Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
  • Forum: Fixing WordPress
    In reply to: 2.9.2 site hacked
    nikosd66

    (@nikosd66)

    I just found in my log files the IP that ran this malicious script file on the date of infection.
    I did a search and I found the website also.
    Is it ok to post it here?
    Maybe the hacker uses an IP of innocent people?
    What are you suggesting?

    Forum: Fixing WordPress
    In reply to: 2.9.2 site hacked
    nikosd66

    (@nikosd66)

    Ok, I ran many tests.
    I have a dedicated server. I was trying to run the hacker’s script through the browser. With all possible file permissions except 777 it is not possible to change the php files.
    I was able to change php files (regardless of what the permissions are) only by running the script through SSH with superuser permission (root).
    However, this doesn’t happen with a shared hosting account. There, running the script from a browser, it changes .php files in all combinations of permissions except when write is not allowed at all.
    Besides, in shared hosting using SSH, the script doesn’t change anything. It has no effect, as the hosting provider doesn’t allow you to log in as superuser (root).
    Using the hacker’s script I wrote a script that checks if php files in a website are infected with this certain malicious code and removes it.
    The script reports how many files were infected and from how many of them the malicious code was successfully removed (because if files are not writable the code can’t be removed, although the hacker could infect them).
    I tested this script exhaustively using many combinations of dirs/subdirs and file permissions and it looks like it is working fine.
    Maybe using it with a cron or something (I’m not an expert in this field) is a good option.
    I’ll give you a link here where you can download it.
    It is a .zip file. You have to unzip it and upload it to your root directory. Then run the file using your browser.
    Here is the link
    (If the hacker changes the way the malicious code is written, then this script becomes of no use if not edited accordingly)
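A scanner of the kind the reply above describes, written here in Python as an added example rather than the poster's own PHP script (which is not reproduced on this page). Because the actual payload was moderated out of the thread, the signature is a constructed placeholder for an eval(base64_decode(...)) blob prepended to each .php file; the script walks a site tree, strips the blob where the file is writable, and tallies infected, cleaned and unwritable files the way the poster's report does.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed signature (placeholder): the real injected string was moderated out of the post,
# so adjust this pattern to the exact code found in your own infected files.
INJECT_RE = re.compile(
    rb'<\?php\s*eval\(base64_decode\([\'"][A-Za-z0-9+/=]+[\'"]\)\);\s*\?>[ \t]*\r?\n?'
)

def clean_file(path):
    """Return 'clean', 'cleaned' or 'unwritable' for one .php file."""
    data = path.read_bytes()
    if not INJECT_RE.search(data):
        return "clean"
    if not os.access(path, os.W_OK):
        return "unwritable"            # infected, but cannot be fixed in place (e.g. mode 444)
    path.write_bytes(INJECT_RE.sub(b"", data))
    return "cleaned"

def scan_tree(root):
    """Walk root recursively (dirs and subdirs) and count what was found and fixed."""
    tally = {"infected": 0, "cleaned": 0, "unwritable": []}
    for path in sorted(Path(root).rglob("*.php")):
        state = clean_file(path)
        if state == "clean":
            continue
        tally["infected"] += 1
        if state == "cleaned":
            tally["cleaned"] += 1
        else:
            tally["unwritable"].append(path.name)
    return tally

PAYLOAD = b'<?php eval(base64_decode("UExBQ0VIT0xERVI=")); ?>\n'   # constructed sample, decodes to PLACEHOLDER

def demo():
    """Build a constructed site tree, scan it, and return (tally, cleaned index.php content)."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "wp-content").mkdir()
        (site / "index.php").write_bytes(PAYLOAD + b"<?php echo 'home'; ?>\n")
        (site / "wp-content" / "plugin.php").write_bytes(PAYLOAD + b"<?php echo 'plugin'; ?>\n")
        (site / "readme.txt").write_bytes(PAYLOAD)              # not .php, so ignored
        locked = site / "wp-config.php"
        locked.write_bytes(PAYLOAD + b"<?php define('DB_NAME', 'x'); ?>\n")
        locked.chmod(0o444)                                      # read-only file, as in the thread
        return scan_tree(site), (site / "index.php").read_bytes()

if __name__ == "__main__":
    print(demo())
```

Run as a non-root user the read-only wp-config.php is reported as infected but unwritable; as root it is cleaned as well, which mirrors the poster's observation that only root could write regardless of mode bits.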

    Forum: Fixing WordPress
    In reply to: 2.9.2 site hacked
    nikosd66

    (@nikosd66)

    Here is what I found out:
    At the time that the infection took place, all .php files were infected. As you can see from the malicious code, only php files are supposed to change.
    The only file that remained uninfected was configuration.php and that is because it had permissions 444.
    All files with permissions 705 or 644 (index.php etc) were infected.
    So the hacker acts like an owner of the files.
    The conclusion is that if you don’t give write permissions to php files then you’ll stay clean. Maybe setting permissions to 555 or 544 is the solution?
    Can anyone here tell me if this is going to affect the effectiveness of the site?
    By the way @useshots, directory permissions were drwx---r-x
    and after I double checked, this joined_lemmie.php malicious file has permissions 644. This for sure.

    Forum: Fixing WordPress
    In reply to: 2.9.2 site hacked
    nikosd66

    (@nikosd66)

    I can see permissions and owner only after I restore the file. I don’t know if they change after restoration.
    Anyway, permissions are 644
    and the owner is the same as every other file. <hosting account name>:inetuser

    Forum: Fixing WordPress
    In reply to: 2.9.2 site hacked
    nikosd66

    (@nikosd66)

    Clundie,

    I censored out the bits that would identify me or the attacker but I can tell you: it was a .php script that doesn’t exist on my site, so somebody must have uploaded it, ran it, then deleted it.

    Here is what happened in a linux shared hosting account:
    May 6, 2010: a file named “joined_lemmie.php” appears in the root directory and then this file was deleted.
    May 7, 2010: all .php files were infected with malicious code (eval base_64….) (I saw it decoded earlier in a post here.)
    I restored the deleted file from the backup set and here is the script (after I decoded it):
    [hack code moderated]

    What I did was to delete every file in the site and replace them from a backup set dated before May 6,2010.
