Topic: Infected PHP from recent Dreamhost FTP password hack

Amadhia

  • Guest
Infected PHP from recent Dreamhost FTP password hack
« on: March 24, 2012, 06:35:31 AM »
I'm hoping this is old news, but I wanted to offer this for inspection just in case.

I noticed something was wrong when my _iPad_ redirected me to a porn site when trying to view my own webpage.

Dreamhost had their FTP user/pass repository hacked recently. I had changed my password, but when I tried to log in yesterday, I found my newly requested password didn't work.

When I got into my FTP dir today, I finally noticed that _all_ of the .PHP files had had lines similar to the following "line" of code added to their head:

[Malicious code has been removed by a moderator.]

All subdirs I searched of my Gallery folders and production 'Boards had it.  (It's a bloomin' mess.)

Other than letting the people who know about these sorts of things chew on it to see how dangerous it is, I felt it important to make a little noise for other Dreamhost users to look at their own websites.

And of course, my worry is that it's more than just a redirect.  :(

-Ama
« Last Edit: March 24, 2012, 01:11:33 PM by misak »

Amadhia

  • Guest
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #1 on: March 24, 2012, 06:41:35 AM »
Oh, yes, I forgot to mention when I had to retype the message (because it disappeared from the entry form when I didn't type the reCAPTCHA correctly)...

All the infected PHP's showed a modified datestamp of 3/18/2012.

-Ama

Pondus
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #2 on: March 24, 2012, 09:05:21 AM »
Don't post suspected malware code in the forum, as this will raise an alarm if your antivirus detects it.

What is the URL you have problems with? Post the link unclickable.

!Donovan (Web Analyst)
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #3 on: March 24, 2012, 01:01:05 PM »
Hi Amadhia,

First, please remove the malicious coding from your first post as Pondus recommended! [Mod: removed the coding for you.]

The code you thought was suspicious is indeed malware. The decoding of it shows that it checks for OS and other key elements to hide the redirection to you. When it feels that it wants to redirect, there is another Base64 inside the previous Base64 to decode. Sneaky.

You should remove this coding ASAP. Following that, change ALL of your passwords. It is possible that the hacker got access to your email account if you use the same password for both of them.


It would also help if you posted the link to your site. Use hXtp instead of http to avoid accidental clicks.
« Last Edit: March 24, 2012, 02:53:55 PM by !Donovan »
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."
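One way to do the triage Donovan describes, as an added example that is not code from the original thread, from Dreamhost, or from Avast: the Python below walks a web root for .php files whose head carries an eval(base64_decode(...)) stub, optionally narrows the hunt to files modified on or after a given date (the 3/18/2012 datestamp Amadhia noticed), and statically peels the nested base64 layers without ever executing the PHP. The sample web root, its file names and the two-layer stub it builds (a user-agent check followed by a redirect to example.invalid) are constructed for the demonstration and stand in for whatever the real injection contained; the regex is a heuristic and will also flag any legitimate eval(base64_decode(...)) a site happens to use.

```python
"""Static triage for injected eval(base64_decode(...)) stubs in PHP files.

Added example, not from the original thread. The sample files, paths and
the benign two-layer stub below are constructed for demonstration only.
"""
import base64
import binascii
import datetime
import os
import re
import tempfile

# Shape of the injected stub: eval(base64_decode("...")); whitespace and quote style vary.
INJECT_RE = re.compile(
    rb'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)', re.I)

# The stub was prepended to the head of each file, so only an early match counts.
HEAD_BYTES = 4096


def unwrap_layers(data, max_depth=10):
    """Peel nested eval(base64_decode(...)) layers statically, outermost first.

    The PHP is never executed: each layer is base64-decoded and searched again
    for the same stub shape, which is how a "base64 inside a base64" is found.
    """
    layers = []
    current = data
    for _ in range(max_depth):
        m = INJECT_RE.search(current)
        if m is None:
            break
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            break
        layers.append(decoded)
        current = decoded
    return layers


def scan_tree(root, modified_since=None):
    """Return findings for .php files under root whose head carries the stub.

    modified_since ("YYYY-MM-DD") skips files last modified before that day.
    """
    cutoff = datetime.date.fromisoformat(modified_since) if modified_since else None
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.datetime.fromtimestamp(os.path.getmtime(path)).date()
            if cutoff and mtime < cutoff:
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            m = INJECT_RE.search(data)
            if m is None or m.start() > HEAD_BYTES:
                continue
            layers = unwrap_layers(data)
            findings.append({"path": path, "mtime": mtime.isoformat(),
                             "depth": len(layers), "inner": layers[-1]})
    return findings


def build_sample_site():
    """Construct a throwaway web root: one clean file, one with a two-layer stub.

    The inner code only checks the User-Agent and redirects to example.invalid;
    it is a stand-in for the real payload, not a copy of it.
    """
    root = tempfile.mkdtemp(prefix="phpscan_")
    inner = (b'<?php if (stripos($_SERVER["HTTP_USER_AGENT"], "iPad") !== false) '
             b'{ header("Location: http://example.invalid/"); exit; } ?>')
    middle = b'<?php eval(base64_decode("' + base64.b64encode(inner) + b'")); ?>'
    stub = b'<?php eval(base64_decode("' + base64.b64encode(middle) + b'")); ?>'
    clean_body = b'<?php echo "Gallery index"; ?>\n'

    os.makedirs(os.path.join(root, "gallery"))
    infected = os.path.join(root, "gallery", "index.php")
    with open(infected, "wb") as fh:
        fh.write(stub + b"\n" + clean_body)
    with open(os.path.join(root, "about.php"), "wb") as fh:
        fh.write(clean_body)

    # Mirror the observed modified datestamp on the tampered file only.
    ts = datetime.datetime(2012, 3, 18, 12, 0).timestamp()
    os.utime(infected, (ts, ts))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for f in scan_tree(site, modified_since="2012-03-18"):
        print(f["path"], f["mtime"], "layers:", f["depth"])
        print(f["inner"].decode("latin-1"))
```

Against a real site, run scan_tree over a copy of the FTP tree pulled down for analysis rather than the live document root, and treat the innermost layer as text to read, never as PHP to run; the depth counter is the cheap signal that a single-line header hides more than one stage.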

!Donovan (Web Analyst)
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #4 on: March 24, 2012, 02:00:44 PM »
This malware is indeed dangerous.

Possibly a new kind of exploit. No antivirus detects it, even when level 1 decoded (as seen above).

https://www.virustotal.com/file/060598d25399a88519e316c43a2b74d3478b4cb3ea0769b68336409f94554ee1/analysis/1332593768/

Amadhia

  • Guest
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #5 on: March 24, 2012, 11:00:18 PM »
Oh my!  :(

I'm glad to have made you all aware of it then!

I worried about what it would do if I would have posted the code... So I inserted a few spaces and then a carriage return after the <<php  thing that begins it... ...so it would look visually like what I saw in my text editor, but hopefully be defanged.....

(With revulsion I wanted to get all of it totally off my site ASAP, I didn't even think about leaving an unlinked infected file there and posting the URL made unclickable.  I will know better now, thank you.  I hope I won't have to use that knowledge soon. :(  )

I was able to do a System Restore on both PCs I viewed my site on (and a full boot-time scan... but if you said that no scanners detected it...). I'm just worried about the extent of the infection... Did it leave anything on either my PCs or my iPad? I'm afraid to change PWs from a machine I know I viewed my site with. :(

(Oh, and sorry for taking so long to respond here... I had thought I'd set this post to notify me when replies were made... Today and last night were all about trying to fix/clean/restore my site... I've been sending out resumes and my site is where my portfolio and demo reel are. :( )

Thank you so very much for looking into this!

Ama


essexboy (Malware removal instructor)
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #6 on: March 24, 2012, 11:12:32 PM »
Hi Amadhia, if you wish I can check your PCs out.

Download OTL to your Desktop.
  • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users.
  • Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs.
THEN

Download aswMBR.exe (1.8 MB) to your desktop.
Double-click aswMBR.exe to run it. Click the "Scan" button to start the scan.

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

Pondus
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #7 on: March 24, 2012, 11:17:02 PM »
Quote
Did it leave anything on either my PC's or my iPad?
To my knowledge there is no malware found for iPad/iPhone yet, except on some jailbroken iPhones that were using apps not from iTunes.

Amadhia

  • Guest
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #8 on: March 24, 2012, 11:18:03 PM »
Thank you, essexboy...

...um... If the systems that !Donovan threw at the code didn't register anything, how can an infection by it be recognized until new "Virus Definitions" can be made to find and include it?

(My apologies if I seem like reeeeaaalllly skittish... But I'm really skittish now... :/  )

-Ama

Amadhia

  • Guest
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #9 on: March 24, 2012, 11:21:24 PM »
Thank you Pondus.  I'd hoped that was the case... And knowing very little about the "cutting edge" of bad'uns, I had to ask.

Thank you.
-Ama

!Donovan (Web Analyst)
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #10 on: March 24, 2012, 11:36:33 PM »
Quote
...um... If the systems that !Donovan threw at the code didn't register anything, how can an infection by it be recognized until new "Virus Definitions" can be made to find and include it?
The malicious code that I was talking about on your website redirects to another website, as you have seen.

The website that showed instead of your website may contain additional potentially malicious coding. That is why essexboy is checking your computer for any abnormal findings.


As for the script that isn't detected by anything: that is the redirect script. Therefore nothing was done. The redirected site, however, can do damage if it contains malicious coding.


Hope this clears it up for you,
~Donovan

Amadhia

  • Guest
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #11 on: March 25, 2012, 12:10:19 AM »
Oh!  Thank you !Donovan.  (*shakes her head*  I'm sorry to be so skittish, but I try so consciously to be safe with respect to the Internet that I'm just thrown for a loop by all this.)

Wow... all that Base64 was just redirect?  It was so big it scared me.

Thankfully... the only redirecting I saw was on the iPad, (on which I did the power-button + home-button reset thing, & cleared all cookies and history and web data so I'm hoping all traces of bad are now gone from it).  And I closed the redirected page both times I saw it happening....

(I'd been working on updating my site all day on my Avast/Firefox PC and not even once saw it redirect....)

Thanks guys.. for doing what you do to keep the rest of us safe... and thanks for your patience with folks who have been a little freaked by finding an odd thing like this.

-Ama

(I've DL'd  OTL and aswMBR and am queuing up to do those steps that Essexboy posted.)

essexboy (Malware removal instructor)
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #12 on: March 25, 2012, 12:11:34 AM »
Whenever you get the time to fit them in.  I am subscribed to this topic so I will know when you answer  ;D

Amadhia

  • Guest
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #13 on: March 25, 2012, 12:54:38 AM »
Thanks, essexboy! :)

I'm attaching both the OTL.txt and Extras.txt files... (They're long, so I attached rather than pasted...)

-Ama

Amadhia

  • Guest
Re: Infected PHP from recent Dreamhost FTP password hack
« Reply #14 on: March 25, 2012, 05:34:52 AM »
I'm attaching the aswMBR.txt that aswMBR saved after it said that the scan had finished successfully.  (I see it also generated an MBR.dat file, but it doesn't look like it has any text characters for me to paste here.)

Thanks again so much for offering to see if all is okay..!

-Ama