Archived

This topic is now archived and is closed to further replies.

DogFoodIT

Mal/ObfJS-AG - Malware on my site, how to locate?

Hi all,

I have been having issues with my site over the past two weeks, a successful hack by the looks of it!

It started with data being deleted, tables & rows!! and of course file editing.

I flicked the site to a new hosting account on the same server and had the hosting company restore the database.

I then changed all passwords from host admin down to store admin (inc. all SQL and FTP). This seemed to slow the hacking process, although I did notice strange things happening within the admin: admin users being deleted, settings changed etc... so I continued to change all passwords again. Once again the hack process slowed.

I have upgraded all security features that I can find on the OSC network and I thought it had stopped! Little did I know I have had malware placed on the site somewhere, as I have been notified by a customer.

The customer's malware scanner found this: Mal/ObfJS-AG

This is all I have found on the little bugger:

Mal/ObfJS-AG is a script obfuscated in a manner typical of malware.

So now I need to work out how to rid this little monster before I lose all of our respected customers, and not to forget the great relationship with my mate Google!!

Does anyone know of a way to scan the server or a way to find this thing? I have checked the code of the file that has been found by the customer's scanner but cannot find any bug...

Please, any help would be appreciated.

Kind regards,

Ben


@DogFoodIT

Follow these steps to clean and secure your website:

1) Lock down your site by using an .htaccess password so your customers are not attacked by the hacker's code.

2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code. Look for keywords such as 'base64', 'eval', 'decode'.

3) Delete the files on your hosting account before uploading the clean files.

4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads: Admin Security and Website Security.

5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE.

6) Make sure file and directory permissions are set correctly: directories no higher than 755, files no higher than 644 and the TWO configure.php files no higher than 444.

7) If your site has been 'black listed' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified to be removed from the 'black list'.

8) Remove the .htaccess password protection so your customers can resume making purchases from your website.

9) Monitor your website using the newly installed contributions to prevent future hacker attacks.

10) If you feel you cannot perform any of the above steps, you should seek professional help to ensure all malware is removed.

Chris



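Step 2 above is the one that finds the planted files, and it is easier to do reliably with a script than by eye. The following is an added example, not code from the thread or from osCommerce: it implements the keyword sweep the post describes (base64, eval, decode) over a local copy of the site, adds a few other constructs that obfuscated droppers and upload forms typically contain, and ranks files by a score so the noisiest ones are reviewed first. The weights, the indicator list and the sample file contents are all assumptions of this example; a hit is a prompt for manual review, since stock code also calls eval().

```python
"""Indicator scan over a local copy of a site's files (step 2 above).

Added example, not code from the thread. Sample contents below are constructed.
"""
import os
import re
from typing import Dict, List, Tuple

# (pattern, weight, description). Weights are an assumption for triage only:
# legitimate code also uses eval(), so a hit is a review prompt, not a verdict.
INDICATORS: List[Tuple[re.Pattern, int, str]] = [
    (re.compile(r"\beval\s*\(", re.I), 2, "eval() call"),
    (re.compile(r"\bbase64_decode\s*\(", re.I), 3, "base64_decode() call"),
    (re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 3, "decoder call"),
    (re.compile(r"\b(exec|shell_exec|system|passthru)\s*\(", re.I), 3, "command execution"),
    (re.compile(r"move_uploaded_file\s*\(", re.I), 3, "file upload handler"),
    (re.compile(r"<iframe[^>]+visibility:\s*hidden", re.I), 4, "hidden iframe"),
    (re.compile(r"\\x[0-9a-f]{2}(\\x[0-9a-f]{2}){7,}", re.I), 2, "long hex-escaped string"),
    (re.compile(r"\$\w+\s*\(\s*\$\w+\s*\)\s*;", re.I), 2, "variable function call"),
]
# Same extensions the thread's hackfinder script looks at.
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".tmpl", ".js", ".htaccess"}


def scan_source(text: str) -> Tuple[int, List[str]]:
    """Return (score, descriptions) for one file's contents."""
    score = 0
    hits: List[str] = []
    for pattern, weight, description in INDICATORS:
        count = len(pattern.findall(text))
        if count:
            score += weight * count
            hits.append(f"{description} x{count}")
    return score, hits


def scan_tree(root: str) -> Dict[str, Tuple[int, List[str]]]:
    """Walk a local copy of the site; return {relative path: (score, hits)} for files with hits."""
    results: Dict[str, Tuple[int, List[str]]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            # splitext('.htaccess') gives no extension, so fall back to the name itself.
            ext = os.path.splitext(name)[1].lower() or name.lower()
            if ext not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                score, hits = scan_source(fh.read())
            if score:
                results[os.path.relpath(path, root)] = (score, hits)
    return results


def report(samples: Dict[str, str]) -> List[Tuple[str, int, List[str]]]:
    """Rank {name: contents} by score, highest first; files with no hits are omitted."""
    ranked = [(name, *scan_source(text)) for name, text in samples.items()]
    ranked = [r for r in ranked if r[1]]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed samples standing in for files pulled down from the host.
SAMPLE_DROPPER = "<?php $c = base64_decode($_POST['d']); eval($c); ?>"
SAMPLE_UPLOADER = ("<?php if(isset($_FILES['f'])) "
                   "move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); ?>")
SAMPLE_CLEAN = "<?php require('includes/application_top.php'); echo tep_href_link('index.php'); ?>"
SAMPLES = {"dropper.php": SAMPLE_DROPPER, "up.php": SAMPLE_UPLOADER, "index.php": SAMPLE_CLEAN}

if __name__ == "__main__":
    # For a real download: for path, (score, hits) in scan_tree("/path/to/site_copy").items(): ...
    for name, score, hits in report(SAMPLES):
        print(f"{score:3d}  {name}: {', '.join(hits)}")
```

Run it against the directory the FTP download landed in via scan_tree; the in-memory samples only exist so the block runs offline. Because the output is ranked, a stock file that merely calls eval() once sits at the bottom while a file combining base64_decode() with eval(), or an unexpected upload handler, rises to the top.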
OK, so I have found some hacked files on the server using some code that I got from somewhere (not sure where!!):

Code I used to scan my site:

<?php
// Walks the document root, strips known hack signatures out of matching files,
// deletes files this hack is known to plant, and flags eval()/exec() and cookie use for review.
//$checkfiles = array('index.php','index.htm','index.html','home.php','index2.php','homepage.php','homepagetopics.php','homemap.php','indexold.html','default_specials.php','index_default.tpl.php');
$checkfiles = array('.php','.html','.htm','.tmpl','.js','.htaccess');
// Each entry is either a start/end regex pair (everything between, inclusive, is removed)
// or a literal string that is removed wherever it occurs.
$badcode = array(
  array('<\?php ob_start\(["\']security_update["\']\);','//important security update \?>'),
  array('ob_start\(["\']security_update["\']\);','=\'\);\}'),
  array('<script language="javascript">\$=','document\.write\(\$\);</script>'),
  array('<script language="javascript">\$=','eval\(.*\);</script>'),
  array('<iframe src="http://','style="visibility: hidden"></iframe>'),
  array('<script>function nH\(\)','</script>'),
  //array('function nH\(\)','var zZG'),
  array('=false;this\.nUO','var nHJ=function\(\)\{\};'),
  array(';var vSN=new Date','iRW\(\)\{\};</script>'),
  array('d=\'function','eval\(d\)'),
  array('<IfModule mod_php[45]{1}.c>.*"google_verify.php"','</IfModule>'),
  '<script></script>',
  array('eval\(base64_decode\(','\)\);'),
  array('ob_start\(["\']security_update["\']\);','\+["\']\);\}'),
  array('s_nc=document;','s_nx=d;s_r\(s_nx\)'),
  array('\(function\(\)\{f_ET=document','\(f_EA\)\}\)\(\)')
);

checkFiles($_SERVER['DOCUMENT_ROOT']);

function checkFiles($dir) {
  global $checkfiles, $badcode;
  if (!($handle = opendir($dir))) {
    echo 'Cannot open directory: '.$dir.'<br>';
    return;
  }
  while (false !== ($file = readdir($handle))) {
    if ($file == '.' || $file == '..') continue;
    $fullpath = $dir.'/'.$file;
    if ($file == 'google_verify.php' || $file == 'Thumbs.db') {
      // Files this hack is known to plant: remove them outright.
      unlink($fullpath);
      echo 'DELETED File: '.$fullpath.'<br>';
    } elseif (is_dir($fullpath)) {
      checkFiles($fullpath);
    } elseif (realpath($fullpath) != realpath(__FILE__)) {
      // Skip this scanner itself whatever it was saved as: its own signature strings
      // would otherwise be "found" and stripped out of it.
      $ext = strtolower(strrchr($file, '.'));
      if (in_array($ext, $checkfiles)) {
        echo 'Checking File: '.$fullpath.'<br>';
        $source = file_get_contents($fullpath);
        $infected = false;
        foreach ($badcode as $badray) {
          if (is_array($badray)) {
            $pattern = '#'.$badray[0].'.*'.$badray[1].'#siU';
            if (preg_match_all($pattern, $source, $matches) && !empty($matches[0])) {
              // Remove every match, not only the first one.
              foreach ($matches[0] as $hit) {
                $source = str_replace($hit, '', $source);
              }
              $infected = true;
            }
          } elseif (stristr($source, $badray)) {
            $source = str_ireplace($badray, '', $source);
            $infected = true;
          }
        }
        if ($infected) {
          // Make the file writable for the rewrite, then put its original mode back.
          $perms = fileperms($fullpath) & 0777;
          @chmod($fullpath, 0644);
          if ($fh = fopen($fullpath, 'w')) {
            fwrite($fh, trim($source));
            fclose($fh);
            echo 'Virus Found: '.$fullpath.'<br>CLEANED<br>';
          }
          @chmod($fullpath, $perms);
        }
        // Flag PHP files that (still) contain eval()/exec() or cookie handling for manual review.
        if ($ext == '.php' && (stristr($source, 'eval(') || stristr($source, 'exec('))) {
          echo '<b>WARNING EVAL CALL: '.$fullpath.'</b><br><br>';
        }
        if ($ext == '.php' && (stristr($source, '"cookie"') || stristr($source, "'cookie'"))) {
          echo '<b>WARNING COOKIE CALL: '.$fullpath.'</b><br><br>';
        }
        echo '<br>';
      }
    }
  }
  closedir($handle);
}
?>

 

Just create a file called hackfinder.php, upload it to your root directory and browse to it; this will list any suspect files.

 

 

 

I found about 10 strange .php files that used the encode, eval etc. functions and, yep, confirmed hacked. Deleted, and all clear of nasty files. Even found a file for the hacker to upload to the server, my server... a simple form that planted files!

 

I have also noticed that there are a few OSC files that use the eval function or have been flagged by the script, so can I just check with you all that these files are OK to use eval()? I would check a fresh install, just thought I would ask first, to try to save some time.

 

 

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/ext/modules/payment/paypal/standard_ipn.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/YYYYYYYYYYYY/version_check.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/YYYYYYYYYYYY/configuration.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/YYYYYYYYYYYY/modules.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/YYYYYYYYYYYY/backup.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/YYYYYYYYYYYY/includes/classes/rss.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/YYYYYYYYYYYY/includes/modules/newsletters/product_notification.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/YYYYYYYYYYYY/includes/functions/compatibility.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/YYYYYYYYYYYY/includes/functions/general.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/YYYYYYYYYYYY/includes/functions/sitemonitor_functions.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/YYYYYYYYYYYY/server_info.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/includes/modules/payment/paypal_standard.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/includes/modules/payment/paypal_pro_payflow_ec.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/includes/modules/payment/paypal_pro_dp.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/includes/modules/payment/paypal_pro_payflow_dp.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/includes/modules/payment/paypal_express.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/includes/functions/compatibility.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/includes/functions/general.php

WARNING EVAL CALL: /home/XXXXXXXXXX/public_html/includes/osc_sec.php

 

 

 

 

hope someone can shed some light on this for me.

 

thanks in advance,

 

Ben


There are 2 add-ons that scan for known hacks: VTS and Site Monitor.

 

Step 4 in the post above is the essential one.

 

Checking your access logs for the time the files were created/amended may enable you to identify where they got in, and thus you will know what to block.

 

HTH

 

G



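The access-log check G describes is worth doing mechanically, since the window around a file's modification time can hold hundreds of ordinary shop requests. The following is an added example, not code from the thread or from any osCommerce add-on: it parses Apache/nginx combined-format log lines, keeps the requests within a window of the file's modification time (taken from stat or the FTP listing), and puts first the ones most likely to be the way in: POST requests, and requests for scripts that are not part of the shop. The log lines, the timestamp and the list of known scripts are constructed for this example; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges.

```python
"""Correlate a planted file's modification time with the web server access log.

Added example, not code from the thread. Log lines and times are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("target").split("?", 1)[0],   # script path without the query string
        "target": m.group("target"),
        "status": int(m.group("status")),
    }


def requests_near(lines: Iterable[str], when: datetime, window: timedelta) -> List[Dict]:
    """All parseable requests within +/- window of `when`, oldest first."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and abs(entry["time"] - when) <= window:
            hits.append(entry)
    hits.sort(key=lambda e: e["time"])
    return hits


def prioritise(entries: List[Dict], known_scripts: Set[str]) -> List[Dict]:
    """Keep POSTs and requests for scripts outside the shop's known set; POSTs first, then by time."""
    keep = [e for e in entries if e["method"] == "POST" or e["path"] not in known_scripts]
    keep.sort(key=lambda e: (e["method"] != "POST", e["time"]))
    return keep


# Constructed sample log: an unknown script under images/ is fetched and then POSTed to,
# a normal customer request follows, and an unrelated request comes hours later.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2012:03:14:02 +0000] "GET /images/up.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2012:03:14:09 +0000] "POST /images/up.php HTTP/1.1" 200 95 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2012:03:15:30 +0000] "GET /product_info.php?products_id=31 HTTP/1.1" 200 18234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2012:09:30:00 +0000] "GET /index.php HTTP/1.1" 200 20112 "-" "Mozilla/5.0"',
]
# Modification time of the planted file, as read from stat or the FTP listing (constructed).
FILE_MTIME = datetime(2012, 3, 12, 3, 14, 10, tzinfo=timezone.utc)
# Scripts the shop is expected to serve; build this list from a fresh install plus your add-ons.
KNOWN_SCRIPTS = {"/index.php", "/product_info.php", "/shopping_cart.php", "/checkout_process.php"}


def sample_entry_points() -> List[Dict]:
    return prioritise(requests_near(SAMPLE_LOG, FILE_MTIME, timedelta(minutes=10)), KNOWN_SCRIPTS)


if __name__ == "__main__":
    # Real use: requests_near(open("/path/to/access_log"), mtime_of_planted_file, timedelta(minutes=10))
    for e in sample_entry_points():
        print(f'{e["time"].isoformat()} {e["ip"]:15s} {e["method"]:4s} {e["target"]} {e["status"]}')
```

The IP and script that come out on top are what the rest of the thread's advice acts on: the script is a file to delete and account for, and the address is what to block. Keep the window small at first and widen it only if nothing stands out, since the planted file's mtime is usually within seconds of the request that created it.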
Before changing passwords (step 5), do a thorough spyware/virus scan of all PCs used to administer your website. If you have a password sniffer or keystroke logger on your PC, it will pass your new passwords to the bad guys as soon as you change them! Only once your PC is cleaned up (or verified clean) should you enter any passwords.

 

Make sure your PC firewall is "on". It will warn you if someone is trying to get in from the outside, or a suspicious program is trying to connect with the outside world. Finally, be aware that FTP is insecure. It sends passwords "in the clear". You might want to talk to your host about more secure methods (such as FTP versions that use SSL) for file transfer.


> Before changing passwords (step 5), do a thorough spyware/virus scan of all PCs used to administer your website. If you have a password sniffer or keystroke logger on your PC, it will pass your new passwords to the bad guys as soon as you change them! Only once your PC is cleaned up (or verified clean) should you enter any passwords.
>
> Make sure your PC firewall is "on". It will warn you if someone is trying to get in from the outside, or a suspicious program is trying to connect with the outside world. Finally, be aware that FTP is insecure. It sends passwords "in the clear". You might want to talk to your host about more secure methods (such as FTP versions that use SSL) for file transfer.

 

 

Thanks for that MrPhil. I have done scans on all PCs here with a few different scanners and found nothing. We were suspicious of that also.

 

With FTP I always use SFTP to connect; does this encrypt the passwords/connection?

 

 

On the flip side, I have done most of the security implementations that I can find and think of, and cleaned out most of the baddies that I can confirm as nasty. Now my question is this: with XSS and SQL injection, can this be stopped at the .htaccess level or root level? The reason I ask is that I have noticed in the hack that they planted uploading forms throughout the site in different directories. So with Security Pro installed, application_top.php needs to be used to run/clean the queries, so if the bad guys are using their own forms I cannot stop them. Is there a way around this?

 

 

thanks for all the help guys.

 

Ben


> With FTP I always use SFTP to connect; does this encrypt the passwords/connection?

I'm not sure which is which (I hear there are several forms of secure FTP). You could talk to your hosting service, or just see if you need SSL (https) to use SFTP.

 

> application_top.php needs to be used to run/clean the queries, so if the bad guys are using their own forms I cannot stop them. Is there a way around this?

So, are these bad guys forms completely separate pages? You ought to be able to look through your files and see if there are any scripts which you cannot account for (not found in standard osC, not added by your add-ons).


> So, are these bad guys forms completely separate pages? You ought to be able to look through your files and see if there are any scripts which you cannot account for (not found in standard osC, not added by your add-ons).

 

Yes, I found a whole heap of them throughout the site in different directories.

 

Well, I have done the best I can with cleaning the site, so I can only hope I have done it correctly. I haven't noticed any strange activity in the last week or so since updating all the security, so hopefully all sorted.
