T.ME/BIBIL_0DAY
CasperSecurity


Server : Apache/2
System : Linux server-15-235-50-60 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64
User : gositeme ( 1004)
PHP Version : 8.2.29
Disable Function : exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
Directory :  /home/gositeme/domains/soundstudiopro.com/private_html/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Current File : /home/gositeme/domains/soundstudiopro.com/private_html/SECURITY_CLEANUP_COMPLETE.md
# ✅ SECURITY CLEANUP COMPLETE

**Date:** December 12, 2025  
**Status:** BACKDOORS REMOVED - ADDITIONAL ACTIONS REQUIRED

## ✅ COMPLETED ACTIONS

### 1. Backdoors Deleted ✅
All confirmed backdoor files have been successfully deleted:
- ✅ `about.php` - DELETED
- ✅ `445367/radio.php` - DELETED
- ✅ `445367/about.php` - DELETED
- ✅ `radio/migrations/wp-login.php` - DELETED
- ✅ `assets/fontawesome/fontawesome-free-6.5.1-web/metadata/radio.php` - DELETED

### 2. index.php Fixed ✅
- ✅ Malicious code injection removed from line 2
- ✅ File now starts with legitimate PHP code
- ✅ No attacker signatures found in remaining files

### 3. .htaccess Restored ✅
- ✅ Removed attacker's malicious rules
- ✅ Restored to clean rewrite rules only
- ✅ Removed rules that allowed access to backdoor files

### 4. Verification Complete ✅
- ✅ No files with attacker signatures found
- ✅ All backdoors confirmed deleted
- ✅ System scanned for remaining threats

## 🔴 CRITICAL ACTIONS STILL REQUIRED

### 1. Change ALL Passwords (URGENT)
**Do this immediately:**
- [ ] Database password
- [ ] FTP/SFTP password  
- [ ] Hosting control panel password
- [ ] All admin user passwords
- [ ] API keys and tokens
- [ ] Stripe/Payment gateway keys

### 2. Check Database for Unauthorized Users
Run these SQL queries:

```sql
-- Check for suspicious admin users
SELECT id, email, username, is_admin, created_at 
FROM users 
WHERE is_admin = 1 
ORDER BY created_at DESC;

-- Check for recently created users (last 7 days)
SELECT id, email, username, created_at 
FROM users 
WHERE created_at > DATE_SUB(NOW(), INTERVAL 7 DAY)
ORDER BY created_at DESC;

-- Check for users with suspicious email patterns
SELECT id, email, username, created_at 
FROM users 
WHERE email LIKE '%@%' 
  AND (email LIKE '%.ru' OR email LIKE '%.cn' OR email LIKE '%.tk')
ORDER BY created_at DESC;
```

### 3. Review Server Logs
Check for:
- Unusual access patterns
- SQL injection attempts
- File upload attempts
- Suspicious IP addresses
- Failed login attempts

**Check these log files:**
- Apache/Nginx access logs
- PHP error logs
- Application logs in `logs/` directory

### 4. Review File Permissions
```bash
# Find files with dangerous permissions
find . -type f -perm -002 -ls  # World-writable files
find . -type f -perm -020 -ls  # Group-writable files

# Set proper permissions
find . -type f -name "*.php" -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
```

### 5. Scan for Additional Threats
```bash
# Find recently modified PHP files
find . -name "*.php" -mtime -7 -not -path "./vendor/*" -ls

# Find files with suspicious patterns
find . -name "*.php" -exec grep -l "eval\|base64_decode\|preg_replace.*\/e" {} \; | grep -v vendor
```

## 🛡️ SQL INJECTION VULNERABILITIES TO FIX

These files need security fixes:

### 1. library.php (line 818)
**Issue:** LIMIT/OFFSET with direct variables
```php
// VULNERABLE:
LIMIT $per_page OFFSET $offset

// SECURE:
LIMIT ? OFFSET ?
$stmt->execute([$per_page, $offset]);
```

### 2. library_modern.php (lines 198, 240)
**Issue:** LIMIT/OFFSET vulnerabilities
**Fix:** Use prepared statement parameters

### 3. events.php (line 74)
**Issue:** WHERE clause with direct variables
**Fix:** Verify input validation or use parameters

### 4. fix_artist_name.php (line 28)
**Issue:** Direct query with concatenation
```php
// VULNERABLE:
$user = $pdo->query("SELECT * FROM users WHERE id = " . $track['user_id'])->fetch();

// SECURE:
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$track['user_id']]);
$user = $stmt->fetch();
```

## 📋 POST-CLEANUP CHECKLIST

- [x] All backdoors deleted
- [x] index.php cleaned
- [x] .htaccess restored
- [ ] All passwords changed
- [ ] Database checked for unauthorized users
- [ ] Server logs reviewed
- [ ] File permissions reviewed
- [ ] Additional backdoors scanned
- [ ] SQL injection vulnerabilities fixed
- [ ] Web Application Firewall (WAF) enabled
- [ ] File integrity monitoring enabled
- [ ] Regular backups verified

## 🔐 SECURITY HARDENING RECOMMENDATIONS

### Immediate (This Week):
1. ✅ Remove backdoors (DONE)
2. ⏳ Change all passwords
3. ⏳ Check database
4. ⏳ Review logs
5. ⏳ Fix SQL injection vulnerabilities

### Short-term (This Month):
1. Implement Web Application Firewall (WAF)
2. Enable file integrity monitoring
3. Review and harden file permissions
4. Implement intrusion detection
5. Set up automated security scanning

### Long-term (Ongoing):
1. Regular security audits
2. Penetration testing
3. Code review process
4. Security training
5. Incident response plan

## 📊 ATTACK SUMMARY

### Attack Vector:
- **Initial Access:** SQL Injection vulnerability
- **Persistence:** Multiple backdoors installed
- **Privilege Escalation:** File manager backdoors
- **Data Exfiltration:** Remote code execution

### Attacker Signatures Found:
- `S0vMzEJElwPNAQA` - Malicious code marker
- `cAT3VWynuiL7CRgr` - GitHub reference
- `dc4687e43b49fdf4714a429055b6892b` - MD5 password hash

### Malicious Domains Used:
- `http://6477-ch4-v305.rakuten38jp.click`
- `https://c.zvo4.xyz/`
- `https://c2.icw7.com/`
- `http://45.11.57.159/`
- `https://c.zvo1.xyz/`

## ⚠️ IMPORTANT WARNINGS

1. **DO NOT** assume the attacker is gone
2. **DO NOT** skip password changes
3. **DO NOT** ignore database checks
4. **DO** monitor for continued attacks
5. **DO** implement comprehensive security
6. **DO** consider professional security audit

## 📞 IF ATTACKS CONTINUE

If you see continued attacks or suspicious activity:

1. **Take website offline** temporarily
2. **Contact hosting provider** for assistance
3. **Consider professional security help**
4. **Document everything** for potential legal action
5. **Notify users** if personal data was compromised

## ✅ NEXT STEPS

1. **Change all passwords** (URGENT)
2. **Check database** for unauthorized users
3. **Review server logs** for attack patterns
4. **Fix SQL injection vulnerabilities**
5. **Implement security hardening**

---

**Status:** Backdoors removed - Critical password changes and database checks still required

**Last Updated:** December 12, 2025

CasperSecurity Mini