Icy Phoenix

Today I went to my site at http://www.hatewalmart.com only to get a warning from firefox that the site was an attack site. I was unable to connect to the site and after a great deal of time, was presented with a warning that "Windows Security" had detected some worms or viruses or some such thin, which is kind of funny since I am running Ubuntu Linux on my laptop and obviously do not have Windows Security. I logged onto the ftp site with filezilla and found several files in the root directory that I had not put there. They were files with the extension of .dat. I also found the html.php file with a bunch of code above the

Quote:

<?php
/***************************************************************************
* index.php
* -------------------
* begin : Sunday, March 21, 2004
* copyright : (C) 2004 masterdavid - Ronald John David
* website : http://www.integramod.com
* email :
*
* modded by : Mighty Gorgon
* website : http://www.mightygorgon.com
* email :
*
* note: removing the original copyright is illegal even you have modified
* the code. Just append yours if you have modified it.

section.

I deleted that and uploaded the updated file. I had to kill firefox at the command prompt to stop the redirect to the site that was playing and showing the images of the fake Windows Security scan.

The site was loading from which I do not recommend anyone running windows go to. Now when I navigate the site and watch the status bar, I can see that there are still transfers coming from the above url and the domain name that refers to another site listed as an attack site by firefox. I was going to upgrade to delete any file that could still be exploited by this site, but I am wary of doing so since they might be able to inject something into the database if they are still connecting with my site during the database upgrade.

I have two questions;

How could someone have written files to my root directory?

More importantly, how do I find out where they have other files in the system to put a stop to it?

A bunch of the files in the root directory and the adm directory claim to have been modified on 4/03/2011 which was two days ago. I logged on 3 days ago and everything was fine. The permission on these files are reported by filezilla as "adfrw (0644) under the permissions column. Then under the Owner/Group column I have 642 715. It appears that permissions have been changed.

I have 345 members at this site some of which are fairly active. I could really use some help with this.

edit: I left for awhile and again, when I attempt to navigate the site I am getting a message that says "Are you sute you want to navigate away from this site?" I have found some of the files, but I have not found all of them. I hate this little :censored: .

When I go to that IP you gave (on windows :LOL: ) the site stays blank and after a while AVG (which actually exists on my machine) steps in blocking
It may be a good idea to start by blocking this IP for any traffic (to give you some breathing space and time to await some better advice than mine

I think you should go back in memory if and what you have installed lately because this is ofcourse one way of getting infected

I'm sure someone knowledgable will get here soon to have a look and try to help you out :wink:

I have not installed anything recently. As a matter of fact, I had not even been going to the site much at all. I went there on, I think April 2nd. Then went out of town for a couple of days and checked on it again when I returned yesterday to find the mess I have now. It is also affecting several other sites on the same shared server. It could be something that was introduced by one of the many other site on the same server.

I have been comparing the files in several of the sites and I found some files in there root directory that were not there before. It appears that one other site is affected so far and some of the files that have been added are login.html mylife.html mysite.html mywork.html shop.html site.html. These were all last modified on 04/03/2011 along with many of the other files that have been there. These are at the site http://www.adjustersonly.net. I have not been to that site in several months. So it cannot have been from something that I installed. There was also a directory names 12 with two files in it. One is index.html with 0B of size and another called list.txt. The list is a lists of files with the full path to the files. It also has other users from the same server on it. I am going to open a trouble ticket with the hosting service. I do not think that this has anything to do with IP. I will update.

it apears that Icy does´nt use any html files. only index html and thats a blank page.

i think, you should add the IP in question to your main .htaccess file to block it

[http://www.hatewalmart.com]

A tag like that is sure to generate some sort of retaliation from those who don't :twisted:

I have heard back from my web hoster and discovered that the old version of osCommerce I was using for one http://forums.oscommerce.com/topic/...ix-it-as-it-is/

I looked at the htaccess file and I could not figure out how to include banning a specific domain or ip address. I could use some help with that. I downloaded the latest version of Icy, but I want to get the site cleaned, before I upgrade. Of course, upgrading would clean the site, but I can't log on and back-up the database, or run the install script with this mess on the site.

mort, the exploit has nothing to do with our tag. If you follow the above link, you will find out that it was an exploit used on an old osCommerce version. Besides, there are some guys who can't get a date, so they use their time making everyone else just as miserable as they are. :roll: Another interesting note, it appears that most of our members are people who work there. :)

