Earlier today, Bill logged into his cPanel account to check on a few things before heading to work. Little did he know, little Jimmie had secretly been watching porn late last night and visited a site that infected the family PC with a keylogger and a few trojans. The system hung and little Jimmie did what he always did: he gave it the three-finger salute M$ is famous for. The PC rebooted and with it the malware was firmly entrenched. The AV protection Bill installed six months ago has since been turned off because the trial period expired and he hasn't had time to investigate alternatives.
When he logs into his cPanel account for work, the little keylogger is busy, busy, busy shooting all of his details off to some faceless bad person. The stolen data lands in a database alongside everything harvested from the other infected PCs, and at a scheduled time a cute little bot reads the credentials from that database, FTPs into his server, downloads every HTML file in his public_html directory, rewrites each one and re-uploads it. Three hours later, as the good little googlebot is crawling his site, it comes across a little iframe sitting there all by its lonesome, redirecting traffic to someplace like quangdong.cn:8080.
Suddenly, he sees…
Reported Attack Site!
This web site at WTF.ru has been reported as an attack site and has been blocked based on your security preferences.
Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.
Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.
Later, Bill calls the hosting company to inquire why (WTF IS GOING ON WITH MY SERVER? WHAT DID YOU GUYS DO? I CANNOT F’ING BELIEVE THIS SH!T) his site is no longer available (I AM LOSING MILLIONS OF DOLLARZ PER MINUTE, GET MY SITE BACK UP NAO!!!). This scenario is repeated thousands of times per day all over the world. Bill never realizes what hit him and how it happened.
—————————————————————————————-
As more and more workstations and home computers become infected with keyloggers and trojans that steal FTP passwords and other sensitive data, site owners and hosts need to understand how this happens. There are bots out there that constantly scan web-connected servers for weak FTP passwords. When a bot finds one, it connects, downloads the documents in the public_html folder, modifies them with an iframe tag and re-uploads them, all within a matter of seconds. The same thing happens with a password captured from a workstation that was infected by visiting a compromised site: the bot already knows the password and uses the same download, modify and re-upload method.
In order to locate these infected pages, we use a one-liner to search them out and list them for later removal:
[sourcecode language="bash"]
# -print0 / -0 keep file names containing spaces intact; -l lists each matching file once.
# /home*/ covers the /home, /home2, ... volumes found on cPanel boxes.
find /home*/*/public_html -type f -print0 | xargs -0 grep -l 'cn:8080' > iframe.txt
[/sourcecode]
Search for web shells:
[sourcecode language="bash"]
# grep -l prints each matching file name once, so no cut/uniq is needed afterwards
find /home/*/public_html -type f -print0 | xargs -0 grep -lE '(/tmp/cmdtemp|SnIpEr_SA|Bhlynx|x2300|c99shell|r57shell|milw0rm|g00nshell|w4ck1ng|PHP-Proxy|Locus7s|ccteam)' | sort -u >> shellcheck.txt && cat shellcheck.txt
[/sourcecode]
or, with a longer list of known shell signatures:
[sourcecode language="bash"]
find /home/*/public_html -type f -print0 | xargs -0 grep -lE '(/tmp/cmd(temp)?|SnIpEr_SA|sniper_sa|c99shell|r57shell|crazy\.pl|tryag|myshell|msshell|phpshell|vbspy|JaheeM|mpownz|ManTiLa|indoirc\.net|NOGROD|Bhlynx|rfiScan|x2300|g00nshell|Bigdoz|Indoserv|Faskalis|Indohacker|pLuR|HacKed|AnakDompu|cHApoenk|Shellbot|r3v3ng4ns|MaXiMiZeR|milw0rm|n3oom3|rohitab|w4ck1ng|PHP-Proxy|Locus7s|cgitelnet\.pl|ccteam|UNITX_TEAM|soqor|SpIdEr|dark\.cgi)' >> /home/temp/list.shells
[/sourcecode]
This writes the list of infected files to a text file for later perusal, and for use as a reference when running a script to rid the server of these pesky little squirts.
A look at xferlog reveals this behaviour: each page is downloaded and then uploaded again seconds later, the uploads usually target a predictable set of pages (index.*, default.* and the like), and the connecting IP is often foreign. A look at the secure log will reveal that the password was not brute-forced; rather, it was known: the login succeeded with no failed attempts.
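As an added example that is not part of the original post, here is a small shell/awk script that pulls that download-then-re-upload pattern out of an xferlog. The log lines are constructed; the field layout is the classic wu-ftpd/proftpd xferlog format (remote host in field 7, file in 9, direction in 12, user in 14, completion status in 18); the 60-second window, the host addresses, the account name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.  Flags the tell-tale
# pattern of a credential-stealing bot in an xferlog: the same remote host
# downloads a file and uploads it straight back a few seconds later.
# Field positions follow the wu-ftpd/proftpd xferlog layout (date in
# fields 1-5, remote host 7, file 9, direction 12 with o=download and
# i=upload, user 14, completion status 18).  Assumptions: file names contain
# no spaces and a download/upload pair falls on the same calendar day.

# Print "host user file seconds" for every completed upload ($18 == c) that
# the same host and user preceded with a download of the same file no more
# than $2 seconds earlier.  $1 is the xferlog path.
flag_rewrites() {
    awk -v window="$2" '
    function tod(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    NF >= 18 && $18 == "c" {
        key = $7 SUBSEP $14 SUBSEP $9
        t = tod($4)
        if ($12 == "o") {
            dl[key] = t
        } else if ($12 == "i" && (key in dl) && t - dl[key] >= 0 && t - dl[key] <= window) {
            print $7, $14, $9, t - dl[key]
        }
    }' "$1"
}

# Roll the hits up per host and account ("host user count"): the list of
# FTP accounts whose passwords are known to someone else.
rewrite_hosts() {
    flag_rewrites "$1" "$2" | awk '{ n[$1 " " $2]++ } END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample log: a bot at 203.0.113.7 pulls three pages and pushes
# them back within seconds (the third upload is incomplete, status i); the
# site owner at 198.51.100.9 downloads index.html in the morning and uploads
# an edited copy hours later, which must not be flagged.
make_sample_xferlog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Sat Mar 13 03:14:07 2010 1 203.0.113.7 4096 /home/bill/public_html/index.html a _ o r bill ftp 0 * c
Sat Mar 13 03:14:07 2010 1 203.0.113.7 2210 /home/bill/public_html/default.html a _ o r bill ftp 0 * c
Sat Mar 13 03:14:08 2010 1 203.0.113.7 1503 /home/bill/public_html/about.html a _ o r bill ftp 0 * c
Sat Mar 13 03:14:09 2010 1 203.0.113.7 4153 /home/bill/public_html/index.html a _ i r bill ftp 0 * c
Sat Mar 13 03:14:10 2010 1 203.0.113.7 2267 /home/bill/public_html/default.html a _ i r bill ftp 0 * c
Sat Mar 13 03:14:11 2010 1 203.0.113.7 1560 /home/bill/public_html/about.html a _ i r bill ftp 0 * i
Sat Mar 13 08:00:10 2010 1 198.51.100.9 4153 /home/bill/public_html/index.html a _ o r bill ftp 0 * c
Sat Mar 13 10:30:45 2010 1 198.51.100.9 4120 /home/bill/public_html/index.html a _ i r bill ftp 0 * c
EOF
    echo "$f"
}

if [ "${1:-}" = "demo" ]; then
    log=$(make_sample_xferlog)
    echo "== download/re-upload pairs within 60s =="; flag_rewrites "$log" 60
    echo "== per host and account =="; rewrite_hosts "$log" 60
    rm -f "$log"
fi
```

Run it with `sh script.sh demo` to see the two bot rewrites reported and the owner's edit ignored; on a real box point flag_rewrites at /var/log/xferlog and tune the window to taste. A plain upload with no preceding download is ordinary publishing and is deliberately not reported.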
The best solution for this issue would be to change all passwords and force the end user to reformat their computer, since they are infected and do not realize it. Alas, this is not quite practical. Rather, we need to advise the end user of the situation and suggest reformatting, or at the very least running a collection of anti-spyware, anti-virus and anti-everything software on their workstation, and force a change of the affected user's FTP password.
To clean up the malicious code that was added, we need to find out the exact string used (usually a 'tail index.php' will reveal it); it's often a javascript line or an iframe. Then strip it with sed:
[sourcecode language="bash"]
# '#' is the delimiter, so the slashes in the URL need no escaping; the dots are
# escaped so they match literally.  '*' only covers the current directory.
sed -i "s#<script src='http://b\.adserv\.cn/E/J\.JS'>##g" *
[/sourcecode]
sed’s not very good at recursing, but luckily, grep is. Make a list of files that match:
[sourcecode language="bash"]
# -R recurses; -l prints each matching file name once, so no awk is needed
grep -Rl "b.adserv.cn" * > filelist
[/sourcecode]
And then feed it to sed:
[sourcecode language="bash"]
# Note the space after -i: GNU sed reads -i"..." as a backup-suffix argument.
# "$line" is quoted so file names with spaces survive.
while read -r line ; do sed -i "s#<script src='http://b\.adserv\.cn/E/J\.JS'>##g" "$line" ; done < filelist
[/sourcecode]
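The three steps above (find the exact string, list the files with grep, feed the list to sed) are combined below into one script, as an added example that is not from the original post. It uses a tag built from the page's b.adserv.cn example as the constructed sample, matches it as a fixed string, escapes it before handing it to sed so that a `.`, `$` or `*` in the injected string cannot widen the match, keeps file names with spaces intact, and leaves a .bak copy of each changed file. The function names and the throw-away web root are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.  Cleans one injected tag
# out of every file under a web root the way the grep/sed steps above do,
# with the rough edges filed off: the tag is located as a fixed string
# (grep -F), every regex-special character is escaped before it reaches
# sed, file names containing spaces survive, and each edited file is kept
# as FILE.bak so a wrong pattern can be undone.  The tag below is built from
# the page's b.adserv.cn example; the sample web root is constructed here.

INJECTED_TAG="<script src='http://b.adserv.cn/E/J.JS'></script>"

# Escape a literal string for use in a sed BRE whose delimiter is '#'.
sed_escape() {
    printf '%s' "$1" | sed 's|[][\\.*^$#&]|\\&|g'
}

# Print, one per line, the files under $1 that contain the literal $2.
# Backups written by strip_injected are skipped so they are not re-flagged.
find_injected() {
    grep -rlF --exclude='*.bak' -- "$2" "$1" 2>/dev/null | sort
}

# Remove every occurrence of the literal $2 from the files under $1,
# keeping FILE.bak of each changed file.  Prints the number of files changed.
strip_injected() {
    dir=$1; tag=$2
    esc=$(sed_escape "$tag")
    list=$(mktemp)
    find_injected "$dir" "$tag" > "$list"
    n=0
    while IFS= read -r f; do
        sed -i.bak "s#$esc##g" "$f"
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Build a throw-away web root (constructed sample): two infected pages, one
# in a directory with a space in its name and one carrying the tag twice on
# a line, plus one clean page that must be left alone.
make_sample_site() {
    site=$(mktemp -d)
    mkdir "$site/sub dir"
    printf '%s\n' "<html><body>Hello</body></html>$INJECTED_TAG" > "$site/index.html"
    printf '%s\n' "$INJECTED_TAG<p>x</p>$INJECTED_TAG" > "$site/sub dir/default.htm"
    printf '%s\n' "<html><body>clean</body></html>" > "$site/about.html"
    echo "$site"
}

if [ "${1:-}" = "demo" ]; then
    site=$(make_sample_site)
    echo "infected before: $(find_injected "$site" "$INJECTED_TAG" | wc -l)"
    echo "files cleaned:   $(strip_injected "$site" "$INJECTED_TAG")"
    echo "infected after:  $(find_injected "$site" "$INJECTED_TAG" | wc -l)"
    rm -rf "$site"
fi
```

Run it with `sh script.sh demo` to watch it clean the sample tree; on a real server call strip_injected with the web root and the exact tag copied from the tail of an infected page. Review the output of find_injected before stripping, and remove the .bak files only once the pages have been checked.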
————————————————————————————————-
It should also be noted that this user logged in as the FTP user with no failed password attempts — they knew the password. This situation most often occurs when a client workstation that has access to this FTP account is compromised with a virus, spyware, trojan horse or keylogger that transmits the login credentials to a third party attacker. I strongly recommend running anti-virus and anti-spyware software on all client workstations that have access to this account.