Infected PHP from recent Dreamhost FTP password hack

I’m hoping this is old news, but I wanted to offer this for inspection just in case.

I noticed something was wrong when my iPad redirected me to a porn site when trying to view my own webpage.

Dreamhost had their FTP user/pass repository hacked recently. I had changed my password, but when I tried to log-in yesterday, I found my newly requested password didn’t work.

When I got into my FTP dir today, I finally noticed that all of the .PHP files had had lines similar to the following “line” of code added to their head:

Malicious code has been removed

All subdirs I searched of my Gallery folders and production ‘Boards had it. (It’s a bloomin’ mess.)

Other than letting the people who know about these sorts of things chew on it to see how dangerous it is, I felt it important to make a little noise for other Dreamhost users to look at their own websites.

And of course, my worry is that it’s more than just a redirect. :frowning:

-Ama

Oh, yes, I forgot to mention when I had to retype the message, (because it disappeared from the entry form when I didn’t type the ReCapatcha correctly)…

All the infected PHP’s showed a modified datestamp of 3/18/2012.

-Ama

Don't post suspected malware code in the forum, as this will raise an alarm if your antivirus detects it.

What is the URL you have problems with? Post the link unclickable.

Hi Amadhia,

First, please remove the malicious coding from your first post as Pondus recommended! (mod: removed coding for you)

The code you thought was suspicious is indeed malware. The decoding of it shows that it checks for OS and other key elements to hide the redirection to you. When it feels that it wants to redirect, there is another Base64 inside the previous Base64 to decode. Sneaky.

You should remove this coding ASAP. Following that, change ALL of your passwords. It is possible that the hacker got access to your email account if you use the same password for both of them.

It would also help if you posted the link to your site. Use hXtp instead of http to avoid accidental clicks.

This malware is indeed dangerous.

Possibly a new kind of exploit. No antivirus detects it even when level-1 decoded (as seen above).

https://www.virustotal.com/file/060598d25399a88519e316c43a2b74d3478b4cb3ea0769b68336409f94554ee1/analysis/1332593768/
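A defender's triage script for what this post describes, added here as an example (not code from the thread or from any poster): it flags .php files whose opening tag is followed by eval(base64_decode(...)), peels the nested base64 layers so the payload can be read without executing it, and can restrict hits to files modified on one day (the 3/18/2012 stamp noted above). The sample web root it builds is constructed, and example.invalid is a placeholder.

```python
import base64
import binascii
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Injected head: <?php followed (bar an optional comment) by eval(base64_decode(
INJECTED_HEAD = re.compile(r'\A\s*<\?php\s*(?:/\*.*?\*/\s*)?@?\s*eval\s*\(\s*base64_decode', re.I | re.S)
# The quoted argument of any base64_decode("...") call
B64_ARG = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)', re.I)

def is_injected_head(php_source: str) -> bool:
    """True when the opening <?php tag is followed by eval(base64_decode(...))."""
    return INJECTED_HEAD.search(php_source[:2048]) is not None

def peel_base64_layers(php_source: str, max_layers: int = 8) -> list[str]:
    """Decode nested base64_decode() arguments layer by layer; returns each decoded text."""
    layers, current = [], php_source
    for _ in range(max_layers):
        m = B64_ARG.search(current)
        if m is None:
            break
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
        except binascii.Error:
            break
        current = raw.decode("utf-8", errors="replace")
        layers.append(current)
    return layers

def scan_tree(root: Path, modified_on=None) -> list[tuple[Path, int]]:
    """List (path, nesting depth) for injected .php files; modified_on (a date) limits hits to that day."""
    hits = []
    for path in sorted(root.rglob("*.php")):
        if modified_on and datetime.fromtimestamp(path.stat().st_mtime).date() != modified_on:
            continue
        src = path.read_text(errors="replace")
        if is_injected_head(src):
            hits.append((path, len(peel_base64_layers(src))))
    return hits

def make_sample_tree() -> Path:
    """Constructed sample (not from the thread): a clean file and one with a two-layer injected head."""
    root = Path(tempfile.mkdtemp())
    inner = base64.b64encode(b'header("Location: http://example.invalid/");').decode()
    outer = base64.b64encode(f'eval(base64_decode("{inner}"));'.encode()).decode()
    (root / "index.php").write_text(f'<?php eval(base64_decode("{outer}")); ?>\n<?php echo "gallery"; ?>\n')
    (root / "clean.php").write_text('<?php echo "hello"; ?>\n')
    return root
```

Run scan_tree(Path("/path/to/webroot")) on a copy of the site taken before cleanup; the decoded layers tell you where the redirect points, which is what to block and report.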

Oh my! :frowning:

I’m glad to have made you all aware of it then!

I worried about what it would do if I would have posted the code… So I inserted a few spaces and then a carriage return after the <<php thing that begins it… …so it would look visually like what I saw in my text editor, but hopefully be defanged…

(With revulsion I wanted to get all of it totally off my site ASAP, I didn’t even think about leaving an unlinked infected file there and posting the URL made unclickable. I will know better now, thank you. I hope I won’t have to use that knowledge soon. :frowning: )

I was able to do a System Restore on both PC’s I viewed my site on, (and a full boot-time scan… But if you said that no scanners detected it…) I’m just worried about the extent of the infection… Did it leave anything on either my PC’s or my iPad? I’m afraid to change PW’s from a machine I know I viewed my site with. :frowning:

(Oh, and sorry for taking so long to respond here… I had thought I’d set this post to notify me when replies were made… Today and last night were all about trying to fix/clean/restore my site… I’ve been sending out resumes and my site is where my portfolio and demo reel are. :frowning: )

Thank you so very much for looking into this!

Ama

Hi Amadhia, if you wish, I can check your PCs out.

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*

C:\commands.txt echo list vol /raw /hide /c
/wait
C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

THEN

Download aswMBR.exe (1.8 MB) to your desktop.
Double click aswMBR.exe to run it, then click the “Scan” button to start the scan.


On completion of the scan, click Save log, save it to your desktop and post it in your next reply.


Did it leave anything on either my PC's or my iPad?
To my knowledge there is no malware found for iPad / iPhone yet… except some jailbroken iPhones that were using apps not from iTunes.

Thank you, essexboy…

…um… If the systems that !Donovan threw at the code didn’t register anything, how can an infection by it be cognized until a new “Virus Definitions” can be made to find and include it?

(My apologies if I seem like reeeeaaalllly skittish… But I’m really skittish now… :confused: )

-Ama

Thank you Pondus. I’d hoped that was the case… And knowing very little about the “cutting edge” of bad’uns, I had to ask.

Thank you.
-Ama

The malicious code that I was talking about on your website redirects to another website, as you have seen.

The website that showed instead of your website may contain additional potentially malicious coding. That is why essexboy is checking your computer for any abnormal findings.

As for the script that isn’t detected by anything. That is the redirect script. Therefore nothing was done. The redirected site however can do damage if it contains malicious coding.

Hope this clears it up for you,
~Donovan

Oh! Thank you !Donovan. (shakes her head I’m sorry to be so skittish, but I try so consciously to be safe with respect to the Internet that I’m just thrown for a loop by all this.)

Wow… all that Base64 was just redirect? It was so big it scared me.

Thankfully… the only redirecting I saw was on the iPad, (on which I did the power-button + home-button reset thing, & cleared all cookies and history and web data so I’m hoping all traces of bad are now gone from it). And I closed the redirected page both times I saw it happening…

(I’d been working on updating my site all day on my Avast/Firefox PC and not even once saw it redirect…)

Thanks guys… for doing what you do to keep the rest of us safe… and thanks for your patience with folks who have been a little freaked by finding an odd thing like this.

-Ama

(I’ve DL’d OTL and aswMBR and am queuing up to do those steps that Essexboy posted.)

Whenever you get the time to fit them in. I am subscribed to this topic so I will know when you answer ;D

Thanks, essexboy! :slight_smile:

I’m attaching both the otl.txt and extras.text files… (They’re long so I attached rather than pasted…)

-Ama

I’m attaching the aswMBR.txt that aswMBR saved after it said that the scan had finished successfully. (I see it also generated an MBR.dat file, but it doesn’t look like it has any text characters for me to paste here.)

Thanks again so much for offering to see if all is okay…!

-Ama

Looks like there was a failed attempt to install malware as shown by the ads - but it didn’t stick

I will also remove some Java security loopholes

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (a16qi0nj)
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
[2010/09/14 09:17:20 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2011/03/08 13:04:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - No CLSID value found.
@Alternate Data Stream - 1346 bytes -> C:\Users\XPC1\AppData\Local\l8A8mJOO:5EQuSdYdUrVODSDw

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

It took a while – the first couple of times I tried the fix, OTL became unresponsive…

I rebooted, then OTL completed the fix and reboot with no further issues. (I’m attaching first the log file that was shown after the machine came back from rebooting.)

I’m also attaching (the second file) the log results of the QuickScan (run after the fix-and-reboot).

I noticed that there are a couple of files in c:/_OTL/MovedFiles/* …

…I trust it caught something?

Thanks so much!
-Ama

Yep those are the bits we moved to quarantine ;D

How is the computer behaving now ?

I don’t need those infected files anymore – I can delete them, yes?

The machine seems to be running fine now – Firefox no longer hangs when I try to test a Unity web build. :slight_smile:

Thanks so much for taking the personal time to examine my machine!

By the way… I notice you like dragons?

As a little token of thanks, I’d like to give ya a picture of a dragon I did a while ago. :slight_smile:

Thank you again!
-Ama

OK thankee I will snaffle that one ;D

Let's clear my rubbish away and all the bad stuff.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

[*]Go to this site and click Do I have Java
[*]It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]Go to Start > All Programs > Accessories > System Tools
[*]Right click Disk Cleanup and select Run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:


Malwarebytes. Update and run weekly to keep your system clean

Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date, visit

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave: