
A PHP file on my Apache web server keeps being renamed to .php.suspected. The particular file is:

/home/apache/www/html/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Node/Expr/Eval_.php.suspected

I tried to find out which process did this by using the audit log and was able to get the following information. It gave me the PID and PPID numbers, but I cannot search for the name of the process. Would someone be able to help me? Thank you.

sudo ausearch -f /home/apache/www/html/nextcloud
----
time->Thu Mar 15 06:28:55 2018
type=PATH msg=audit(1521109735.929:32994): item=0 name="/home/apache/www/html/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Node/Expr/Eval_.php" inode=1617455 dev=00:29 mode=0100444 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521109735.929:32994):  cwd="/home/apache/www/html/piwigo/language/km_KH"
type=SYSCALL msg=audit(1521109735.929:32994): arch=c000003e syscall=2 success=yes exit=31 a0=7ffcca222310 a1=0 a2=1b6 a3=7ffcca21f35c items=1 ppid=4585 pid=17890 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)
----
time->Thu Mar 15 06:28:56 2018
type=PATH msg=audit(1521109736.565:32997): item=0 name="/home/apache/www/html/nextcloud/3rdparty/rackspace/php-opencloud/lib/OpenCloud/LoadBalancer/Resource/ContentCaching.php" inode=258612 dev=00:29 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521109736.565:32997):  cwd="/home/apache/www/html/piwigo/language/km_KH"
type=SYSCALL msg=audit(1521109736.565:32997): arch=c000003e syscall=2 success=yes exit=31 a0=7ffcca222310 a1=0 a2=1b6 a3=1 items=1 ppid=4585 pid=17890 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)
----
time->Thu Mar 15 06:29:07 2018
type=PATH msg=audit(1521109747.461:32998): item=0 name="/home/apache/www/html/nextcloud/3rdparty/rackspace/php-opencloud/lib/OpenCloud/LoadBalancer/Resource/ContentCaching.php" inode=258612 dev=00:29 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521109747.461:32998):  cwd="/home/apache/www/html/piwigo/language/km_KH"
type=SYSCALL msg=audit(1521109747.461:32998): arch=c000003e syscall=2 success=yes exit=31 a0=7ffcca222310 a1=0 a2=1b6 a3=1 items=1 ppid=4585 pid=17890 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)
----
time->Thu Mar 15 06:30:25 2018
type=PATH msg=audit(1521109825.005:33011): item=0 name="/home/apache/www/html/nextcloud/3rdparty/rackspace/php-opencloud/lib/OpenCloud/LoadBalancer/Resource/ContentCaching.php" inode=258612 dev=00:29 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521109825.005:33011):  cwd="/home/apache/www/html/components/com_wrapper"
type=SYSCALL msg=audit(1521109825.005:33011): arch=c000003e syscall=2 success=yes exit=31 a0=7ffcca222310 a1=0 a2=1b6 a3=1 items=1 ppid=4585 pid=17890 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)
----
time->Thu Mar 15 06:30:36 2018
type=PATH msg=audit(1521109836.473:33012): item=0 name="/home/apache/www/html/nextcloud/3rdparty/rackspace/php-opencloud/lib/OpenCloud/LoadBalancer/Resource/ContentCaching.php" inode=258612 dev=00:29 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521109836.473:33012):  cwd="/home/apache/www/html/components/com_wrapper"
type=SYSCALL msg=audit(1521109836.473:33012): arch=c000003e syscall=2 success=yes exit=31 a0=7ffcca222310 a1=0 a2=1b6 a3=1 items=1 ppid=4585 pid=17890 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)
----
time->Fri Mar 16 05:01:11 2018
type=PATH msg=audit(1521190871.159:37515): item=0 name="/home/apache/www/html/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Node/Expr/Eval_.php" inode=1617455 dev=00:29 mode=0100444 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521190871.159:37515):  cwd="/"
type=SYSCALL msg=audit(1521190871.159:37515): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd47ee2edc a1=0 a2=1b6 a3=0 items=1 ppid=15352 pid=15354 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="md5sum" exe="/usr/bin/md5sum" key=(null)
----
time->Fri Mar 16 05:01:11 2018
type=PATH msg=audit(1521190871.619:37516): item=0 name="/home/apache/www/html/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Node/Expr/Eval_.php" inode=1617455 dev=00:29 mode=0100444 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521190871.619:37516):  cwd="/"
type=SYSCALL msg=audit(1521190871.619:37516): arch=c000003e syscall=2 success=yes exit=3 a0=7fff46f40ee4 a1=0 a2=1b6 a3=0 items=1 ppid=4437 pid=15356 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="od" exe="/usr/bin/od" key=(null)
  • [security.stackexchange](https://security.stackexchange.com/) might be a better option than SO. – Script47 Mar 28 '18 at 15:05
  • It looks like your source files are owned by the Apache user, and thus writable by the Apache process. Don't do that. Make the files (and dirs) owned by a different user and revoke write permission. – Alex Howansky Mar 28 '18 at 15:09
  • Sounds like you've been hacked. See this post, which is not exactly a duplicate: https://stackoverflow.com/questions/32835796/php-file-automatically-renamed-to-php-suspected – elixenide Mar 28 '18 at 15:09
  • Also, please pay attention to your formatting when posting. – elixenide Mar 28 '18 at 15:10
  • This is not your own server, right? I had a bug in some code running on a hoster, and this bug was killing their server (infinite loop), so they rewrote the file to something else to stop it from running. I had to contact them to know wtf was going on. Bug fixed, issue resolved. Could that be similar to your problem? – Nic3500 Mar 28 '18 at 18:55
  • Hi Ed, how did you format the text? I was not sure how to format it properly, so I just cut and pasted the log. – XU LUV Mar 28 '18 at 21:06
  • Alex, I will try removing the write permission on the PHP files from the Apache user. – XU LUV Mar 28 '18 at 21:09
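
Added example, not from the question or from any of the commenters: a Python script that parses the raw ausearch records above and answers both points raised on this page, the question's (which process, by pid/ppid/comm/exe, opened the file) and Alex Howansky's (whether that process's uid could write the file, judged from the PATH record's ouid/ogid/mode). The two sample events are copied from the post with the CWD records left out; the syscall numbers and open(2) flag values are the x86_64 ones (arch=c000003e in the records); live_process_name is my own helper that reads /proc and only returns something while the PID is still alive.

```python
"""Summarise raw ausearch records: which process opened which file, and could it write it."""
import os
import re
from typing import Any, Dict, List, Optional

# Two events copied from the ausearch output in the question (x86_64 host).
SAMPLE = """\
----
time->Thu Mar 15 06:28:55 2018
type=PATH msg=audit(1521109735.929:32994): item=0 name="/home/apache/www/html/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Node/Expr/Eval_.php" inode=1617455 dev=00:29 mode=0100444 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1521109735.929:32994): arch=c000003e syscall=2 success=yes exit=31 a0=7ffcca222310 a1=0 a2=1b6 a3=7ffcca21f35c items=1 ppid=4585 pid=17890 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)
----
time->Fri Mar 16 05:01:11 2018
type=PATH msg=audit(1521190871.159:37515): item=0 name="/home/apache/www/html/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Node/Expr/Eval_.php" inode=1617455 dev=00:29 mode=0100444 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1521190871.159:37515): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd47ee2edc a1=0 a2=1b6 a3=0 items=1 ppid=15352 pid=15354 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="md5sum" exe="/usr/bin/md5sum" key=(null)
"""

# x86_64 (arch=c000003e) syscall numbers relevant to a file being read, rewritten or renamed.
SYSCALL_NAMES = {2: "open", 257: "openat", 82: "rename", 264: "renameat",
                 316: "renameat2", 87: "unlink", 263: "unlinkat", 90: "chmod"}
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAG_BITS = [(0o100, "O_CREAT"), (0o1000, "O_TRUNC"), (0o2000, "O_APPEND")]
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Turn one 'type=... k=v k=v' record into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def split_events(text: str) -> List[Dict[str, Any]]:
    """Group records into events; ausearch separates events with '----'."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("----"):
            if current:
                events.append(current)
            current = {}
        elif current is not None and line.startswith("time->"):
            current["time"] = line[len("time->"):]
        elif current is not None and line.startswith("type="):
            rec = parse_record(line)
            current[rec["type"]] = rec      # keyed PATH / CWD / SYSCALL
    if current:
        events.append(current)
    return events


def describe_open_flags(flags: int) -> str:
    """Decode the open(2) flags argument (a1) the way `ausearch -i` would."""
    names = [ACCESS_MODES.get(flags & 0o3, "O_ACCMODE?")]
    return "|".join(names + [n for bit, n in OPEN_FLAG_BITS if flags & bit])


def mode_allows_write(ouid: int, ogid: int, mode: int, uid: int, gids) -> bool:
    """Plain UNIX mode check: could this uid rewrite the file's contents? Ignores ACLs;
    the owner can chmod it back anyway, and rename/unlink need write on the directory."""
    if uid == 0:
        return True
    if uid == ouid:
        return bool(mode & 0o200)
    if ogid in gids:
        return bool(mode & 0o020)
    return bool(mode & 0o002)


def summarise(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Join the SYSCALL and PATH records of one event into one flat row."""
    sc, path = event.get("SYSCALL"), event.get("PATH")
    if not sc or not path:
        return None
    nr, uid, gid = int(sc["syscall"]), int(sc["uid"]), int(sc["gid"])
    ouid, ogid, mode = int(path["ouid"]), int(path["ogid"]), int(path["mode"], 8)
    flags = describe_open_flags(int(sc["a1"], 16)) if nr == 2 else None
    return {"time": event.get("time"), "syscall": SYSCALL_NAMES.get(nr, str(nr)),
            "flags": flags, "uid": uid, "pid": int(sc["pid"]),
            "ppid": int(sc["ppid"]), "comm": sc["comm"], "exe": sc["exe"],
            "path": path["name"], "ouid": ouid, "mode": path["mode"],
            "could_write": mode_allows_write(ouid, ogid, mode, uid, {gid})}


def live_process_name(pid: int) -> Optional[Dict[str, Optional[str]]]:
    """Name a PID from /proc (Linux) if it is still alive, else None; short-lived
    apache2 workers and cron children are gone by the time you read old logs."""
    try:
        with open(f"/proc/{pid}/comm") as fh:
            comm = fh.read().strip()
    except OSError:
        return None
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:                          # e.g. EACCES on another user's process
        exe = None
    return {"comm": comm, "exe": exe}


if __name__ == "__main__":
    print(*map(summarise, split_events(SAMPLE)), sep="\n")
    print(live_process_name(os.getpid()), live_process_name(0))
```

The process name is already in the SYSCALL record: comm= and exe= name the program (apache2 on 15 March, md5sum and od as root on 16 March), and `ausearch -i` prints syscall numbers and uids as names without any script. Two caveats a reader should take from the output: every record shown is open(2) with a1=0, i.e. O_RDONLY, so these are reads, and the rename itself would appear as a rename/renameat/renameat2 event with two PATH items; and the mode check is by mode bits only, so a file owned by the web server's uid counts as effectively writable even at 0444, which is the point of moving ownership to a separate user.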

0 Answers