jeffv via plug on 3 Sep 2023 08:55:29 -0700
Re: [PLUG] Malware Webshell Infection. - Advice Needed
That sucks. Do a little research on it, but in the interest of security, always rebuild. Hopefully the research will allow you to discover the vector, if the person who wrote it wasn't correct. If correct, check with your host. Might be a good idea to check with them regardless.
Ask yourself what's the worst that can happen either way and you have your answer.
Good luck.

On 9/3/23 05:58, Casey Bralla via plug wrote:
This morning, I received this eMail. Originally I thought it was a scam, but looks like it might be true. Here is the eMail (with redacted specifics):

Hello Casey,

Your cloud server that is hosting: [URL] and [URL] has been compromised on 2022-05-28 at 21:58, server time. I am not the threat actor, I stumbled across your server in a Shodan search. Your server with IP [IP Address] and [URL] has directory listing enabled and you can see a webshell present there, wso.php. This probably happened because your server shares the webroot with rsync without authentication; someone used this to upload the webshell. The webshell has a default password of ghost287, is run with the permissions of the www-data user so it's not possible to do heavy damage without escalating privileges, but I highly encourage you to remove it to prevent further problems for your server. Please answer if you need help to remove the webshell.

Kind regards

The file wso.php was present in /var/www along with another text file that looked like it had a password in it. I've deleted those files. But I'm wondering what my next course of action should be?

Should I completely shut down and rebuild the servers (not too hard, I've got copies of the important files)?
Should I ask the author of this eMail for help as he offered?
Should I delete the 2 files and forget about it?

Obviously, I will be changing passwords, but could a bad person already have penetrated enough to see me change them and get the new passwords also?

Any advice would be appreciated.

--
LEGAL NOTICE: This eMail contains private, personal, and/or privileged information and is only for the intended recipient(s). In fact, you really should consider yourself honored to even be cc'd on this tremendously important communication. The author spent literally seconds composing this magnificent opus of rational thought and deductive logic. Unfortunately, it has probably been based on inaccurate data, which really stinks because this eMail would have been truly awesome! If you have received this eMail in error, we respectfully DEMAND that you immediately delete it and inform the sender that you have received it in error. Then, just to be safe, you should reformat your hard drive, shave your head, renounce all material possessions (which are really controlling your life anyway), and join an end-of-times cult somewhere. Once there, you must reconsider all the terrible choices you've made in your life, and promise never to confuse "sex" with "gender" again. Of course, this assumes you have already come to terms with your inherent whiteness, AND that you have learned the lyrics to The Internationale. "Arise, wretched of the earth! Arise, convicts of hunger..." (https://en.wikipedia.org/wiki/The_Internationale) We sincerely hope you are able to get your medication stabilized and no longer have that recurring dream where you're alone in a large crowd, standing naked in a vat of chocolate Yoo-hoo. BTW, Yoo-hoo really is an underrated beverage. It's chocolatey, yet surprisingly refreshing. Pick up a 6-pack today, and tell your friends!

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
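The two conditions the tipster describes, an rsync module that exports the webroot writable without `auth users`, and a dropped PHP file in the webroot, are both things an admin can check for before deciding to rebuild. The script below is an added example written for this thread, not code from either poster; the `rsyncd.conf` contents, the sample webroot and the filenames it creates are constructed here so it runs offline, and the `KNOWN_SHELL_NAMES` list is an assumed set of common off-the-shelf shell filenames (wso.php is the one named in the message). It flags a PHP file only when it both takes request input and passes it to an execution or decoding function, or when it shows the eval-plus-decoder pattern, so a legitimate file that merely calls `base64_decode` is not reported.

```python
"""Added triage example: find writable unauthenticated rsync modules and
webshell-like PHP files in a webroot. All sample data below is constructed."""
import re
import tempfile
from pathlib import Path

# Constructed sample rsyncd.conf: [backup] is read-only and authenticated,
# [www] exports the webroot writable with no "auth users" line (the weak setting).
SAMPLE_RSYNCD_CONF = """\
uid = www-data
gid = www-data

[backup]
    path = /srv/backup
    read only = yes
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets

[www]
    path = /var/www
    read only = no
"""

PHP_SUFFIXES = {".php", ".phtml", ".php5"}
# Assumed list of filenames used by common off-the-shelf webshells.
KNOWN_SHELL_NAMES = {"wso.php", "c99.php", "r57.php", "shell.php", "cmd.php"}
# Execution / decoding functions that webshells chain together.
SUSPICIOUS_CALLS = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|popen|proc_open|"
    rb"base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)
# Request superglobals: attacker-controlled input entering the script.
INPUT_SINKS = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.IGNORECASE)


def parse_rsyncd_conf(text: str) -> dict:
    """Return {module_name: {option: value}} for an rsyncd.conf; globals are ignored."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            modules[current][key.strip().lower()] = value.strip()
    return modules


def risky_rsync_modules(text: str) -> list:
    """Modules that are writable (rsync's default is read only) and have no auth users."""
    risky = []
    for name, opts in parse_rsyncd_conf(text).items():
        writable = opts.get("read only", "yes").lower() not in ("yes", "true", "1")
        if writable and "auth users" not in opts:
            risky.append(name)
    return risky


def scan_webroot(root) -> list:
    """Return [(relative_path, [reasons])] for files that look like webshells."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in KNOWN_SHELL_NAMES:
            reasons.append("known webshell filename")
        if path.suffix.lower() in PHP_SUFFIXES:
            data = path.read_bytes()
            calls = {m.group(1).lower().decode() for m in SUSPICIOUS_CALLS.finditer(data)}
            takes_input = INPUT_SINKS.search(data) is not None
            obfuscated = "eval" in calls and bool(calls & {"base64_decode", "gzinflate", "str_rot13"})
            if (calls and takes_input) or obfuscated:
                reasons.append("suspicious PHP: " + ", ".join(sorted(calls)))
        if reasons:
            findings.append((str(path.relative_to(root)), reasons))
    return findings


def build_sample_webroot(root: Path) -> None:
    """Constructed webroot: one clean page, one benign decoder use, one dropped shell."""
    (root / "index.php").write_text('<?php echo "hello"; ?>\n')
    (root / "notes.txt").write_text("nothing to see\n")
    (root / "uploads").mkdir()
    (root / "uploads" / "legit.php").write_text('<?php $img = base64_decode($data); ?>\n')
    (root / "wso.php").write_text('<?php eval(base64_decode($_POST["c"])); ?>\n')


def triage_demo() -> tuple:
    """Run both checks against the constructed samples."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_webroot(root)
        findings = scan_webroot(root)
    return risky_rsync_modules(SAMPLE_RSYNCD_CONF), findings


if __name__ == "__main__":
    modules, findings = triage_demo()
    print("writable, unauthenticated rsync modules:", modules)
    for rel, reasons in findings:
        print(f"{rel}: {'; '.join(reasons)}")
```

On a real host you would point `scan_webroot` at `/var/www` and `risky_rsync_modules` at the text of `/etc/rsyncd.conf`; a hit on either confirms the tipster's explanation, and jeffv's advice still applies afterwards, since a webshell running as www-data can have dropped other files the scanner does not recognise.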