Code inserted to all my PHP scripts - eval(base64_decode())

Posted by Zixt, 05-24-2013, 06:31 PM
Just had a hack attack on my development machine. All PHP scripts had the following: inserted after PHP long tags (ONLY long tags, seemed to ignore short). Decoded, it results in: As far as I can tell, the code redirects the request to iddqd.compress.to if the request URL is from popular websites such as Facebook, MySpace and Google. This could allow the end server to capture request data including usernames, passwords and other personal information. The host referenced, "iddqd.compress.to", goes to 94.242.251.211, an IP address on the root.lu network. An abuse email has been sent to them regarding this matter. A reverse DNS gives me the domain justhes.info. Has anyone else had a similar hack attack themselves? I'm still investigating this matter on my own network, so I'll be interested to hear more.

Posted by Beast5, 05-24-2013, 08:52 PM
iddqd? Godmode attack? Seriously, check your logs for the last login to FTP, change all your passwords, and start cleaning or upload a backup.

Posted by Zixt, 05-24-2013, 09:38 PM
I've cleaned all files (Notepad++ found 16000 copies of the code within my http dir). There is no FTP access to the server and no publicly visible applications available on my server, so I am unsure how the attack was performed.

Posted by Beast5, 05-24-2013, 09:48 PM
Scan your local machine; it could have originated from malware on the developer's workstation.

Posted by Zixt, 05-24-2013, 10:06 PM
Scan is currently in progress. I've combed the logs and found no suspect requests that could have been made if a web application was found.

Posted by Steven, 05-24-2013, 11:21 PM
Scan your workstations, if Windows, with 'Hitman Pro'. http://www.surfright.nl/en/hitmanpro/

Posted by tuxandrew, 05-25-2013, 01:13 PM
Just clean your scripts and reset all passwords.

Posted by Zixt, 05-25-2013, 02:38 PM
Cheers for the tip Steven. The first scan had a few malware detections that have all now been removed; Hitman Pro is now scanning also. Tuxandrew, that would clean my scripts but that would not give me insight as to how the attack was perpetrated, since there are no publicly visible systems where files can be edited. The cleaning part was easy; it's discovering how that is harder.

Posted by tuxandrew, 05-26-2013, 05:10 AM
If the scripts were not published and they were infected within your local machine (if I understood correctly), I suspect your machine was already infected; this can easily happen when the machine is not anti-virus protected. The IP 94.242.251.211 seems to be the culprit; make sure that the IP is blocked on the live servers to which you are connecting frequently. Also, if possible, please audit the FTP as well as domain logs of these servers to get more clues regarding the attack, and do scan the temporary folders for any malicious uploads. Also scan the local machine thoroughly to get all infected contents (if any exist). Please reset all FTP, admin and machine passwords to stronger ones. If you need better assistance, then please check this with a system administrator to get more confirmation regarding this.

Posted by zoid, 05-26-2013, 05:53 AM
It also would not ensure the machine is not further compromised. No, this is the webserver where it redirects to. There is no indication any attack whatsoever originated from there.

Posted by tuxandrew, 05-26-2013, 07:39 AM
This is correct and is a known fact which was already mentioned in the first post in this thread. But to find the root cause of the problem and for preventive measures, I believe a detailed check with the logs might help you on this.

Posted by zoid, 05-26-2013, 09:16 AM
I don't know what you refer to.

Posted by mileweb, 05-26-2013, 11:37 PM
What OS install?

Posted by voidSecurity, 05-28-2013, 05:07 PM
You forget the most important part, patch the vulnerability/fix the system misconfiguration that was used to penetrate the machine in the first place.

Posted by BestServerSupport, 05-29-2013, 01:01 PM
To avoid this kind of issue in future, I would suggest you install Mod_Security for PHP. This will not allow users to upload exploited PHP scripts.

Posted by WeWatch, 05-29-2013, 01:56 PM
If you have no publicly facing applications (WordPress, Joomla, etc.) and you don't allow FTP, or any of its variants, and you have found malware on your desktop/laptop, then I believe it could be a case of a password-stealing trojan. We've found that to be typical of the "DQ..." type infections: stolen passwords. The problem is that it sounds like the hackers may have stolen your hosting account password. If you have cPanel you can check the .lastlogin, but if you've logged in then that will be your IP address. I would recommend: finish scanning your local computer. I would suggest Malwarebytes, but that's just a personal preference. Then, change all passwords: hosting account, any FTP accounts, even if they're not used, and all others. Then make certain there aren't any backdoor shells left behind by the hackers. We typically see many base64_decode type shells in this type of infection. If you have a known, good, clean back-up I would restore that rather than cleaning. It's impossible to provide a list of all the different backdoor shells available and how to find them, so you could do all this cleaning and still get re-infected. Although if you don't have any outward-facing applications that would be difficult. Please keep the thread going with what you end up doing.
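A scanner for the injection pattern this thread describes (an eval(base64_decode("...")) statement dropped after the <?php long tag), added here as an illustration and not code posted by anyone in the thread. The regex is this example's assumption about the injected form, not a signature for a specific malware family; the infected sample file and its decoded string are constructed, and the decoded payload is only reported, never executed.

```python
import base64
import os
import re
import tempfile

# Injected form the thread describes (assumed here): eval(base64_decode("...")) after <?php.
INJECT_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*;?",
    re.IGNORECASE,
)

def find_injections(source: str) -> list:
    """Return (base64_payload, decoded_text) for every match in a file's source."""
    hits = []
    for m in INJECT_RE.finditer(source):
        b64 = m.group(1)
        try:  # decode for inspection only; never eval the result
            decoded = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
        except ValueError:
            decoded = "<undecodable>"
        hits.append((b64, decoded))
    return hits

def clean_source(source: str) -> str:
    """Strip the injected statements, leaving the <?php tag and real code intact."""
    return INJECT_RE.sub("", source)

def scan_tree(root: str) -> dict:
    """Walk root and map each infected .php path to its list of hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injections(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample: a harmless echo stands in for the real redirect payload.
SAMPLE_B64 = base64.b64encode(b'echo "constructed sample";').decode()
INFECTED = '<?php eval(base64_decode("' + SAMPLE_B64 + '"));\nfunction hello() { return 1; }\n'
def demo_scan() -> tuple:
    # Scan a temp dir holding one infected and one clean file; return (files, hits).
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "a.php"), "w") as fh:
            fh.write(INFECTED)
        with open(os.path.join(tmp, "b.php"), "w") as fh:
            fh.write("<?php\nfunction clean() { return 2; }\n")
        report = scan_tree(tmp)
        return (len(report), sum(len(h) for h in report.values()))
```

Run scan_tree against a copy of the web root and review every decoded string before deleting anything; a backdoor that is not wrapped in this exact form will not match, which is why the restore-from-clean-backup advice above still stands.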

Posted by zoid, 05-29-2013, 01:57 PM
mod_security has nothing to do with PHP; it's an Apache security module and does not harden PHP. It can filter user input and therefore possibly prevent particular typical attacks, but that's it. Foremost the code needs fixing; only then should additional security layers be considered.
