Please Read - New Virus F'ing up Sites
So after two days of wondering why my sites are lagging so much, I finally made it through my files via FileZilla. I found some amazing s**t.
There is a new file out there called inc.php, and it is a particularly bad one. If you own a network like I do, it could be months before you're able to actually find and eliminate it.
This came out of a WordPress installation, and we know those are vulnerable, but nonetheless this is a nasty piece of work that everyone needs to know about.
It uses a find .pwd parameter that allows the hacker to own your password. I am not sure of any other names it is going around as at the moment, but I know that Avira did give it a new ranking and name classification, meaning that it is something new.
Hopefully that helps some of you to get it out there, and I know someone will be Googling inc.php soon, and I hope they find this article so they know they are infected.
Bottom line: CHMOD, and check your S**T!
UPDATE: HERE IS WHAT VIRUSTOTAL HAD TO SAY ABOUT IT, 5:30 AM EST:
ssdeep: 1536:EtzhQp55YgGJVJrpmxPpN4RMLCeDVgWBiu:EtzpmxPpSR kDZF
TrID: HyperText Markup Language (100.0%)
First seen by VirusTotal: 2012-02-04 10:25:52 UTC (2 minutes ago)
Last seen by VirusTotal: 2012-02-04 10:25:52 UTC (2 minutes ago)
File names (max. 25): inc.php
I think what it is trying to say is that it's pretty new and pretty mean. That was the comment section. Only a few of the antivirus engines (Avira, Avast and Trend Micro) had any positive result, AND THAT'S BECAUSE I SENT IT TO THEM OVER 6 HOURS AGO!!!
Last edited by oblivionembraced; 02-04-2012 at 08:32 AM.
-
The Following User Says Thank You to oblivionembraced For This Useful Post:
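As an added example (not from the original post, and not a tool named anywhere in the thread), here is a Python triage script that does the hunt the poster did by hand through FileZilla: it walks a web root and flags PHP code sitting in upload/image folders or behind an image extension, common web-shell constructs (eval/base64_decode/assert chains and request data fed into a variable function call), world-writable files, and any file carrying the reported name inc.php. The sample web root it builds is constructed for the demonstration; the media directory names, the regex patterns and the `REPORTED_NAMES` rule are assumptions, and every hit is a lead to open the file, not a verdict.

```python
"""Webroot triage for disguised PHP droppers (added example, not from the thread).

Flags PHP code in media/upload folders or behind image extensions, common
web-shell constructs, world-writable files, and the inc.php name the post
reports. A hit is a lead to open the file, not proof of infection.
"""
import os
import re
import stat
import tempfile

# Directory names assumed to hold media only; PHP code there is never legitimate.
MEDIA_DIRS = {"uploads", "images", "img", "media", "cache"}
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".ico", ".bmp")
PHP_TAG = re.compile(rb"<\?(php\b|=)")
# Constructs typical of PHP shells: eval/decode chains, assert(), and request
# data fed to a variable function call such as $f($_GET['a']).
SUSPECT = re.compile(
    rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|assert\s*\("
    rb"|\$[A-Za-z_]\w*\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"
)
REPORTED_NAMES = {"inc.php"}  # from the thread; extend with your own indicators


def scan_webroot(root):
    """Walk `root`; return sorted (relative_path, reason) pairs."""
    findings = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, etc.
                with open(path, "rb") as fh:
                    head = fh.read(64 * 1024)  # enough to see the PHP tag
            except OSError:
                continue
            lower = name.lower()
            in_media = MEDIA_DIRS.intersection(rel.lower().split(os.sep)[:-1])
            has_php = PHP_TAG.search(head) is not None
            if st.st_mode & stat.S_IWOTH:
                findings.add((rel, "world-writable"))
            if lower in REPORTED_NAMES:
                findings.add((rel, "filename matches reported dropper"))
            if has_php and in_media:
                findings.add((rel, "php code inside media directory"))
            if has_php and lower.endswith(IMAGE_EXT):
                findings.add((rel, "php code behind an image extension"))
            if has_php and SUSPECT.search(head):
                findings.add((rel, "suspicious construct (eval/decode/variable call)"))
    return sorted(findings)


def build_sample_tree():
    """Constructed fake web root so the scan can be demonstrated offline."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": b"<?php require 'wp-blog-header.php';\n",
        "wp-content/uploads/2012/02/photo.jpg": b"\xff\xd8\xff\xe0JFIF fake image bytes",
        # dropper parked next to the real image with a look-alike name
        "wp-content/uploads/2012/02/photo.jpg.php":
            b"<?php eval(base64_decode($_POST['c'])); ?>",
        # valid GIF header followed by PHP: passes an image check, runs if executed
        "wp-content/uploads/2012/02/phot0.jpg":
            b"GIF89a<?php @assert($_REQUEST['x']); ?>",
        "blog/inc.php": b"<?php $f = $_GET['f']; $f($_GET['a']);",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    os.chmod(os.path.join(root, "blog", "inc.php"), 0o666)  # world-writable
    return root


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_tree()):
        print("%-45s %s" % (rel, reason))
```

Point `scan_webroot()` at a real document root instead of `build_sample_tree()`; reading only the first 64 KB keeps it fast on large media trees, and the clean JPEG and index.php in the sample produce no hits while the three planted files each produce several.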
-
-
Re: Please Read - New Virus F'ing up Sites
Thank you for the heads up and for giving me something to do Friday night :-)
-
The Following User Says Thank You to AdisLCS For This Useful Post:
-
Re: Please Read - New Virus F'ing up Sites
Yeah, it's my ideal Friday. I am dumping my SQL databases.
-
-
Re: Please Read - New Virus F'ing up Sites
Also, please note, I am rather new to BHW, so if you can put this in a place where people with WordPress sites are going to see it, any help for others is greatly appreciated, and gets positive rep from me.
I know some of you are going to try to make money off of this. I just hope the other half are going to try to save their S**t and rescue the internet. This is rather bad news for everyone.
-
-
Re: Please Read - New Virus F'ing up Sites
Any more information on this anyone?? A link to the vulnerability report maybe??
-
-
Re: Please Read - New Virus F'ing up Sites
Guys that run dedis should invest in good protection. Get mod_security, keep pattern files up to date, spend a Benjamin with ConfigServer to lock your dedi down and install cxs anti-virus, chkroot, lfd, enable flood protection and replace passwords with keys. If you can't do key files then use HAC to lock down your server root to only your IP addies. Make sure you use a couple of proxy IPs as backup in case your local internet goes down or changes your IP without warning.
I've been using dedis for many years. Once I found out about ConfigServer, cxs, lfd and mod_security I haven't come close to an infection, and I run hundreds of sites.
I get emails all day long about attempts at cross-script injection, DDoS, brute-force attacks, FTP and mail hack attempts, but they get 5-8 shots before lfd shuts their ass out and sends me an email. cxs scans every day looking for viruses and quarantines on the fly. Chkroot scans the root files. All the protection updates daily and scans 24/7.
Do it right and spend $100. It'll be the best $100 you ever spent. I run 12 dedis and haven't had an infection make it through in more than 2 years, and many of my client sites are targets for hackers (osc, cre, wp, etc.). I'm not affiliated with ConfigServer but just like the service they do. They get you 80% there and with a little reading you can tweak the rest.
A good host will run daily virus scans and find a virus before you or Google does. ;-)
-
The Following User Says Thank You to kvmcable For This Useful Post:
-
Re: Please Read - New Virus F'ing up Sites
Ok, so here's the latest update.
I got the virus submitted to Avira and viruslab. Avira responded first. They used their program to correctly deduce that it is a new virus, and are updating their software to find it. PLEASE take note, they named it something completely new that I have never heard of, but if you know something about this particular threat, please do share. It's a rather evil virus, and it almost runs silent, so detecting it is a bit of a problem. The only reason that I caught it was that my server ping jumped from 100 ms to around 300 ms overnight, and my traffic level hadn't increased. Page views were the same, and I hadn't added anything crazier than I already had to my sites. They were pretty much stationary, except for a quote form that I was updating periodically. I will post the Avira response:
Dear Sir or Madam,
Thank you for your email to Avira's virus lab.
Tracking number: INC00975929.
A listing of files alongside their results can be found below:
File ID    Filename   Size (Byte)   Result
26554620   inc.php    64.38 KB      MALWARE
Please find a detailed report concerning each individual sample below:
Filename   Result
inc.php    MALWARE
The file 'inc.php' has been determined to be 'MALWARE'. Our analysts named the threat PHP/Shell.G.2. The term "PHP/" denotes a PHP script virus. Detection is added to our virus definition file (VDF) starting with version 7.11.22.23.
Alternatively you can see the analysis result here:
http://analysis.avira.com/samples/de...identid=975929
An overview of all your submissions can be found here:
http://analysis.avira.com/samples/de...HwpGn6dNpvtkrC
Please note: If you have specific questions please address them to
support@avira.com
Kind regards
Avira Virus Lab
I placed as much information about this virus around the internet as I could whilst working with my database last night, and I am back at it again at 5am. It's that nasty. Here are some tricks and tips to help out, which is also the same path that I am following to deal with it:
I am modding all of my .htaccess files to require a .htpasswd for all admin areas. I am changing table prefixes for the entire database, wiping and regenerating cookies, removing login meta, and finally I have disabled new users on any of my WordPress installations that haven't received that treatment yet.
Here is a good place to look for the required files and plugins to make this all possible:
http://www.htaccesstools.com/htpasswd-generator/
and
http://www.websitedefender.com/wordp...y-scan-plugin/
These two sites and plugins make it possible to beat this thing after you have cleaned it out. You should be able to find it in the root directory (or, if you have multiple installations under a main URL, it will be buried in the root directory of another site inside the main one).
Once the inc.php file is eradicated, you need to go through your images folders. Make sure that you have a good backup that's not corrupted (or at least remember the file names that you use), and make a backup of your database using the security scan plugin. Then, when in the images folders, you should be looking for files that carry almost similar naming to the images that you have. It likes to hide there, and in the database. I am working on isolating the strings, so that you can use a simple "find and replace" command.
Thanks to all who are keeping this going, and I appreciate everyone helping out to wipe this out before it becomes a nightmare for us all. Finally, if you think you're infected, I will be helping as many people as I can. Send me a raw export of your DB (use security scan) and I will do it as fast as I can.
Thanks
Last edited by oblivionembraced; 02-04-2012 at 08:17 AM.
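The table-prefix change in the post above has a trap worth showing in code: WordPress stores the prefix as data as well as in table names, in the `{prefix}user_roles` option and in the `{prefix}capabilities` / `{prefix}user_level` user meta keys, so renaming the tables alone leaves every account without a role and locks the administrator out of the dashboard. The following is an added example (not the poster's code and not WordPress's) that performs the rename and the key fix-up in one transaction. It runs against an in-memory sqlite3 copy of a constructed miniature schema so it works offline; the table contents, the new prefix `x7q2_` and the helper names are assumptions. Against MySQL the same statements apply, and `$table_prefix` in wp-config.php must be changed to match.

```python
"""Change a WordPress table prefix without locking out the administrator.

Added example, not code from the post or from WordPress. Runs on an in-memory
sqlite3 copy of a constructed miniature schema so it works offline; against
MySQL the same statements apply, plus `$table_prefix` in wp-config.php.
"""
import re
import sqlite3

# The prefix is also stored as *data*; renaming tables alone leaves these keys
# stale and every user loses their role.
PREFIXED_OPTION_NAMES = ("user_roles",)
PREFIXED_META_KEYS = ("capabilities", "user_level", "user-settings", "user-settings-time")
IDENT = re.compile(r"[A-Za-z0-9_]+")


def list_tables(conn, prefix):
    """Tables whose name starts with `prefix` (startswith, not LIKE: `_` is a LIKE wildcard)."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows if r[0].startswith(prefix))


def change_prefix(conn, old, new):
    """Rename every `old*` table to `new*` and rewrite the prefixed keys, atomically."""
    for p in (old, new):
        if not IDENT.fullmatch(p):
            raise ValueError("prefix must match [A-Za-z0-9_]+: %r" % p)
    tables = list_tables(conn, old)
    if not tables:
        raise ValueError("no tables with prefix %r" % old)
    existing = set(list_tables(conn, ""))
    renames = [(t, new + t[len(old):]) for t in tables]
    clashes = [dst for _, dst in renames if dst in existing]
    if clashes:
        raise ValueError("target tables already exist: %s" % clashes)
    with conn:  # one transaction: all renames and key updates, or none
        for src, dst in renames:
            # table names cannot be bound as parameters; both prefixes validated above
            conn.execute('ALTER TABLE "%s" RENAME TO "%s"' % (src, dst))
        for key in PREFIXED_OPTION_NAMES:
            conn.execute(
                'UPDATE "%soptions" SET option_name = ? WHERE option_name = ?' % new,
                (new + key, old + key))
        for key in PREFIXED_META_KEYS:
            conn.execute(
                'UPDATE "%susermeta" SET meta_key = ? WHERE meta_key = ?' % new,
                (new + key, old + key))
    return list_tables(conn, new)


def build_sample_db():
    """Constructed miniature of the WordPress tables the change touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options  (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users    (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts    (ID INTEGER PRIMARY KEY, post_title TEXT);
        INSERT INTO wp_options (option_name, option_value) VALUES ('siteurl', 'http://example.invalid');
        INSERT INTO wp_options (option_name, option_value) VALUES ('wp_user_roles', 'a:5:{...}');
        INSERT INTO wp_users (user_login) VALUES ('admin');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (1, 'wp_user_level', '10');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (1, 'nickname', 'admin');
    """)
    return conn


def role_of(conn, prefix, user_id=1):
    """Serialized capabilities of a user under `prefix`, or None if the key is stale."""
    row = conn.execute(
        'SELECT meta_value FROM "%susermeta" WHERE user_id = ? AND meta_key = ?' % prefix,
        (user_id, prefix + "capabilities")).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", role_of(db, "wp_"))
    print("renamed:", change_prefix(db, "wp_", "x7q2_"))
    print("after:", role_of(db, "x7q2_"))
```

Take a database dump first, as the post says; the prefix validation and the clash check stop the two common ways this goes wrong (a prefix that is not a plain identifier, and a half-done earlier attempt that already created some of the target tables), and `role_of()` is the check to run afterwards before anyone logs out.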
-
-
Re: Please Read - New Virus F'ing up Sites

Originally Posted by kvmcable
Guys that run dedis should invest in good protection. Get mod_security, keep pattern files up to date, spend a Benjamin with ConfigServer to lock your dedi down and install cxs anti-virus, chkroot, lfd, enable flood protection and replace passwords with keys. If you can't do key files then use HAC to lock down your server root to only your IP addies. Make sure you use a couple of proxy IPs as backup in case your local internet goes down or changes your IP without warning.
I've been using dedis for many years. Once I found out about ConfigServer, cxs, lfd and mod_security I haven't come close to an infection, and I run hundreds of sites.
I get emails all day long about attempts at cross-script injection, DDoS, brute-force attacks, FTP and mail hack attempts, but they get 5-8 shots before lfd shuts their ass out and sends me an email. cxs scans every day looking for viruses and quarantines on the fly. Chkroot scans the root files. All the protection updates daily and scans 24/7.
Do it right and spend $100. It'll be the best $100 you ever spent. I run 12 dedis and haven't had an infection make it through in more than 2 years, and many of my client sites are targets for hackers (osc, cre, wp, etc.). I'm not affiliated with ConfigServer but just like the service they do. They get you 80% there and with a little reading you can tweak the rest.
A good host will run daily virus scans and find a virus before you or Google does. ;-)
Actually, none of the search engines found this, and they crawl my sites quite often. When I did a VirusTotal scan BEFORE extraction, results came back clean. It's an interesting one, or I wouldn't be posting about it here!!
Nonetheless, thank you for your post and the useful info. I will check out config tomorrow during business hours. I am also working on securing scripts to handle things like this and scan. When I do, I will share them in the downloads area.
-
-
Re: Please Read - New Virus F'ing up Sites
Thanks for sharing such nice information... it really looks interesting.
-
The Following User Says Thank You to sumit2531 For This Useful Post:
-
Re: Please Read - New Virus F'ing up Sites

Originally Posted by oblivionembraced
Actually, none of the search engines found this, and they crawl my sites quite often. When I did a VirusTotal scan BEFORE extraction, results came back clean. It's an interesting one, or I wouldn't be posting about it here!!
Nonetheless, thank you for your post and the useful info. I will check out config tomorrow during business hours. I am also working on securing scripts to handle things like this and scan. When I do, I will share them in the downloads area.
Any idea as to how you got it or what security flaws it exploits? Can we webmasters do anything to avoid it?
-
The Following User Says Thank You to Bisturi For This Useful Post:
-
Re: Please Read - New Virus F'ing up Sites

Originally Posted by Bisturi
Any idea as to how you got it or what security flaws it exploits? Can we webmasters do anything to avoid it?
Yes, there are ways it can be avoided. It has a problem getting past the .htaccess and .htpasswd that I mentioned at the top. If you comment .htaccess with the required lines:
Code:
# Basic auth on top of a host-based deny. With "Satisfy any" a request is
# allowed if EITHER the host rules pass (they never do: Deny from all) OR
# the user authenticates against the .htpasswd file, which lives outside
# the web root so it can never be served.
AuthUserFile /etc/httpd/.htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
Then generate the .htpasswd file to keep access to that area low. I shared the generator up top, but again it is:
http://www.htaccesstools.com/htpasswd-generator/
It allows you to build an encrypted .htpasswd file, and it stops most scripts almost immediately. If they can't get to the admin areas to run, they're rather harmless (unless they make it onto your WAMP server machine).
-
The Following 2 Users Say Thank You to oblivionembraced For This Useful Post:
Bisturi (02-04-2012),
xzzxpimpxzzx (02-04-2012)
-