T.ME/BIBIL_0DAY
CasperSecurity


Server : Apache/2
System : Linux server-15-235-50-60 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64
User : gositeme ( 1004)
PHP Version : 8.2.29
Disable Function : exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
Directory :  /home/gositeme/domains/soundstudiopro.com/public_html/


Current File : /home/gositeme/domains/soundstudiopro.com/public_html/SECURITY_BREACH_REPORT.md
# 🚨 CRITICAL SECURITY BREACH REPORT
**Date:** December 12, 2025  
**Status:** ACTIVE COMPROMISE - IMMEDIATE ACTION REQUIRED

## ⚠️ EXECUTIVE SUMMARY

Your website has been compromised with multiple backdoors and malicious code injections. The attacker has installed several web shells and remote code execution backdoors that allow them to:
- Execute arbitrary code on your server
- Upload/download/delete files
- Access your database
- Modify your website files
- Steal user data

## 🔴 CONFIRMED COMPROMISED FILES

### 1. **index.php** - CRITICAL
**Location:** `/index.php` (Line 2)  
**Threat Level:** CRITICAL  
**Type:** Remote Code Execution Backdoor

**Malicious Code Detected:**
- Injected at the very beginning of the file (before your legitimate code)
- Makes remote requests to: `http://6477-ch4-v305.rakuten38jp.click`
- Modifies `.htaccess` files
- Executes remote code via base64_decode and eval
- Steals server information (domain, IP, user agent, etc.)

**Action Required:** 
- **IMMEDIATELY REMOVE** lines 1-2 (the malicious code)
- Restore from clean backup if available
- File was modified: Dec 11 23:34

### 2. **about.php** - CRITICAL  
**Location:** `/about.php`  
**Threat Level:** CRITICAL  
**Type:** Complete File Manager Web Shell

**Malicious Code Detected:**
- Full-featured file manager backdoor
- Password protected (MD5: `dc4687e43b49fdf4714a429055b6892b`)
- Can upload, edit, delete, rename files
- Downloads and executes code from remote servers:
  - `https://c.zvo4.xyz/`
  - `https://c2.icw7.com/`
  - `http://45.11.57.159/`
  - `https://c.zvo1.xyz/`

**Action Required:**
- **DELETE THIS FILE IMMEDIATELY** or restore from clean backup
- This is a complete web shell - the attacker has full control

### 3. **445367/radio.php** - CRITICAL
**Location:** `/445367/radio.php`  
**Threat Level:** CRITICAL  
**Type:** Obfuscated Backdoor with eval()

**Malicious Code Detected:**
- Contains heavily obfuscated code
- Uses eval() to execute malicious payloads
- References suspicious GitHub: `github.com/cAT3VWynuiL7CRgr/c332d`

**Action Required:**
- **DELETE THIS FILE IMMEDIATELY**

### 4. **radio/migrations/wp-login.php** - SUSPICIOUS
**Location:** `/radio/migrations/wp-login.php`  
**Threat Level:** HIGH  
**Type:** Suspicious File (should not exist)

**Issues:**
- File named `wp-login.php` in migrations folder (highly suspicious)
- Contains same malicious code pattern as `about.php`
- This is likely a WordPress backdoor disguised in the wrong location

**Action Required:**
- **DELETE THIS FILE IMMEDIATELY**

### 5. **assets/fontawesome/fontawesome-free-6.5.1-web/metadata/radio.php** - CRITICAL
**Location:** `/assets/fontawesome/fontawesome-free-6.5.1-web/metadata/radio.php`  
**Threat Level:** CRITICAL  
**Type:** File Manager Backdoor (duplicate of about.php)

**Malicious Code Detected:**
- Identical to `about.php` backdoor
- Hidden in FontAwesome assets folder to avoid detection

**Action Required:**
- **DELETE THIS FILE IMMEDIATELY**

## 🔍 POTENTIALLY COMPROMISED FILES

These files contain suspicious patterns but may be legitimate. Review carefully:

- `audiofiles.php` - Contains base64_decode
- `ajax_load_page.php` - Contains base64_decode
- `community_fixed.php` - Contains exec()
- `subscribe3.php` - Contains base64_decode
- `composer-setup.php` - Contains base64_decode (may be legitimate)
- `api/download_*.php` files - Contain base64_decode (may be legitimate for file downloads)

## 📋 IMMEDIATE ACTION PLAN

### Step 1: QUARANTINE (Do This NOW)
1. **Take website offline** if possible
2. **Change all passwords** (database, FTP, hosting, admin accounts)
3. **Revoke all API keys** and tokens
4. **Check for unauthorized admin users** in database

### Step 2: REMOVE BACKDOORS
```bash
# Delete confirmed malicious files
rm about.php
rm 445367/radio.php
rm radio/migrations/wp-login.php
rm assets/fontawesome/fontawesome-free-6.5.1-web/metadata/radio.php

# Fix index.php - remove lines 1-2 (the malicious code)
# Keep a copy of the infected file outside the web root for later analysis,
# then keep only the legitimate code starting from line 3
mkdir -p "$HOME/quarantine"
cp -p index.php "$HOME/quarantine/index.php.infected"
sed -i '1,2d' index.php
```

### Step 3: RESTORE CLEAN FILES
- Restore `index.php` from clean backup (remove malicious code at top)
- Restore `artist_profile_clean.php` if it was deleted
- Verify all other files haven't been modified

### Step 4: SECURITY HARDENING
1. **Update all software** (PHP, CMS, plugins)
2. **Review file permissions** - PHP files should be 644, directories 755
3. **Check for SQL injection vulnerabilities** in your code
4. **Implement Web Application Firewall (WAF)**
5. **Enable file integrity monitoring**
6. **Review server logs** for suspicious activity
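The "Potentially Compromised Files" list above and the file integrity monitoring item in Step 4 both call for tooling the report does not ship. The following PHP CLI script is an added example, not part of the report or of the site's code. Its `scan` mode flags the patterns the report names (eval, base64_decode, exec-family calls, remote fetches, PHP files in unexpected locations such as `assets/` or a stray `wp-login.php`); its `baseline` and `verify` modes record and compare SHA-256 hashes of every PHP file so later changes stand out. Command-line arguments, the `webroot_check.php` file name and the baseline path are assumptions. Keep the script and the baseline file outside the web root: the script contains the very strings it searches for, so it would flag itself, and a baseline inside `public_html` could be edited by the same attacker.

```php
<?php
// Added example (not from the report or the site's code). Triage scanner plus
// SHA-256 baseline for PHP files under a web root. Usage (assumed paths):
//   php webroot_check.php scan     /home/gositeme/domains/soundstudiopro.com/public_html
//   php webroot_check.php baseline /path/to/public_html > /path/outside/webroot/baseline.json
//   php webroot_check.php verify   /path/to/public_html /path/outside/webroot/baseline.json
declare(strict_types=1);

// A hit is a triage lead, not proof: composer-setup.php and download handlers
// legitimately use base64_decode, as the report itself notes.
const SUSPICIOUS_PATTERNS = [
    'eval()'                  => '/\beval\s*\(/i',
    'base64_decode()'         => '/\bbase64_decode\s*\(/i',
    'exec-family call'        => '/\b(?:exec|system|passthru|shell_exec|popen|proc_open)\s*\(/i',
    'eval(base64_decode())'   => '/\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode/i',
    'request-driven call'     => '/\$[a-z_][a-z0-9_]*\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)/i',
    'remote fetch in code'    => '/\b(?:file_get_contents|curl_init)\s*\(\s*[\'"]https?:\/\//i',
];

// Yield every PHP-executable file below $root.
function phpFiles(string $root): Generator
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && preg_match('/\.(?:php|phtml|php[57]|inc)$/i', $file->getFilename())) {
            yield $file->getPathname();
        }
    }
}

// Return a list of "label (line N)" findings for one file; empty means no hit.
function scanFile(string $path): array
{
    $src  = file_get_contents($path);
    $hits = [];
    foreach (SUSPICIOUS_PATTERNS as $label => $regex) {
        if (preg_match($regex, $src, $m, PREG_OFFSET_CAPTURE)) {
            $line   = substr_count(substr($src, 0, $m[0][1]), "\n") + 1;
            $hits[] = "$label (line $line)";
        }
    }
    // PHP under assets/ or a wp-login.php in a migrations folder has no business being there.
    if (preg_match('#/assets/.+\.php$#i', $path) || basename($path) === 'wp-login.php') {
        $hits[] = 'PHP file in unexpected location';
    }
    return $hits;
}

// Map of relative path => sha256 + mtime for every PHP file under $root.
function buildBaseline(string $root): array
{
    $manifest = [];
    foreach (phpFiles($root) as $path) {
        $manifest[substr($path, strlen($root))] = [
            'sha256' => hash_file('sha256', $path),
            'mtime'  => filemtime($path),
        ];
    }
    ksort($manifest);
    return $manifest;
}

// Compare the current tree against a saved baseline.
function verifyBaseline(string $root, array $baseline): array
{
    $current = buildBaseline($root);
    $report  = ['added' => [], 'modified' => [], 'removed' => []];
    foreach ($current as $rel => $meta) {
        if (!isset($baseline[$rel])) {
            $report['added'][] = $rel;
        } elseif ($baseline[$rel]['sha256'] !== $meta['sha256']) {
            $report['modified'][] = $rel;
        }
    }
    foreach (array_keys($baseline) as $rel) {
        if (!isset($current[$rel])) {
            $report['removed'][] = $rel;
        }
    }
    return $report;
}

$mode = $argv[1] ?? 'scan';
$root = rtrim($argv[2] ?? getcwd(), '/');
switch ($mode) {
    case 'scan':
        foreach (phpFiles($root) as $path) {
            $hits = scanFile($path);
            if ($hits) {
                // mtime first so the output sorts into a timeline of the compromise.
                printf("%s  [%s]  %s\n", date('Y-m-d H:i', filemtime($path)), implode('; ', $hits), $path);
            }
        }
        break;
    case 'baseline':
        echo json_encode(buildBaseline($root), JSON_PRETTY_PRINT), "\n";
        break;
    case 'verify':
        $baseline = json_decode(file_get_contents($argv[3]), true) ?? [];
        foreach (verifyBaseline($root, $baseline) as $kind => $files) {
            foreach ($files as $rel) {
                echo strtoupper($kind), "  ", $rel, "\n";
            }
        }
        break;
}
```

Run `scan` once before cleanup to get the full list of leads, then `baseline` only after the tree is clean; `verify` from cron (or after every deployment) then reports any file added, modified or removed since that clean state, which is what the report's "file integrity monitoring" item asks for.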

### Step 5: DATABASE SECURITY
1. **Check for unauthorized database modifications**
2. **Review user accounts** - look for new admin users
3. **Check for data exfiltration** in logs
4. **Change database passwords**

## 🔐 SQL INJECTION VULNERABILITIES

The attacker likely used SQL injection to gain initial access. Review these patterns in your code:

**DANGEROUS PATTERNS FOUND:**
- Direct use of `$_GET`, `$_POST`, `$_REQUEST` in SQL queries
- Missing prepared statements
- Unescaped user input

**FILES TO REVIEW:**
- All files using `$_GET`, `$_POST`, `$_REQUEST` with database queries
- Check for: `SELECT * FROM ... WHERE id = $_GET['id']` (DANGEROUS)
- Should use: Prepared statements with PDO or mysqli
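The dangerous pattern quoted above next to its corrected form, as an added example that is not part of the report. It assumes a PDO connection returned by the hypothetical `connectPdo()` helper and a hypothetical table `tracks` with an integer primary key `id`; substitute your own table and columns.

```php
<?php
// Added example (not from the report). Assumes a hypothetical `tracks` table.
declare(strict_types=1);

function connectPdo(string $dsn, string $user, string $password): PDO
{
    // Throw on errors and disable emulated prepares so bound values are sent
    // to the server separately from the query text instead of being interpolated.
    return new PDO($dsn, $user, $password, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// DANGEROUS: the pattern the report tells you to look for. The raw $_GET value
// becomes part of the SQL text, so the request controls the shape of the query.
function findTrackVulnerable(PDO $pdo): array
{
    $sql = "SELECT * FROM tracks WHERE id = " . $_GET['id'];
    return $pdo->query($sql)->fetchAll();
}

// SAFE: validate the type first, then bind the value as a parameter.
function findTrackSafe(PDO $pdo, array $query): ?array
{
    // Reject anything that is not a positive integer before it reaches the database.
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        return null; // caller answers with 400 Bad Request
    }
    $stmt = $pdo->prepare('SELECT id, title, artist FROM tracks WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Same idea for free-text search: the LIKE pattern is a bound value, and the
// user's own % and _ characters are escaped so they cannot widen the match.
function searchTracksSafe(PDO $pdo, string $term, int $limit = 20): array
{
    $escaped = addcslashes($term, '%_\\');
    $stmt = $pdo->prepare(
        'SELECT id, title, artist FROM tracks WHERE title LIKE :pattern LIMIT :limit'
    );
    $stmt->bindValue(':pattern', '%' . $escaped . '%', PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Typical call site: $row = findTrackSafe($pdo, $_GET); if ($row === null) { http_response_code(400); }
```

While reviewing, grep for string concatenation or interpolation of `$_GET`, `$_POST` or `$_REQUEST` inside `query()` or `mysqli_query()` calls; every one of them should become a `prepare()`/`bindValue()` pair as above, and integer ids should additionally pass through `FILTER_VALIDATE_INT` so bad input is rejected before it reaches the database.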

## 📊 ATTACK VECTOR ANALYSIS

**Likely Attack Path:**
1. SQL Injection vulnerability exploited
2. Backdoors installed via file upload or code injection
3. `.htaccess` modified to hide backdoors
4. Multiple backdoors installed for redundancy
5. File manager installed for persistent access

**Attacker Capabilities:**
- ✅ Remote code execution
- ✅ File upload/download/delete
- ✅ Database access
- ✅ User data theft
- ✅ Website defacement
- ✅ Further malware installation

## 🛡️ PREVENTION MEASURES

1. **Input Validation:** All user input must be validated and sanitized
2. **Prepared Statements:** Use PDO prepared statements for ALL database queries
3. **File Upload Security:** Restrict file types, scan uploads, store outside web root
4. **File Integrity Monitoring:** Monitor for unauthorized file changes
5. **Regular Backups:** Maintain clean, tested backups
6. **Security Audits:** Regular code reviews and penetration testing
7. **Least Privilege:** Database and file system permissions should be minimal
8. **Error Handling:** Don't expose sensitive information in error messages
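Measure 3 (file upload security) in working form, as an added example that is not part of the report or the site's code. It assumes a hypothetical form field `track`, a storage directory `/home/gositeme/uploads` outside `public_html` (an assumed path), and an audio-only allow list; adapt all three.

```php
<?php
// Added example (not from the report). Hardened upload handler: allow-list by
// sniffed MIME type, random server-chosen name, storage outside the web root.
declare(strict_types=1);

const UPLOAD_DIR = '/home/gositeme/uploads'; // assumed: must be outside public_html
const MAX_BYTES  = 50 * 1024 * 1024;
// Keyed by the MIME type detected from file contents, never by the client-supplied name.
const ALLOWED_TYPES = [
    'audio/mpeg'  => 'mp3',
    'audio/wav'   => 'wav',
    'audio/x-wav' => 'wav',
    'audio/flac'  => 'flac',
];

function storeUpload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload failed with code ' . ($file['error'] ?? UPLOAD_ERR_NO_FILE)];
    }
    if ($file['size'] > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'file too large'];
    }
    // is_uploaded_file() rejects a path that did not come from PHP's own upload handling.
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return ['ok' => false, 'reason' => "type $mime not allowed"];
    }
    // Never reuse the client file name: it may carry a .php extension, a double
    // extension or path separators. The server picks the name and the extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'reason' => 'could not store file'];
    }
    chmod($dest, 0640); // data only, never executable
    return ['ok' => true, 'stored_as' => $name, 'mime' => $mime];
}

// Files are served back through a script; nothing in UPLOAD_DIR is reachable by URL,
// so even a file that slipped through the allow list can never be executed by the web server.
function serveUpload(string $name): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(?:mp3|wav|flac)$/', $name)) {
        http_response_code(400);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . mime_content_type($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['track'])) {
    header('Content-Type: application/json');
    echo json_encode(storeUpload($_FILES['track']));
}
```

The three controls reinforce each other: the allow list keeps PHP source out, the random name removes the attacker's control over the extension, and storage outside the web root means that even a mistake in the first two cannot turn an upload into a reachable web shell like `about.php`.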

## 📞 NEXT STEPS

1. **IMMEDIATELY** remove all backdoors listed above
2. **RESTORE** clean versions of compromised files
3. **CHANGE** all passwords and credentials
4. **SCAN** entire codebase for additional backdoors
5. **REVIEW** server access logs to identify attack source
6. **NOTIFY** users if personal data may have been compromised
7. **CONSIDER** professional security audit

## ⚠️ WARNING

**DO NOT** simply delete the malicious code and continue. The attacker had full access to your system. You must:
- Assume all data may be compromised
- Review all database changes
- Check for additional backdoors
- Implement comprehensive security measures
- Consider professional security assistance

---

**Report Generated:** December 12, 2025  
**Status:** ACTIVE THREAT - IMMEDIATE REMEDIATION REQUIRED