Php-cgi vulnerability in php 5.4

CentOS Linux 7.9.2009 REQUIRED

I have a security problem with virtualmin, specifically with vulnerability in PHP-CGI, I found that the server had php 5.4 installed, they indicate that updating php to 7 fixes the error, but the error continues, they create new files in the public folder, in php as in txt.

I already changed admin passwords, remove ftp and smtp services, install and configure fail2ban for http, but nothing works, delete old users, change the passwords of all users.

install fail2ban to block the ips by iptables but looking at the system unban appears after a while the ip that fail2ban had blocked, I don’t know how they manage to unblock the ips.

It generates files with content that I can’t understand. I’ll upload a sample of it.

the content of these files is as follows

What worries me the most is that it modifies the files that should be on the server:


I come to you if you can guide me with some configuration or how I remove this security flaw from the system, as you can see I have tried everything but nothing works, thank you very much for your help

Upgrading fixes the ’ error ’ for all future exploit attempts.

Upgrading to PHP 7 will not secure you system if it has already been compromised while PHP 5.6 was in use.

The security of your system has been compromised. The simple fix is to start from scratch with a new install of OS and Virtualmin. If you want your existing system to be repaired then it could be an expensive proposition.


I don’t know who ‘THEY’ are, but they are wrong.

PHP 5.4 was end of life September 14th of 2015. (Edit by Joe: This is not accurate for PHP 5.4 in CentOS 7.) You were simply BEGGING to be hacked by leaving it on your system this long. That’s the chance you take when dealing with old, outdated, no longer supported software.

Bite the bullet, do as Calport says and from here on out when it reaches end of life, get rid of it.

Please don’t spread misinformation. PHP 5.4 as provided by CentOS 7 is not EOL. CentOS (and RHEL from which it is derived) continue to maintain the packages they provide throughout the life of the distro. CentOS 7 will be maintained until 2024.

If OP was up to date with system packages, then the exploit was more likely due to a bug in the app(s) they’re running than the PHP binary.

1 Like

OP, I have edited your title to correctly reflect the version of PHP you have (I assume it is correct, since you said 5.4 later in the post). CentOS 7 PHP 5.4 is actively maintained. It is not EOL and will not be until 2024.

Upgrading to PHP 7 is irrelevant to the problem you have.

It was I who edited the OP’s title to include a version of PHP to make it appear less alarming - it was originally something like “Php-cgi vulnerability” which could have sent the pulse of the community racing.

The mistake I made is to append 5.6 instead of 5.4. Sorry about that.


yes, i think is wordpress or php app have trouble and not php / centos.

i suggest you to run maldet or imunify to find php files compromides and delete / repair.

check also user’s cronjob…

I’ve seen a similar things in the past. The malware is in, and it copies itself to all php files in the account.
The files will need to be replaced with a clean copy from backup, or cleaned up manually, while the site is offline.
Any remnant of the malware will reinfect all the files again.
And as ale.ab mentioned, check the cron jobs, malwares tend to create jobs that will revive them after cleaning up the php code.

If the infected user account did not have sudo, you’re probably fine with your current operating system and don’t need to rebuild it.

Finally, make sure to avoid the issue again by fixing the vulnerability in the php code.
This looks like WordPress, so make sure to have the core, the themes, and the plug ins all updated.
And remove any plug ins and themes that are not available on the WordPress store.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.