xpltscn_alpha120307
03-07-2012, 08:16 PM
Post: #11
RE: xpltscn_alpha120307
(03-07-2012 08:12 PM)sXi Wrote:  Nope Sad

After dismissing the browser-issued warning about lack of security to even get to the WebFTP screen itself it took me about 20 attempts to just login (ended up having to use an old FTP Only user) and there is no unzip functionality (or any real functionality at all) in the WebFTP client. The entire WebFTP interface is garbage imho. Needs more cowbell.

Yea I agree. I have a fever and the only cure is more cowbell! Thanks for the try and help.

Aaron
03-07-2012, 08:37 PM
Post: #12
RE: xpltscn_alpha120307
If you're using Windoze like me, grab WinSCP and set your user account type to shell account.

Makes things wayyyyy more easier.

03-07-2012, 08:43 PM
Post: #13
RE: xpltscn_alpha120307
(03-07-2012 08:37 PM)sXi Wrote:  If you're using Windoze like me, grab WinSCP and set your user account type to shell account.

Makes things wayyyyy more easier.

Ok thanks sXi Smile Have a great night and thanks so much for your help.
03-07-2012, 10:10 PM
Post: #14
RE: xpltscn_alpha120307
By the way I did find a really simple fix for this hack. There are a ton of people dealing with the hack. I am finding out now that I have multiple users and websites suffering from it.

I went here

http://blog.sucuri.net/2012/02/malware-c...rr-nu.html

Which led me to here

https://github.com/walkeralencar/rrnuVac...accine.php

Click on the rrnuVaccine.php file name. Do not download it as you want to see the actual code which is shown after clicking the name.

Next create a scan.php file and copy and paste the code from the rrnuVaccine.php file. The link here should open up the php file with the code already showing. Upload it to your main directory and then hit it with your browser. It fixed and cleaned all instances of this on my site.

To see if your site has been infected see

http://sitecheck.sucuri.net/scanner/

Then do the steps above that I did, run the script, then rescan your site. You should now be clean. Smile Worked like a charm and is super easy to use. Now all I have to do is fix all the hacked sites :/ lol.

Aaron
03-07-2012, 10:31 PM (This post was last modified: 03-07-2012 11:08 PM by bobocat.)
Post: #15
RE: xpltscn_alpha120307
(03-07-2012 10:10 PM)aarbarr Wrote:  By the way I did find a really simple fix for this hack.

https://github.com/walkeralencar/rrnuVac...accine.php

It fixed and cleaned all instances of this on my site.

This script does nothing more than:

Code:
find . -name "*.php" -exec sed -i -r '/base64_decode\("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJF9TRVJWRVJbJ21yX25vJ10pKX.*"\);/ d' {} \;

It only cleans up the symptoms, not the causes!

The comments regarding that script are telling:

Quote: Walker de Alencar
Result of script rrnuVaccine:
1st wp site : free(386) | disinfected(321) | total(707)
2nd wp site: free(4) | disinfected(582) | total(586)
who interests: https://github.com/walkeralenc...
1 week ago 2 Likes

Shawn
The script works great!!! Thanks a lot!
1 week ago in reply to Walker de Alencar 1 Like

Shawn
It came back.. and this time it's not working for me at all. Any suggestions? I have many sites and 10s of thousands of files that are infected.
2 days ago in reply to Walker de Alencar
03-07-2012, 10:47 PM
Post: #16
RE: xpltscn_alpha120307
I realise you are trying to help, but you are not understanding what is actually happening.

That cleaner detects one thing until that one thing is run through a reiteration (it already has been btw) which leaves the "vaccine" totally useless. There have been simple grep lines posted in the hack thread that are far superior to that cleaner by orders of magnitude - and even they are lacking. The scanner site you linked to simply reads your site like any search engine does and flags it if it sees post-exploitation redirects.

The goal here is something that is as future-proof detection-wise as is possible, and that reverts sites back to a pre-hack condition after removing all known active exploits and hidden shells.

*sigh* I knew posting here was a bad idea. This thread was bound to be hijacked from the outset.

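A defender-side illustration of the point made in posts #15 and #16 above (an added example, not code from this thread or from the rrnuVaccine project): rather than matching one fixed base64 prefix the way the quoted sed command does, decode every base64_decode() string literal in a PHP file and inspect what it decodes to. The sample PHP file and its payload are constructed here; KNOWN_PREFIX is the literal from the sed command quoted above.

```python
import base64
import re

# The fixed prefix the thread's sed command matches (copied from the post above).
KNOWN_PREFIX = "aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJF9TRVJWRVJbJ21yX25vJ10pKX"

# Constructed sample: an injected line with the same shape as the infection
# (base64_decode of a snippet that sets $_SERVER['mr_no']) plus one harmless
# base64_decode call that should NOT be flagged. The payload text is made up.
FAKE_PAYLOAD = b"if(function_exists('ob_start')&&!isset($_SERVER['mr_no'])){$_SERVER['mr_no']=1;}"
SAMPLE_PHP = (
    "<?php\n"
    'eval(base64_decode("' + base64.b64encode(FAKE_PAYLOAD).decode() + '"));\n'
    "echo 'hello';\n"
    'echo base64_decode("' + base64.b64encode(b"plain text").decode() + '");\n'
)

# Generic pattern: any base64_decode() applied to a string literal.
B64_CALL = re.compile(r"""base64_decode\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")

# Markers of this payload family, plus generic PHP backdoor constructs.
MARKERS = ("$_SERVER['mr_no']", "ob_start", "eval(", "preg_replace(",
           "assert(", "$_POST", "$_GET", "$_REQUEST")


def decode_b64(text: str) -> bytes:
    """Decode leniently: re-pad so truncated literals (like KNOWN_PREFIX) still decode."""
    text += "=" * (-len(text) % 4)
    try:
        return base64.b64decode(text, validate=False)
    except Exception:
        return b""


def scan_php(source: str):
    """Return (line_no, decoded_snippet) for each base64_decode literal whose
    decoded content contains a marker. Reports only; nothing is rewritten."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in B64_CALL.finditer(line):
            decoded = decode_b64(m.group(1)).decode("utf-8", "replace")
            if any(marker in decoded for marker in MARKERS):
                hits.append((line_no, decoded[:80]))
    return hits


if __name__ == "__main__":
    print("sed signature decodes to:", decode_b64(KNOWN_PREFIX).decode())
    for line_no, snippet in scan_php(SAMPLE_PHP):
        print(f"line {line_no}: {snippet}")
```

Because it reports instead of deleting lines in place, the original file survives for comparison against a known-good copy of the application; a re-encoded variant of the payload still decodes to the same markers, which the fixed-prefix sed would miss.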
03-08-2012, 09:14 PM
Post: #17
RE: xpltscn_alpha120307
(03-07-2012 10:47 PM)sXi Wrote:  *sigh* I knew posting here was a bad idea. This thread was bound to be hijacked from the outset.
At least you know it helped someone out.
03-08-2012, 09:17 PM
Post: #18
RE: xpltscn_alpha120307
(03-07-2012 10:47 PM)sXi Wrote:  I realise you are trying to help, but you are not understanding what is actually happening.

That cleaner detects one thing until that one thing is run through a reiteration (it already has been btw) which leaves the "vaccine" totally useless. There have been simple grep lines posted in the hack thread that are far superior to that cleaner by orders of magnitude - and even they are lacking. The scanner site you linked to simply reads your site like any search engine does and flags it if it sees post-exploitation redirects.

The goal here is something that is as future-proof detection-wise as is possible, and that reverts sites back to a pre-hack condition after removing all known active exploits and hidden shells.

*sigh* I knew posting here was a bad idea. This thread was bound to be hijacked from the outset.

Hey sXi and Bobocat,

I was just sharing what I did to clean the site, and then I had to go into everything and update all plugins which needed to be updated, and then I made sure to change the chmod structure of the folders.

I really do appreciate your help with everything and I am currently getting ssh situated so I can run some commands to find any files that are left over. My next step is to change every single password including the databases. It is a weird hack in that only about half of my users were affected. I am just glad that so far I have not lost anything yet.

I really do appreciate your help and I am sorry if I confused anyone. It was not my intention as the scope of this can be a bit overwhelming when I know enough to be dangerous lol.

Aaron
03-08-2012, 09:19 PM
Post: #19
RE: xpltscn_alpha120307
Thanks for the script!

I am a bit of a noob when it comes to website security. So I have one question regarding the results of my running of the script.

I ran it and one of the errors is:

### CRITICAL : 3 REMOTE SHELLS DETECTED ###

What does this mean and what can I do about it?
Is this the reason that my site was hacked?
03-08-2012, 09:29 PM
Post: #20
RE: xpltscn_alpha120307
(03-08-2012 09:19 PM)ajburns Wrote:  Thanks for the script!

I am a bit of a noob when it comes to website security. So I have one question regarding the results of my running of the script.

I ran it and one of the errors is:

### CRITICAL : 3 REMOTE SHELLS DETECTED ###

What does this mean and what can I do about it?
Is this the reason that my site was hacked?

Yeah, basically it means you're screwed. It's not the reason you were hacked, it's the consequence of being hacked. You'll need to find the original hole, plug it, remove the shells, remove the modifications, and take other steps to clean up. All of the information you need is available in these forums or online. It's not a simple task and it can be time consuming and ineffective if you don't know what you are doing. sXi is generously donating his time by building a scanner to detect and mitigate intrusions, but it's not finished yet. It's volunteer work which should be appreciated and not demanded.

I'd recommend that you either educate yourself using the wiki, forum search function, and google or enlist the help of someone who knows what s/he is doing. I don't mean this to come across as harsh, but there's no simple one-step thing that will magically make everything right again. It takes time and knowledge and, if you take the time to look through some of the related threads, it takes even more time for those who have some knowledge to a) convince those that don't that they ought to be paying attention and b) teach those people how to actually help themselves.