Mysterious ico files appearing on webserver

This is an attack targeting a PHP vulnerability with POST requests.

The attacker somehow manages to change existing PHP files with an @include statement using an encoded path that translates into one of these .ico files, which are self-decrypting PHP files calling an external script from another server.

Blocking POST requests works so far, although that is only possible for sites that do not depend on external POST requests. This can be done in the .htaccess file as explained here.


EDITED: This is a known PHP hack. If your server runs WordPress only, plugins like Wordfence can detect and clean the infected files, but if you have other PHP applications it will take other steps. I ran Maldet and it didn't work.

It injects or modifies index.php files which call an .ico file, and also creates randomly named .php files.

The causes can be many, including unprotected form POST operations. Always use secure forms with reCAPTCHA. Your system is definitely hacked, but copying your files to a new OS will probably copy the infected code as well.

Workarounds to clean up the infected files

ico files

Using ssh, find all .ico files from the HTML root:

find . -name "*.ico"

Remove those with random characters before the .ico extension.

index.php files

They usually call the infected file using an @include in an index.php file. To find compromised index.php files, I found this way much faster than a plain grep command:

find . -name index.php -exec grep -l '@include' {} +

Remove the malicious code if the rest of the file is original, or simply delete the file if it was created by this attack.

Random .php files

They use random names; on the CLI you can find similar patterns. In my case the file names were 8 characters long before .php and the files contained a substring function to create the names, so I could find them like this:

find . -name '????????.php' -exec grep -lF 'substr(md5(time()), 0, 8)' {} +

Diff

You can use diff to find differences against an original copy you have in place, or use svn or git.

diff -qr directory-1/ directory-2/
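As an added example (my own script, not part of the answer above), here are the three searches from the answer wrapped as shell functions and run over a small constructed web root. One thing it does differently: instead of judging an .ico file by "random characters" in its name, it reads the first four bytes, since a real icon starts with the header 00 00 01 00 and a PHP payload does not. The directory layout, file names, the .a1b2c3d4.ico path and every file's contents are made up for the demo.

```sh
#!/bin/sh
# Added example, not code from the answer: the answer's three searches as
# functions, plus a constructed sample tree to run them against.
# Everything created by make_sample_tree is fake demo data.

# 1. .ico files that are not icons. A genuine ICO begins with the bytes
#    00 00 01 00; anything else (e.g. "<?ph") is not an image.
find_fake_ico() {
    find "$1" -type f -name '*.ico' | while IFS= read -r f; do
        magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
        [ "$magic" = "00000100" ] || printf '%s\n' "$f"
    done
}

# 2. index.php files containing an @include (the injected loader line).
#    -l prints only file names; the '+' form batches files into few grep calls.
find_include_index() {
    find "$1" -type f -name 'index.php' -exec grep -l '@include' {} + || true
}

# 3. 8-character .php droppers carrying the name-generation snippet.
#    -F makes grep treat the pattern as a fixed string, so the parentheses
#    are matched literally.
find_random_php() {
    find "$1" -type f -name '????????.php' \
        -exec grep -lF 'substr(md5(time()), 0, 8)' {} + || true
}

# Constructed web root: one clean site ("blog"), one infected site ("shop").
make_sample_tree() {
    root=$1
    mkdir -p "$root/blog" "$root/shop/wp-content/uploads"
    # genuine favicon: just the ICO header, enough for the magic check
    printf '\000\000\001\000' > "$root/favicon.ico"
    # clean index.php
    printf '<?php\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$root/blog/index.php"
    # infected index.php: @include with a hex-escaped path to the fake icon
    printf '<?php\n@include "\\x2fvar\\x2fwww\\x2fhtml\\x2fshop\\x2fwp-content\\x2fuploads\\x2f.a1b2c3d4.ico";\nrequire __DIR__ . "/wp-blog-header.php";\n' \
        > "$root/shop/index.php"
    # the "icon": PHP text, not an image (stand-in for the encoded loader)
    printf '<?php\n/* constructed stand-in for the self-decrypting loader */\n' \
        > "$root/shop/wp-content/uploads/.a1b2c3d4.ico"
    # random-named dropper using the naming routine quoted in the answer
    printf '<?php\n$n = substr(md5(time()), 0, 8); /* constructed sample */\n' \
        > "$root/shop/k9f3m2qa.php"
}

# Run all three checks and print the hits under a heading each.
scan_webroot() {
    echo "== .ico files with a non-ICO header =="
    find_fake_ico "$1"
    echo "== index.php files containing @include =="
    find_include_index "$1"
    echo "== 8-character .php files with substr(md5(time()), 0, 8) =="
    find_random_php "$1"
}

ROOT=$(mktemp -d)
make_sample_tree "$ROOT"
scan_webroot "$ROOT"
rm -rf "$ROOT"
```

Run it as a plain sh script; on a real server drop the make_sample_tree call and pass your document root to scan_webroot. Review every hit before deleting anything, since a legitimate file can also use @include, and keep a copy of anything you remove in case you need it for the diff step.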