Sites hacked
03-15-2012, 07:11 PM (This post was last modified: 03-15-2012 07:25 PM by DanceScape.)
Post: #291
RE: Sites hacked

We just discovered our site(s) were all hacked and have sent in Support help as well. We installed Wordpress using the one click installs and usually the sites automatically updated to new wordpress versions.

Only yesterday, we noticed the sites were really slow in accessing the Admin panel and sent in a support request. The support person wrote back and seemed to indicate it was a memory issue.

However, discovered this thread and checked the various .php files and did find the malicious code ...

val(base64_decode("aWYoZnVuY3Rpb .....

Is there any way that Dreamhost will be able to clean up all our Wordpress sites automatically? Would hate to have to go through all files, and it looks like even that may not work.

Have sent in another Support request so hope someone from Dreamhost is seeing this and has some kind of solution to help clean.

Will keep monitoring this thread, thanks.

I just found the reference in the thread and created a new file:

scan.php

and ftp'd in the main directory. I then typed in the browser:

http://www.<yourdomainname>.com/scan.php

The scan.php fixed everything, THANK YOU for referring to this fix!


----------------------------------------
scan.php
----------------------------------------

<?php
/**
 * Vaccine: Malware rr.nu
 * This simple script will read all php files recursively from a directory
 * and clean up the string defined by rr.nu
 *
 * changelog:
 * v0.2 - verification by Regex, based on idea:
 *        http://misc.wordherders.net/wp/wordpress-fix_php.txt
 * v0.1 - single string verification
 *
 * @author Walker de Alencar <walkeralencar@gmail.com>
 * @link {https://github.com/walkeralencar/rrnuVaccine}
 */
class rrnuVaccine {

    private $directory;
    private $counter;
    private $log = '';
    // PCRE pattern (parentheses used as delimiters) matching the whole injected
    // rr.nu tag: <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25...")); followed by
    // the closing tag. Only the known base64 prefix is anchored; the rest is .*
    private $pattern = '(\<\?php \/\*\*\/ eval\(base64_decode\("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJF9TRVJWRVJbJ21yX25vJ10pKX.*"\)\);\?\>)';

    private function __construct() {
    }

    /**
     * @return rrnuVaccine
     */
    public static function create() {
        return new self();
    }

    /**
     * Define root directory to start the recursive search to vaccinate all php files.
     * @param string $dir
     * @return rrnuVaccine
     */
    public function setDirectory($dir) {
        $this->directory = $dir;
        return $this;
    }

    private function getDirectory() {
        return $this->directory;
    }

    private function validate() {
        if (is_null($this->getDirectory())) {
            throw new Exception('Define the root directory to vaccinate!');
        }
    }

    private function startup() {
        $this->counter = array(
            'free' => 0,
            'infected' => 0,
            'disinfected' => 0,
            'total' => 0,
        );
    }

    // Walk $directory recursively and strip the pattern from every .php file found.
    private function vaccine($directory) {
        $currentDir = dir($directory);

        while (false !== ($entry = $currentDir->read())) {
            $file = $directory . DIRECTORY_SEPARATOR . $entry;

            if ($entry != "." && $entry != ".." && is_dir($file)) {
                $this->vaccine($file);
            } else if (pathinfo($entry, PATHINFO_EXTENSION) == 'php') {
                // $detected receives the number of replacements made in this file
                $fileContent = preg_replace($this->pattern, '', file_get_contents($file), -1, $detected);
                if ($detected === 0) {
                    $status = '<em style="color:darkblue">free</em>';
                    $this->counter['free']++;
                } else {
                    if (false === file_put_contents($file, $fileContent)) {
                        // matched, but the cleaned content could not be written back
                        $status = '<em style="color:darkred">infected!</em>';
                        $this->counter['infected']++;
                    } else {
                        $status = '<em style="color:darkgreen">disinfected!</em>';
                        $this->counter['disinfected']++;
                    }
                }
                $this->counter['total']++;
                $this->log .= $file . "[" . $status . "]<br>\n";
            }
        }
        $currentDir->close();
    }

    public function execute() {
        $this->validate();
        $this->startup();
        $this->vaccine($this->getDirectory());

        $result = array();
        foreach ($this->counter as $key => $value) {
            $result[] = "<b>{$key}</b>({$value}) ";
        }

        return "<h2>" . implode(' | ', $result) . "</h2>\n" . $this->log;
    }

}

echo '<div style="color:#333; font-family:Verdana; font-size:11px;">';
echo '<h1><a href="https://github.com/walkeralencar/rrnuVaccine">rr.nu Vaccine - v0.2 Beta</a></h1>';
echo '<h3>by <a href="mailto:walkeralencar@gmail.com">Walker de Alencar</a></h3><hr/>';
echo rrnuVaccine::create()
    ->setDirectory(realpath(getcwd()))
    ->execute();
echo '</div>';
03-15-2012, 07:39 PM (This post was last modified: 03-15-2012 07:46 PM by bobocat.)
Post: #292
RE: Sites hacked
(03-15-2012 01:29 PM)dtmp Wrote:  I don't have the time, money or expertise to thwart these attacks.

According to the ToS, which you agreed to, you should have the expertise or be willing to obtain it. It's not included in your hosting package.


(03-15-2012 07:11 PM)DanceScape Wrote:  Is there any way that Dreamhost will be able to clean up all our Wordpress sites automatically? Would hate to have to go through all files, and it looks like even that may not work.

http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites

(03-15-2012 07:11 PM)DanceScape Wrote:  I just found the reference in the thread and created a new file:
scan.php
and ftp'd in the main directory. I then typed in the browser:
http://www.<yourdomainname>.com/scan.php
The scan.php fixed everything, THANK YOU for referring to this fix!

http://discussion.dreamhost.com/thread-1...#pid151137


(03-15-2012 12:55 PM)bb6600 Wrote:  Throughout this ordeal I have to say I've been completely unimpressed with DH's level of involvement and assistance.

What level of involvement do you expect? Do you know what you are paying for? Have you read the ToS?


(03-15-2012 12:07 PM)stephensmith Wrote:  Does anyone have a clue as to where I should look for the file(s) that is re-creating the .logs folder and the log1.txt file? I assume that this same file or another one is attempting to redirect my site as well.

http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites
03-15-2012, 10:13 PM
Post: #293
RE: Sites hacked
dtmp Wrote:  I keep finding this added to the beginning of my php files:

Code:
<?php /**/?>

That's junk left behind after running a poorly written "cleaner" script.


dtmp Wrote:  I also find a folder titled ".logs" with a text file list of spam sites. I delete them and they return a day or so later.

Because "cleaner" scripts do not fix the problem.


(03-15-2012 07:11 PM)DanceScape Wrote:  However, discovered this thread and checked the various .php files and did find the malicious code ...
val(base64_decode("aWYoZnVuY3Rpb .....

Would hate to have to go through all files, and it looks like even that may not work.

Correct. Editing those files will not fix the problem.


(03-15-2012 07:11 PM)DanceScape Wrote:  I just found the reference in the thread and created a new file:
scan.php ........fixed everything, THANK YOU for referring to this fix!

Please pay attention. Those cleaner scripts do not "fix everything".


pgp_protector Wrote:  Only been with DreamHost for about 5 years now, Few hiccups but I've been much happier with them than my old Host (They decided to modify the default 404 pages to generate ads for them, and got heavy with the ban hammer when people complained about it)

Haha! I believe I had an account with that particular host, too

03-16-2012, 06:21 AM
Post: #294
RE: Sites hacked
As I posted earlier, I was hit with the rr.nu hack that creates a .log folder and a log1.txt file (with a list of URL redirects) in my root directory.

Deleting the folder and file does no good, because some malicious script keeps re-creating them almost immediately. Until I can find and get rid of that script, here's what I've done:

Go into the log1.txt file and delete all of those URLs, then save, creating an empty file. Set permissions on that file to 000. Then, set permissions to 000 on the .logs folder as well.

My theory is that the redirect script is continually looking to see if the folder/file it created exists, as well of course as using the URLs in the file to attempt redirects. When it doesn't see the file, it simply re-creates it. So what I've done is allow the folder/file to continue to exist but rendering it useless.

You more technical folks may be able to shoot this down, and I hate that the script is still lurking somewhere trying to do its nasty thing. But as a work-around to keep my site from re-directing, I'll say tentatively that it does appear to work.
03-16-2012, 06:32 AM
Post: #295
RE: Sites hacked
(03-16-2012 06:21 AM)stephensmith Wrote:  .....and I hate that the script is still lurking somewhere trying to do its nasty thing......

Give SXI's scanner a try... http://discussion.dreamhost.com/thread-1...#pid151580
03-16-2012, 07:08 AM (This post was last modified: 03-16-2012 07:15 AM by stephensmith.)
Post: #296
RE: Sites hacked
(03-16-2012 06:32 AM)LakeRat Wrote:  Give SXI's scanner a try... http://discussion.dreamhost.com/thread-1...#pid151580


Thank you, LakeRat. I will give that a try.

I've used a couple of other tools, such as the Exploit Scanner plug-in, and haven't found anything yet. I've also examined many of my files one by one. Unfortunately, the hack code could be staring me in the face and I wouldn't recognize it unless it was blatant, like "If log1.txt exist=false, then create log1.txt and populate with these URLs ..." !

Thanks again. Here's hoping!

Steve
03-16-2012, 07:15 AM
Post: #297
RE: Sites hacked
(03-16-2012 07:08 AM)stephensmith Wrote:  Unfortunately, the hack code could be staring me in the face and I wouldn't recognize it unless it was blatant, like "If log1.txt exist=false, then create log1.txt and populate with these URLs ..." !

log1 will be there somewhere, but it's probably encoded. Try these two:

Code:
grep -r log1 *
grep -r base64_decode *

get any results?
03-16-2012, 07:28 AM
Post: #298
RE: Sites hacked
(03-16-2012 07:15 AM)bobocat Wrote:  log1 will be there somewhere, but it's probably encoded. Try these two:

Code:
grep -r log1 *
grep -r base64_decode *

get any results?

Thank you bobocat. I will try this as well.

Here's the extent of my technical knowledge. I know (kind of) what grep is, but not where to use it from. I mostly use Filezilla for all my file operations, and I know how to enter my sites from the Dreamhost C-panel as well. Not sure where in all that I would use the grep command. I can figure it out, though.

As a side note, I know that the base64_decode thing can hide nasty stuff. I've been hit with that as well, and I've used one of the cleaner scripts to get rid of it. But the base64_decode stuff that hit my sites seemed to be connected with the sweepstakesandcontests hack rather than the rr.nu hack. And, cleaning out all the base64_decode junk hasn't stopped rr.nu from running. But I will love it if by "grepping" I can find something referencing log1. I think that would nail it.
03-16-2012, 08:27 AM
Post: #299
RE: Sites hacked
(03-16-2012 07:28 AM)stephensmith Wrote:  Here's the extent of my technical knowledge. I know (kind of) what grep is, but not where to use it from.

ssh into your account and type it there.

(03-16-2012 07:28 AM)stephensmith Wrote:  As a side note, I know that the base64_decode thing can hide nasty stuff. I've been hit with that as well, and I've used one of the cleaner scripts to get rid of it. But the base64_decode stuff that hit my sites seemed to be connected with the sweepstakesandcontests hack rather than the rr.nu hack. And, cleaning out all the base64_decode junk hasn't stopped rr.nu from running. But I will love it if by "grepping" I can find something referencing log1. I think that would nail it.

base64_decode is just a PHP function. It can be used for legitimate purposes, but looking in all files that use it can at least narrow down your search for the backdoors that were installed.
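The greps bobocat suggests in posts #297 and #299, written up as a read-only triage script (an added example, not any poster's code): it lists files carrying the injected eval(base64_decode( prefix, the empty `<?php /**/?>` tag that sloppy cleaners leave behind, and any reference to log1, without modifying anything. The sample tree it builds under mktemp is constructed for the example; it assumes only POSIX sh, find and grep, which a DreamHost ssh shell has.

```shell
#!/bin/sh
# Read-only triage for the rr.nu-style injection discussed in this thread.
# It changes nothing; it only lists PHP files carrying any of:
#   eval-base64      the injected "<?php /**/ eval(base64_decode(" prefix
#   cleaner-residue  the empty "<?php /**/?>" tag left by cleaners that strip only the eval()
#   log1-ref         any mention of "log1" (the redirect list kept in the .logs folder)

# Print "tag<TAB>path" for every indicator hit under directory $1, sorted.
find_indicators() {
    find "$1" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        grep -q 'eval(base64_decode(' "$f" && printf 'eval-base64\t%s\n' "$f"
        grep -q '<?php /\*\*/?>'      "$f" && printf 'cleaner-residue\t%s\n' "$f"
        grep -q 'log1'                "$f" && printf 'log1-ref\t%s\n' "$f"
    done | sort
}

# Number of distinct files with at least one hit (what to review by hand first).
count_suspect_files() {
    find_indicators "$1" | cut -f2 | sort -u | wc -l | tr -d ' '
}

# --- constructed sample tree; file names and contents are made up for this example ---
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/wp-content/plugins/x"
printf '<?php /**/ eval(base64_decode("QUJD")); ?>\n<?php echo "site";\n' > "$SAMPLE_DIR/index.php"
printf '<?php /**/?>\n<?php echo "eval stripped, tag left behind";\n' > "$SAMPLE_DIR/wp-config.php"
printf '<?php $p = ".logs/log1.txt"; if (!file_exists($p)) { /* recreate */ }\n' \
    > "$SAMPLE_DIR/wp-content/plugins/x/helper.php"
printf '<?php echo "nothing suspicious here";\n' > "$SAMPLE_DIR/clean.php"

find_indicators "$SAMPLE_DIR"
```

On a real account you would point find_indicators at the site root over ssh and read each hit yourself; as bobocat notes, base64_decode also appears in legitimate plugin code, so a hit is a lead, not a verdict.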
03-18-2012, 08:14 AM
Post: #300
RE: Sites hacked
(03-16-2012 06:21 AM)stephensmith Wrote:  As I posted earlier, I was hit with the rr.nu hack that creates a .log folder and a log1.txt file (with a list of URL redirects) in my root directory.

Deleting the folder and file does no good, because some malicious script keeps re-creating them almost immediately. Until I can find and get rid of that script, here's what I've done:

Go into the log1.txt file and delete all of those URLs, then save, creating an empty file. Set permissions on that file to 000. Then, set permissions to 000 on the .logs folder as well.

My theory is that the redirect script is continually looking to see if the folder/file it created exists, as well of course as using the URLs in the file to attempt redirects. When it doesn't see the file, it simply re-creates it. So what I've done is allow the folder/file to continue to exist but rendering it useless.

You more technical folks may be able to shoot this down, and I hate that the script is still lurking somewhere trying to do its nasty thing. But as a work-around to keep my site from re-directing, I'll say tentatively that it does appear to work.

I did the same thing. But it's just a workaround until you can get the rest of your files cleaned. Keep in mind that there may be other exploits in place, like remote shells, which can allow someone to undo your work. Get the rest of your site cleaned up as quickly as you can before someone comes back in to wreck more mischief.