
Plese Help, see if my site is still giveing security warnings

Last response: in Windows 7
March 3, 2012 12:49:34 PM

Caution advised with these links - Moderator

Hi everyone, one of my sites was hacked the other day and some of the time this crap would come up:

http://deletemalware.blogspot.com/2011/10/remove-wickedsearchsystemcom-uninstall.html


I posted earlier and a very helpful person pointed me to a thread where I ran the back-end PHP script on my web site; that's posted on page one of this thread:

http://discussion.dreamhost.com/thread-134262-page-1.html


and YES some files were found and removed.

From that point things appeared to be working ok, no more redirection to crap sites. I then checked my site on Unmask Parasites and it came up clean, I've had a few friends check it and so far no return to any drama. I too have been looking at the site with a fine-tooth comb and things appear to be working correctly. I almost feel like I'm on the cusp of being able to relax and get a good night's sleep. With all that being said, my URL that was hacked was:

http://www.colleenobrien.org


Could someone, anyone, check that site out (if you have some kind of tools that can see if a site is clean, that would be great) and see if you're seeing any redirects or anything else bad going on.

One extra note most of the problems that I experienced and were reported to me as well were encountered when looking over the site in IE.

Thank you for the help everyone, and I'm literally hoping and praying that someone looks this over and gives me some good news that nothing bad was found.

Nite, and thanks one more time for the help

John
March 3, 2012 4:48:39 PM

Hi :) 

So you are asking users here at Tom's to go to a site that's possibly infected....

I don't think so.....

And not very bright either...

All the best Brett :) 
March 3, 2012 5:23:25 PM

Close your web site, clean it up, then put it back; also put good security settings in place so no one could access its base to infect it and your visitors.
March 3, 2012 6:47:42 PM

Just a thought...
The problem is that the vulnerability may still be there, so you may get infected again. The least you can do is to make a backup copy of the current files/database, so you can compare it with tomorrow's or next week's backup copy to see if anything changes.

I guess you (or your hosting service) didn't have a backup from *before* the infection, because returning to that would have been much easier than scanning/combing through the files.
March 3, 2012 11:17:30 PM

szaboaz said:
The forum link I posted earlier ( http://wordpress.org/support/topic/hacked-by-iedla63wye... ) was updated with a link to a quite detailed description of the attack: http://domesticenthusiast.blogspot.com/2012/03/dyslexic...

It mentions that the malicious code creates this file: "/.logs/log1.txt".

This file still exists on the website! Maybe you forgot to delete it, or it came back.


I'm trying to find it but I can't; could you please give me more direction on where it might be located? I'm looking in the main directory with my FTP and I just can't find anything that looks like .logs/log.txt

Thank you
March 4, 2012 5:19:16 AM

http://www.colleenobrien.org/.logs/log1.txt
March 4, 2012 5:53:45 AM

I'm not trying to be dense but I can't see the .logs directory anywhere in the colleenobrien.org server space.

However, if I go one level up in my server structure via my FTP program then I do find a logs folder, but with no period in front like the name illustrated above:

http://www.workspace.johncliffordtaylor.com/screenGrabO...

Is this what you are talking about?
March 4, 2012 6:45:20 AM

No. There must be a ".logs" directory under the "colleenobrien.org" directory.

The missing piece of information is that file and directory names starting with "." are considered "hidden" in some contexts.

If they can't be seen, there can be only two reasons: either the server won't serve them up, or the client doesn't ask for them/doesn't show them.

For example, the FileZilla FTP client has an option under the "Server" menu: "Force showing hidden files". When I check it, a dialog box comes up and gives a little explanation; let me copy it here, for I can't explain it better:

Quote:
Note that this feature is only supported using the FTP protocol.
A proper server always shows all files, but some broken servers hide files from the user. Use this option to force the server to show all files.
Keep in mind that not all servers support this feature and may return incorrect listings if this option is enabled. Although FileZilla performs some tests to check if the server supports this feature, the test may fail.
Disable this option again if you will not be able to see the correct directory contents anymore.
March 4, 2012 2:31:34 PM

First of all szaboaz, bless you for sticking with me on this right from the start; you're a good man, and if you were here I would buy you lunch!

You were right all along, the file was there and it was hiding on me:

http://www.tech-evangelist.com/2006/01/22/display-hidde...

I followed the instructions above and the minute I turned on the show hidden files option the .logs file popped right up.

I deleted the .logs folder and now I have changed my FTP password (yet again). Is there anything else I should do to help clean up this mess and keep them out for good?

Thank you

John
March 4, 2012 3:06:26 PM

Also I have manually looked for any open doors, found a few and removed them. In the article there was a sub-heading titled "Cleaning up the mess", and then he gives instructions to find open, world-writeable directories, and then there appears to be a command line there to execute. The problem with this is I'm not sure how to pull up this command line interface. I've also asked my host how I do this as well.

Thanks
March 4, 2012 5:40:36 PM

It's lovely to hear that things are getting all right.

Do a full-site backup today. It's even better if you can test your backup on localhost to be absolutely sure that if anything bad happens in the future, you can reconstruct the current state in one or two simple steps.

About the command line interface, you'll hear about SSH, Putty, and Linux commands.

I still remember some ten years ago, I was sitting in front of an AIX mainframe-terminal monitor, with its green letters and the blinking prompt. I borrowed a book from the library, I think it was "The Unix Programming Environment", by Kernighan and Pike, from 1984. And I typed those commands, mkdir, who, finger, talk(!), lynx(!!), pine.. And I felt like a true hacker. :)  Good old days.

If I can give one piece of advice, that would be: invest time into Linux. It'll pay back. Lol, if I can give two pieces of advice, the second would be: learn to touch type. Every hour you spend learning will come back 100 times or more. But I digress...

And don't worry about that lunch, I'm sure one day you'll be there for someone in need. And if that person asks how to return the help, just tell him to do the same to someone else. Like a chain of help. Cool, or what? :) 

Good luck.
March 4, 2012 5:54:13 PM

Yeah, and prompted by your messages, I discovered that one of my close friends' WordPress sites has the timthumb.php vulnerability (the site has version 1.25!), so I was able to warn them; hopefully the site won't be infected, at least not through this.

So there's my prize. It's all about the knowledge. Battle of minds. But enough of wisdom for today. :p 
March 5, 2012 1:45:59 PM

So I ran a scan and found this:

wp-content/themes/Karma/truethemes_framework/extended/timthumb/timthumb.php:206
Used by malicious scripts to decode previously obscured data/programs

Should I delete that? Because when I go into the PHP file and look it over it says on line 206:

if(BLOCK_EXTERNAL_LEECHERS && array_key_exists('HTTP_REFERER', $_SERVER) && (! preg_match('/^https?:\/\/(?:www\.)?' . $this->myHost . '(?:$|\/)/i', $_SERVER['HTTP_REFERER']))){
    // base64 encoded red image that says 'no hotlinkers'
    // nothing to worry about! :)
    $imgData = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");
    header('Content-Type: image/gif');
    header('Content-Length: ' . sizeof($imgData));
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header("Pragma: no-cache");
    header('Expires: ' . gmdate ('D, d M Y H:i:s', time()));
    echo $imgData;
    return false;
    exit(0);
}

That all looks like gibberish to me; there is the comment telling me not to worry about it, but then there is this really long string of numbers and letters commonly associated with virus programs?

Your thoughts? Until I hear from you I'm going to pull the file and see if it has any effect on the front end, and if not I may just leave it out altogether; better safe than sorry, I say.

As always your thoughts and insights are welcome.
March 5, 2012 3:04:05 PM

This block of code is clean. All it does is display a little image with a "No hotlinking" description.

I put it in a PHP file, ran it, and this is the picture:

The scanner simply reacted to the presence of the "base64_decode()" function ( http://php.net/manual/en/function.base64-decode.php ), which is, along with "eval()", often used to make malicious code unreadable/unsearchable.

This time, it was simply used to store the binary contents of that GIF file as character data, so that it can be inserted into the PHP file instead of having the image as a separate file in the filesystem.


If your site (and the theme you use) doesn't use it anywhere, you could disable (rename, delete or whatever) it, I guess.
Otherwise, you can replace it with the latest version directly from the developers, which has most chance of known security issues fixed (and new security issues introduced :p  okay, I'm being funny here), and uses reasonable default values for external site caching. Hopefully.
http://code.google.com/p/timthumb/source/browse/trunk/t...

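One way to check a base64_decode() alert like the one above for yourself, as an added example that is not code from this thread or from timthumb: decode the exact blob quoted from timthumb.php and look at what the bytes actually are, which tells a GIF apart from obfuscated PHP without running anything.

```python
"""Triage a base64 blob flagged by a site scanner: decode it and identify the bytes."""
import base64
import struct

# The blob exactly as quoted from timthumb.php in this thread; the "\n" in the
# PHP string are real newlines there, and non-strict base64 decoding drops them.
TIMTHUMB_BLOB = (
    "R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\n"
    "OGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\n"
    "DULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs="
)


def inspect_blob(b64text: str) -> dict:
    """Decode a base64 blob and report what it contains.

    'kind' is 'gif' for a GIF image, 'php' when the decoded bytes are PHP
    source (the case that deserves attention), otherwise 'other'.
    For a GIF the header is parsed: dimensions, global palette, trailer byte.
    """
    data = base64.b64decode(b64text)           # whitespace is ignored, like PHP
    report = {"bytes": len(data), "kind": "other"}
    if data.lstrip().startswith(b"<?php") or b"eval(" in data:
        report["kind"] = "php"
        return report
    if data[:6] in (b"GIF87a", b"GIF89a"):
        report["kind"] = "gif"
        # Logical Screen Descriptor: width, height (little-endian u16), flags
        width, height, flags = struct.unpack_from("<HHB", data, 6)
        report["size"] = (width, height)
        if flags & 0x80:                        # global colour table present
            ncolors = 2 ** ((flags & 0x07) + 1)
            pal = data[13:13 + 3 * ncolors]     # palette follows the 13-byte header
            report["palette"] = [tuple(pal[i:i + 3]) for i in range(0, len(pal), 3)]
        report["well_formed"] = data.endswith(b"\x3b")   # GIF trailer ';'
    return report


if __name__ == "__main__":
    print(inspect_blob(TIMTHUMB_BLOB))
```

For the quoted blob this reports an 80x12 GIF89a with a two-colour palette of red and white and a proper trailer, matching the "red image" comment in the file.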