MDDHosting Forums

Javascript Injection Attack (or something)



One of my customer's sites had two javascript attacks inserting malicious redirection code.

 

One I had seen before; it appended a line of obfuscated javascript after the opening PHP tag in each index file (and a few others like 404.php).

 

The other one was new to me. It uploaded a file named "google_verify.php" and added the following code to the .htaccess file:

 

<IfModule mod_php5.c>
php_value auto_append_file "google_verify.php"
</IfModule>

<IfModule mod_php4.c>
php_value auto_append_file "google_verify.php"
</IfModule>

 

The file itself was in several places, including outside of the "public_html" folder. It also affected two other accounts. One of those accounts is a straight HTML site that I have never touched (one of my few customers who does everything himself). Finding the file was pretty easy from root in shell:

 

find / -iname 'google_verify.php'

 

It appended a line of packed (obfuscated) javascript to the end of each file as it was served.

 

I scanned my computer to see if I was the source of the infection, but it doesn't look like it. I'm using Sucuri's online scanning tool to check all my sites over the next few days to see if a re-infection occurs.

 

BTW - to find the lines of javascript that had been added, I used two different "grep" commands to find and list all files recursively, starting with the current folder, with the text string in quotes:

 

grep -lr "Oe={MQv1aN%2%7%1%6>:" .

grep -lr "<?php ob_start" .

 

Possible sources of infection:

 

1. Compromised home computer with infection spread via FTP (mine is clean)

2. Old JavaScript code in a WordPress forms plugin (used on two of the sites)

3. Coppermine photo gallery software that was behind one maintenance release (one site)

 

Or?
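The auto_append_file directive above is why the packed JavaScript showed up on pages whose source files were never edited (including the untouched static HTML account): PHP tacks google_verify.php onto every response it serves. A sweep for the three artifacts described in this post, written here as an added example and not taken from the thread, using only the find/grep features the post already relies on (the web-root path is an assumption; point it at the account's home directory since the dropper was also found outside public_html):

```shell
#!/bin/sh
# Added example: sweep an account for the three artifacts named in the post.
# Usage: sh scan.sh /home/ACCOUNT   (path is a placeholder)

scan_webroot() {
    root="$1"

    # 1. The dropped file itself, anywhere under the account (case-insensitive,
    #    since the thread found copies outside public_html as well).
    find "$root" -type f -iname 'google_verify.php' | sed 's/^/DROPPER   /'

    # 2. .htaccess files that tell PHP to append (or prepend) an arbitrary file
    #    to every page it serves; auto_prepend_file is the same trick at the top.
    find "$root" -type f -name '.htaccess' \
        -exec grep -lE 'php_value[[:space:]]+auto_(append|prepend)_file' {} + \
        | sed 's/^/HTACCESS  /'

    # 3. PHP/HTML files carrying the two injected markers the post grepped for.
    #    Braces and '?' are escaped because these are extended regexes.
    find "$root" -type f \( -name '*.php' -o -name '*.html' \) \
        -exec grep -lE -e 'Oe=\{MQv1aN' -e '<\?php ob_start' {} + \
        | sed 's/^/INJECTED  /'
}

# Number of findings, so the sweep can be used as a nightly pass/fail check.
scan_count() {
    scan_webroot "$1" | wc -l | tr -d ' '
}

if [ $# -gt 0 ]; then
    scan_webroot "$1"
    echo "findings: $(scan_count "$1")"
fi
```

A count of zero after cleanup and a password rotation, re-run daily, is a cheap way to notice the re-infection the post is watching for.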


Details I can find seem to indicate that this attack uses a compromised FTP account.

 

http://stackoverflow.com/questions/6686354/virus-problem-google-verify-php-and-ftp-passwords

http://sucuri.net/malware/malware-injection-jtoolsmini-js

 

Obviously, change all related FTP passwords, remove any infection you have found, and then be sure your users are making use of FTPES (as opposed to plain, old, unencrypted FTP).


Details I can find seem to indicate that this attack uses a compromised FTP account.

 

http://stackoverflow.com/questions/6686354/virus-problem-google-verify-php-and-ftp-passwords

http://sucuri.net/malware/malware-injection-jtoolsmini-js

 

Obviously, change all related FTP passwords, remove any infection you have found, and then be sure your users are making use of FTPES (as opposed to plain, old, unencrypted FTP).

 

That's what I've read as well, but I don't have any customers who used FTP during the infection time. I thought it must be me, but it was limited to three accounts, one of which I have never logged into, and my system scans clean (I used three different malware and virus scanning tools).

 

I have notifications set up to get an email every time an account is accessed via FTP, each time they log into cPanel, and for all SSH logins, and there was nothing going on (except for my logins). But I'm also going by the file dates of all the modified files; perhaps the file dates changed more than one time.


I suppose the details could have been sniffed prior to the hack and saved for later use. It's also possible there is another point of entry. Definitely make sure all of the plugins, scripts and themes are updated ASAP, just to be safe. If you haven't already, you can open a ticket and see if our support team is able to check through your logs and find anything useful.

I suppose the details could have been sniffed prior to the hack and saved for later use. It's also possible there is another point of entry. Definitely make sure all of the plugins, scripts and themes are updated ASAP, just to be safe. If you haven't already, you can open a ticket and see if our support team is able to check through your logs and find anything useful.

 

That's a good idea; I haven't been able to find anything on my own, and it had to come from SOMEWHERE.


Scott, I have to thank you for the tip on the logs. I took a look in /var/log and downloaded "messages", "messages.1" etc. I found the problem; I did have a javascript exploit that compromised my FTP program. I scan nightly, but between the time of the infection and the scan, the FileZilla passwords file was evidently distributed. The attack on a few of the sites happened from several different IP addresses (fortunately, many of the sites in FileZilla did not have the password saved, so it was limited).

 

I will submit a ticket on the best way to globally change the passwords or force a password change at the next login attempt. Not sure the best way to do that!
