1

Possible Duplicate:
My server's been hacked EMERGENCY

The hosting company supplied an email to its client and the client wanted some help from me. the message states:

 Any items listed here which are folders 
named with 5 to 7 random letters are are likely FTP account hacks

Checking for known bad files
/home2/1/public_html/images/sm6ay7.php
/home2/1/public_html/images/sm5ak0.php

Checking for known spam scripts
/home2/1/public_html/images/sm6ay7.php
/home2/1/public_html/images/sm5ak0.php
/home2/1/public_html/images/rssok4.php

These files are suspicious and should be looked at before deleting

The redirects in these files may not be legitimate. 
 Often the actual file name will give you an idea if it is legit or not. 
If any .htaccess files are listed here, they need to be cleaned.


TimThumb fixes

Thumbs DB fixes

Completed

------------------------
  Trackback
------------------------ 

These results are likely valid files 
that have had code added to them so they should be cleaned 
rather than removed: 

------------------------
  .htaccess 
------------------------


------------------------
  General
------------------------
Started at: Sun Jul 15 15:55:04 MDT 2012

/home2/1/public_html/images/sm6ay7.php
/home2/1/public_html/images/sm5ak0.php
/home2/1/public_html/images/rssok4.php

Completed at: Sun Jul 15 15:55:05 MDT 2012 

------------------------
  Phish
------------------------ 

Started at: Sun Jul 15 15:55:05 MDT 2012

Completed at: Sun Jul 15 15:55:05 MDT 2012 

------------------------
  Base64
------------------------

the code looks like this in the files mentioned above. What these lines of codes do I cannot say. Not a programmer as well. Since the files are located in the image folder seems to be suspicious. have looked into, but I am not sure if I have WP as CMS.
I do have the access to the control panel of the website, I tried to SSH was not able to may be some configurations in control panel that I need to deal with, the main problem is the spam in it, for SSH I will manage some way looking at the config. files.

.htaccess configuration settings. 

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit> 

AuthUserFile /home/1/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/1/public_html/_vti_pvt/service.grp

I am new to this, some some help would be appreciated. about identification and rules of thumbs if any to debug.

Community
  • 1
tough
  • 113
  • 4

2 Answers2

1

The file you provided is definitely a remote triggered mail-bot. I quickly formatted it and it assembles an email and sends it using mail(). I didn't look into details how it works, but the general idea is pretty obvious. Interestingly it showed a syntax error for me, so it might not have worked ever.

You need to clean the server. I would recommend you do a backup and then delete all the files and install whatever cms they use from scratch. You can probably safely keep the database, it may have become corrupted, but there should at least be no code executed from there. You also need to restore the image-folder. If there are only a few files, restore those, that are actually an image (just try opening them). Obviously don't restore any scripts (ending in .php, .pl, .py, .sh, ...) or executables (no ending, .exe, .cmd, bat, ...). Be sure to change any passwords and make sure those are good.

You also need to read up on security with the particular software they use. The hole is probably still there and it needs to be fixed before any attend at getting rid of viruses has a chance of success.

Delphinator
  • 136
  • 4
  • Thank you for the code revision and the suggestions, I would will create a backup and update the plug-in for the CMS (Word-Press) which suggests to fix this issue (hole) in the image uploading system. For sure change the Passwords. – tough Aug 15 '12 at 10:28
0

my recommendation is take everything from the hoster side, copy files/dump db, than remove everything and let hoster know that you cleaned the account, so you will be unsuspended. Next I would recommend reset all passwords to more secure min 20 symbols of random from this array: A-Za-z!@#$%^&*(),./ . Next if you are using WP install clean WP and restore DB.

next restore carefully everything what is missed, if it not CMS, check every file using some tools ie VirusTotal etc. if you will see that file is safe upload it to hosting.

Michael
  • 80
  • 3
  • Everything clean is not my option, I got to remove or debug the infected files if any, does anything here means anything or suggest any of the known virus file names? The script in the link above- what function is that supposed to do, and what is it doing in the Image file? could you suggest something including the hints we can get form this information provided above. – tough Aug 13 '12 at 14:29
  • well we usually recommend things I wrote for our customers. also if you have backup its better to restore everything from backup. but always necessary to change passwords. – Michael Aug 13 '12 at 14:43