! EMERGENCY ! Exploited host


#21

Firstly seiler, I wouldn’t consider myself a ‘jerk’; hijacking a thread just to point out your opinion of me isn’t helping.

You can imagine that when reading a response to this thread in the hope that somebody will have an idea on what may be causing this, and it’s a question that was answered in a previous thread, it can become frustrating.

I will make it clear that I appreciate anybody’s ideas and recommendations, and I do not think I am better or know more than anybody; most of my posts in this thread have ended in questions.

The response I had from DH was not literally as I stated… I was merely conveying the tone of the response. The fact that it may be only my hosting that has been compromised is indeed a fact that has to be considered. If this is the case, then I would consider it a wise decision to at least look at my account to see if this poses a risk to the rest of the server.

I hope this clears up any misgivings and makes my purpose here clear.


Update: Reply from DH

It’s possible there was something hiding in /tmp, so I removed everything there. I also made sure you have no crontabs set up.

There should be nothing on your account now, so this should stop happening. If it does, then we’ll need to delete the username, and start over.

Well, at least this person took it seriously enough to take some sort of action. I won’t know if this has helped until I get home from work and can check the server, but I will keep you informed.

The encrypted code in the index.php creates a file containing the ‘feebs’ worm on the visitor’s computer. I, having visited the site, have been infected and I’m having great difficulty in removing it.

It seems to be using explorer.EXE, which is running from my \Windows\ dir; also scvhost.exe has opened up numerous ports as ‘system’ with a PID of 0 … therefore the process cannot be killed.

Using netstat -an, I can see about 100 LISTENING conns to .AU servers on port 53.

My router should prevent any data being transferred, although I have put my firewall (Kas) on lockdown.

I’ll update this evening when I have looked at the server.


#22

Good to see you are getting closer to a resolution VB.

If it was me, I wouldn’t be going near my Dreamhost account until such time as I was completely satisfied that my PC was not infected with a worm that may be keylogging. Some friendly advice. :slight_smile:


Web Hosting Reviews | Shonky’s Blog


#23

Agreed, it seems there are some similarities between the virus and the files on the server; the fact I picked up the virus from the server is not a surprise.

One thing that did confuse me is that the files on the server had my username in the owner column… and I have just read that a variant of this worm can connect to web servers.

I will check all this out when I get home.


#24

I’d be very surprised if you picked up the worm from DH’s servers; since you use IE, you could have picked it up from just about anywhere.


Web Hosting Reviews | Shonky’s Blog


#25

I picked up the virus from viewing the infected index.php from the server… until the server was infected with this worm, I had no problems. The index.php has encrypted JavaScript code that writes the file when anybody views the page.
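Added example, not code from the thread or from Dreamhost: a POSIX shell triage script for the kind of injected page described in the post above. It flags web files that contain decode-then-eval JavaScript (`eval(unescape(...))`, `document.write(unescape(...))`, `String.fromCharCode` feeding `eval`, or long runs of `%XX` / `\xXX` escaped bytes), references to `_index.php` (the redirect the thread warns about at its end), and, separately, any file modified in the last N minutes, which is how a page that keeps being replaced would show up. The regular expressions, the file-type list and the sample pages in the usage note are my assumptions; they are not a signature for the actual worm.

```shell
#!/bin/sh
# Added example (not from the thread): triage a shared-hosting web root for
# injected, obfuscated JavaScript. The patterns are an assumption about what
# such droppers look like, not a signature for the real worm.

# Decode-then-eval constructs, long escaped payloads, and the _index.php redirect.
SUSPECT_RE='eval[[:space:]]*\([[:space:]]*(unescape|atob|String\.fromCharCode)|document\.write[[:space:]]*\([[:space:]]*unescape|(%[0-9a-fA-F]{2}){20,}|(\\x[0-9a-fA-F]{2}){20,}|_index\.php'

# scan_webroot DIR: print, sorted, every web file under DIR that matches SUSPECT_RE.
scan_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.html' \
                          -o -name '*.js' -o -name '.htaccess' \) \
        -exec grep -lE "$SUSPECT_RE" {} + 2>/dev/null | sort
}

# show_hits FILE: matching lines with line numbers, truncated so a
# multi-kilobyte encoded payload does not flood the terminal.
show_hits() {
    grep -nE "$SUSPECT_RE" "$1" | cut -c1-120
}

# recent_files DIR MINUTES: files under DIR modified within the last MINUTES.
# Pages that come back within hours stand out here before any content check.
recent_files() {
    find "$1" -type f -mmin "-$2" | sort
}

# Usage: sh scan.sh /home/user/example.com [minutes]
if [ $# -gt 0 ]; then
    scan_webroot "$1" | while IFS= read -r f; do
        echo "== $f"
        show_hits "$f"
    done
    echo "== modified in the last ${2:-180} minutes:"
    recent_files "$1" "${2:-180}"
fi
```

Run it against a copy of the account pulled down over SFTP rather than on the live host if you do not trust the hosting shell; the functions only read. Expect some false positives from minified libraries that legitimately use `String.fromCharCode`, so read the hits rather than deleting on sight.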


#26

Don’t suppose you know if any of the major anti-virus packages are able to pick this up at all? Perhaps if you sent them the details they might have some further info about it which could help you. I think most of them accept suspect files via a weblink.


Norm


#27

Not a bad idea Norm… I’ll download a copy of the files when they are replaced again…


#28

Didn’t the first post mention something about using Firefox? In Firefox / Mozilla / SeaMonkey, or pretty much anything other than IE, those attempts at executing files via ActiveX will have absolutely no effect.

– Dan


#29

You might want to enlist the help of a live Linux CD. Knoppix is a good one in my opinion. You can download and burn this to a CD, pop it into the CD drive and turn on the computer. It will boot up into Knoppix without doing anything to your hard drives; it works entirely from the CD and RAM.

Because Windows won’t be running, it may help to facilitate cleaning your computer. It will certainly allow you read access to your files, so you can create a backup. You’ll need to do that regardless. There are some drawbacks to using Linux here, though: Windows doesn’t like sharing, and writing to NTFS (if you’re using XP, that’s what you’ve got) can entirely corrupt the file system. But at this point, you don’t have much to lose. If you can’t clean it in some manner, you’ll just have to wipe the HD clean and start over.

-Matttail


#30

VB - let us know when you think you’ve got things managed. It’s a bit scary to know that this is going on so close to our sites.

Good luck - we’re pulling for you.


#31

Well, as it stands, my hosting has been empty now for 12 hours apart from the fake index pages I left… and they are still there untouched.

Before, they were replaced within a couple of hours… this leads me to believe that clearing the ‘temp’ dir that Support mentioned in the last email seems to have solved it.

I’m hoping, anyhow. I’ve started to upload the board and site backups, as users are getting quite frustrated.

If this is the case, then it seems the host could have been infected in some way; whether this was due to the new version of vBulletin being exploitable is a possibility, but I doubt it. But I’m hoping it’s cleared now.

All is quiet on the western front ;]

As a final note, I would like to thank those for their comments and support, and ask you to watch out for redirects to _index.php.

~VB


#32

Shouldn’t the temp dir be no-exec anyway? Weird. Oh well, glad it’s back to normal for you regardless :slight_smile:
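Added example, not from the thread or from Dreamhost: the checks behind the question in #32 and the cleanup described in the support reply, as a POSIX shell script for a Linux host. It reads the mount options of the filesystem holding a temp directory, then tests empirically whether a dropped script can actually execute there (the mount label and the real behaviour can differ when /tmp is a bind mount or not its own filesystem), and prints the account's crontab and any /tmp files it owns. `findmnt` (util-linux) and `/proc/mounts` are assumed to exist; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): is the temp dir really noexec, and
# what did the cleanup need to cover? Assumes a Linux host.

# opts_have_noexec "rw,nosuid,noexec,relatime": 0 if the comma-separated
# mount option string contains noexec, 1 otherwise.
opts_have_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# mount_opts DIR: option string of the mount holding DIR. findmnt resolves
# DIR to its mount point; the /proc/mounts fallback needs DIR to be the
# mount point itself (assumption, kept simple on purpose).
mount_opts() {
    findmnt -n -o OPTIONS --target "$1" 2>/dev/null && return 0
    awk -v d="$1" '$2 == d { o = $4 } END { print o }' /proc/mounts
}

# exec_blocked DIR: empirical test independent of how the mount is labelled.
# Writes a one-line script into DIR and tries to run it. Returns 0 if the
# kernel refused to execute it (noexec in effect), 1 if it ran, 2 if the
# probe could not be created. The probe is always removed.
exec_blocked() {
    p=$(mktemp "$1/noexec-probe.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$p"
    chmod 700 "$p"
    if "$p" 2>/dev/null; then
        rm -f "$p"
        return 1
    fi
    rm -f "$p"
    return 0
}

# cleanup_report USER: the two things the support reply said it checked,
# in one place: scheduled jobs and files in /tmp owned by the account.
cleanup_report() {
    echo "== crontab for $1:"
    crontab -u "$1" -l 2>/dev/null || crontab -l 2>/dev/null || echo "(none)"
    echo "== files in /tmp owned by $1:"
    find /tmp -user "$1" -ls 2>/dev/null
}

# Usage: sh tmpcheck.sh /tmp [username]
if [ $# -gt 0 ]; then
    echo "mount options for $1: $(mount_opts "$1")"
    rc=0; exec_blocked "$1" || rc=$?
    case $rc in
        0) echo "execution from $1 is blocked" ;;
        1) echo "execution from $1 is ALLOWED" ;;
        *) echo "could not write a probe into $1" ;;
    esac
    cleanup_report "${2:-$(id -un)}"
fi
```

On a shared host you can only run this as your own user, which is still enough to answer #32's question for the directory the support reply cleared. Note that noexec stops `./payload` but not `sh /tmp/payload` or `perl /tmp/payload`, so it raises the bar for a dropped binary rather than for an interpreted script; a clean crontab and an empty /tmp are the checks that actually mattered here.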