Update: I added

order allow,deny
deny from 86.55.140.203
deny from 213.136.96.12
allow from all
to the bottom of my htacess file. One is the address that the fake windows page is loading from and the other is for webhosting.aviso.ci the name associated with chnatier.ci when I ping that domain name. When I am trying to load hatewalmart.com, the status bar tells me the browser is "Connecting to chantier.ci... This is spite of my banning the ip address in htaccess. More to come.

just add this at the end of your main htaccess file



replace 127.0.0.1 with the IP of the exploit (86.55.140.203)

that should work

or have a look here

From what I read there on the link you gave, editing the htaccess file may not even help if you missed one single file to clean up, they would simply delete it?

yep. looks like, first you clean all files.

when, htaccess should work

I thought if I updated the htaccess file it would slow them down a bit so that I could login and back the database before I delete everything and start over. I have already started "cleaning". After everything is deleted, I will start uploading the new file.

BTW, as long as I have the correct config file, wouldn't I be able to upload the new install directory and perform the update without all of the other file there? It would save on the uploading of the older version of IP before performing the upgrade.

i would make a copy of files-folder, downloads and pafield_db and config.php

when ill go to the admin c-panel of my server and pull a copy of the DB.

I´ll install Xampp server on my pc

and install a copy of my forum where, afterwards update the db and make the update to new version on local

check if all is ok , zip it up, and upload to the server

When all of this upgrade is finished it would be a good idea to use C-Tracker to check the files and log the checksums - Then in future "IF" there are any changes made that one didn't do - One should be able to determine with C-Tracker what files were changed.

:shock:

mort wrote: [View Post]

When all of this upgrade is finished it would be a good idea to use C-Tracker to check the files and log the checksums - Then in future "IF" there are any changes made that one didn't do - One should be able to determine with C-Tracker what files were changed.

:shock:

Good idea. I guess there are more uses for Ctracker than I realized. It was not just files in Icy that were affected. All of the php or html files have a php code appended to it. It was appended to code in php files that I wrote for http://afreecountry.com years ago. I was told that all of this occurred through a security exploit through the old version of osCommerce that I had installed under afrecountry.com/shop. The script then connected to a site at chantier.ci and the above mentioned url with the IP address where the faked windows scan was taking place. It also installed other files that created the video to lead someone to belive that a windows security scan was taking place on the users computer. Once the connection was made to the browser, it would not allow the user to close the browser or the tab within the browser. I had to run a kill command to close firefox once I had one of the affected pages. The only html files that I have found so far that have not been affect are those within the webstats subdirectory.

I have attached a text file that has the code that gets appended to the files in question. This code apparently makes a file browser out of any file within which it is appended. It also caused the creation of a subdirectory name simply 12 that had two files in it; an index.html file and a list.txt file. The list.txt file had a list of files that the program had found on the server including the full paths to get to them. Odds are, any file on the list had the code appended to it. I am wary of providing this code, since it works very well with the older version of oscommerce, but I think it has been eradicated on site that do a better job of updating there sites than I have done. :oops: But now I have seen the light. I will be MUCH more attention in the future. :mricy: I removed the php beginning and end tags, commented the whole code out, through it on the floor and stomped on it while holding my breath and left ear, so hopefully it will not cause any problems. I figured, just in case MightyGordon has not seen it, he can figure out how to combat it in future updates, just in case he hasn't already done so.

In short, this was not an Icy issue at all. So if anyone finds the string $ob_starting anywhere in any code on his site, it will likely be from this issue I had. The problem is, if one single file is not cleaned, the whole site will become infected again.

Thanks, spydie, I have bind running on a server at home and will do as you suggested. I pretty much have to rebuild everything, so it will take a bit of time. I appreciate everyones help. I will update as I go. I may need help with getting it running on my home server, but I can start new thread for that.

Then you may want to hit the solved button flabbergasted :wink:

Glad to see you figured it all out :mryellow:

flabbergasted wrote: [View Post]

I had to run a kill command to close firefox once I had one of the affected pages.

You know that you can start FF in safe mode?

Start -> All Programmes -> Mozilla Firefox -> Safe Mode. ;)