Xpltscn_alpha120307

software development

#1

This is just the scanner section.

Upload, Unzip, Open xpltscn.php in browser <- In that order.

It might take > 30 seconds on 1st run, so if you receive a 500 (it’s a timeout) then hit reload to pump the mem. If you get 3 hits in a row it might be that the server is under load or you are scanning far too many files. Take a breath and try again in a few minutes.

http://sxi.sabrextreme.com/files/xpltscn/xpltscn_alpha120307.zip

It’s alpha, and it expires. Don’t bother archiving :wink:


#2

This worked awesome. Thanks!

Not sure if you’re going to tweak it, but the only “bug” I found was that when you re-run it after clearing, if checklist.txt still exists it says there are modified files at the bottom even though it reports zero in the scan itself. Perhaps delete checklist.txt before the run?

A very helpful tool nonetheless.
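The stale-checklist behaviour described in this post is the classic failure mode of a baseline integrity scanner. Below is an added illustration, not code from xpltscn or from sXi, of how such a scanner can be written so that a missing or explicitly rebuilt baseline never produces phantom “modified” hits; the baseline file name, the SHA-256 choice and the constructed sample web root are all assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

BASELINE = "checklist.json"  # hypothetical name; the forum tool keeps checklist.txt

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every file under root (except the baseline itself) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != BASELINE}

def compare(baseline, current):
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k])}

def scan(root, rebuild=False):
    """Report changes against the stored baseline. With no baseline, or rebuild=True,
    write a fresh one and report nothing, so a stale checklist never yields phantom hits."""
    path = Path(root) / BASELINE
    current = snapshot(root)
    if rebuild or not path.exists():
        path.write_text(json.dumps(current, indent=1))
        return {"added": [], "removed": [], "modified": [], "baseline_rebuilt": True}
    report = compare(json.loads(path.read_text()), current)
    report["baseline_rebuilt"] = False
    return report

def demo():
    """Constructed sample web root: baseline, then one edit and one unexpected new file."""
    root = Path(tempfile.mkdtemp())
    (root / "inc").mkdir()
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "inc" / "config.php").write_text("<?php $db = 'x'; ?>\n")
    first = scan(root)                                   # first run: baseline written
    (root / "index.php").write_text("<?php echo 'edited'; ?>\n")   # simulated modification
    (root / "inc" / "extra.php").write_text("<?php /* new */ ?>\n")  # simulated new file
    second = scan(root)                                  # reports the two changes
    third = scan(root, rebuild=True)                     # operator re-baselines after cleanup
    return first, second, third
```

A baseline is only trustworthy if it was taken from a known-clean tree, so re-baselining belongs after cleanup, never as a way to silence a report.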


#3

Thanks, this is awesome, just a note for us nOObs. I use a Mac and when I downloaded the zip file, the Mac ‘helpfully’ unzipped it for me. When I uploaded the resulting directory and tried to run the php program from /xpltscn_alpha120307/ nothing happened. I then forced a download of the actual zip file, then uploaded the zip to my website, and unzipped it on the website. This worked! Maybe the program could run in the /xpltscn_alpha120307/ for us nOObs?


#4

@Oz: This is not the app proper. I only agreed to upload a part because you asked (it’s throw-away code).

@Bill: This is just an impromptu cut hurriedly made from the main app after a request from Oz. The included companion binary requires specific settings which are retained when unzipped server-side. The “real” app doesn’t require that a companion file is uploaded by the end user. I envisage a solitary PHP file much like the ini auto-installers which will avoid the permissions requirements.

I do try and do some tinkering with the dehackerer each day, alas I am quite pressed for time due to commitments with projects on other servers and am more concerned with collating exploit fingerprints than any end-user experience at this stage. I will endeavor to prioritize more time to working on the user-end side of things today and make a standalone “scanner only” so that these questions disappear.

Fielding questions about incomplete code is why I abhor making it available, however helpful it might be :slight_smile:


#5

I figured it wasn’t the app proper.

Still a very useful app, especially since I am not running WordPress so the scripts all designed specifically for that weren’t helping me out.


#6

Yeah, I reckon something that will work with “everything” rather than tailored for one particular app like WordPress would be a bit more handy for everyone. If the scanner section performs as expected it could be utilised from time to time during a user’s maintenance procedure as a checking mechanism.


#7

Ok, I am usually pretty handy with this stuff but honestly I am having issues trying to get this script to work. Can you tell me exactly how to get this done? I did get an email from Dreamhost that one of my concrete5 sites got hacked. I went in and updated everything and deleted the directories where the files were located.

However I want to do some type of scan to see exactly what is going on with it.

I followed the directions by uploading the zip file to its own directory, then I tried to unzip it but the only option it gives me is to download the zip file all over, so I am stuck on how to get this to work. Any help or suggestions would be appreciated. Thanks for your time.

Aaron


#8

The SFTP client I use allows me to issue commands via right-click files in the client to do things like unzip.

You should be able to unzip the file using the WebFTP here. I could be wrong (I don’t use it myself).

I’ll go try WebFTP now. brb…


#9

Thanks sXi I will head over there and try that as well. Thanks for your help. I really appreciate it.

Aaron


#10

Nope :frowning:

After dismissing the browser-issued warning about lack of security to even get to the WebFTP screen itself it took me about 20 attempts to just login (ended up having to use an old FTP Only user) and there is no unzip functionality (or any real functionality at all) in the WebFTP client. The entire WebFTP interface is garbage imho. Needs more cowbell.


#11

Yeah, I agree. I have a fever and the only cure is more cowbell! Thanks for the try and help.

Aaron


#12

If you’re using Windoze like me, grab WinSCP and set your user account type to shell account.

Makes things wayyyyy easier.


#13

Ok thanks sXi :slight_smile: Have a great night and thanks so much for your help.


#14

By the way I did find a really simple fix for this hack. There are a ton of people dealing with the hack. I am finding out now that I have multiple users and websites suffering from it.

I went here

http://blog.sucuri.net/2012/02/malware-campaign-from-rr-nu.html

Which led me to here

https://github.com/walkeralencar/rrnuVaccine/blob/master/rrnuVaccine.php

Click on the rrnuVaccine.php file name. Do not download it as you want to see the actual code which is shown after clicking the name.

Next create a scan.php file and copy and paste the code from the rrnuVaccine.php file. The link here should open up the php file with the code already showing. Upload it to your main directory and then hit it with your browser. It fixed and cleaned all instances of this on my site.

To see if your site has been infected see

http://sitecheck.sucuri.net/scanner/

Then do the steps above that I did, run the script, then rescan your site. You should now be clean. :slight_smile: Worked like a charm and is super easy to use. Now all I have to do is fix all the hacked sites :confused: lol.

Aaron


#15

This script does nothing more than:

It only cleans up the symptoms, not the causes!

The comments regarding that script are telling:

[quote]Walker de Alencar
Result of script rrnuVaccine:
1st wp site : free(386) | disinfected(321) | total(707)
2nd wp site: free(4) | disinfected(582) | total(586)
who interests: https://github.com/walkeralenc
1 week ago 2 Likes

Shawn
The script works great!!! Thanks a lot!
1 week ago in reply to Walker de Alencar 1 Like

Shawn
It came back… and this time it’s not working for me at all. Any suggestions? I have many sites and 10s of thousands of files that are infected.
2 days ago in reply to Walker de Alencar
[/quote]


#16

I realise you are trying to help, but you are not understanding what is actually happening.

That cleaner detects one thing until that one thing is run through a reiteration (it already has been btw) which leaves the “vaccine” totally useless. There have been simple grep lines posted in the hack thread that are far superior to that cleaner by orders of magnitude - and even they are lacking. The scanner site you linked to simply reads your site like any search engine does and flags it if it sees post-exploitation redirects.

The goal here is something that is as future-proof detection-wise as is possible, and that reverts sites back to a pre-hack condition after removing all known active exploits and hidden shells.

sigh I knew posting here was a bad idea. This thread was bound to be hijacked from the outset.


#17

At least you know it helped someone out.


#18

Hey sXi and Bobocat,

I was just sharing what I did to clean the site, and then I had to go into everything and update all plugins which needed to be updated, and then I made sure to change the chmod structure of the folders.

I really do appreciate your help with everything and I am currently getting ssh situated so I can run some commands to find any files that are left over. My next step is to change every single password including the databases. It is a weird hack in that only about half of my users were affected. I am just glad that so far I have not lost anything yet.

I really do appreciate your help and I am sorry if I confused anyone. It was not my intention as the scope of this can be a bit overwhelming when I know enough to be dangerous lol.

Aaron


#19

Thanks for the script!

I am a bit of a noob when it comes to website security. So I have one question regarding the results of my running of the script.

I ran it and one of the errors is:

CRITICAL : 3 REMOTE SHELLS DETECTED

What does this mean and what can I do about it?
Is this the reason that my site was hacked?


#20

Yeah, basically it means you’re screwed. It’s not the reason you were hacked, it’s the consequence of being hacked. You’ll need to find the original hole, plug it, remove the shells, remove the modifications, and take other steps to clean up. All of the information you need is available in these forums or online. It’s not a simple task and it can be time consuming and ineffective if you don’t know what you are doing. sXi is generously donating his time by building a scanner to detect and mitigate intrusions, but it’s not finished yet. It’s volunteer work which should be appreciated and not demanded.

I’d recommend that you either educate yourself using the wiki, forum search function, and google or enlist the help of someone who knows what s/he is doing. I don’t mean this to come across as harsh, but there’s no simple one-step thing that will magically make everything right again. It takes time and knowledge and, if you take the time to look through some of the related threads, it takes even more time for those who have some knowledge to a) convince those that don’t that they ought to be paying attention and b) teach those people how to actually help themselves.