We have already raised the topic of malicious attacks on 1C-Bitrix sites before: in February 2025 we analyzed a similar infection case in detail. That time, too, the virus disguised itself as system files, created hidden directories and embedded dangerous code. More on that case at the end of this article.
Since the beginning of July, our 1C-Bitrix site has been under a malicious attack. Below are all the signs of infection, what the virus did, and recommendations for administrators and developers who may run into a similar situation.
What was discovered
The attacker created a number of new files in non-standard locations. Many of them were disguised as system or service files:
- /assets/.htaccess
- /include/.htaccess
- /.htaccess1
- /ajax/.htaccess
- /bitrix/.htaccess
- /bitrix/cjfuns.php
- /local/components/menu.php — the file was disguised as a menu component, although in Bitrix the correct menu names begin with a dot, for example: .left.menu.php and .left.menu_ext.php
- /options-discussion.php
An obfuscated file was also created:
- wp-ver.php, with permissions 444. Whenever this file was deleted, it instantly reappeared.
When examining the process list in htop, we noticed that the file was being restored by a background process launched with the command:
php /tmp/different_symbols_and_site_name_at_the_end
After forcibly terminating this process, the file was no longer restored. This indicates that the virus was running itself as a daemon from a temporary directory.
Note: under normal conditions the process list in htop should not contain any suspicious php processes running from /tmp.

Important to remember!
- All files managed by Bitrix must have permissions 644
- All directories must have permissions 755
Modified original files
The attacker also made changes to key system files:
- /index.php
- /bitrix/header.php
Targeted attacks on Aspro solution
Attempts to exploit vulnerabilities in the standard Ajax handlers of the Aspro template were particularly active:
- /ajax/basket_fly.php
- /ajax/show_basket_fly.php
- /ajax/show_basket_popup.php
Attempted penetration via non-existent script
An attempt to access a non-existent file was noticed in the logs:
- /bitrix/admin/esol_import_excel_cron_settings.php
This may indicate that the site is being scanned for vulnerabilities in third-party modules.
Security scanner
The Bitrix security scanner began sending notifications about activity limits being exceeded from certain IP addresses. This is a clear sign of attacks by automated scripts.
Proactive Defense Monitor
All attacks are clearly reflected in the “Proactive Defense Monitor” section. It shows which PHP requests were blocked by the system. Importantly, the system itself worked correctly and in some cases successfully blocked malicious access attempts.

Recommendations
- Check all system and root folders for non-standard files. Pay special attention to all .php, .htaccess and hidden files.
- Check active processes via htop. Any background PHP process started from a temporary directory (/tmp) is a cause for concern.
- Check access permissions:
  - files: 644
  - folders: 755
- Delete all suspicious files, especially:
  - wp-ver.php
  - cjfuns.php
  - any files that are not part of the structure of your template/module
- Terminate the malicious process, if it is still active, using kill.
- Update Bitrix to the latest version, including all modules, especially Proactive Protection and the Security Scanner.
- Enable and configure Proactive Protection if it was previously disabled.
- Set up log monitoring and alerts so that you can respond more quickly to repeat attacks.
- Check your web server for virus signatures (you can use tools such as ai-bolit, ISPProtect, or the hosting provider's built-in antivirus modules).
- Make a backup after a complete cleanup and make sure it is clean.
Let us recall that in early February 2025 a similar virus was spreading across the web, affecting Bitrix sites. It created hidden directories (for example, /aspro_regions/robots/), added suspicious files to the root of the site (robots.connections.php, wp-ver.php, index.php), and also replaced index.php, inserting obfuscated malicious code into it. The main logic of the virus was to collect data about visitors (in particular, IP address and geolocation), and if the visitor was in Indonesia or the USA, a phishing readme.html was included. Hidden backdoors, data transfer to external servers and execution of remote commands were also used. The main goals of the virus were redirects, data theft, and the creation of entry points for further attacks. We analyzed that case in detail in the article "February virus on Bitrix".