  1.     
    #1
    Banned
    Website's:
    ProSpeedHost.com ProSpeedHost.net BlazingVPS.net ShoutCastRadios.com ShoutCastUK.co.uk CheapShoutcast.co.uk

    Default WHMCS - Suspicious File Found...

    OK, so I was transferring files from my RDP via one of my sites' FTP accounts... which happens to have WHMCS installed on the same account also. Then I spotted a file which I was pretty sure wasn't a normal file, and I hadn't seen it before... So I checked with a friend in the States to see if he had this file and he said no... So basically I'm wondering if anyone else has happened to come across this file in their WHMCS root dir...

    File Name: _d41f60d0
    Size: 3051

    With all this stuff that's been going on with WHMCS these last couple of weeks, it will be interesting to see what comes of this thread...

    Note: I renamed the file " _d41f60d0.bak " and it didn't seem to affect the way whmcs ran...

    Note: I currently have 3 sites running whmcs (all legit) and only one has the file above...

    Look forward to your posts....

  3.     
    #2
    Member
    Website's:
    bypassx.com
    Can you post the contents of the file...? Without the contents it is mainly impossible to research deeper, because it seems a randomly generated filename; admins can search for that file, but perhaps on their boxes it exists at another location with another name. If you supply the file contents, the search can be done fast.

  4.     
    #3
    Banned
    Website's:
    ProSpeedHost.com ProSpeedHost.net BlazingVPS.net ShoutCastRadios.com ShoutCastUK.co.uk CheapShoutcast.co.uk
    http://i.imgur.com/LttSs.png

    Code: 
    {"ef846c5a76d80e53634cbc6b3d453d01":{"time":"MTMzODYyMzc4OA==","value":""},"8d38fb86defd82ab9e6e2cfe03499e58":{"time":"MTMzNzg1MTk5OA==","value":"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"},"4a87b14bd6dd0f6a5ea0e6ce747e86c4":{"time":"MTMzODI5Njg5Ng==","value":""},"d13a46cb5bf229be599204dfd3e61d6d":{"time":"MTMzODI5Njg5Mg==","value":""},"97ba631ccf3a9f831bd3117eb0520559":{"time":"MTMzODI5Njg4OQ==","value":""},"da16f12275b73432c7082b4aeeb408fd":{"time":"MTMzODI5Njg4NQ==","value":""},"33f70b2b5037126041598b437d9a9dfa":{"time":"MTMzODI5Njg4MQ==","value":""},"795b2a0cfbb14b8d62580e10a8292b86":{"time":"MTMzODIxOTIwNA==","value":""},"09d51f6da87fa5fc5ec3aee33017900a":{"time":"MTMzODI4MzIxMw==","value":""},"34431fa2453690724537724988cdda1d":{"time":"MTMzODI4MzM0Mw==","value":""},"3877728b20addce4c8d8a33b8a2de83b":{"time":"MTMzODI4MzQyMg==","value":""},"c1f44e05ebe63554384b03b3b2054b4f":{"time":"MTMzODI4MzI2Mw==","value":""},"fa53b946ac42548aa0fa32ddc97edc89":{"time":"MTMzODg2MTUyMw==","value":""},"afe68c33143d6b40788e053c0008632c":{"time":"MTMzODM0NDk3Mg==","value":""},"48f892a206504997b023f26878057b7e":{"time":"MTMzODM1NjQ5NQ==","value":""}}

  5.     
    #4
    Member
    Website's:
    bypassx.com
    Can you use pastebin or similar to post the code... it seems to be obfuscated code.
    Does the file not have any extension? .php, .cgi or similar.. ?

  6.     
    #5
    Banned
    Website's:
    ProSpeedHost.com ProSpeedHost.net BlazingVPS.net ShoutCastRadios.com ShoutCastUK.co.uk CheapShoutcast.co.uk
    Just a file it seems... http://i.imgur.com/AJmwK.png

    PM Sent by the way...

  7.     
    #6
    Member
    It's just base64 encoded,
    and there is nothing malicious in it:

    Code: 
    {"0":{"status":"1"},"146":{"ltext":"altavista","ldesc":"altavista lycos ebay google wikipedia msn about aol yahoo bing","lurl":"http:\/\/www.altavista.com\/","ltype":2},"273":{"ltext":"wikipedia","ldesc":"google wikipedia yahoo altavista lycos about ebay bing msn aol","lurl":"http:\/\/www.wikipedia.com\/","ltype":1},"400":{"ltext":"ebay","ldesc":"lycos altavista ebay bing aol google about wikipedia yahoo msn","lurl":"http:\/\/www.ebay.com\/","ltype":2},"527":{"ltext":"google","ldesc":"bing lycos ebay google altavista yahoo wikipedia about msn aol","lurl":"http:\/\/www.google.com\/","ltype":2},"654":{"ltext":"aol","ldesc":"altavista about yahoo ebay aol wikipedia msn lycos bing google","lurl":"http:\/\/www.aol.com\/","ltype":1},"781":{"ltext":"wikipedia","ldesc":"altavista lycos msn ebay bing wikipedia google aol about yahoo","lurl":"http:\/\/www.wikipedia.com\/","ltype":1},"908":{"ltext":"wikipedia","ldesc":"lycos google ebay bing altavista msn wikipedia about aol yahoo","lurl":"http:\/\/www.wikipedia.com\/","ltype":1},"1035":{"ltext":"lycos","ldesc":"altavista yahoo wikipedia ebay msn google aol lycos bing about","lurl":"http:\/\/www.lycos.com\/","ltype":2},"1162":{"ltext":"aol","ldesc":"about bing yahoo google lycos altavista msn ebay aol wikipedia","lurl":"http:\/\/www.aol.com\/","ltype":1},"1289":{"ltext":"ebay","ldesc":"lycos about yahoo google wikipedia aol bing msn altavista ebay","lurl":"http:\/\/www.ebay.com\/","ltype":2}}
    http://upsimple.com best image hosting, fast & reliable, custom script, track your visitors!
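
Added example (not part of any post in this thread): a Python sketch that triages a file shaped like the one posted in #3, decoding each entry's base64 `time` and `value` fields and flagging values that are not plain JSON link data. It assumes the JSON shown in #6 is the decoded `value` of one entry; the function names, the marker list and two of the three sample entries are constructed for illustration.

```python
import base64
import json
from datetime import datetime, timezone

# Markers that make a decoded value worth a manual look (illustrative list).
SUSPICIOUS = ("<?php", "<script", "<iframe", "eval(", "base64_decode(")

def b64_text(s):
    """Decode base64 to text; None when the input is not valid base64."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def triage(raw):
    """Return one report dict per entry of the cache-style JSON file."""
    report = []
    for key, entry in json.loads(raw).items():
        ts = b64_text(entry.get("time", ""))
        when = (datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()
                if ts and ts.isdigit() else None)
        text = b64_text(entry.get("value", ""))
        flags = ["value is not base64"] if text is None else []
        text = text or ""
        flags += [m for m in SUSPICIOUS if m in text.lower()]
        urls = []
        try:
            decoded = json.loads(text) if text else {}
            if isinstance(decoded, dict):
                urls = sorted({v["lurl"] for v in decoded.values()
                               if isinstance(v, dict) and "lurl" in v})
        except json.JSONDecodeError:
            flags.append("value is not JSON")
        report.append({"key": key, "time": when, "urls": urls, "flags": flags})
    return report

def enc(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample: first entry copied from the posted file, the rest made up.
LINKS = {"0": {"status": "1"}, "146": {"ltext": "altavista", "lurl": "http://www.altavista.com/"}}
SAMPLE = json.dumps({
    "ef846c5a76d80e53634cbc6b3d453d01": {"time": "MTMzODYyMzc4OA==", "value": ""},
    "constructed-1": {"time": enc("1337851998"), "value": enc(json.dumps(LINKS))},
    "constructed-2": {"time": enc("1338296896"), "value": enc("<script src=x.js></script>")},
})

if __name__ == "__main__": print(json.dumps(triage(SAMPLE), indent=2))
```

An empty `flags` list only means none of the listed markers were found; the extracted `urls` and the write times still need a human look to decide why the file is in the web root.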

  8.     
    #7
    Banned
    Website's:
    ProSpeedHost.com ProSpeedHost.net BlazingVPS.net ShoutCastRadios.com ShoutCastUK.co.uk CheapShoutcast.co.uk
    Marc - Well, I didn't think it was anything that was going to cause me any issues, just funny how it's there out of 3 WHMCS setups I have..

  9.     
    #8
    Member
    Website's:
    bypassx.com
    Yes, it is some kind of malware; the file isn't complete, it seems that the hackers couldn't succeed.
    I bet that the code will be inserted as JavaScript, because it seems to be written in JSON.

  10.     
    #9
    Member
    I don't think this has to do with WHMCS setup. If the script was any kind of malware, it's probably a hole in the server.

    P.S.: Just wanted to remind you. WHMCS got hacked by social engineering and not any kind of exploit.

    Super busy. I have to forward this email to 20 people in 5 minutes or else a ghost will visit me tonight and my room is a mess

  11.     
    #10
    Banned
    Website's:
    budgetvds.com hilohost.com wdispatch.com
    I recommend that you install LMD, which is Linux Malware Detect, and have it do a full scan on your servers. Just because a file might not be suspicious, I wouldn't take any chances if I were you.

    LMD Official Website
    http://www.rfxn.com/projects/linux-malware-detect/

    Install Instructions
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
    tar -xzvf maldetect-current.tar.gz
    cd maldetect-*
    sh install.sh
