Hi folks,
I'm hoping someone can help shed some light on what might be going on here.
Today I logged into my 5 servers to update them all to latest ECP version.
I noticed on one (only one) server in the SSH user's home a folder named y. It's also in the root user's home folder, although the owner and group on the folder are root:root.
It contains four files.

The same folder is also at the top level (/y) but with only the three smaller files.
As far as I can tell, the large 38MB file in part contains virus/malware signatures, etc. It's an encoded file, but I was able to find some sections with human-readable data.
The filenames are hex-encoded.
Here is what ChatGPT had to say about the four files (I could only provide it with a sample of the partially human-readable content from the 38MB file).
1) 6C61746573745F76657273696F6E
Hex → latest_version (the filename is hex-encoded ASCII).
Size: 20 bytes.
Contents (first bytes): include something like 5.0.1 — appears to be a tiny version marker file (binary-ish header then a version string).
Likely interpretation: a tiny version indicator file (possibly created by Wordfence or another tool), not an obvious malicious payload by itself.
2) 7465726D732D6163636570746564
Hex → terms-accepted
Size: 389 bytes.
Contents contain readable strings: wordfence.cli.terms_management, LicenseTermsAccept, a license hash-like string, and words like paid, accepted.
Likely interpretation: looks like Wordfence CLI / license / “terms accepted” data (a small config/marker file), not raw PHP shell code.
3) file-code-sample.txt (the sample you uploaded earlier)
Size: 72 KB (you said the full file is 38 MB — you uploaded a sample).
This file contains many malware signature names and matching patterns (e.g. Obfuscated:PHP/..., Backdoor:PHP/..., eval(base64_decode(...)), wp_create_user, gzdecode, file_put_contents, curl_exec, Telegram, etc).
Likely interpretation: this looks like the output of a malware scanner or a signature database / detection log listing many suspicious patterns. It lists many kinds of malicious patterns that scanners look for — which explains the long list of suspicious names in the sample. The file itself is not necessarily the malicious code in your ~/y directory; it may be a scan result or signature file.
I gave a much larger sample (1.2MB of text) to Google Gemini. It had something similar to say:
Based on its contents, it appears to be a snippet from a signature database used by a security tool, such as an antivirus or a malware scanner. This is because the file contains numerous patterns (regular expressions) designed to identify various types of malicious and suspicious code.
Here's a breakdown of what the file contains and what it's used for:
Malware and Threat Signatures
The file is structured with patterns and corresponding labels that categorize different types of threats. These signatures are used to detect:
- Phishing: The file contains signatures to identify phishing pages, particularly those targeting services like Office 365. For example, one signature looks for a specific HTML form structure commonly used in Office 365 phishing kits.
- Backdoors: There are numerous signatures to detect backdoors, which allow unauthorized access to a system. Examples include signatures for the "Gmanager" Russian webshell, as well as various obfuscated backdoors that use techniques like preg_replace for remote code execution.
- Spam: The file includes patterns to identify spam content generated with templates like "fancybox" and others. These are often found in compromised WordPress installations.
- Hacktools: Signatures for hacking tools are also present, such as those used for file uploading or modifying .htaccess files.
- Obfuscated Code: The database contains patterns to detect obfuscated code, which is often used to hide malicious intent. This includes obfuscated variable assignments and the use of functions like base64_decode.
- Suspicious Code: There are also signatures for code that may not be inherently malicious but is often found in compromised systems, such as uncommon Directory Index settings in .htaccess files.
In summary, the provided text file is a collection of rules that a security scanner would use to identify and classify threats in files it analyzes. Each rule consists of a pattern to search for and a label describing the type of threat it represents.
After I had updated all servers, I saw that the same y folder was created in the same locations on all the other servers. Originally it was only on the above-mentioned server. Some time later (I checked around 20 mins later to run some analysis scripts on the y folders on each server) they had all vanished from the servers on which they appeared shortly after the ECP update. On the original server (on which these files were created in June) they remained.
My first impression (when it was on the first server) was that it was the result of a malware infection. However, after the AI analysis, and also after seeing it show up on all the other servers right after I did the ECP update (I'm not suggesting it was created by the update, since the original server hadn't been updated before the y folder was identified), I'm starting to wonder if it's something else.
Also, the fact that they came and went on all the other servers suggests to me that these are being created as part of some routine that is likely innocuous. I suspect the June files were the result of that routine failing to complete.
The whole cluster has @cPFence installed and actively running, although I've not seen any notifications from cPFence regarding an infection.
Any thoughts on what this might be would be greatly appreciated.
Jonathan
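A small triage helper for the situation described in the post (an added example, not code from the post, from ECP, cPFence or Wordfence): it decodes hex-encoded filenames such as the two quoted above and inventories size, owner and modification time, so the y folders can be compared across servers before anything is deleted. The sample directory it builds is constructed to mimic the post's description; the 20-byte marker content is made up.

```python
import binascii
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Optional


def decode_hex_name(name: str) -> Optional[str]:
    """Decode a filename that is hex-encoded printable ASCII; return None otherwise."""
    if not name or len(name) % 2:
        return None
    try:
        text = binascii.unhexlify(name).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage_dir(path: str) -> List[Dict]:
    """Inventory one directory: raw name, decoded name, size, owner uid:gid, mtime (UTC)."""
    rows = []
    for entry in sorted(os.scandir(path), key=lambda e: e.name):
        st = entry.stat(follow_symlinks=False)  # do not follow links into other locations
        rows.append({
            "name": entry.name,
            "decoded": decode_hex_name(entry.name),
            "size": st.st_size,
            "owner": f"{st.st_uid}:{st.st_gid}",
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(timespec="seconds"),
        })
    return rows


def build_sample_dir() -> str:
    """Constructed stand-in for the /y folder: two hex-named marker files plus one plain file."""
    d = tempfile.mkdtemp(prefix="y_sample_")
    samples = {
        "6C61746573745F76657273696F6E": b"\x00\x01\x02\x035.0.1\x00" + b"\x00" * 10,  # constructed, 20 bytes
        "7465726D732D6163636570746564": b"wordfence.cli.terms_management LicenseTermsAccept accepted",
        "README": b"not a hex-encoded name",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for row in triage_dir(build_sample_dir()):
        print(f"{row['name']:32} -> {str(row['decoded']):16} {row['size']:>6}B {row['owner']:>12} {row['mtime']}")
```

Run it against the real folders (e.g. `triage_dir("/y")`) on each server and diff the output; matching owners and mtimes across servers point at a scheduled routine, while one server with older timestamps stands out for closer review.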