How We Detected the Virus and Stopped the Infection
Recently we encountered a mass infection of several sites on 1C-Bitrix. After treating the standard viruses (for example, those planted through vulnerabilities in Aspro), backdoors continued to appear - new files were created in the /ajax/ folder every day:
- 1d861c1d0a00.php
- 61707a3351d8.php
- assets/... (hidden backdoors)
How did we find the source?
- Checked the file creation dates and compared them with the web server logs.
- Found that all the attacks were going through /ajax/error_log_logic.php.
- After that file was removed, new backdoors stopped appearing.
Conclusion: the virus was hiding in error_log_logic.php and used it to download malicious scripts.
How did the virus work?
1. Entry point: error_log_logic.php
The file looked harmless, but contained vulnerable code that allowed an attacker to:
- Write PHP files (file_put_contents).
- Execute arbitrary code (eval, base64_decode).
Example of a malicious request from the logs (the value of the data parameter is omitted):
GET /ajax/error_log_logic.php?data=
2. Creating backdoors
The hackers uploaded encrypted PHP files that:
- Gave access to the server.
- Allowed the download of new viruses.
- Spread to neighboring sites.
3. Further infection
After the first backdoor was planted:
- The virus scanned other sites on the same hosting.
- It infected them through the same vulnerabilities.
How to detect such a virus?
1. Check the /ajax/ folder
Search for suspicious files (paths are relative to the site document root):
ls -la /ajax/
find /ajax/ -name "*.php" -mtime -7   # files modified in the last week
Note that -mtime checks the modification time, which an attacker can reset with touch, so a clean result from this command alone does not prove the folder is clean.
2. Analyze logs
grep "error_log_logic.php" /var/log/nginx/access.log
grep "file_put_contents" /var/log/nginx/error.log
PHP warnings only reach the nginx error log when PHP-FPM forwards worker output, so check the PHP-FPM log as well.
3. Check the contents of suspicious files
If you found 61707a3351d8.php or similar:
grep -n "eval" /ajax/61707a3351d8.php
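The three detection steps above can be combined into one script that scans the web root for recently modified PHP files carrying the markers the article names (eval, base64_decode, file_put_contents), pulls the requests to the suspected entry point out of the nginx access log, and lines the two up by time so that the request which dropped each file stands out. This is an added example, not code from the original article: the web-root layout, the nginx "combined" log format, the extra markers gzinflate and str_rot13, and all sample files and log lines are assumptions constructed for the demo.

```python
"""Added example (not from the original article): find recently modified PHP
files with dropper/backdoor markers, extract requests to the suspected entry
point from an nginx access log, and correlate the two by time. The web-root
layout, log format and all sample data are constructed assumptions."""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Markers the article ties to the dropper (eval + base64_decode to execute,
# file_put_contents to write new PHP files); gzinflate/str_rot13 are added
# here as common companions (assumption, not from the article).
MARKERS = re.compile(
    rb"\b(eval|base64_decode|file_put_contents|gzinflate|str_rot13)\s*\(")

# nginx default "combined" format (assumption about the site's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOG_TIME = "%d/%b/%Y:%H:%M:%S %z"


def scan_php(root, max_age_days=7, now=None):
    """Return sorted (relpath, mtime, markers) for .php files under root that
    were modified within max_age_days (None = no age filter) and contain a
    marker. Like `find -mtime`, this trusts mtime, which an attacker can reset."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.stat(full).st_mtime, timezone.utc)
            if max_age_days is not None and now - mtime > timedelta(days=max_age_days):
                continue
            with open(full, "rb") as fh:
                found = sorted({m.group(1).decode() for m in MARKERS.finditer(fh.read())})
            if found:
                hits.append((os.path.relpath(full, root), mtime, found))
    return sorted(hits)


def entry_point_requests(log_lines, entry="/ajax/error_log_logic.php"):
    """Parse combined-format lines; keep requests whose path (query stripped)
    is the suspected entry point. Returns (time, ip, method, path, status)."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == entry:
            ts = datetime.strptime(m.group("time"), LOG_TIME)
            out.append((ts, m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))))
    return out


def correlate(hits, requests, window_sec=300):
    """Map each suspicious file to the entry-point requests logged within
    window_sec before the file's mtime: the candidate drop requests."""
    return {
        path: [r for r in requests if 0 <= (mtime - r[0]).total_seconds() <= window_sec]
        for path, mtime, _ in hits
    }


def demo():
    """Build a constructed web root and log, run the three steps, return results."""
    now = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "ajax"))
    samples = {  # constructed files: name -> (contents, age of mtime)
        "ajax/legit.php": (b"<?php echo json_encode(['ok' => true]);", timedelta(days=1)),
        "ajax/61707a3351d8.php": (b"<?php eval(base64_decode($_POST['x']));", timedelta(hours=1)),
        "ajax/backdated.php": (b"<?php file_put_contents($_GET['f'], $_GET['c']);", timedelta(days=40)),
    }
    for rel, (body, age) in samples.items():
        full = os.path.join(root, rel)
        with open(full, "wb") as fh:
            fh.write(body)
        ts = (now - age).timestamp()
        os.utime(full, (ts, ts))
    log = [  # constructed nginx access-log lines
        '203.0.113.5 - - [10/May/2024:10:58:30 +0000] "GET /ajax/error_log_logic.php?data=SAMPLE HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [10/May/2024:11:30:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [09/May/2024:03:12:45 +0000] "POST /ajax/error_log_logic.php HTTP/1.1" 200 12 "-" "curl/8.0"',
    ]
    recent = scan_php(root, max_age_days=7, now=now)
    everything = scan_php(root, max_age_days=None, now=now)
    reqs = entry_point_requests(log)
    return recent, everything, reqs, correlate(recent, reqs)


if __name__ == "__main__":
    recent, everything, reqs, linked = demo()
    for hit in everything:
        flag = "" if hit in recent else " (outside -mtime -7: backdated?)"
        print(f"{hit[0]}: {hit[1]:%Y-%m-%d %H:%M} {hit[2]}{flag}")
    for path, rs in linked.items():
        for ts, ip, method, p, status in rs:
            print(f"  {path} <- {ts:%H:%M:%S} {ip} {method} {p} {status}")
```

Run it once with the default seven-day filter, as the find command does, and once with max_age_days=None: the constructed backdated.php shows why, since a dropper that resets mtime disappears from the first run and only surfaces in the second. Expect false positives from legitimate Bitrix modules that call file_put_contents; the correlation with entry-point requests is what separates a dropped file from a normal one.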
How to protect a website on Bitrix?
1. Remove malicious files
Copy them off the server first so you can analyze them, then delete:
rm -f /ajax/error_log_logic.php /ajax/1d861c1d0a00.php /ajax/61707a3351d8.php
Deleting the dropper stops new backdoors from appearing, but not the vulnerability it was planted through, so the next steps are still required.
2. Update Bitrix and modules
Old versions are vulnerable!
3. Set up access rights
4. Install protection
Need help?
If your 1C-Bitrix site has been attacked and you cannot find the source of the infection, contact us!
We carry out:
- Security audits.
- Search for and removal of backdoors.
- Protection from future attacks.
Conclusion
The virus that works through error_log_logic.php is one of the stealthiest. It is not detected by regular antiviruses, but it can be found through the logs and manual analysis.
The main thing is to delete the infected file in time and close the vulnerabilities it came through!
Share this article - maybe it will save someone's site!