• Resolved derweili

    (@h3p315t05)


My hoster sent me an email in which he informed me that he had found a file that may include malicious code.
The file is stored in the nfwlog/ folder:

Here you can see the ‘virus log’ my hoster sent me.
    06:09:41 php_worm_2.UNOFFICIAL found in /www/htdocs/w01276f2/werbeagenten.de/wp-content/nfwlog/firewall_2015-05.php (chown: w01276f2.w01276f2 | last change: 2015-05-15 19:46:14.470267431 +0200 | last mod.: 2015-05-15 19:46:14.470267431 +0200 | chmod: 644) renamed to: /www/htdocs/w01276f2/werbeagenten.de/wp-content/nfwlog/VIRUS_php_worm_2.UNOFFICIAL_firewall_2015-05.php (chmod: 200)

    The file contains this code:

    <?php exit; ?>
    [1430437333] [0.02753] [werbeagenten.de] [#7563536] [0] [3] [85.25.103.119] [403] [GET] [/wp-admin/admin-ajax.php] [File upload attempt] [settings.php, 55 bytes]
    [1430565775] [0.0461] [werbeagenten.de] [#6452282] [1351] [2] [94.131.14.102] [403] [GET] [/index.php] [Access to WP configuration file] [GET:target = wp-config.php]
    [1430575623] [0.05059] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430575625] [0.00559] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430590682] [0.0745] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430597560] [0.06159] [werbeagenten.de] [#1144130] [0] [3] [185.14.29.221] [403] [POST] [/wp-admin/admin-ajax.php] [File upload attempt] [settings.php, 55 bytes]
    [1430597588] [0.00999] [werbeagenten.de] [#8922646] [1369] [3] [37.187.129.166] [403] [POST] [/index.php] [WordPress: Download Manager remote command execution] [POST:execute = a950a2fc20d02a92]
    [1430606281] [0.02115] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430606283] [0.00994] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430622155] [0.05988] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430717430] [0.03979] [werbeagenten.de] [#5469888] [0] [3] [197.231.221.211] [403] [GET] [/wp-admin/admin-ajax.php] [File upload attempt] [settings.php, 55 bytes]
    [1430768329] [0.02561] [werbeagenten.de] [#2560320] [0] [3] [94.131.14.200] [403] [POST] [/wp-admin/admin-ajax.php] [File upload attempt] [revslider.zip, 383 bytes]
    [1430772860] [0.01431] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430772862] [0.01536] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430809941] [0.04791] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430829609] [0.04308] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430829611] [0.01696] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430836608] [0.06097] [wa.test.werbeagenten.de] [#2026797] [540] [2] [217.8.62.95] [403] [POST] [/installer.php] [Localhost IP in GET/POST request] [POST:dbhost = localhost]
    [1430913127] [0.04791] [werbeagenten.de] [#3347743] [1351] [2] [194.33.184.31] [403] [GET] [/index.php] [Access to WP configuration file] [GET:file = wp-config.php]
    [1430919902] [0.0274] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430919903] [0.00269] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430919904] [0.06461] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1430919905] [0.00128] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
[1430934840] [0.0445] [werbeagenten.de] [#2121744] [160] [3] [212.250.16.17] [403] [GET] [/index.php] [Shellshock vulnerability (CVE-2014-6271)] [SERVER:HTTP_COOKIE = () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;/bin/uname -a;echo @]
    [1431000147] [0.0476] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431000149] [0.0107] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431020945] [0.03528] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431020947] [0.01543] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431039072] [0.03481] [werbeagenten.de] [#7842020] [0] [3] [46.165.221.166] [403] [POST] [/wp-admin/admin-ajax.php] [File upload attempt] [settings.php, 55 bytes]
    [1431039073] [0.00621] [werbeagenten.de] [#5038922] [0] [3] [176.106.54.54] [403] [GET] [/wp-admin/admin-ajax.php] [File upload attempt] [settings.php, 55 bytes]
    [1431039074] [0.0024] [werbeagenten.de] [#4260322] [1369] [3] [77.244.254.227] [403] [POST] [/index.php] [WordPress: Download Manager remote command execution] [POST:execute = a950a2fc20d02a92]
    [1431042134] [0.01225] [werbeagenten.de] [#8103103] [0] [3] [81.89.96.90] [403] [GET] [/wp-admin/admin-ajax.php] [File upload attempt] [settings.php, 55 bytes]
    [1431095186] [0.01344] [werbeagenten.de] [#0000000] [0] [6] [64.74.215.113] [200] [HEAD] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)']
    [1431097191] [0.01436] [werbeagenten.de] [#3491468] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:guige = @eval(base64_decode($_POST[z0]));]
    [1431097191] [0.00124] [werbeagenten.de] [#7831004] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:lemon = @eval(base64_decode($_POST[z0]));]
    [1431097192] [0.00168] [werbeagenten.de] [#5440076] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:laobiao = @eval(base64_decode($_POST[z0]));]
    [1431097192] [0.00112] [werbeagenten.de] [#2534817] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:511348 = @eval(base64_decode($_POST[z0]));]
    [1431097193] [0.01417] [werbeagenten.de] [#8414994] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:guige = @eval(base64_decode($_POST[z0]));]
    [1431097193] [0.01865] [werbeagenten.de] [#5652525] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:x = @eval(base64_decode($_POST[z0]));]
    [1431097194] [0.01196] [werbeagenten.de] [#2911275] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:long = @eval(base64_decode($_POST[z0]));]
    [1431097194] [0.01797] [werbeagenten.de] [#2512077] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:110 = @eval(base64_decode($_POST[z0]));]
    [1431097195] [0.00114] [werbeagenten.de] [#2065127] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:e7xue = @eval(base64_decode($_POST[z0]));]
    [1431097195] [0.00133] [werbeagenten.de] [#4312271] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:mybak = @eval(base64_decode($_POST[z0]));]
    [1431110762] [0.21193] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431110764] [0.01282] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431141456] [0.06711] [werbeagenten.de] [#5106358] [0] [3] [94.131.14.200] [403] [POST] [/index.php] [File upload attempt] [Handler.php, 139 bytes]
    [1431142648] [0.03426] [werbeagenten.de] [#2201366] [0] [3] [94.131.14.200] [403] [POST] [/index.php] [File upload attempt] [wp-framework.php, 139 bytes]
    [1431143838] [0.1958] [werbeagenten.de] [#5568935] [1369] [3] [94.131.14.200] [403] [POST] [/index.php] [WordPress: Download Manager remote command execution] [POST:execute = wp_insert_user]
    [1431154462] [0.05143] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431276033] [0.02948] [werbeagenten.de] [#1630478] [1391] [3] [91.212.124.19] [403] [GET] [/index.php] [WordPress: WP All Import shell upload] [REQUEST:page = pmxi-admin-settings]
    [1431276033] [0.00987] [werbeagenten.de] [#5673795] [1391] [3] [91.212.124.19] [403] [GET] [/index.php] [WordPress: WP All Import shell upload] [REQUEST:page = pmxi-admin-settings]
    [1431344364] [0.06498] [werbeagenten.de] [#3309507] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:guige = @eval(base64_decode($_POST[z0]));]
    [1431344365] [0.12487] [werbeagenten.de] [#5727409] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:lemon = @eval(base64_decode($_POST[z0]));]
    [1431344366] [0.01859] [werbeagenten.de] [#4411389] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:laobiao = @eval(base64_decode($_POST[z0]));]
    [1431344367] [0.08923] [werbeagenten.de] [#8923501] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:511348 = @eval(base64_decode($_POST[z0]));]
    [1431344367] [0.01285] [werbeagenten.de] [#4532395] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:1 = @eval(base64_decode($_POST[z0]));]
    [1431344368] [0.01778] [werbeagenten.de] [#6449172] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:x = @eval(base64_decode($_POST[z0]));]
    [1431344368] [0.02808] [werbeagenten.de] [#1559788] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:long = @eval(base64_decode($_POST[z0]));]
    [1431344369] [0.02665] [werbeagenten.de] [#7132528] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:e7xue = @eval(base64_decode($_POST[z0]));]
    [1431344369] [0.0124] [werbeagenten.de] [#8169666] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:mybak = @eval(base64_decode($_POST[z0]));]
    [1431392920] [0.03133] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431392922] [0.00646] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431490140] [0.19907] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431490141] [0.02445] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431512484] [0.05045] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431544965] [0.04388] [werbeagenten.de] [#1321948] [1391] [3] [91.212.124.19] [403] [GET] [/wp-admin/admin-ajax.php] [WordPress: WP All Import shell upload] [REQUEST:page = pmxi-admin-settings]
    [1431544965] [0.01821] [werbeagenten.de] [#3159275] [1391] [3] [91.212.124.19] [403] [GET] [/wp-admin/admin-ajax.php] [WordPress: WP All Import shell upload] [REQUEST:page = pmxi-admin-settings]
    [1431558322] [0.02603] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431558324] [0.01407] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431596068] [0.04081] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431596070] [0.01572] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431705197] [0.03852] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431705199] [0.013] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
    [1431705199] [0.00156] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
[1431711387] [0.01339] [werbeagenten.de] [#1549320] [160] [3] [5.134.126.206] [403] [GET] [/index.php] [Shellshock vulnerability (CVE-2014-6271)] [SERVER:HTTP_COOKIE = () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;/bin/uname -a;echo @]
    [1431711974] [0.01131] [werbeagenten.de] [#5920376] [0] [3] [89.227.108.231] [403] [POST] [/index.php] [File upload attempt] [11.jpg, 1,478 bytes]

    I’m not sure whether it really is malicious code.
    It would be great if you could give me feedback so I can tell my hoster what to do.

    https://wordpress.org/plugins/ninjafirewall/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    This is the firewall log, and there is nothing wrong or suspicious: it contains threats blocked by the firewall.
    It is a false positive.
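To make the reply concrete: the flagged file is a record of requests the firewall already rejected, and the scanner matched on the attack payloads that the log quotes verbatim. The Python below is an added example (not part of the original thread and not NinjaFirewall's own code) that parses lines in the layout shown in the post, confirms the `<?php exit; ?>` guard is still the first line (so a direct request for the .php file produces no output), and tallies blocked versus merely logged requests. The column names are assumptions inferred from the visible fields, and the sample lines are constructed in the same layout as the posted ones.

```python
import re
from collections import Counter

# Constructed sample in the layout of the posted nfwlog lines (not the original
# file). Column names below are assumptions drawn from the visible fields.
SAMPLE_LOG = """<?php exit; ?>
[1430437333] [0.02753] [werbeagenten.de] [#7563536] [0] [3] [85.25.103.119] [403] [GET] [/wp-admin/admin-ajax.php] [File upload attempt] [settings.php, 55 bytes]
[1430575623] [0.05059] [werbeagenten.de] [#0000000] [0] [6] [188.40.53.78] [200] [GET] [/index.php] [Sanitising user input] [HTTP_USER_AGENT: "echocrawl 2.0"]
[1430934840] [0.0445] [werbeagenten.de] [#2121744] [160] [3] [212.250.16.17] [403] [GET] [/index.php] [Shellshock vulnerability (CVE-2014-6271)] [SERVER:HTTP_COOKIE = () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;/bin/uname -a;echo @]
[1431097191] [0.01436] [werbeagenten.de] [#3491468] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:guige = @eval(base64_decode($_POST[z0]));]
[1431097191] [0.00124] [werbeagenten.de] [#7831004] [156] [2] [204.12.217.93] [403] [POST] [/index.php] [Code injection #2] [POST:lemon = @eval(base64_decode($_POST[z0]));]
"""

GUARD = "<?php exit; ?>"

# Assumed column names, left to right, for the twelve bracketed fields.
FIELDS = ("timestamp", "elapsed", "host", "incident", "rule_id", "level",
          "ip", "http_status", "method", "uri", "description", "details")

# Eleven bracketed columns separated by single spaces, then a final bracketed
# column that may itself contain ']' (e.g. $_POST[z0]), so the last one is
# matched greedily up to the closing ']' at end of line.
LINE_RE = re.compile(r"^" + r" ".join([r"\[([^\]]*)\]"] * 11) + r" \[(.*)\]$")


def parse_line(line):
    """Return a dict for one log record, or None for the guard, blank or
    unparseable lines (the guard is handled separately by starts_inert)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    for key in ("timestamp", "rule_id", "level", "http_status"):
        rec[key] = int(rec[key])
    return rec


def starts_inert(text):
    """True when the first line is the exit guard, which makes the .php log
    terminate before emitting any of the payload text that follows it."""
    lines = text.splitlines()
    return bool(lines) and lines[0].strip() == GUARD


def php_tags_after_guard(text):
    """1-based line numbers after the guard that carry a PHP open tag. With
    the guard in place they never execute, but knowing whether any exist is
    useful when explaining a false positive to a hoster."""
    return [i for i, l in enumerate(text.splitlines(), 1)
            if i > 1 and "<?php" in l]


def summarize(text):
    """Tally blocked (403) versus passed requests and the top blocked
    signatures and source IPs, the way a quick triage of the log would."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    blocked = [r for r in records if r["http_status"] == 403]
    return {
        "total": len(records),
        "blocked": len(blocked),
        "passed": len(records) - len(blocked),
        "by_description": Counter(r["description"] for r in blocked),
        "by_ip": Counter(r["ip"] for r in blocked),
    }


if __name__ == "__main__":
    print("guard present:", starts_inert(SAMPLE_LOG))
    print("php tags after guard:", php_tags_after_guard(SAMPLE_LOG))
    s = summarize(SAMPLE_LOG)
    print(f"{s['blocked']} blocked / {s['passed']} passed of {s['total']}")
    for desc, n in s["by_description"].most_common():
        print(f"  {n:3d}  {desc}")
```

Run it against the real file (after the hoster restores it) to get a per-signature count you can attach to the false-positive report; a file that fails `starts_inert`, or where `php_tags_after_guard` returns line numbers, is the case that deserves a closer look rather than a quick dismissal.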

    Thread Starter derweili

    (@h3p315t05)

Thank you for your reply, I reported it as a false positive.

  • The topic ‘Malware found in log folder?’ is closed to new replies.