• Resolved iciman

    (@iciman)


    I have started to get a “XML parsing error” from my website http://www.glamourgrannytravels.com

    W3C Validator says that it is coming from line 195:
<img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=6744753">

    This is directly after the </rss> line.

    I have no idea how to clear the problem!! Could somebody please explain the problem, how this line got there after the site is over 4 months old and most importantly how to solve it.

    Thank you in advance.

Viewing 15 replies - 16 through 30 (of 41 total)
  • Sventy

    (@sventy)

    @jbekker – yes I thought about this. Or maybe to clean the incoming passwords from outdated login data, that doesn’t work anymore and have only passwords that still work.

    But the “price” for this would be an extremely high detection rate. If you look around the internet – almost all discussions start because a website didn’t work anymore. Just appending HTML code will break many scripts, even such popular ones as WP and Joomla.

    So why provoke such a high attention/detection rate?

    What comes to my mind is: to divert our attention from what they are really doing. I have seen this once before: A very obvious attack, easy to detect and easy to clean up. At the same time a very smart hidden backdoor was installed, which you might not notice because you clean up the easy, obvious stuff.

    Sven

    Sventy

    (@sventy)

    interesting discussion and some clean up stuff in this thread here:

    so far there’s another two topics dealing with the same issue:
    malicious 96.php in wordpress
    RSS feed won’t validate, junk after document element

    The big question is: how did these trojans get our “secured” FTP passwords? I’m using FileZilla as a client, what about you?

    UseShots

    (@useshots)

    Hi,

    Can anyone send me this 96.php (or whatever it is called on your server) file? I believe, there may be some more files involved. You can contact me here.
    http://www.UnmaskParasites.com/contact/

    @jbekker: How do you know about the “win32/kryptik”? (I agree that password-stealing malware may be involved. I just want to know how you figured out it was “win32/kryptik”. Did you find it on the computers of webmasters?)

    here’s the content of this nasty thing:
    [Code moderated as per the Forum Rules. Please use the pastebin]

    it writes also to index.php and htaccess and leaves some html pages in the logs folder of the website.

    jbekker

    (@jbekker)

    @useshots I blamed the Kryptik because the outbreak occurred after the virus warning popped up on the laptop.

    Sorry moderator for posting the file directly on the thread, I put it now on http://pastebin.com/0JRY8GcX

    UseShots

    (@useshots)

    Thanks @jbekker and @abdessamad Idrissi.

    Did you notice the .log/ directory or some other directory whose name begins with the “.”?

    jbekker

    (@jbekker)

    @useshots I looked for .(dot) directories but did not find any.

    I Changed all FTP passwords right after discovery of the breach…
    So this might have helped prevent the next step in the attack.

    I checked the FTP logs and all index.php and index.html files were uploaded using FTP from IP 46.252.130.109

    Hi,

    I checked hundreds of infected sites (with nn.php scripts) and almost every one of them contained the “.log/<domain_name>” directory next to that script. The directory contains cached spammy pages and attack maintenance files (e.g. malicious scripts).

    Can anyone who found such nn.php files on their site please contact me?
    http://www.UnmaskParasites.com/contact/ (even if you’ve already removed them). I need some additional information.

    Thanks for your help!

    I checked my FTP logs and found the bad guys who put these files come from this IP 91.200.240.10 which leads to Ukraine

    Another bad thing is the fact that Google says in its search results that my website is pirated! just next to the result title!

    Fortunately I used Google Webmaster Tools to report this and it was corrected the next day.

    Again, change all your FTP passwords; I forgot one password and the virus hit me again. It planted a file in the wordpress/wp-admin/41.php

    Please everybody, tell us what FTP client you use?
    I would like to know how this a** h**** (sorry for my bad language!) got my passwords?

    I use the latest version of the FileZilla FTP client for Windows.
    (and a big security hole: I saved all my passwords in a Word document with a strong password)

    what about you?

    I was also using FileZilla. And FileZilla saves your passwords in clear text.

    So after changing all passwords I did not save them anymore in FileZilla

    Thread Starter iciman

    (@iciman)

    Hello everybody and thanks for all the comments and questions.

    I started this thread about a month ago because I had the problem on one of my websites. After reading the replies I soon discovered that I had the same problem on all of the websites I look after (around 20 of them!!) What a weekend I had deleting and changing passwords. It also created problems with the feeds on the WordPress sites, with one site being banned because of this problem.

    I have noticed that there is a little bit of a recurring theme in a lot of the replies, that is – that FileZilla is used by people with the problem. I too use the program for file transfers and have done for a number of years. I am going to post on the FileZilla forum today to see what response I get from them.

    Anyway, after a month I have just discovered that it is back on one of my sites (and I haven’t checked the others yet due to having to delete over 15,000 files added to the site!!!). My question is this – has anybody got a definitive answer on how to remove this problem for good? And how did it start? I have AVG antivirus and Ad-Aware with automatic virus checks set up for 4 times a week. Yes, I have had viruses on my computer but I have not worked on some of the sites that got infected for months but they still got infected – How?

    This is the most frustrating time for me because I have people relying on me to look after their sites.

    @iciman:
    Here are a few of my blogposts that show how malware steals passwords saved in FTP clients:

    http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/
    http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/
    http://blog.unmaskparasites.com/2011/04/13/unused-programs-real-threats/

    You don’t have to work with sites. It’s enough that their credentials are saved somewhere on your computer (and malware knows where). So it only takes a few minutes to steal everything. So if you find malware on your computer you can safely assume that all your saved passwords have been compromised already (of course if they are not protected with a master key, which many webmasters usually forget to do).

    By the way, that .php script has a file upload function and I have proof that hackers use it to upload a web shell. (Check logs for requests with the &up100500 parameter)

    P.S. If someone wants to help me with my investigation you can contact me at http://www.UnmaskParasites.com/contact/
    I’m particularly interested in access log analysis. E.g. number of requests to that nn.php script. Or the .htaccess code if the filename is not nn.php

    Thanks
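An added example for the log triage UseShots asks for above (not code from the thread or from UnmaskParasites): it scans access-log lines in the common "combined" format, counts requests to two-digit nn.php scripts like the 96.php and 41.php mentioned in this thread, and flags requests carrying the up100500 upload parameter. The log lines below are constructed for illustration; the regex assumes the combined log layout.

```python
"""Triage web-server access logs for the indicators discussed in this thread:
requests to dropped nn.php scripts and requests using the up100500 parameter."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed "combined" layout: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# The thread reports two-digit script names such as 96.php and 41.php.
NN_PHP_RE = re.compile(r'/\d{2}\.php$')
UPLOAD_PARAM = "up100500"   # parameter named in the thread as the upload trigger


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return (requests per nn.php path, list of upload attempts)."""
    per_script = Counter()
    uploads = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if NN_PHP_RE.search(url.path):
            per_script[url.path] += 1
        # keep_blank_values=True so a bare "&up100500" (no "=value") is still seen
        if UPLOAD_PARAM in parse_qs(url.query, keep_blank_values=True):
            uploads.append((rec["ip"], rec["time"], rec["method"], url.path, rec["status"]))
    return per_script, uploads


# Constructed sample lines (documentation IP ranges, not real attacker addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Apr/2011:10:01:22 +0000] "GET /wp-admin/41.php?a=1&up100500 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Apr/2011:10:01:25 +0000] "POST /wp-admin/41.php?up100500 HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Apr/2011:10:02:00 +0000] "GET /96.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Apr/2011:10:02:01 +0000] "GET /feed/ HTTP/1.1" 200 9000 "-" "FeedFetcher"',
    'not a log line',
]

if __name__ == "__main__":
    scripts, hits = triage(SAMPLE_LOG)
    print("requests per nn.php script:", dict(scripts))
    for ip, when, method, path, status in hits:
        print(f"upload attempt {method} {path} from {ip} at {when} -> {status}")
```

Run it against your real log with `triage(open("access.log"))`; the per-script counts answer the "number of requests to that nn.php script" question and the upload list gives the source IPs and times to correlate with your FTP logs.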

  • The topic ‘XML parsing error’ is closed to new replies.