I need help cleaning up some website files. There are some viruses on a site I sold to a member here, and the hosting was suspended due to spam/phishing emails being sent from these files. Please excuse me as I'm not really sure how best to proceed. The person I sold the site to is unhappy, as I can understand, and I want to be able to send him the cleaned-up files. If someone can help with this, I would appreciate it and pay for the service. However, you must know what you are doing, as I want to take care of this in one swoop.
Last edited by Namefox; 09-30-2009 at 11:27 AM.
That is an email issue, not an HTML issue?
It's probably not the files, but the server itself. If your server is not up to date, hackers can use common backdoors to install a phishing site.
The same thing has happened to me... yet my server/hosting company JaguarPC is blaming me and my site files. I have no clue about these phishing scams, file viruses, etc. How does one clean this crap up??
There is nothing to clean. UPDATE your server / Joomla / whatever to the latest versions.
Thank you Raoul. I appreciate your input on this.
@Raoul
I have a semi-dedicated at Jaguar, with PHP 5.2.5, Linux. What else do you need?
I just got another phishing attempt!! WTF??? How do they keep getting into my files? I have many WordPress sites hosted, but all are using 2.8.4, and I have one site that is disabled. It was custom designed and I have no clue if any of the files in there are in fact infected. Any ideas??
Was this a WordPress site? That happened to me and it was simply a hack of the site. They were able to gain access using the admin account; they likely used some sort of brute-force password app... They put a bunch of crap code in the footer.php file. It must have been a bot or something, because every time I changed the file it would get changed back in a day or two...
The only way to fix it was to create a new administrator account (with a new username) and delete the admin account... which should have been done from the start anyway...
Usually these "hackers" use something like "yourdomain.com/bladibla/yourbankname/login".
Tell me what your "root" domain uses, for example Joomla, vBulletin, whatever, plus versions.
To say it simply, they use KNOWN backdoors in old versions of these scripts. It is technically "very easy" to build your own spider tool that harvests these low versions of scripts on the internet.
Tell me if the server itself is managed (the hoster's responsibility*) or unmanaged.
* Not for scripts, but for the OS on the server (Linux, Debian, etc. also receive "weekly" updates and security patches).
I assume this is a dedicated server?
1. Delete all the files under the /tmp folder
2. Remove all processes run by the "nobody" user
3. Check all the folders under the /public_html folder and remove suspicious folders & files
4. Reboot the server
Raoul, the "root" domain is a custom site I had bought. I have taken the site down, because that is where I believe the infected file is. However, I have no idea where inside all those folders it can be. Should I just back up these files, download them, and just delete the site's files from the server? Also, it is a managed server, and they keep telling me I am the only customer on this server that keeps getting these phishing attacks.
Try this: http://www.unmaskparasites.com
@tony
You're not getting my point. Popular platforms which are used to build sites, Joomla, WordPress and ANY other, have bugs. To fix the bugs they release security patches/updates for the scripts.
So there is no infection in any files; there is an unpatched backdoor used to insert (inject) new pages onto your server..........
Final try to explain with an example: I just got a phishing email, with this link zambezilife.com//includes/phpmailer/bofa/images/verify.php
It's a phishing mail to phish for email accounts...
Now if I go to the ROOT http://zambezilife.com/ I can see it's a Joomla page (just set up, version 1.5).
When I check the Joomla changelog, I can see that a VERY important security update is needed:
What's new in Joomla! 1.5.6:
· SECURITY [HIGH] Fixed security hole in reset logic to check for proper token length.
So if he does not install a higher version of Joomla, he will stay exposed to this security hole. His files themselves are 90% sure not infected; it's just "hobby hackers" using PUBLICLY known holes....
Last edited by raoul; 10-01-2009 at 07:49 PM. Reason: Automerged Doublepost
If it's a managed server they should be able to provide proof that it is coming from your files. It could be a vulnerability in the server that is allowing remote access.
If they got access to your server and have any knowledge, they can do very tricky things: opening ports and binding shells to them, placing shells in image files / text files and using .htaccess files to make them executable. The list goes on.
My suggestion would be to go through your Apache error logs first, looking for odd entries. This can usually lead to finding the hole they got in from. For instance, on a recent server I had the pleasure of examining, I found the error log had a ton of
/roundcube/
/rc/
/roundcube-mail/
type paths, then it suddenly stopped. I found that Roundcube was installed and had a recently published exploit allowing remote access and write permissions.
Next I would examine the access logs. This can be daunting, but I would look for specific query strings:
search for ../, which is a common trick used in directory traversal vulnerabilities to travel the directory path without knowing the file structure. Also look for calls using POST to files you do not recognize or that shouldn't have been called with the POST method.
Lastly, if you still can't find it, I would take a backup of all sites, then revert to a known good backup. Then once the phishing starts again, take note of the timeline and investigate using that timeline.
Hope some of that is useful.
Cheers,
Jay
Canadian Registrar ~~ Ready.ca
Last edited by Namefox; 11-21-2010 at 08:31 PM.
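The access-log review Jay describes (look for `../` and for POSTs to files that should never receive one) as an added example, not code from the thread: a small Python scanner over constructed Apache combined-format lines. The sample lines, the IPs and the allow-list of legitimate POST targets are assumptions; the scanner also decodes URL-encoded forms such as `..%2F`, which the post does not mention.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample Apache combined-format log lines (not from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Oct/2009:10:12:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2009:10:12:03 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2009:10:13:44 +0000] "GET /images/logo.png?x=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [01/Oct/2009:10:14:02 +0000] "POST /includes/phpmailer/upload.php HTTP/1.1" 200 33 "-" "curl/7.19"
192.0.2.9 - - [01/Oct/2009:10:15:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Oct/2009:10:16:00 +0000] "GET /roundcube/ HTTP/1.1" 404 200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Files that legitimately receive POST on this site (assumed allow-list; adjust per site).
KNOWN_POST_TARGETS = {"/wp-login.php", "/wp-comments-post.php", "/index.php"}

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Decode twice so single- and double-encoded "..%2F" compare like "../".
    d["decoded"] = unquote(unquote(d["path"]))
    return d

def is_traversal(entry):
    """True when the decoded path or query contains a parent-directory hop."""
    return "../" in entry["decoded"] or "..\\" in entry["decoded"]

def is_unexpected_post(entry):
    """True for a POST to a file that is not on the allow-list."""
    target = entry["decoded"].split("?", 1)[0]
    return entry["method"] == "POST" and target not in KNOWN_POST_TARGETS

def scan_log(text):
    """Return (kind, ip, raw_path) findings for every suspicious line."""
    findings = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if is_traversal(e):
            findings.append(("traversal", e["ip"], e["path"]))
        if is_unexpected_post(e):
            findings.append(("unexpected_post", e["ip"], e["path"]))
    return findings

def ips_by_finding(findings):
    """Count findings per client IP, to see who to look at first in the timeline."""
    return Counter(ip for _, ip, _ in findings)

if __name__ == "__main__":
    for kind, ip, path in scan_log(SAMPLE_LOG):
        print(f"{kind:16} {ip:15} {path}")
```

On a real server, feed the function the contents of the access log and extend the allow-list with every form handler the site actually uses before treating the remaining POSTs as suspicious.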
Man, on shitty virus scanners many files are "suspicious"; besides, virus scanners are not built to scan PHP files.
Upgrade that OScommerce temporarily, and I am sure it's solved (unless it's the server itself that is not upgraded correctly).
There are known bugs in OScommerce that allow someone to:
- insert a new subdirectory on the server
- insert a new HTML page in the newly created subdirectory
This is exactly how this phishing on other people's servers works.....
Yes, and the HTML pages are already inserted... So if I don't get rid of them the same problem will persist, upgrade or no upgrade... Or am I wrong?