  1. #1

    Malicious PHP Code?

    Hey All, the person that updates the content on the agency's website reported that it "wasn't working". Indeed, when I checked it, I got warnings from Firefox 3.5.5, IE7 and the Google Safe Browsing diagnostic page:

    What is the current listing status?

    Site is listed as suspicious - visiting this web site may harm your computer.

    Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

    What happened when Google visited this site?

    Of the 101 pages we tested on the site over the past 90 days, 13 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-11-15, and the last time suspicious content was found on this site was on 2009-11-10.

    Malicious software includes 11 scripting exploit(s), 7 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

    Malicious software is hosted on 4 domain(s), including bigcjewelryandloan.com/, seoshell.com/, sparte-fussball.de/.

    This site was hosted on 1 network(s) including AS30447 (INFB2).

    Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, mydomain.com did not appear to function as an intermediary for the infection of any sites.

    Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.


    It even triggers the Malwarebytes Antimalware IP protection. I downloaded the entire public folder and scanned it three times each with the following antimalware/antivirus applications:
    SUPERAntispyware 4.30.1004, Malwarebytes Anti-Malware 1.41 and Microsoft Security Essentials 1.69.1105.0, all with fresh updates. Every scan was clean. I opened a ticket with the hosting service, no disposition yet but I did manage to wrangle this out of tier 1:

    Disabled exploits:

    ---------- 1 root root 141 2009-11-18 01:46 ./public/images/gifimg.php
    ---------- 1 root root 141 2009-11-18 01:46 ./public/Web/images/gifimg.php

    I then uploaded both copies of that file to virustotal.com and only 1 out of 41 antivirus/antimalware engines (Sophos) found Troj/PHPMod-C. Looks like it may be a Gumblar residual/variant.

    A few questions, if I may: What is the least painful way to clean this up and what will be the extent of short term damage to the integrity of the site? (stopbadware.org etc)

    The content is updated with SmartFTP. Aside from not storing passwords in the client, using FTPS or SFTP and changing all site passwords, what is the best way to prevent this in the future? I'm surprised that the 3 apps I mentioned above came back clean if it is what it sounds like. Should they have picked it up?

    Thank you. Thank you very much!

  2. #2
    Hello,

    Please scan your server using an anti-virus like clamd and check the result. If any malicious code has been installed on your server, you can easily find its location with this scan.

    Shiju S Thomas
    Admin-Ahead

  3. #3
    Also ,

    you may run the following script and see if anything unusual is found on the server, other than the session files and usual temp files.

    Save it as a script (script.sh), give it permission 700, run it as sh script.sh and check the generated exploits.txt file for any unusual entries.

    Code:
    #!/bin/sh
    # Directories that web-server accounts are usually allowed to write to.
    for x in /dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp; do
        # Long recursive listing; keep blank lines and directory headers for
        # context, keep only entries owned by web-server accounts, then keep
        # only directories (/), executables (*) and Perl scripts among those.
        ls -loAFR "$x" 2>&- \
            | grep -E '^$|^/| apache | nobody | unknown | www | web ' \
            | grep -E '^$|^/|/$|\*$|\.pl$'
    done | tee exploits.txt
    # Count the non-header lines, i.e. the candidate files and directories.
    printf '\n\nPossible Exploit Files and Directories: %s\n' \
        "$(grep -Ev '^$|^/' exploits.txt | wc -l | tr -d ' ')" | tee -a exploits.txt
    exit
    Regards,
    Alan John

  4. #4
    They are shell scripts, not a virus: a sort of admin panel that allows hackers to do almost whatever they want with your server.
    Most of the time they are uploaded inside image directories.
    You can block PHP file execution in such directories (and in all static directories as well) with an .htaccess.

    Code:
    # Activate mod_rewrite :
    RewriteEngine on
    # No PHP allowed in that directory :
    RewriteRule \.php$ http://en.wikipedia.org/wiki/Script_kiddie [R=301,L]
    But finding how they were uploaded (most of the time through an old, vulnerable CMS) and patching it would definitely solve the problem.
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.
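    A worked example of the "no PHP in static directories" idea from this post, added here and not NinTechNet's or the poster's code: a small shell script to run against a downloaded copy of the site that drops a deny-anything-executable .htaccess into each static directory and reports which ones still lack it. It assumes Apache 2.2-style Order/Deny directives and AllowOverride Limit in those directories; the directory names (images, img, css, js, uploads) and the demo site layout are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the poster's code: put a "no scripts here" .htaccess into
# every static-asset directory of a local copy of the site (to be uploaded
# afterwards), and audit which such directories are still unprotected.
# Assumptions: Apache 2.2-style access control (Order/Deny), AllowOverride
# permitting Limit in those directories, and that the directory names below
# are the ones that hold only static content.

STATIC_DIR_NAMES='images img css js uploads'

# The .htaccess fragment. Unlike the redirect rule in the thread, this denies
# the request outright, and it covers more than just the .php extension.
htaccess_body() {
    cat <<'EOF'
# Static assets only: refuse to serve anything that could execute server-side.
<FilesMatch "\.(php|php[0-9]|phtml|phar|pl|py|cgi|sh)$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# True if $1/.htaccess already carries the fragment.
is_protected() {
    [ -f "$1/.htaccess" ] && grep -qF '<FilesMatch "\.(php' "$1/.htaccess"
}

# Static directories under web root $1 that lack the fragment, one per line.
unprotected_static_dirs() {
    root=$1
    for name in $STATIC_DIR_NAMES; do
        find "$root" -type d -name "$name"
    done | sort | while read -r d; do
        is_protected "$d" || printf '%s\n' "$d"
    done
}

# Append the fragment to .htaccess in every unprotected static directory
# (appending keeps any rules that are already there).
protect_static_dirs() {
    unprotected_static_dirs "$1" | while read -r d; do
        htaccess_body >> "$d/.htaccess"
        printf 'protected %s\n' "$d"
    done
}

# Self-contained demo on a constructed copy of a site (layout is made up but
# mirrors the two images/ directories mentioned in the thread).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/public/images" "$root/public/Web/images" "$root/public/css"
    printf 'Options -Indexes\n' > "$root/public/images/.htaccess"
    echo "== before =="; unprotected_static_dirs "$root"
    echo "== applying =="; protect_static_dirs "$root"
    echo "== after =="; unprotected_static_dirs "$root"
    echo "== $root/public/images/.htaccess =="; cat "$root/public/images/.htaccess"
    rm -rf "$root"
}
demo
```

    Upload the resulting .htaccess files alongside the content; a gifimg.php dropped into images/ afterwards then gets a 403 instead of executing. This complements, rather than replaces, finding and closing the upload vector.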

  5. #5
    @shijusthomas, the webserver is running Apache on Linux but I don't have that kind of access.

    @alanzkorner, I wouldn't know what to do with that if someone put a gun to my head.


    @khunj, if I block PHP file execution, wouldn't that cause some other problem, like the images not displaying correctly? As to how they were uploaded in the first place: I know it's possible, but how probable is it that the cause was the PC used to FTP the site being compromised somehow?

  6. #6
    That won't affect the display of images, CSS, JS etc. Since it is a .htaccess file, it means that even if the hacker found a way to upload a shell script again, he just couldn't run it from his browser inside that directory.
    About how it was uploaded, it's hard to tell you. A small vulnerability is enough to do it. There are a lot of ways to do it.
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.

  7. #7
    If you do not have the level of access required, you need to contact your web host and have them check your site for a rootkit.

    http://www.chkrootkit.org/
    http://rkhunter.sourceforge.net/

    The fact that the Google malicious notification states "13 page(s) resulted in malicious software being downloaded" leads me to believe you have an iframe injection or some type of script injection.

    Look at the modified dates of files/folders on your server and see if anything has recently been changed when it should not have. Then open that file to look for anything out of place.

    Once you've cleaned the issues you'll need to sign into your Google Webmaster Tools account and request them to re-scan your site to remove the warning.
    Larry Dougherty
    Hosting.com Server Engineer

  8. #8
    Scan your site with Upload Guardian.
