on other sites More sharing options...
simcoweb Posted February 28, 2012 Author Share Posted February 28, 2012 Hi Maniac, thanks for the response! I did, after literally hours of searching, find the malicious file but have no way to incubate it so I simply deleted it from the server. Turns out someone had somehow uploaded the file and named it after an existing javascript file so it looked 'legit'. Like: menus.js vs menu.js.php The PHP version held a bunch of encrypted base64 code that was cranking out all kinds of spam to the point we got tossed onto a few 'block lists'. I found the file by going backwards from our Web Host Manager panel where under Process Manager it showed the server load was off the charts due to a specific account. Then searched all folders/directories of that account to find the culprit. Once that was done the emails and activity stopped. We changed the account password and activated a BruteForce blocker and protector which logs all the attempts to get into the server and blocks the IP's. What a mess. Spammers have to die an awful death. Quote Link to comment https://forums.phpfreaks.com/topic/257651-possible-wordpress-malicious-activity-discovered-zboardphp/#findComment-1321906 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.