
Malware found

Posted by HostFriendly, 09-06-2012, 06:16 AM
Hi. In the last few days I started receiving blacklist notices when I try to enter my and my clients' sites. We found JavaScript malware. Here is the code (I edited the code because it may be against the forum rules to post it in full). We remove the code from the files, but it gets inserted there again after a time. I tried changing the root password, but no result. Any advice? Regards.

Posted by khunj, 09-06-2012, 08:00 AM
You probably have been backdoored and as long as you don't find the backdoor, they will keep injecting their code. Check your HTTP (and FTP) logs.

Posted by BestServerSupport, 09-06-2012, 09:06 AM
1. Secure your /tmp partition with noexec.
2. Enhance PHP security by enabling mod_security.
3. Enable FTP over SSL/TLS.
4. Install a firewall on your server, such as CSF.
5. Install Suhosin.
6. Install a rootkit scanner such as Rootkit Hunter.

Posted by localdata, 09-06-2012, 10:38 AM
I would recommend ClamAV for your Linux server and the CSF firewall; they are both free to use and very useful.

Posted by kevinnivek, 09-06-2012, 12:07 PM
I'd also recommend writing a quick script to scan all web files for identifiable signatures of the injected code. Chances are they just injected as many sites/folders as possible on your system. Secondly, I'd recommend temporarily turning FTP off completely and restricting SSH to specific IP addresses. I've seen code like this be injected via vulnerable (insecure password) FTP accounts. The other suggestions (securing /tmp, noexec) are great as well. Moving forward with new systems, I'd recommend you use a system like Tripwire that keeps track of all file modification dates/times, so it can make restoring much easier by determining all the affected/modified files based on the unauthorized modification dates/times. Thanks
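
Added example, not code from the thread or from any poster: a small Python script that does the two things kevinnivek describes, scanning a tree of web files for a signature and comparing file hashes against a baseline taken while the tree was clean. The signature regex, the directory layout and the sample files are assumptions; the thread does not show the injected code.

```python
"""Signature scan plus tripwire-style hash baseline over a web root.

Added example, not from the thread. INJECT_PATTERN is a hypothetical
signature (the real injected code is not shown on the page); the two
account directories and their files are constructed inside a temp dir.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical signature: a <script> tag whose body starts with eval(.
# Replace with a distinctive substring from your own infection.
INJECT_PATTERN = re.compile(rb"<script[^>]*>\s*eval\(", re.IGNORECASE)
WEB_EXTS = {".php", ".html", ".htm", ".js", ".tpl"}


def find_injected(root):
    """Return relative paths of web files whose bytes match the signature."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            if INJECT_PATTERN.search(path.read_bytes()):
                hits.append(path.relative_to(root).as_posix())
    return hits


def hash_tree(root):
    """Map every regular file under root to its SHA-256 (the baseline)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_baseline(baseline, current):
    """Classify files as changed, added or removed relative to the baseline."""
    return {
        "changed": sorted(f for f in current if f in baseline and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo():
    """Build a constructed two-account web root, baseline it, then simulate the injection."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "acct1" / "public_html").mkdir(parents=True)
    (root / "acct2" / "public_html").mkdir(parents=True)
    clean_php = b"<?php echo 'hello'; ?>\n"
    clean_html = b"<html><body>ok</body></html>\n"
    (root / "acct1" / "public_html" / "index.php").write_bytes(clean_php)
    (root / "acct2" / "public_html" / "index.html").write_bytes(clean_html)

    baseline = hash_tree(root)  # taken while the tree is known-good

    # Simulated attacker activity: append the script to one page, drop a new PHP file.
    injected = b'<script type="text/javascript">eval(unescape("%2f%2a"))</script>\n'
    (root / "acct2" / "public_html" / "index.html").write_bytes(clean_html + injected)
    (root / "acct1" / "public_html" / "wp-cache.php").write_bytes(b"<?php @eval($_POST['c']); ?>\n")

    return find_injected(root), diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    hits, delta = demo()
    print("signature hits:", hits)
    print("baseline diff:", delta)
```

The point of running both checks is that they catch different things: the signature scan finds every copy of the known injection, while the hash diff also surfaces files the signature does not cover, such as the dropped PHP file here, which is the kind of backdoor khunj warns will keep reinjecting the script. Store the baseline off the server, since an attacker with write access can also rewrite it.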

Posted by BestServerSupport, 09-06-2012, 12:34 PM
I would like to add a few more here:
1. Disable direct root access to your server.
2. Avoid giving 777 permissions to files/folders.
3. Use strong passwords for cPanel/FTP. Do not share passwords with others.
4. Keep your local system up to date. Install anti-virus and regularly scan your local machine.

Posted by HostFriendly, 09-07-2012, 01:00 AM
Thanks for the reply.
1. CSF is already installed.
2. Suhosin is installed.
3. mod_sec is enabled.
4. The SSH port has been changed to a non-default one, and for each WHM/SSH access I receive an email, but I haven't received any email about someone logging in.
5. /tmp is already secured.
6. Only ClamAV and Rootkit Hunter are unavailable; I will install and update them later.
Regards. By the way, is there any paid antivirus that scans files automatically, like the antiviruses we use on PCs? I think an automatic scan would be better than a manual scan. Regards.

Posted by Srv24x7, 09-07-2012, 01:37 AM
You need to figure out how these files are getting infected; a firewall and other things sometimes won't help with these types of attacks. Check the message logs for any FTP connection uploading the infected files. I suggest you install Maldet and run a complete scan inside /home; you might be able to detect any backdoors present inside any folder.
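
Added example, not code from the thread or from any poster: a Python script that parses xferlog-style FTP transfer records and pulls out the uploads that could explain the reinfection, which is the check khunj and Srv24x7 suggest. The log lines are constructed, and the field layout is the classic wu-ftpd/proftpd/pure-ftpd xferlog format, which is assumed to match what your FTP daemon writes.

```python
"""Pull suspicious uploads out of an FTP transfer log (xferlog format).

Added example, not from the thread. SAMPLE_XFERLOG is constructed;
the xferlog field layout below is an assumption about the server's logs.
"""
import re
from collections import defaultdict

# xferlog fields: timestamp, transfer-time, remote-host, size, filename,
# transfer-type, special-action, direction (i=upload, o=download, d=delete),
# access-mode, username, service, auth-method, auth-user-id, completion-status.
XFERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<xfer_secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>.+?) "
    r"(?P<type>[ab]) (?P<action>\S+) (?P<direction>[iod]) (?P<mode>[arg]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<auth_user>\S+) "
    r"(?P<status>[ci])$"
)
SCRIPT_EXTS = (".php", ".phtml", ".js", ".html", ".htm", ".htaccess")

# Constructed sample: one remote host pushes web files into three different
# accounts within seconds, then ordinary traffic follows.
SAMPLE_XFERLOG = """\
Thu Sep  6 01:12:03 2012 1 203.0.113.5 2048 /home/acct1/public_html/index.php b _ i r acct1 ftp 0 * c
Thu Sep  6 01:12:09 2012 1 203.0.113.5 1311 /home/acct2/public_html/index.html b _ i r acct2 ftp 0 * c
Thu Sep  6 01:12:15 2012 1 203.0.113.5 913 /home/acct3/public_html/wp-content/x.php b _ i r acct3 ftp 0 * c
Thu Sep  6 08:40:00 2012 3 198.51.100.7 40960 /home/acct1/public_html/photo.jpg b _ i r acct1 ftp 0 * c
Thu Sep  6 09:01:10 2012 1 198.51.100.8 2048 /home/acct1/public_html/index.php b _ o r acct1 ftp 0 * c
"""


def parse_xferlog(text):
    """Return (records, rejected): one dict per parsable line, raw text otherwise."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = XFERLOG_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            rejected.append(line)  # keep, never silently drop: odd lines matter in IR
    return records, rejected


def script_uploads(records):
    """Completed uploads whose target looks like web code rather than media."""
    return [r for r in records
            if r["direction"] == "i" and r["status"] == "c"
            and r["path"].lower().endswith(SCRIPT_EXTS)]


def hosts_touching_multiple_accounts(records):
    """Remote hosts that uploaded into more than one FTP account.
    One leaked password per account is unlikely; a single host writing to
    many accounts points at harvested credentials or a shared cause."""
    accounts = defaultdict(set)
    for r in records:
        if r["direction"] == "i":
            accounts[r["host"]].add(r["user"])
    return {h: sorted(u) for h, u in accounts.items() if len(u) > 1}


def investigate(text=SAMPLE_XFERLOG):
    """Run the two checks over a log and return the findings as plain data."""
    records, rejected = parse_xferlog(text)
    return {
        "script_uploads": [(r["ts"], r["host"], r["user"], r["path"])
                           for r in script_uploads(records)],
        "multi_account_hosts": hosts_touching_multiple_accounts(records),
        "rejected_lines": rejected,
    }


if __name__ == "__main__":
    for key, value in investigate().items():
        print(key, value)
```

If the FTP log shows uploads of the infected files, the entry point is the FTP credentials (and the client machines that hold them, as BestServerSupport notes); if it shows nothing around the modification times, the writes came some other way, such as a PHP shell, a hole in one of the CMS installs or a root-level compromise, and the HTTP access logs are the next place to look. Timestamps are kept as strings here; correlate them with the mtime of the modified files and with POST requests to any newly uploaded PHP file.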

Posted by Ramprage, 09-07-2012, 02:33 PM
What application is your site running on? A PHP CMS or straight HTML? It could be a hole in the CMS itself, or someone has managed to upload a PHP shell which gives them access to keep making modifications.

Posted by HostFriendly, 09-07-2012, 02:40 PM
Well, I think there is a root-related issue, because the same malware is not only in one account but in too many cPanel accounts. The customers use standard scripts: vb, jom, dle, wp and so on. Regards

Posted by SPINIKR-RO, 09-07-2012, 02:44 PM
Were you emailed of any root or escalated (su) logins? Last edited by SPINIKR-RO; 09-07-2012 at 02:48 PM.

Posted by dareORdie, 09-07-2012, 03:21 PM
You have to remove the additional code from your script. You can contact your web developer for the same.
1) Protect your control panel authentication by using a difficult password, which only you or your client knows.
2) Do not make your control panel password public. Also keep changing your FTP and control panel passwords at regular intervals.
3) If you have installed Joomla, WordPress and vBulletin manually, then you will need to check with the script vendor to see if they are the latest version / upgraded version, whether patches or updates are available, and apply them to your scripts.

Posted by ssfred, 09-08-2012, 06:14 AM
Hello. As an immediate step, install Maldet and ClamAV on your server. Once they are installed, perform a malware scan. This will identify the infected files, and you should be able to remove them using the application itself.

Posted by HostFriendly, 09-08-2012, 04:35 PM
Thanks very much for all the advice. We installed maldetect-1.4.1; it found and removed the malware. But I want to trace how the hackers managed to infect the server with that malware. If they can place their malware, does it mean that they have full control over the server and can access whatever they want on the server, including databases and so on? And what do you advise to prevent this in the future, apart from secure passwords? Regards.


