
On my shared host, a license.php file is automatically getting created in the root folder/directory of every domain. I have found and deleted this file multiple times from everywhere.

Here is the code of the file on GitHub Gist: https://gist.github.com/nikunjbhatt/19b3458852077e7619636215039ad4bc

Can anybody tell me what this file is doing?

I am seeing these in server access logs:

```
14.183.74.216 - - [10/Oct/2020:12:43:57 +0000] "HEAD / HTTP/1.1" 200 - "-" "-" blog.techwheels.net 209.99.16.58
14.183.74.216 - - [10/Oct/2020:12:44:06 +0000] "POST /license.php HTTP/1.1" 404 30669 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" blog.techwheels.net 209.99.16.58
14.183.74.216 - - [10/Oct/2020:12:44:36 +0000] "POST /license.php HTTP/1.1" 200 7503 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" blog.techwheels.net 209.99.16.58
```

I have never executed this file but I am seeing this in the error_log file whenever this file's request is received:

```
[10-Oct-2020 12:44:37 UTC] PHP Deprecated:  Function create_function() is deprecated in /home/nikunjbh/public_html/TECHWHEELS.NET/BLOG/license.php on line 2
```

I am also seeing some folders being created automatically to sell some products. An example here: https://blog.techwheels.net/PS. The checkout form is linking to https://tuma.clickfunnels.com/order-form1599992569328#submit-form. In other such folders, to sell something, there were checkout pages to the same domain - checkfunnels.com. One such folder had an .exe file as well. And Google Search Console had reported malicious code in another ~8.5 MB GIF file.

I have the zBench theme on WordPress, from http://zww.me/. And these plugins are installed:

  • Advanced noCaptcha & invisible Captcha
  • ELI's Related Posts Footer Links and Widget
  • Post Ratings
  • Webcraftic Local Google Analytics
  • WP PHP widget (I just deleted it now; I was using it to insert Google Translate code (to enable the visitors to translate blog posts); now I am adding its code using WordPress' built-in CustomHTML widget.)

Do these have anything to do with phpList? Because I have seen similar problems of malicious code (not exactly license.php, but other code and files) after installing phpList on other hosting accounts as well.

How do I permanently get rid of all these?

  • On searching Google for **PHP Deprecated: Function create_function() is deprecated in "license.php on line 2"** I found only one result, most probably of the same license.php file, hosted on a website: http://club.sassae.com/license.php – Nikunj Bhatt Oct 10 '20 at 20:02
  • Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Michael Hampton Oct 10 '20 at 20:59
  • The answer is too long and not to-the-point, so TL;DR. Presently I have deleted all FTP accounts, they weren't in use. Changed pwd of cPanel. Moved the phpList and other suspicious dirs to trash. I will move them back to original location one-by-one later and try to find the main culprit, and post update here. I have my main doubt only on FTP though. Someone could have saved FTP creds in their computer and the computer could have been affected by malware and that malware could have stolen the creds and be uploading the files. – Nikunj Bhatt Oct 13 '20 at 21:50
  • Presently, these measures seem to be working; new license.php files are not being created. – Nikunj Bhatt Oct 13 '20 at 21:52

0 Answers
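
An added example, not part of the original question or its comments: a Python check that scans access-log lines in the format quoted in the question for a POST to a .php path that is answered 404 and then 200 for the same client, vhost and path. That pair bounds the time in which the file was written, which can then be matched against FTP and cPanel logs. The function names, the 10-minute window and the reading of "404 then 200" as "file created in between" are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# The three access-log lines quoted in the question (combined format + vhost + server IP).
SAMPLE_LOG = """\
14.183.74.216 - - [10/Oct/2020:12:43:57 +0000] "HEAD / HTTP/1.1" 200 - "-" "-" blog.techwheels.net 209.99.16.58
14.183.74.216 - - [10/Oct/2020:12:44:06 +0000] "POST /license.php HTTP/1.1" 404 30669 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" blog.techwheels.net 209.99.16.58
14.183.74.216 - - [10/Oct/2020:12:44:36 +0000] "POST /license.php HTTP/1.1" 200 7503 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" blog.techwheels.net 209.99.16.58
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"(?: (?P<vhost>\S+))?'
)

def parse(lines):
    """Yield one dict per line that matches the log format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entry["status"] = int(entry["status"])
            yield entry

def find_dropped_scripts(lines, window=timedelta(minutes=10)):
    """Flag POSTs to a .php path answered 404, then 200 within `window`,
    for the same client, vhost and path (assumed: file written in between)."""
    misses = {}  # (ip, vhost, path) -> time of the most recent 404
    findings = []
    for e in parse(lines):
        path = e["path"].split("?", 1)[0]  # ignore any query string
        if e["method"] != "POST" or not path.lower().endswith(".php"):
            continue
        key = (e["ip"], e["vhost"], path)
        if e["status"] == 404:
            misses[key] = e["ts"]
        elif e["status"] == 200 and key in misses:
            last_404 = misses.pop(key)
            if e["ts"] - last_404 <= window:
                findings.append({"ip": key[0], "vhost": key[1], "path": path,
                                 "last_404": last_404, "first_200": e["ts"]})
    return findings

if __name__ == "__main__":
    for f in find_dropped_scripts(SAMPLE_LOG.splitlines()):
        print(f"{f['vhost']}{f['path']}: 404 at {f['last_404']}, 200 at {f['first_200']} (client {f['ip']})")
```

Run over the full access log of each domain, the reported window gives the timestamps to look up in the FTP and cPanel logs.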