PHP.WebShell! E2 ..Still very dangerous!

Newbie Poster

15 posts since Mar 2011

Reputation Points: 10

Solved Threads: 0

Skill Endorsements: 0

0

Some Hands-on analysis is required...
in terminal on the infected host...
Do NOT run this as root unless it's run from the users' /home/$user directory

find `pwd` -name *.php -exec grep base64_decode {} \; > ~/infected.out

then let's count the number of infected files...

nl ~/infected.out | tail -1

Then check the ~/infected.out file manually and see what's what.

I'd need the first 15 characters or so of everything after "decode(""
and will resemble this (base64_decode("DQpzZXRfdGltZV9saW1p

How this stuff got there, I can only imagine (777 DIRs) or a stolen account password, but that's another day.

If you don't find and/or plug the hole, this will most likely repeat itself.

"It is interesting that the infection has spread to all subdomains and parked domains"
Not really. The first thing any decent hacker script does is look for more exploitable weaknesses in Security, and they LOVE those 777 directories.

"Is there a solution for this malware on the site?"
Yes, is WordPress up-to-date/latest?

Is this shared hosting, VPS, or a Dedicated Server?
I'd bet $20.00 this is a cPanel host.

The 5433712.php type files are usually reverse-shells.

You can PM me for a more in-depth course of cleaning or further diagnostics.

The cleaner script is a one-liner.

HTH.

Light Poster

28 posts since Jan 2012

Reputation Points: 10

Solved Threads: 2

Skill Endorsements: 0

0

Congratulations for your reply, i just worked on it and your answer helped me to focus on finding vulnerabilities. The whole problem is reflected on the reputation of my main web site design studio that is in (public_html) while other sites like addon, i took off and barely mentioned the problem with the door. Yes, it's a Linux VPS Hosting, cPanel, etc. ... so that you get a bet:). However, the main generator problems that i mentioned was in Wordpress, although it comes a new edition. Now i see that the WP introduced compulsory FTP access for each installation accessories. How safe is it for and i am hosting our privacy? Otherwise, you have a better solution for the 301 permanent redirect and that it is not using .htaccess file?

Newbie Poster

15 posts since Mar 2011

Reputation Points: 10

Solved Threads: 0

Skill Endorsements: 0

0

Are you a client on this VPS, or the "owner"? (do you have root?)
Because if it is just a regular cPanel account (swebdiza) then it is possible it is only that account that is an issue.

If swebdiza IS the Main cPanel account (WHM actually) then it is possible that the entire host VPS is infected.

No base64_decode anything in /home/swebdiza/infected.out?

Is WordPress up-to-date/latest? If this was installed via Fantastico or another cPanel Software "Manager" it may not be the latest, and it should be. There is a WP Exploit Scanner plugin at http://wordpress.org/extend/plugins/exploit-scanner/

What "installation accessories" (did you mean plugins?) require ftp access and where did these "installation accessories" originate?

I'd change your swebdiza cPanel password immediately and check for 777 directories and nobody-owned files with 777 permissions and if you are the "owner" of this VPS, I'd alter that instruction to change your root password.

I'll assume here that we are only dealing with the cPanel account for swebdiza...
login via terminal/ssh as swebdiza and run these 3 commands:

find `pwd` -perm 777 > ~/777DIRsFound.out
find `pwd` -user nobody > ~/NobodyFilesFound.out
find `pwd` -name ".htaccess" > ~/HtaccessFilesFound.out

Examine them closely.

less ~/*.out

I'd like to see them.

Directories should NEVER be 777 (755 is recommended)
Files should all be 644 (except for .cgi scripts)

That should keep you busy for a day or so.

You can email me directly (yes it's a real address)

HTH.

JJ

Light Poster

28 posts since Jan 2012

Reputation Points: 10

Solved Threads: 2

Skill Endorsements: 0

0

What i noticed is that we are constantly generate new .htaccess file, which diverted all my sites on compromised sites. I tried to lock .htaccess and it has failed because it always overwrites the new file. If i delete it, it re-generates ... and so on. Here, these days i have stabilized the situation. I left, however, one unsolved question in this .htaccess file.

I have a small problem with the .htaccess file. If I put this file as:

Options +FollowSymLinks
RewriteEngine On
RewriteBase /
rewritecond %{http_host} ^domain.com [nc]
rewriterule ^(.*)$ http://www.domain.com/$1 [r=301,nc]

RewriteCond %{HTTP_HOST} ^domain.com$ [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

Site can not be loaded (internal server Erorr 500) ... and when I download the
"Options +FollowSymLinks" it's working normally.
Where I am wrong and how it should look like what .htacces file if you do not want to appear to me to www and the URL is correct?

Newbie Poster

15 posts since Mar 2011

Reputation Points: 10

Solved Threads: 0

Skill Endorsements: 0

0

Let's try to stay on topic. :)

Your are possibly rooted and you're messing around with rewrite rules?
Editing their files is not a good idea.

Have you changed your password? Run, don't walk!

and who is the owner:group of these newly written .htaccess files?

ls -al /path/to/some/.htaccess

Light Poster

28 posts since Jan 2012

Reputation Points: 10

Solved Threads: 2

Skill Endorsements: 0

0

I manage all the files. After changing the FTP password and deleting an addon domain for which i have found that the WP mentioned PHP.WebShell infected! E2 is no longer occurring changes or changes in .htaccess php pages. Probably it was broken into my FTP code and malicious code generator was in Youtube plugin for WP. However, now that i have arranged this, the dilemma of whether to use .htaccess files for the 301 redirect or not to use it? What should not i use the framework .htacces file, given that the above code does not work?

Newbie Poster

15 posts since Mar 2011

Reputation Points: 10

Solved Threads: 0

Skill Endorsements: 0

0

Why do you now need a 301 redirect?