Thread: Malicious PHP Code?
11-19-2009, 04:28 AM #1 New Member (Join Date: Nov 2009, Posts: 2)
Malicious PHP Code?
Hey All, The person that updates the content on the agency's website reported that it "wasn't working". Indeed, when I checked it, I got warnings from Firefox 3.5.5, IE7 and the Google Safe Browsing diagnostic page:
What is the current listing status?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 101 pages we tested on the site over the past 90 days, 13 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-11-15, and the last time suspicious content was found on this site was on 2009-11-10.
Malicious software includes 11 scripting exploit(s), 7 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 4 domain(s), including bigcjewelryandloan.com/, seoshell.com/, sparte-fussball.de/.
This site was hosted on 1 network(s) including AS30447 (INFB2).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, mydomain.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
It even triggers the Malwarebytes Antimalware IP protection. I downloaded the entire public folder and scanned it three times each with the following antimalware/antivirus applications:
SUPERAntispyware 4.30.1004, Malwarebytes Anti-Malware 1.41 and Microsoft Security Essentials 1.69.1105.0, all with fresh updates. Every scan was clean. I opened a ticket with the hosting service, no disposition yet but I did manage to wrangle this out of tier 1:
Disabled exploits:
---------- 1 root root 141 2009-11-18 01:46 ./public/images/gifimg.php
---------- 1 root root 141 2009-11-18 01:46 ./public/Web/images/gifimg.php
I then uploaded both copies of that file to virustotal.com and only 1 out of 41 antivirus/antimalware engines (Sophos) found Troj/PHPMod-C. Looks like it may be a Gumblar residual/variant.
A few questions, if I may: What is the least painful way to clean this up and what will be the extent of short term damage to the integrity of the site? (stopbadware.org etc)
The content is updated with SmartFTP. Aside from not storing passwords in the client, using FTPS or SFTP and changing all site passwords, what is the best way to prevent this in the future? I'm surprised that the 3 apps I mentioned above came back clean if it is what it sounds like. Should they have picked it up?
Thank you. Thank you very much!
11-19-2009, 11:18 AM #2 Newbie (Join Date: Oct 2009, Posts: 9)
Hello,
Please scan your server using any anti-virus like clamd and check the result. If any malicious code has been installed on your server, you can easily find its location with this scan.
Shiju S Thomas
Admin-Ahead
11-19-2009, 01:02 PM #3 Junior Guru Wannabe (Join Date: Oct 2007, Location: India, Posts: 68)
Also, you may run the following script and see if anything unusual is found on the server, other than the session files and the usual temp files.
Make this a script, script.sh, give it permission 700, run it as sh script.sh and check the generated exploits.txt file for any unusual entries.
# List everything under the usual world-writable directories, keep only entries
# owned by the web server user, then keep directory headers, directories (/),
# executables (*) and .pl scripts. Results accumulate in exploits.txt.
: > exploits.txt
for x in /dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp; do
  ls -loAFR "$x" 2>/dev/null | grep -E "^$|^/| apache | nobody | unknown | www | web " | grep -E "^$|^/|/$|\*$|\.pl$" | tee -a exploits.txt
done
# Count the non-blank, non-header lines, i.e. the flagged entries.
echo -e "\n\nPossible Exploit Files and Directories: `grep -Ev "^$|^/" exploits.txt | wc -l | tr -d ' '`" | tee -a exploits.txt
exit
Regards,
Alan John
11-19-2009, 02:19 PM #4 Aspiring Evangelist (Join Date: Mar 2009, Location: /home/khunj, Posts: 433)
They are shell scripts, not a virus: a sort of admin panel that allows hackers to do almost whatever they want with your server.
Most of the time they are uploaded inside images directories.
You can block php files execution in such directories (and in all static dir as well) with an .htaccess.
Code:
# Activate mod_rewrite :
RewriteEngine on
# No PHP allowed in that directory :
RewriteRule \.php$ http://en.wikipedia.org/wiki/Script_kiddie [R=301,L]
NinTechNet
★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
★ NinjaMonitoring : Monitor your website for suspicious activities.
11-19-2009, 07:10 PM #5 New Member (Join Date: Nov 2009, Posts: 2)
@shijusthomas, the webserver is running Apache on Linux but I don't have that kind of access.
@alanzkorner, I wouldn't know what to do with that if someone put a gun to my head.
@khunj, if I block PHP file execution, wouldn't that cause some other problem like the images not displaying correctly? As to how they were uploaded in the first place: I know it's possible, but how probable is it that the cause was the PC used to FTP the site being compromised somehow?
11-20-2009, 03:18 AM #6 Aspiring Evangelist (Join Date: Mar 2009, Location: /home/khunj, Posts: 433)
That won't affect the display of images, CSS, JS etc. Since it is a .htaccess file, it means that even if the hacker found a way to upload a shell script again, he just couldn't run it from his browser inside that directory.
About how it was uploaded, it's hard to tell you. A small vulnerability is enough to do it. There are a lot of ways to do it.
NinTechNet
★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
★ NinjaMonitoring : Monitor your website for suspicious activities.
11-19-2009, 07:17 PM #7 Junior Guru Wannabe (Join Date: Nov 2009, Posts: 70)
If you do not have the level of access required, you need to contact your web host and have them check your site for a rootkit.
http://www.chkrootkit.org/
http://rkhunter.sourceforge.net/
The fact that the Google malicious notification states "13 page(s) resulted in malicious software being downloaded" leads me to believe you have an iframe injection or some type of script injection.
Look at the modified dates of files/folders on your server and see if anything has recently been changed when it should not have. Then open that file to look for anything out of place.
Once you've cleaned the issues you'll need to sign into your Google Webmaster Tools account and request them to re-scan your site to remove the warning.
Larry Dougherty
Hosting.com Server Engineer
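A local triage script for a downloaded copy of the site, combining the advice in posts #4 and #7 (PHP files sitting inside image directories, files modified after a given date, iframes that load another host). This is an added example, not code from anyone in this thread; the static directory names, the sample pages and the host evil.example are constructed for the demonstration, and mydomain.com is the placeholder name used in the original post.

```python
import re
import tempfile
from pathlib import Path

# Directories that should hold only static assets; a PHP file here is suspect
# (post #4). The names are an assumption for this example.
STATIC_DIR_NAMES = {"images", "img", "css", "js", "uploads"}
PHP_EXT = re.compile(r"\.ph(p[3-7]?|tml)$", re.I)
# Post #7 suspects an iframe injection: flag iframes that load another host.
IFRAME_RE = re.compile(r"""<iframe[^>]+src=["']?(?:https?:)?//([^/"'\s>]+)""", re.I)

def scan_site(root, site_host, changed_since):
    """Walk a downloaded site copy; return sorted (path, reason) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        dirs = {p.lower() for p in rel.parts[:-1]}
        if PHP_EXT.search(path.name) and dirs & STATIC_DIR_NAMES:
            findings.append((rel.as_posix(), "php file inside a static-asset directory"))
        if path.stat().st_mtime >= changed_since:  # changed_since: Unix timestamp
            findings.append((rel.as_posix(), "modified after the given date"))
        if path.suffix.lower() in {".html", ".htm", ".php"}:
            for m in IFRAME_RE.finditer(path.read_text(errors="replace")):
                host = m.group(1).lower()
                if host != site_host.lower():
                    findings.append((rel.as_posix(), f"iframe to external host {host}"))
    return sorted(findings)

def build_sample_site(base):
    """Constructed sample tree: a clean page, an injected page and a PHP file
    dropped in the images directory (file contents are made up)."""
    base = Path(base)
    (base / "images").mkdir(parents=True, exist_ok=True)
    (base / "index.html").write_text("<html><body>Hello</body></html>")
    (base / "about.html").write_text(
        '<p>About</p><iframe src="http://evil.example/x" width="0"></iframe>')
    (base / "images" / "gifimg.php").write_text("<?php /* constructed stub */ ?>")
    return base

def run_demo(changed_since):
    # Build the sample site in a temporary directory and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        return scan_site(build_sample_site(tmp), "mydomain.com", changed_since)

if __name__ == "__main__":
    for path, reason in run_demo(float("inf")):
        print(f"{path}: {reason}")
```

Run it against the real downloaded public folder with `scan_site("public", "yourdomain", <timestamp of the last legitimate update>)`; anything flagged as both "modified" and "php inside a static directory" is the first thing to open.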
11-19-2009, 08:17 PM #8 Keep rockin' in the free world (Join Date: May 2002, Location: Kingston, Ontario, Posts: 1,588)
Scan your site with upload guardian.