# Server Compromise Cleanup & Hardening Guide (PHP Backdoor Incident)

## Overview

This document outlines the steps required to:

* Identify a compromised PHP server
* Remove malware/backdoors
* Prevent reinfection
* Harden the system for production

This guide is based on a real incident involving:

* Obfuscated PHP loader
* Remote payload execution
* Persistent backdoor (`l.php`)
* Temporary execution via `/tmp`

---

# Indicators of Compromise (IoC)

Check for:

### 1. Suspicious PHP errors

```
Array and string offset access syntax with curly braces is no longer supported
```

This is the PHP 8 fatal error for the `$str{0}` offset syntax that was removed in 8.0. Maintained application code rarely triggers it; an obfuscated loader written years ago and dropped onto a modern runtime does. An unexplained occurrence in the error log names the file to inspect first.

### 2. Unknown PHP files

* `l.php`
* `admin.php` (when the application does not ship one)
* Random small `.php` files, typically in upload, cache or temp directories

### 3. Suspicious processes

```
php /path/to/file.php
php -f /tmp/something.conf
```

The second form is the pattern from this incident: the payload is written with a non-`.php` extension (here `.conf`) and handed to the interpreter, so checks that only look for `*.php` miss it.

### 4. External callbacks

* Outbound connections from the web server user to `.xyz`, `.top`, `.ru` domains
* Base64-encoded URLs inside PHP source

---

# Detection Steps

## 1. Check running processes

```bash
ps auxww | grep '[p]hp'
```

(`auxww` prevents long command lines from being truncated; the `[p]hp` pattern keeps the grep itself out of the list.)

Look for:

* direct execution (`php file.php`)
* execution of files under `/tmp`, `/var/tmp` or `/dev/shm`
* processes owned by the web server user (`www-data`) that are not `php-fpm` workers

---

## 2. Search for malware patterns

```bash
grep -RlE --include='*.php' 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' /home/
grep -Rl --include='*.php' 'GLOBALS' /home/
```

`-l` lists only the file names and `--include` restricts the search to PHP files. Expect false positives: libraries use `base64_decode` legitimately and `GLOBALS` is a noisy pattern on its own. A hit is a file to read, not a file to delete; the combination of `eval` with a decoding function in a file the application does not ship is what matters.

---

## 3. Find suspicious small PHP files

```bash
find /home/ -type f -name "*.php" -size -5k
```

`find` rounds sizes up to 1 KiB blocks, so `-size -5k` matches files of up to 4 KiB. A dropped webshell is usually a few hundred bytes.

---

## 4. Check recently modified files

```bash
find /home/ -type f -mtime -2
find /home/ -type f -ctime -2
```

`-mtime -2` lists files modified within the last 48 hours. Attackers routinely reset the modification time with `touch` to blend in, but the inode change time (`ctime`) is updated by that very `touch` and cannot be set from user space, so a file whose `ctime` is recent and whose `mtime` is old deserves a look.

---

## 5. Inspect /tmp directory

```bash
ls -lah /tmp /var/tmp /dev/shm
```

Look for:

* `.php` files
* `.conf` (or any other extension) files that start with `<?php`
* random names and dot-prefixed files

---

## 6. Check cron jobs

```bash
crontab -l
for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"; done
ls -la /etc/cron* /var/spool/cron/crontabs
systemctl list-timers --all
```

`crontab -l` shows only the current user's crontab; the loop (run as root) covers every account, including the web server user, which is where persistence for this kind of infection usually lands. Systemd timers are a second scheduler to check.

---

# Immediate Containment

Before killing or deleting anything, copy the suspicious files and the current process and socket listing (`ps auxww`, `ss -tnp`) somewhere the web server cannot reach. The samples are needed for root-cause analysis and to extract the callback domains to block.

## Kill malicious processes

```bash
kill -9 <PID>
```

Or, to stop every interpreter that is reading a file from `/tmp`:

```bash
pkill -9 -f 'php.* /tmp/'
```

A plain `pkill -9 php` matches the process name as a regular expression, so it also kills the `php-fpm` master and workers and takes the site down. That is acceptable in an emergency, but the `-f` form above is more targeted.

---

## Remove backdoor files

```bash
mkdir -p /root/quarantine && chmod 700 /root/quarantine
mv /path/to/l.php /tmp/malicious_file /root/quarantine/
```

Quarantining instead of `rm -f` keeps the evidence. Note that deleting a file does not stop a process that already has it open or has already compiled it; kill the processes first.

---

## Restart PHP services

```bash
systemctl restart php8.3-fpm
systemctl restart apache2
```

Restarting FPM also discards OPcache. This matters when `opcache.validate_timestamps` is off, because a deleted backdoor can otherwise keep being served from cached bytecode.

---

# Cleanup Procedure

## 1. Delete infected entry points

* `index.php` (if modified; compare with the copy in version control)
* unknown `.php` files

---

## 2. Restore clean code

* Deploy from Git / a local backup taken before the first IoC timestamp
* DO NOT reuse server files: a "cleaned" tree still contains whatever the grep patterns missed

---

## 3. Remove hidden files

```bash
find /home/ -type f -name ".*.php"
```

---

## 4. Verify no malware remains

```bash
grep -RlE --include='*.php' 'eval\(|base64_decode\(' /home/
```

If the site is a Git checkout, `git status` and `git diff` against the deployed revision are the authoritative check; the grep is a second opinion.

---

# Security Hardening

## 1. Fix permissions

```bash
find /home/ -type f -exec chmod 644 {} \;
find /home/ -type d -exec chmod 755 {} \;
```

Mode bits only help if ownership is right. Application code should be owned by the deploy user, not by `www-data`, so that the PHP process cannot rewrite it; only upload and cache directories should be writable by the web server user. If the whole tree is owned by `www-data`, the commands above change nothing security-wise.

---

## 2. Disable dangerous PHP functions

Edit `php.ini`:

```ini
disable_functions = exec,shell_exec,system,passthru,popen,proc_open
```

Apply it to both `/etc/php/8.3/fpm/php.ini` and `/etc/php/8.3/cli/php.ini`: the payload in this incident ran through the CLI binary, which reads its own configuration. Keep `allow_url_include` at its default `Off`, and set `allow_url_fopen = Off` if the application does not need to fetch remote URLs, since that is how the loader pulled its payload. `disable_functions` is a speed bump, not a boundary: it does not stop `eval`, `include` or file writes.

---

## 3. Secure `/tmp` directory

```bash
mount -o remount,noexec /tmp
```

This only works when `/tmp` is a separate mount (check with `findmnt /tmp`). Permanent fix (`/etc/fstab`):

```
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0
```

`noexec` blocks running a binary or script directly from `/tmp`. It does not block `php -f /tmp/something.conf`, because the executable is `/usr/bin/php` and `/tmp` is only read from. Treat it as one layer; the `disable_functions`, outbound filtering and `open_basedir` in the FPM pool are what limit an interpreter that is already running.

---

## 4. Block PHP execution in uploads

Add `.htaccess` to the uploads directory:

```apache
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
```

A bare `Deny from all` (Apache 2.2 syntax, only honoured in 2.4 through `mod_access_compat`) denies every request in the directory, including the images the uploads exist to serve. The `<FilesMatch>` block above denies only script-like names and requires `AllowOverride AuthConfig` (or `All`) on the directory. With PHP-FPM, `php_flag engine off` in `.htaccess` has no effect. Prefer putting the same block in the server configuration: a `.htaccess` in a directory the web server can write to can be replaced by the next upload.

---

## 5. Restrict outbound traffic (optional)

* Allow only required ports (80, 443, and 53 to your own resolvers)
* Block and log all other outbound connections

Egress filtering on 80/443 still lets an HTTP payload fetch through; the value is in the drop logs and in cutting non-HTTP command-and-control. An outbound proxy with an allow-list is the stronger option.

---

# Credential Rotation (MANDATORY)

Change ALL:

* SSH passwords / keys
* FTP credentials
* Hosting panel (cPanel / DirectAdmin)
* Database passwords, including the copies in application configuration files
* API keys and application secrets stored on the server

Rotate after the backdoor is gone, not before; a credential rotated while the webshell is still live is a credential handed to the attacker. Invalidate existing application sessions at the same time.

---

# Root Cause Possibilities

Most likely entry points:

1. Weak FTP credentials
2. Vulnerable file upload script
3. Outdated admin panel
4. Exposed API endpoint

Confirm with the web server access log: the first request to the backdoor path, and the request that created it (usually a `POST` to an upload or admin endpoint from the same client), date the intrusion and name the hole.

---

# Final Verification Checklist

* [ ] No suspicious PHP processes running
* [ ] No files executing from `/tmp`
* [ ] No unknown `.php` files exist
* [ ] No cron jobs executing PHP
* [ ] Entry point identified and closed
* [ ] Passwords rotated
* [ ] `/tmp` locked (`noexec`)
* [ ] PHP dangerous functions disabled

---

# Recommendations

* Use a WAF (Cloudflare / ModSecurity)
* Enable logging + alerts
* Use fail2ban for brute-force protection
* Restrict file uploads strictly
* Regularly audit server files

---

# Important Note

If a backdoor was found:

> Assume full compromise.

Always:

* clean completely
* rotate credentials
* audit all services

If the entry point cannot be determined, in-place cleanup is not enough: rebuild from a clean image and redeploy from version control.

---

# Conclusion

This was a typical automated PHP malware infection involving:

* obfuscated loader
* remote payload execution
* persistent webshell

After proper cleanup and hardening, and with the entry point closed, the system can be considered secure again.

---

**Maintained by:** DevOps / Security Team
**Last Updated:** March 2026
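The following script is an added example for the "Detection Steps" and "Verify no malware remains" sections. It is not part of the original guide. It runs the guide's three file heuristics (obfuscation patterns, dot-prefixed PHP files, tiny PHP files) over a directory and reports each hit with its reason. The web root it scans is constructed in a temp dir so the script runs offline; the file names and contents there are invented stand-ins for the incident's `l.php` loader and a hidden dropper, not real samples.

```bash
#!/usr/bin/env bash
# Added triage script, not part of the original guide. The web root it builds
# is a constructed sample so the scan runs offline.

# Build a hypothetical web root: one clean file, one vendor file, two planted ones.
make_sample_webroot() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/site/uploads" "$root/site/vendor/lib"
  # Clean application file, padded to a realistic size (over 1 KiB).
  { echo '<?php'; for i in $(seq 1 60); do echo "function route_$i(\$req) { return \$req['id'] + $i; }"; done; } \
    > "$root/site/index.php"
  # Constructed stand-in for the obfuscated loader: eval over a base64 blob.
  printf '<?php $c=$_POST["c"];eval(base64_decode($c));\n' > "$root/site/l.php"
  # Constructed hidden dropper using the pre-PHP-8 curly-brace offset syntax.
  printf '<?php $g=$GLOBALS{"_GET"}; @include("/tmp/x.conf");\n' > "$root/site/uploads/.cache.php"
  # Small but legitimate vendor file, to show the vendor/ exclusion.
  printf '<?php return ["name" => "lib"];\n' > "$root/site/vendor/lib/config.php"
  printf '%s\n' "$root"
}

# Scan a directory with the guide's heuristics. Prints "<reason> <path>" per
# finding and returns 1 if anything was found, 0 if the tree looks clean.
# Hits are leads to read, not files to delete.
scan_php_dir() {
  local dir=$1 found=0 hits
  # 1. Execution primitives and obfuscation helpers, PHP files only.
  hits=$(grep -RlE --include='*.php' \
    'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|\$GLOBALS\{' "$dir" 2>/dev/null || true)
  [ -n "$hits" ] && { printf '%s\n' "$hits" | sed 's/^/pattern /'; found=1; }
  # 2. Dot-prefixed PHP files: applications almost never ship them.
  hits=$(find "$dir" -type f -name '.*.php' 2>/dev/null || true)
  [ -n "$hits" ] && { printf '%s\n' "$hits" | sed 's/^/hidden /'; found=1; }
  # 3. Tiny PHP files outside vendor/: the usual size of a dropped shell.
  #    find rounds up to 1 KiB blocks, so -2k means 1 KiB or less.
  hits=$(find "$dir" -type f -name '*.php' -size -2k ! -path '*/vendor/*' 2>/dev/null || true)
  [ -n "$hits" ] && { printf '%s\n' "$hits" | sed 's/^/small /'; found=1; }
  return "$found"
}

# Demo: ./scan.sh --demo builds the sample tree, scans it and cleans up.
if [ "${1:-}" = "--demo" ]; then
  root=$(make_sample_webroot)
  scan_php_dir "$root"
  echo "exit status: $?"
  rm -rf "$root"
fi
```

On a live host, call `scan_php_dir /home/` (the guide's web root) and read every `pattern` hit in full before deciding; the `small` heuristic in particular will flag legitimate one-line config files, which is why the example excludes `vendor/` and why a Git diff against the deployed revision remains the authoritative check.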
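The next script is an added example for the "Check running processes", "Check cron jobs" and "Kill malicious processes" steps; it is not part of the original guide. It classifies command lines the way the guide's bullet points describe: a PHP interpreter reading a file from `/tmp`, `/var/tmp` or `/dev/shm`, or a path without a `.php` extension, is `HIGH`; any other direct CLI invocation is `REVIEW`; `php-fpm` workers and non-PHP processes are `OK`. The `ps aux` snapshot and crontab text are constructed, not real output, so the script runs offline; on a live host pipe in `ps auxww` and `crontab -l -u www-data` instead.

```bash
#!/usr/bin/env bash
# Added process/cron triage, not part of the original guide. SAMPLE_PS and
# SAMPLE_CRON below are constructed input, not captured from a real host.

# Classify one command line: prints HIGH, REVIEW or OK (see lead-in).
classify_php_cmd() {
  local cmd=$1 level=REVIEW w
  case "$cmd" in
    php-fpm:*) echo OK; return 0 ;;          # FPM master and pool workers
  esac
  set -f                                     # no globbing while splitting
  set -- $cmd
  set +f
  case "${1:-}" in
    php|*/php|php[0-9]*|*/php[0-9]*) ;;      # a CLI interpreter invocation
    *) echo OK; return 0 ;;
  esac
  shift
  for w in "$@"; do
    case "$w" in
      /tmp/*|/var/tmp/*|/dev/shm/*) level=HIGH ;;   # world-writable tmp
      -*) ;;                                        # interpreter flag
      */*.php) ;;                                   # ordinary script path
      */*) level=HIGH ;;                            # path that is not a .php file
    esac
  done
  echo "$level"
}

# Read `ps aux` text on stdin; print "<level> <pid> <user> <command>" for
# anything not OK. The command starts at field 11, so read leaves the rest
# of the line in the last variable.
triage_ps() {
  local user pid cpu mem vsz rss tty stat start time cmd level
  while read -r user pid cpu mem vsz rss tty stat start time cmd; do
    [ "$user" = "USER" ] && continue         # header line
    level=$(classify_php_cmd "$cmd")
    [ "$level" = OK ] || printf '%s %s %s %s\n' "$level" "$pid" "$user" "$cmd"
  done
}

# Read crontab text on stdin; classify the command part of each entry.
triage_crontab() {
  local line cmd level
  while IFS= read -r line; do
    case "$line" in ''|\#*|[A-Z]*=*) continue ;; esac   # blank, comment, VAR=value
    case "$line" in
      @*) cmd=${line#* } ;;                             # @reboot <command>
      *)  cmd=$(printf '%s\n' "$line" | awk '{ $1=$2=$3=$4=$5=""; sub(/^ +/, ""); print }') ;;
    esac
    level=$(classify_php_cmd "$cmd")
    [ "$level" = OK ] || printf '%s %s\n' "$level" "$line"
  done
}

# Turn HIGH findings into kill commands. Printed, not executed, so the plan
# can be reviewed and evidence copied first.
containment_plan() {
  triage_ps | awk '$1 == "HIGH" { print "kill -9 " $2 }'
}

# Constructed `ps aux` snapshot of the incident pattern.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 167000 11000 ? Ss 09:50 0:02 /sbin/init
root 1190 0.0 0.4 220000 18000 ? Ss 10:00 0:00 php-fpm: master process (/etc/php/8.3/fpm/php-fpm.conf)
www-data 1203 0.0 0.5 230000 20000 ? S 10:01 0:00 php-fpm: pool www
www-data 4411 9.7 0.3 120000 12000 ? R 10:17 0:42 php -f /tmp/cache.conf
www-data 4412 0.2 0.3 118000 11000 ? S 10:17 0:01 php /home/shop/public_html/l.php
deploy 2290 0.0 0.4 150000 16000 ? S 09:58 0:05 /usr/bin/php8.3 artisan queue:work'

# Constructed crontab for the web user.
SAMPLE_CRON='# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew -q
*/5 * * * * php -f /tmp/.sess.conf >/dev/null 2>&1
@reboot /usr/bin/php8.3 /home/shop/cron.php'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_PS" | triage_ps
  printf '%s\n' "$SAMPLE_CRON" | triage_crontab
  printf '%s\n' "$SAMPLE_PS" | containment_plan
fi
```

The deploy user's `php8.3 artisan queue:work` comes out as `REVIEW`, which is the intended behaviour: expected workers are for the operator to allow-list, not for a heuristic to wave through, since the incident's loader also ran as a plain CLI process.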
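The last script is an added configuration audit for the "Security Hardening" section, covering steps 2 (`disable_functions`) and 3 (`noexec` on `/tmp`); it is not the guide's own tooling. It parses a `php.ini` the way PHP does (last uncommented `disable_functions` line wins) and a `/proc/mounts`-style table, and distinguishes "`/tmp` lacks `noexec`" from "`/tmp` is not a separate mount at all", which is the case where the guide's `remount` command fails and the fstab entry is needed. The ini and mounts files it reads are constructed samples (a weak one as found on a default install and a hardened one); on a real host point it at `/proc/mounts`, `/etc/php/8.3/fpm/php.ini` and `/etc/php/8.3/cli/php.ini`.

```bash
#!/usr/bin/env bash
# Added hardening audit, not part of the original guide. The ini and mounts
# files produced by make_hardening_samples are constructed for the demo.

# Functions the guide's php.ini change disables (CLI and FPM both).
REQUIRED_DISABLED="exec shell_exec system passthru popen proc_open"

# Print each required function the given php.ini still allows. PHP honours
# the last uncommented disable_functions line, so that is the one parsed.
missing_disabled_functions() {
  local ini=$1 have fn
  have=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" 2>/dev/null \
         | tail -n 1 | sed 's/^[^=]*=//' | tr ',' '\n' | tr -d ' \t\r')
  for fn in $REQUIRED_DISABLED; do
    printf '%s\n' "$have" | grep -qx "$fn" || printf '%s\n' "$fn"
  done
}

# Exit 0 if MOUNTPOINT in the mounts table (/proc/mounts format) carries OPTION.
mount_has_option() {
  local table=$1 mp=$2 opt=$3
  awk -v mp="$mp" -v opt="$opt" '
    $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
    END { exit found ? 0 : 1 }' "$table"
}

# Report on /tmp: "ok", "missing-noexec", or "not-a-mount" (then
# "mount -o remount,noexec /tmp" fails and the fstab entry is required).
tmp_status() {
  local table=$1
  if ! awk '$2 == "/tmp" { f = 1 } END { exit f ? 0 : 1 }' "$table"; then
    echo not-a-mount
  elif mount_has_option "$table" /tmp noexec; then
    echo ok
  else
    echo missing-noexec
  fi
}

# audit_config MOUNTS_TABLE PHP_INI...  Prints one line per finding and
# returns 1 when there is anything left to fix.
audit_config() {
  local table=$1 status rc=0 ini fn
  shift
  for ini in "$@"; do
    for fn in $(missing_disabled_functions "$ini"); do
      printf 'php.ini %s: %s still enabled\n' "$ini" "$fn"; rc=1
    done
  done
  status=$(tmp_status "$table")
  [ "$status" = ok ] || { printf '/tmp: %s\n' "$status"; rc=1; }
  return "$rc"
}

# Constructed samples: the settings as found on a default install, and the
# corrected ones from the hardening section.
make_hardening_samples() {
  local d
  d=$(mktemp -d)
  cat > "$d/weak.ini" <<'EOF'
; php.ini as found: nothing disabled (the default)
memory_limit = 128M
;disable_functions = exec
disable_functions =
EOF
  cat > "$d/hardened.ini" <<'EOF'
memory_limit = 128M
disable_functions = exec,shell_exec,system,passthru,popen,proc_open
allow_url_include = Off
EOF
  printf '/dev/vda1 / ext4 rw,relatime 0 0\n' > "$d/mounts.nomount"
  printf '/dev/vda1 / ext4 rw,relatime 0 0\ntmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n' > "$d/mounts.weak"
  printf '/dev/vda1 / ext4 rw,relatime 0 0\ntmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0\n' > "$d/mounts.hard"
  printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(make_hardening_samples)
  audit_config "$d/mounts.weak" "$d/weak.ini"
  echo "--- after hardening"
  audit_config "$d/mounts.hard" "$d/hardened.ini" && echo "no findings"
  rm -rf "$d"
fi
```

Passing both the FPM and the CLI `php.ini` to `audit_config` is the point of taking a list: the incident's payload ran under the CLI binary, and hardening only the FPM file leaves that path open. The audit confirms the settings, not their sufficiency; as the hardening section notes, `noexec` does not stop `php -f /tmp/file` and `disable_functions` does not stop `eval`.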