
Please Read - New Virus F'ing up Sites

Discussion in 'BlackHat Lounge' started by oblivionembraced, Feb 4, 2012.

  1. oblivionembraced

    oblivionembraced Newbie

    Joined:
    Mar 25, 2011
    Messages:
    25
    Likes Received:
    21
    Occupation:
    Full-time consultant (I write code in my p.j.s but
    Location:
    PALM BEACH :)
    So after two days of wondering why my sites are lagging so much, I finally made it through my files via FileZilla. I found some amazing s**t.

    There is a new file out there called inc.php, and it is a particularly bad one. If you own a network like I do, it could be months before you're able to actually find it and eliminate it.

    This came out of a WordPress installation, and we know those are vulnerable, but nonetheless this is a nasty piece of work that everyone needs to know about.

    It uses a find .pwd parameter that allows the hacker to own your password. I am not sure of any other names it is going around under at the moment, but I know that Avira did give it a new ranking and name classification, meaning that it is something new.

    Hopefully that helps some of you to get it out there. I know someone will be googling inc.php soon, and I hope they find this article so they know they are infected.

    Bottom line: CHMOD, and check your S**T!

    UPDATE: HERE IS WHAT VIRUSTOTAL HAD TO SAY ABOUT IT, 5:30 AM EST:
    I think what it is trying to say is that it's pretty new and pretty mean. That was the comment section. Only a few of the antiviruses (Avira, Avast and Trend Micro) had any positive result, AND THAT'S BECAUSE I SENT IT TO THEM OVER 6 HOURS AGO!!!
     
    Last edited: Feb 4, 2012
  2. AdisLCS

    AdisLCS Power Member

    Joined:
    May 16, 2009
    Messages:
    520
    Likes Received:
    216
    Thank you for the heads-up and for giving me something to do Friday night :)
     
  3. oblivionembraced

    oblivionembraced Newbie

    Yeah, it's my ideal Friday. I am dumping my SQL databases.
     
  4. oblivionembraced

    oblivionembraced Newbie

    Also, please note, I am rather new to BHW, so if you can put this in a place where people with WordPress sites are going to see it, any help for others is greatly appreciated and gets positive rep from me.

    I know some of you are going to try to make money off of this. I just hope the other half are going to try to save their S**t and rescue the internet. This is rather bad news for everyone.
     
  5. killakem

    killakem Regular Member

    Joined:
    Oct 20, 2011
    Messages:
    383
    Likes Received:
    248
    Any more information on this, anyone? A link to the vulnerability report, maybe?
     
  6. kvmcable

    kvmcable Supreme Member

    Joined:
    Dec 28, 2010
    Messages:
    1,355
    Likes Received:
    2,815
    Occupation:
    24 year business owner - old school dude
    Location:
    KFC - BW3
    Guys that run dedis should invest in good protection. Get mod_security, keep pattern files up to date, spend a Benjamin with ConfigServer to lock your dedi down, and install CXS anti-virus, chkroot and LFD, enable flood protection and replace passwords with keys. If you can't do key files, then use HAC to lock down your server root to only your IP addies. Make sure you use a couple of proxy IPs as backup in case your local internet goes down or changes your IP without warning.

    I've been using dedis for many years. Once I found out about ConfigServer, CXS, LFD and mod_security, I haven't come close to an infection, and I run hundreds of sites.

    I get emails all day long about attempts to cross-site script inject, DDoS, brute force attacks, FTP and mail hack attempts, but they get 5-8 shots before LFD shuts their ass out and sends me an email. CXS scans every day looking for viruses and quarantines on the fly. chkroot scans the root files. All the protection updates daily and scans 24/7.

    Do it right and spend $100. It'll be the best $100 you ever spent. I run 12 dedis and haven't had an infection make it through in more than 2 years, and many of my client sites are targets for hackers (osc, cre, wp, etc.). I'm not affiliated with ConfigServer, I just like the service they do. They get you 80% there, and with a little reading you can tweak the rest.

    A good host will run daily virus scans and find a virus before you or Google does. ;-)
     
  7. oblivionembraced

    oblivionembraced Newbie

    OK, so here's the latest update.

    I got the virus submitted to Avira and VirusLab. Avira responded first. They used their program to correctly deduce that it is a new virus, and are updating their software to find it. PLEASE take note: they named it something completely new that I have never heard of, but if you know something about this particular threat, please do share. It's a rather evil virus, and it almost runs silent, so detecting it is a bit of a problem. The only reason that I caught it was that my server ping jumped from 100 ms to around 300 ms overnight, and my traffic level hadn't increased. Page views were the same, and I hadn't added anything crazier than I already had to my sites. They were pretty much stationary, except for a quote form that I was updating periodically. I will post the Avira response:
    I placed as much information about this virus around the internet as I could whilst working with my database last night, and I am back at it again at 5am. It's that nasty. Here are some tricks and tips to help out, also the same path that I am following to deal with it:
    I am modifying all of my .htaccess files to require a .htpasswd for all admin areas. I am changing table prefixes for the entire database, wiping and regenerating cookies, removing login meta, and finally I have disabled new users on any of my WordPress installations that haven't received that treatment yet.

    Here is a good place to look for the required files and plugins to make this all possible:
    http://www.htaccesstools.com/htpasswd-generator/
    and
    http://www.websitedefender.com/wordpress-security-scan-plugin/

    These two sites and plugins make it possible to beat this thing after you have cleaned it out. You should be able to find it in the root directory (or, if you have multiple installations under a main URL, it will be buried in a root directory of another site inside the main one).
    Once the inc.php file is eradicated, you need to go through your images folders. Make sure that you have a good backup that's not corrupted (or at least remember the file names that you use), and make a backup of your database using the security scan plugin. Then, when in the images folders, you should be looking for files that carry almost similar naming to the images that you have. It likes to hide there, and in the database. I am working on isolating the strings, so that you can use a simple "find and replace" command.

    Thanks to all who are keeping this going, and I appreciate everyone helping out to wipe this out before it becomes a nightmare for us all. Finally, if you think you're infected, I will be helping as many people as I can. Send me a raw export of your DB (use security scan) and I will do it as fast as I can.

    Thanks
     
    Last edited: Feb 4, 2012
  8. oblivionembraced

    oblivionembraced Newbie

    Actually, none of the search engines found this, and they crawl my sites quite often. When I did a VirusTotal scan BEFORE extraction, results came back clean. It's an interesting one, or I wouldn't be posting about it here!!

    Nonetheless, thank you for your post and the useful info. I will check out config tomorrow during business hours. I am also working on securing scripts to handle things like this and scan. When I do, I will share them in the downloads area.
     
  9. Adam Xtubeage

    Adam Xtubeage Jr. VIP Premium Member

    Joined:
    Jan 31, 2012
    Messages:
    141
    Likes Received:
    73
    Occupation:
    IM & ENJOYING LIFE & STUDYING....!
    Location:
    PARADISE
    Thanks for sharing such nice information... it really looks interesting :)
     
  10. Bisturi

    Bisturi Junior Member

    Joined:
    Nov 27, 2011
    Messages:
    125
    Likes Received:
    38
    Any idea as to how you got it or what security flaws it exploits? Can we webmasters do anything to avoid it?
     
  11. oblivionembraced

    oblivionembraced Newbie

    Yes, there are ways it can be avoided. It has a problem getting past the .htaccess and .htpasswd that I mentioned at the top. If you add the required lines to .htaccess:
    Code:
    # Apache 2.2 syntax: require HTTP Basic auth for everything in this directory
    AuthUserFile /etc/httpd/.htpasswd
    AuthType Basic
    AuthName "restricted"
    # Deny all hosts, then let "Satisfy any" admit anyone who presents a valid user
    Order Deny,Allow
    Deny from all
    Require valid-user
    Satisfy any

    Then generate the .htpasswd file to keep access to that area low. I shared the generator up top, but again it is:
    http://www.htaccesstools.com/htpasswd-generator/


    It lets you build an encrypted .htpasswd file, and it stops most scripts almost immediately. If they can't get to the admin areas to run, they're rather harmless (unless they make it onto your WAMP server machine).
     
  12. xzzxpimpxzzx

    xzzxpimpxzzx Regular Member

    Joined:
    May 5, 2007
    Messages:
    402
    Likes Received:
    307
    Occupation:
    i work online
    Location:
    Costa Rica
    good job mate
     
  13. sagimann

    sagimann Newbie

    Joined:
    Jul 5, 2012
    Messages:
    0
    Likes Received:
    0
    Hi,
    I came across this thread after Avira found a PHP/Shell.G.2 virus on my website, which seems to be a variant of what is mentioned here. I would like to share the details with you:

    We found a file called "riad.php" under one of our public folders.
    This file starts by mentioning a "nickname" of the hacker, "breaker-dz", who seems to have YouTube videos on how to break into SSH, among other things.


    The PHP file is a compressed PHP file. When I inflated the data and reviewed the code, it seems that it's a kind of all-in-one admin console, able to get access to the file system, network, databases, pwd files, hash decryption functions, file date manipulation, decoy code, and whatnot. Truly one mean piece of code.

    We DO seem to have a few WordPress installations on our server, and one of them did contain the riad.php file, under /wp-content/themes/twentyten/riad.php, although the same file was also in some other location unrelated to WP, but still in a public location where there is a public PHP API (REST service).

    I hope this info helps as well.
    I will go ahead and verify the .htaccess files of the sensitive areas, and remove any inactive WP deployments.
     
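Two of the hunts above are done by hand: post 7 walks the tree looking for inc.php and for PHP files hiding among the images, and post 13 inflates a compressed riad.php to read what the console actually does. The following Python script is an added example that does both statically; it is not code from either poster. The no-PHP directory list, the indicator function names and the planted sample files are constructed assumptions for the demo, and the decoder only follows chains of decoder calls that end in a quoted literal, so an `eval($_POST['x'])` dropper is reported rather than executed. It also generalises the thread's single gzinflate/base64 wrapper to arbitrarily nested layers (gzinflate, gzuncompress, base64_decode, str_rot13).

```python
"""Static web-shell hunt for a WordPress document root (added example).

1. Flag PHP files in directories where a stock WordPress install never has
   executable PHP, and files named like an image but ending in .php.
2. Peel eval(<decoder chain>('literal')) wrappers without executing anything,
   then grep both the raw file and the decoded payload for indicator calls.
"""
import base64
import binascii
import codecs
import os
import re
import tempfile
import zlib

# Assumption: WordPress never ships executable PHP under these relative paths.
NO_PHP_DIRS = ("wp-content/uploads", "images", "img")
PHP_EXT = re.compile(r"\.(php\d?|phtml)$", re.I)
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif)\.(php\d?|phtml)$", re.I)
# Assumed indicator list: decoders and command-execution functions.
SUSPICIOUS = re.compile(
    rb"\b(eval|assert|gzinflate|gzuncompress|str_rot13|base64_decode|system|"
    rb"passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
EVAL_CALL = re.compile(rb"eval\s*\((.*)\)\s*;", re.S)
CALL = re.compile(rb"(\w+)\s*\((.*)\)", re.S)
LITERAL = re.compile(rb"(['\"])(.*)\1", re.S)

# Constructed payload used to plant a sample shell; not from the thread.
SHELL_PAYLOAD = b"<?php if (isset($_POST['pwd'])) { echo system($_POST['cmd']); } ?>"


def _decode_chain(expr: bytes) -> bytes:
    """Resolve nested decoder calls ending in a string literal.  Anything else
    (variables, $_POST, unknown functions) raises ValueError, so attacker input
    is never interpreted."""
    m = CALL.fullmatch(expr.strip())
    if m:
        fn, data = m.group(1).lower(), _decode_chain(m.group(2))
        if fn == b"base64_decode":
            return base64.b64decode(data)
        if fn == b"gzinflate":          # PHP gzinflate = raw DEFLATE, no zlib header
            return zlib.decompress(data, -15)
        if fn == b"gzuncompress":       # PHP gzuncompress = zlib-framed stream
            return zlib.decompress(data)
        if fn == b"str_rot13":
            return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
        raise ValueError("unsupported decoder %r" % fn)
    m = LITERAL.fullmatch(expr.strip())
    if m:
        return m.group(2)
    raise ValueError("argument is not a static literal chain")


def unwrap(src: bytes, max_layers: int = 8) -> bytes:
    """Peel eval(decoder(...)) layers; stop at the first non-static one."""
    for _ in range(max_layers):
        m = EVAL_CALL.search(src)
        if not m:
            break
        try:
            src = _decode_chain(m.group(1))
        except (ValueError, zlib.error, binascii.Error):
            break
    return src


def wrap_payload(payload: bytes) -> bytes:
    """Build the eval(gzinflate(base64_decode('...'))) wrapper the thread describes."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = co.compress(payload) + co.flush()
    return b"<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(raw)


def scan_tree(root: str) -> dict:
    """Return {relative_path: [reasons]} for every file that deserves a look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in files:
            if not PHP_EXT.search(name):
                continue
            rel = name if rel_dir == "." else rel_dir + "/" + name
            reasons = []
            for d in NO_PHP_DIRS:
                if rel_dir == d or rel_dir.startswith(d + "/"):
                    reasons.append("PHP file under %s (no executable PHP belongs there)" % d)
            if DOUBLE_EXT.search(name):
                reasons.append("image-named file with a PHP extension")
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            payload = unwrap(data)
            if payload != data:
                reasons.append("obfuscated eval wrapper, decoded %d bytes" % len(payload))
            hits = {h.lower().decode() for h in SUSPICIOUS.findall(data) + SUSPICIOUS.findall(payload)}
            if hits:
                reasons.append("calls " + ", ".join(sorted(hits)))
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_site() -> str:
    """Constructed WordPress-like tree: one clean theme file, two planted shells."""
    root = tempfile.mkdtemp(prefix="wp-scan-")

    def put(rel, data):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    put("wp-content/themes/twentyten/functions.php",
        b"<?php add_action('init', 'theme_init'); function theme_init() {} ?>")
    put("wp-content/uploads/2012/02/header.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
    put("wp-content/uploads/2012/02/header.jpg.php", wrap_payload(SHELL_PAYLOAD))
    put("inc.php", b"<?php @eval($_POST['x']); ?>")
    return root


if __name__ == "__main__":
    for path, why in sorted(scan_tree(build_sample_site()).items()):
        print(path)
        for reason in why:
            print("   -", reason)
```

Run against a real document root with `scan_tree("/var/www/html")`. Expect some noise: a few legitimate plugins call `base64_decode`, so treat the indicator list as a triage queue and the decoded payload as the thing to read, not as a verdict.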
  14. RMX

    RMX Power Member

    Joined:
    Nov 16, 2009
    Messages:
    726
    Likes Received:
    389
    Occupation:
    Network Security Admin
    Location:
    London, UK
    What did they name it? This seems more of a hoax to me, than a real threat. Let us know the name of the "virus" please.
     
  15. WPRipper

    WPRipper Supreme Member

    Joined:
    Mar 24, 2010
    Messages:
    1,377
    Likes Received:
    1,493
    Location:
    Proudly romanian
    The problem is with FileZilla. The software sends passwords in plain text, so I suggest using SFTP instead of classic FTP if you want to keep this FTP client.
     
  16. worldisyours

    worldisyours Junior Member

    Joined:
    Jan 26, 2012
    Messages:
    109
    Likes Received:
    32
    Occupation:
    student
    I had a website that earned my first $100 online (and I actually got it for real), but it got hacked. A few months passed and I took the time and energy to create it again (as I didn't have a backup), and it got hacked a week later. Is it competition?
     