A couple of weeks ago I came across this line of code on my girlfriend’s Mom’s Web site: <img heigth=“1” width=“1” border=“0” src=“http://imgaaa.net/t.php?id=10482688”>
I wasn’t looking for anything malicious, but it stood out so I started digging into it, and ultimately found this thread. She asked me to clean it up for her so this week I took a look at it. The stuff I found was in line with what others found, but there were a couple of additions as well.
Note: I’m not a coder or Web designer, I’m a Cisco guy. If any of what I say seems basic then forgive me; I hope what I found might add to the discussion.
The first modification to the site was the addition of "<img heigth=“1” width=“1” border=“0” src="http://imgaaa.net/t.php?id=10482688">" at the bottom of the /index.php page.
One day later, two more modifications were made:
The .htaccess file was modified (thanks to Sventy’s post for cluing me into looking for that). The file was also hidden so it did not show up when I was looking at the file modification dates. I am not sure if that is normal for this server or if it was modified during the attack.
Files 43.php and 95.php were added. They contained compressed binary code, as outlined in other posts.
Then, within a seven day window, one other file was modified and one was added.
First, an index.html file in a sub-directory was modified to include this script: #1851387 - Pastie (NOTE: Your anti-virus may go crazy viewing that link; if you’re worried about it then you can view a screenshot of it here: [url=http://img832.imageshack.us/i/scriptm.jpg/]ImageShack® - Online Photo and Video Hosting.)
There were two other things in that same file that I think were probably additions, but I can’t know for sure since I didn’t have the original to compare against. They didn’t look right so I removed them. They are both shown in this pastie: #1851393 - Pastie
The last change was that a file named hxyn.php was uploaded to the root of the Web site. This file was the “Web Shell by oRB” script. Again, I’m not a coder, but from what I can tell this file is designed to check for vulnerabilities or security flaws on the web server (.htpasswd, config files, admin files, etc). You can view it here: #1851432 - Pastie
One thing to note about hxyn.php is that is that it contains some mechanism to keep you from viewing it on the Web server using nano or vi (at least I couldn’t view it on this particular server, which is Debian based). The file is easily viewable once you download it and open it in a local editor. I am assuming this is to keep it from being found through grep, etc.
- Change your FTP passwords. That goes without saying.
- IMMEDIATELY change the passwords to any other accounts that used the same password as your FTP/SSH/Telnet, ESPECIALLY if they are email or banking accounts. The best thing to do is just assume all of your passwords or your client’s passwords were compromised.
- Look for any files that were modified OR ADDED after the attack. Remember that restoring from a backup will not necessarily remove added files. This particular attack starts with the imgaaa line of code, so if you can identify when that line was added to a page then you have a nice baseline of when to start looking for changes.
- Don’t forget directories and hidden files. Filezilla contains a nice feature that will try to show hidden files. Remember to turn it on.
- Download the Web site (unzipped) to a Windows PC that has good malware protection. Check the logs of your anti-malware products to see if they detected anything unusual in the files.
- Don’t forget to look for scripts or anything else unusual that may have been added.
Unfortunately I have the feeling that my girlfriend’s Mom’s site may have been compromised in more ways than what I saw. If anyone else has any suggestions on what to look for then I’d appreciate it. It was coded from scratch so it is not based on WP or Joomla or anything like that, and it is written in a combination of html and php.