huntor
Regular
Joined: Jun 13, 2006
Posts: 53
Posted: Sun Jan 25, 2009 3:25 pm

Hey guys, I'm not exactly sure how they are doing it. I am using RavenNuke software 2.20.01 and Sentinel is updated to 2.6.01. Yesterday I wiped the site clean and only uploaded the core components of Raven's Nuke. They are writing to the index.php and index.html files on the site. My AVG is picking up the files as JS/Psyme.QM. I basically have everything turned off in the php.ini and it is still happening. I have been checking logs and I am not sure exactly how they are doing it. Any help would be great. Also, many other sites are running Nuke and have not been hit, just this single site.

jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3038
Location: United Kingdom
Posted: Sun Jan 25, 2009 4:12 pm

Are you sure it's not a false positive from your virus checker?

Is any code added to the index.php and index.html files?

huntor
Regular
Joined: Jun 13, 2006
Posts: 53
Posted: Sun Jan 25, 2009 4:24 pm

Yes, there is code added to it. And any time that file gets replaced is when the AVG picks it up. Because I have about 15 sites that are running it and none of the others are getting picked up. I looked at the FTP logs now and it looks like it may just be an FTP access issue where someone got the password. I have changed the password for their site and am going to see what is going on. But yes, it's not picking it up as a false positive.

jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3038
Location: United Kingdom
Posted: Sun Jan 25, 2009 4:26 pm

OK let us know what you find.

evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Sun Jan 25, 2009 5:37 pm

Why are you not using 2.3.0?
I don't think there were any major security issues, but you really should be upgraded to the latest code.

huntor
Regular
Joined: Jun 13, 2006
Posts: 53
Posted: Sun Jan 25, 2009 5:46 pm

Hehe, I was waiting for the 2.3.01 version because of a few small bugs, and a lot of my users used the nukegallery.

testy1
Involved
Joined: Apr 06, 2008
Posts: 483
Posted: Sun Jan 25, 2009 6:24 pm

After searching my intranet I came across this link (visible to registered users only).

Since I repair computers for a living, it seems a few desktops have had this problem. So this is what I used to get rid of it. Maybe worth a look.

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
Posted: Sun Jan 25, 2009 6:50 pm

Thanks Testy1! Very interesting. Google for JS/Psyme.QM and you'll get a boatload of hits. Here's a pretty good description (link visible to registered users only).

huntor
Regular
Joined: Jun 13, 2006
Posts: 53
Posted: Sun Jan 25, 2009 6:54 pm

Yeah, I know, I've been looking at it for a while. But I see the person that we think is doing it logging in and specifically replacing those files with that. I feel confident that's what is going on. My AVG picks it up and holds it, which caused the website error, which I'm fine with, lmao. No sense in anyone else getting the virus. It hasn't infected the machine itself since it catches it very fast. As soon as Apache tries to load it, AVG snags it.

nuken
RavenNuke(tm) Development Team
Joined: Mar 11, 2007
Posts: 1536
Location: North Carolina
Posted: Sun Jan 25, 2009 7:05 pm

That's why I use Linux. Viruses and adware are way too annoying.

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
Posted: Sun Jan 25, 2009 7:26 pm

Off Topic: Huntor, your email address in your user record keeps bouncing and gets returned to me. Please fix.

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
Posted: Sun Jan 25, 2009 9:11 pm

Check your Preferences and make sure that he/she hasn't somehow injected an iframe into your foot_msg fields in Preferences.

huntor
Regular
Joined: Jun 13, 2006
Posts: 53
Posted: Mon Jan 26, 2009 3:40 pm

Oh Raven, you are so picky. WILL DO SIR!!!!!!!

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
Posted: Mon Jan 26, 2009 3:53 pm

huntor wrote:
> Oh Raven, you are so picky. WILL DO SIR!!!!!!!

I just hate reading other people's mail - unless it's really interesting.

huntor
Regular
Joined: Jun 13, 2006
Posts: 53
Posted: Mon Jan 26, 2009 3:53 pm

Ahh Raven. I happened to have found a new bug you might be interested in. I changed my address as you wanted me to. I received the request in email to reactivate:

Hello huntor,

Your account on "Ravens PHP Scripts And Web Hosting" has been deactivated, most likely due to changes made to your profile. In order to reactivate your account you must click on the link below:

Once I clicked on the link a big issue happened. Just a plain white screen, not saying I was verified, nor could I access the forums anymore without it being blank white, and I couldn't see my account settings either. I thought maybe it was because of cache, so I switched to Firefox and got the same thing. I logged out and I can see the forums again, but if I log in I can't see anything. That is why I'm using huntor2 now. Maybe a coding issue somewhere.

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
Posted: Mon Jan 26, 2009 4:00 pm

I have reactivated your original huntor name. I will delete huntor2 after I switch your huntor2 post over to huntor. Please log off huntor2 and don't use it. Thanks for the heads-up on the reactivation.

huntor
Regular
Joined: Jun 13, 2006
Posts: 53
Posted: Mon Jan 26, 2009 4:04 pm

Yay, thanks Raven.

huntor
Regular
Joined: Jun 13, 2006
Posts: 53
Posted: Mon Jan 26, 2009 4:11 pm

Oh, just a PS to the post about using Unix/Linux. This would not have mattered. It was an FTP issue where someone got hold of a password and went in and replaced the index files with certain code in them. So a Unix/Linux box would have been infected as well any time someone viewed those files using the <iframe code.
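As an added example (not code from this thread or from RavenNuke), a small Python check for what huntor describes above and Raven suggested earlier: whether index.php/index.html still match the hash recorded after a clean upload, and whether the content (a file or a foot_msg preference field) carries an iframe that is hidden or points at an off-site host. The sample HTML and host names are constructed.

```python
import hashlib
import re

# Constructed sample (not from the thread): an index.html that an intruder holding the
# FTP password has rewritten to carry a hidden iframe after the real markup.
CLEAN_INDEX = "<html><body>\n<p>Welcome to the site</p>\n</body></html>\n"
INFECTED_INDEX = CLEAN_INDEX + (
    '<iframe src="http://bad.example/loader.php" width="0" height="0" '
    'style="display:none"></iframe>\n'
)

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Zero-size or CSS-hidden frames are the usual mark of an injected, not editorial, iframe.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0(?:px)?["']?|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)

def sha256_hex(content):
    """Hash of a file's text; record it for index.php/index.html right after a clean upload."""
    return hashlib.sha256(content.encode()).hexdigest()

def tampered(content, known_good_sha256):
    """True if the file no longer matches the hash recorded after the clean upload."""
    return sha256_hex(content) != known_good_sha256

def suspicious_iframes(html, allowed_hosts=()):
    """(line_no, src, reason) for each iframe that is hidden or points at a host not in
    allowed_hosts. Works on files and on stored fields such as the foot_msg preferences."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        line_no = html.count("\n", 0, m.start()) + 1
        src_m = SRC_RE.search(tag)
        src = src_m.group(1) if src_m else ""
        host = ""
        if "://" in src or src.startswith("//"):  # absolute URL: pull out the host part
            host = src.split("//", 1)[1].split("/")[0].lower()
        reasons = []
        if HIDDEN_RE.search(tag):
            reasons.append("hidden")
        if host and host not in allowed_hosts:
            reasons.append("off-site src")
        if reasons:
            findings.append((line_no, src, ", ".join(reasons)))
    return findings

if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_INDEX)  # what a clean upload would have recorded
    print("index.html tampered:", tampered(INFECTED_INDEX, baseline))
    for line_no, src, why in suspicious_iframes(INFECTED_INDEX, {"www.example.com"}):
        print(f"line {line_no}: iframe src={src!r} flagged ({why})")
```

Run it over the web root on a schedule; a hash mismatch on a file nobody edited is the earliest sign that the FTP credential is being used by someone else.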

Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6373
Location: Vsetin, Czech Republic
Posted: Mon Jan 26, 2009 5:42 pm

huntor wrote:
> Oh, just a PS to the post about using Unix/Linux. This would not have mattered. It was an FTP issue where someone got hold of a password and went in and replaced the index files with certain code in them. So a Unix/Linux box would have been infected as well any time someone viewed those files using the <iframe code.

There is a big distinction between being infected and the infection being able to do its job. Contrary to popular belief, many Unix/Linux boxes are 'infected' but since the attack vector is likely aimed at Windyblows it just doesn't do anything - except maybe pass that infection on to a Windyblows machine.

If the user got hold of the ftp password for the main ftp account you *must* change the cPanel or hosting control panel password.

huntor
Regular
Joined: Jun 13, 2006
Posts: 53
Posted: Mon Jan 26, 2009 6:40 pm

I agree with that.

montego
Site Admin
Joined: Aug 29, 2004
Posts: 9133
Location: Arizona
Posted: Fri Jan 30, 2009 6:25 am

nuken wrote:
> That's why I use Linux. Viruses and adware are way too annoying.

Just don't think you are immune... as the popularity of Linux on the desktop grows, so will the "troubles".

nuken
RavenNuke(tm) Development Team
Joined: Mar 11, 2007
Posts: 1536
Location: North Carolina
Posted: Fri Jan 30, 2009 7:00 am

True. If you are not running as the root user, the chance of having a virus install is greatly reduced. Plus, .exe files are not native to Linux; Wine may be affected but not the Linux system. I have been using Ubuntu for a couple of years and found it to be idiot safe (lucky for me). All the computers I fix for "friends" because of viruses and adware would never be an issue in Linux.

montego
Site Admin
Joined: Aug 29, 2004
Posts: 9133
Location: Arizona
Posted: Fri Jan 30, 2009 7:08 am

I agree about the "greatly reduced" part. Just remember that your logged in user isn't immune, which means anything that you can run as that user from that user's account (i.e., owned by it). Also, on the Ubuntu side, what if you had just used sudo for something within the last 15 minutes... aren't the login credentials cached? (Don't shoot me Ubuntu/linux experts. I admit this is only speculation as I haven't a clue on that one.) Also, what about browser extensions and cache??? Virus writers know what O/S you are coming from based upon the headers, unless you are somehow obscuring that...

nuken
RavenNuke(tm) Development Team
Joined: Mar 11, 2007
Posts: 1536
Location: North Carolina
Posted: Fri Jan 30, 2009 7:32 am

You are right that the main reason Linux is "Virus Safe" is that most hackers attack Windows with their scripts. Ubuntu releases updates very regularly and the Linux core is updated regularly too. Nothing is 100% safe. Someone out there will always find a hole in security if given enough time. Compared to Windows, Linux is like Fort Knox though.

evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Fri Jan 30, 2009 11:03 pm

No, compared to Windows, Linux is Canada. No one cares to invade Canada, there's no money to be made there. (I joke, really!)