PHP Sites on Popular Hosting Services Exploited
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
- PhilD
- Joomla! Hero

- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
PHP Sites on Popular Hosting Services Exploited
Disclaimer: In light of recent security news, I would like to make an informative post that may explain why some apparently up-to-date sites have been exploited recently. This is not to shame, defame, or attack any hosts listed. I have also posted some tips as to what to do if you think your site(s) have been victims.
If you feel inclined to post comments, trash or whatnot, then remember: Posts to this thread topic that are against forum rules will be removed, the poster dealt with according to the forum rules, and the topic locked against further posting.
***********************************
Sites hosted by popular hosting companies DreamHost, GoDaddy, Bluehost and Media Temple have been affected. These are apparently the same or similar issues that affected Network Solutions recently. Of course any site hosted through a reseller who has servers at one of these hosts can also be affected.
While GoDaddy has responded that only outdated Wordpress sites are being exploited (they are), this does not appear to be the case according to security experts reports and once again like Network Solutions first did, they are barking up the wrong tree, or are trying to limit the public relations damage by denying it is their servers.
The exploited websites are infected with scripts that install malware (or attempt to install it) on site visitors' computers. The exploit also prevents browsers like Firefox and Google Chrome, which use Google's Safe Browsing API, from issuing an alert when users try to access the page. Google's search engine bot is also fooled, because the sites return normal code when a Google search bot is detected.
They do not need your site (Joomla super admin) admin username or password to apply the exploit to your site.
If your Joomla, ZenCart, Wordpress, forum or other PHP based site has been exploited recently then contact your host immediately and report it. Do this after you take the site offline and before you do anything else.
If you do not take your site offline, your site may attempt to silently download malware to site visitors' computers, infecting them. So do your visitors and customers a favor and Take The Site OFFLINE!! Also, do not post any malicious code found or post a live link to your site to these forums.
Once this has been reported and your site taken offline follow the following for safely restoring your site (yes I know, this is standard forum post fare, but it will help recover your site).
If your site has not been exploited, then make sure you have Joomla, any extensions and any other software updated to the latest versions, your permissions are set properly, etc., and you keep a close eye on the raw logs for your site(s) for any unusual activity. This will not stop the exploit, but may slow it down. Remember it has been reported that even up to date sites have been exploited.
If anything unusual is noticed on your site, or in the logs, or visitors complain about your site doing strange things or setting their anti-virus program off, take your site offline immediately and inform your host about the activity. Then inspect your site files for added code such as:
eval(base64_decode
redirects to blank 404 pages
Lines of script code such as:
<script src="http://some [spam].xxx
If any strange code is found in any of your site files or files have been added to your site then again follow these steps:
[ ] Run the forum post assistant and security tool Instructions available here Post the results here so we can have a look at it.
[ ] Ensure you have the latest version of Joomla. Download the latest full version of Joomla and use it to replace the core files. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files.
[ ] Review the Vulnerable Extensions List and update or remove (if no update is available) any vulnerable extensions.
[ ] Review and action the Security Checklist, and make sure you've gone through all of the steps, not just the easy ones!!
[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.
[ ] Use proper permissions on files and directories. They should never be 777; the ideal is 644 and 755.
[ ] For the malicious code topic
References:
http://www.h-online.com/security/news/i ... 96628.html
http://www.wpsecuritylock.com/breaking- ... dreamhost/
http://www.wpsecuritylock.com/exploit-o ... -responds/
Older topic about Network Solutions
http://forum.joomla.org/viewtopic.php?f=432&t=509688
Last edited by PhilD on Mon May 10, 2010 8:36 pm, edited 1 time in total.
Reason: added link to older post
PhilD
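The inspection step above (grep the site for eval(base64_decode, for injected remote script tags, and check for 777 permissions) can be automated. The following is an added example, not code from the forum post or from the Joomla project: it walks a web root, reports the indicators named in the post plus world-writable entries, and builds a small constructed fixture tree so it can be run as-is. The gzinflate/gzuncompress/str_rot13 wrappers and the host name injected.example are assumptions added for illustration; point scan_tree() at a real site root to use it on a live install.

```python
"""Scan a web root for the injection indicators named in the post above.

Added example, not from the Joomla forum post or the Joomla project.
Covers: eval(base64_decode(...)) and sibling decoder wrappers (assumed),
remote <script src="http://..."> tags, and world-writable (777) entries.
"""
import os
import re
import stat
import tempfile
from collections import namedtuple

Finding = namedtuple("Finding", "path line kind detail")

# Text extensions worth grepping; the permission check runs on every entry.
SCAN_EXT = (".php", ".html", ".htm", ".js", ".inc", ".tpl")

# gzinflate/gzuncompress/str_rot13 are common siblings of base64_decode
# in injected code; including them is an assumption beyond the post.
INDICATORS = (
    ("eval_decoder", re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("remote_script", re.compile(
        r"<script[^>]*\ssrc\s*=\s*[\"']?https?://", re.I)),
)


def check_mode(path):
    """Return a Finding if `path` is world-writable (the 777 case), else None."""
    try:
        mode = os.lstat(path).st_mode
    except OSError:
        return None
    if stat.S_ISLNK(mode):
        return None  # a symlink's own mode bits are meaningless; do not follow it
    if mode & stat.S_IWOTH:
        return Finding(path, 0, "world_writable", oct(stat.S_IMODE(mode)))
    return None


def scan_file(path):
    """Grep one text file, line by line, for the indicator regexes."""
    findings = []
    if not path.lower().endswith(SCAN_EXT):
        return findings
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for kind, rx in INDICATORS:
                    if rx.search(line):
                        findings.append(Finding(path, lineno, kind, line.strip()[:80]))
    except OSError:
        pass
    return findings


def scan_tree(root):
    """Walk `root`; collect permission findings for every entry and content findings for text files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            hit = check_mode(os.path.join(dirpath, name))
            if hit:
                findings.append(hit)
        for name in filenames:
            full = os.path.join(dirpath, name)
            hit = check_mode(full)
            if hit:
                findings.append(hit)
            findings.extend(scan_file(full))
    return sorted(findings)


def build_demo_tree():
    """Constructed fixture: a clean file, two injected files and one 777 directory."""
    root = tempfile.mkdtemp(prefix="joomla_scan_")
    files = {
        "index.php": "<?php\ndefine('_JEXEC', 1);\nrequire_once 'includes/framework.php';\n",
        "templates/site/index.php":
            "<?php /* template */ ?>\n<html><body>\n"
            "<script src=\"http://injected.example/stat.js\"></script>\n</body></html>\n",
        "includes/framework.php":
            "<?php\n// injected line constructed for this example\n"
            "eval(base64_decode('ZWNobyAiaGVsbG8iOw=='));\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    os.makedirs(os.path.join(root, "tmp"))
    # Pin modes explicitly so the result does not depend on the caller's umask.
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), 0o644)
    os.chmod(os.path.join(root, "tmp"), 0o777)  # the one deliberate 777 entry
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        print(f"{f.kind:15} {f.path}:{f.line}  {f.detail}")
```

A hit on eval_decoder or remote_script is a strong signal but not proof on its own, so treat the output as a list of files to read by hand, and remember that a grep cannot find code the attacker placed in a file you did not think to scan; that is why the post insists on replacing every file from a clean download rather than cleaning in place.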
-
topperharley122
- Joomla! Intern

- Posts: 52
- Joined: Tue Dec 29, 2009 5:35 am
Re: PHP Sites on Popular Hosting Services Exploited
Can you confirm that the hosting vulnerability is limited to shared or reseller hosting accounts?
- mandville
- Joomla! Master

- Posts: 15135
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: PHP Sites on Popular Hosting Services Exploited
you will have to ask the respective host for that information
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
elialum
- Joomla! Apprentice

- Posts: 40
- Joined: Thu Dec 14, 2006 11:26 am
- Location: Israel
- Contact:
Re: PHP Sites on Popular Hosting Services Exploited
Hi,
This is not a host problem for sure.
I've been investigating this issue for several hosting companies that were affected.
The problem is on the client side: his computer gets infected with malware that takes his FTP usernames/passwords from known FTP programs like FlashXP/FileZilla etc. that are installed on his computer.
This information is passed back to some other malicious server, which will use it to log in to the account and change the index.html/php files (it will then add the malicious JS code).
I've seen it happen live:
Time: Tue Jun 22 06:35:41 2010 +0300
IP: distributed ftpd attack on account [xxxxxx]
Failures: 10
Interval: 300 seconds
Blocked: Yes
Log entries:
Jun 22 06:35:22 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:35:35 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:34:49 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:34:22 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:35:15 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:35:09 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:34:56 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:35:00 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:34:34 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:34:28 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [xxxxxx]
IP Addresses Blocked:
174.36.217.226 (US/United States/174.36.217.226-static.reverse.softlayer.com)
94.73.131.138 (TR/Turkey/94-73-131-138.cizgi.net.tr)
74.55.142.202 (US/United States/progrese.net)
70.32.46.180 (US/United States/70.32.46.180.rdns.ubiquityservers.com)
68.168.212.6 (US/United States/68-168-212-6.ip.static.interserver.net)
88.208.238.100 (GB/United Kingdom/server88-208-238-100.live-servers.net)
74.208.43.175 (US/United States/s15374238.onlinehome-server.com)
68.233.4.27 (US/United States/bladensburg.networkredux.net)
87.106.14.44 (DE/Germany/s15222115.onlinehome-server.info)
In that case, the attacker was blocked by the firewall.
If & When your account was hacked, the first thing to do is to CHANGE FTP DETAILS and check your computer for viruses.
Take care,
Eli.
| Joomla Hosting Israel | http://jetserver.co.il
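The block above is the kind of report a login-failure firewall produces: ten failed authentications against one account inside a 300-second interval, spread over nine source addresses, so the rule fires as a distributed attack and blocks every source. The following is an added example, not code from the post or from any firewall product, that reproduces that rule over pure-ftpd log lines. It assumes pure-ftpd's "(?@ip)" login marker in the log (the quoted lines show it mangled), and the sample lines are constructed with RFC 5737 documentation addresses, deliberately out of time order as in the quoted block.

```python
"""Detect distributed FTP password guessing from pure-ftpd log lines.

Added example, not from the forum post or from any firewall product.
Rule: `failures` authentication failures against one account within
`interval` seconds; "distributed" when they come from at least
`min_sources` addresses. Log format assumes pure-ftpd's "(?@ip)" marker.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) pure-ftpd: "
    r"\(\?@(?P<ip>[0-9.]+)\) \[WARNING\] Authentication failed for user "
    r"\[(?P<user>[^\]]+)\]"
)

# Constructed sample: 10 failures on one account from 9 addresses in 73 s,
# two failures on another account from one address, one unrelated INFO line.
SAMPLE_LOG = """\
Jun 22 06:35:22 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:35:35 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:34:49 pure-ftpd: (?@203.0.113.44) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:34:22 pure-ftpd: (?@192.0.2.11) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:35:15 pure-ftpd: (?@198.51.100.8) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:35:09 pure-ftpd: (?@203.0.113.45) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:34:56 pure-ftpd: (?@192.0.2.12) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:35:00 pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:34:34 pure-ftpd: (?@203.0.113.46) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:34:28 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [xxxxxx]
Jun 22 06:40:01 pure-ftpd: (?@192.0.2.50) [WARNING] Authentication failed for user [webmaster]
Jun 22 06:40:05 pure-ftpd: (?@192.0.2.50) [WARNING] Authentication failed for user [webmaster]
Jun 22 06:40:09 pure-ftpd: (?@192.0.2.50) [INFO] webmaster is now logged in
"""


def parse_line(line):
    """Return (timestamp, user, ip) for a failed-login line, else None."""
    m = LINE_RX.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for ordering within one file that does not cross a year boundary.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def detect(lines, failures=10, interval=300, min_sources=2):
    """Apply the rate rule per account with a sliding window; one alert per burst."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort()  # the log may be out of order, as the quoted block shows
    window = defaultdict(deque)
    alerts = []
    for ts, user, ip in events:
        q = window[user]
        q.append((ts, ip))
        while (ts - q[0][0]).total_seconds() > interval:
            q.popleft()  # drop failures older than the interval
        if len(q) >= failures:
            ips = sorted({i for _, i in q})
            alerts.append({
                "user": user,
                "kind": "distributed" if len(ips) >= min_sources else "single-source",
                "failures": len(q),
                "first": q[0][0].strftime("%b %d %H:%M:%S"),
                "last": ts.strftime("%b %d %H:%M:%S"),
                "block": ips,
            })
            q.clear()  # start a fresh window so one burst yields one alert
    return alerts


def format_alert(a):
    """Render an alert in the style of the report quoted above."""
    head = (f"IP: {a['kind']} ftpd attack on account [{a['user']}]\n"
            f"Failures: {a['failures']} between {a['first']} and {a['last']}\n"
            "IP Addresses Blocked:")
    return "\n".join([head] + a["block"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(format_alert(alert))
```

Blocking the sources is the right immediate response, but note what the rule cannot tell you: with stolen credentials the attacker logs in on the first try and never trips a failure counter, which is exactly the scenario described in this post. Pair the counter with a successful-login check (new source address or country for an account) and, as stated above, change the FTP details as soon as an account is suspected.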
-
3zero
- Joomla! Fledgling

- Posts: 2
- Joined: Sat Jul 03, 2010 7:55 pm
- Location: Atlanta, Georgia
- Contact:
Re: PHP Sites on Popular Hosting Services Exploited
Luckily I never had any issues regarding my godaddy account, but I remember hearing about a lot of sites that weren't so lucky :O, darn script kiddies.
Last edited by mandville on Sat Jul 03, 2010 10:51 pm, edited 1 time in total.
Reason: signature against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65
-
romas
- Joomla! Apprentice

- Posts: 30
- Joined: Sat Nov 10, 2007 10:12 pm
- Location: Hawaii
- Contact:
Re: PHP Sites on Popular Hosting Services Exploited
I have been looking for more info on this and I found this article. I think it's also worth a read as well as the article linked from it. http://badwarebusters.org/main/itemview/11284 
- PhilD
- Joomla! Hero

- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: PHP Sites on Popular Hosting Services Exploited
elialum wrote:
Hi,
This is not a host problem for sure.
I've been investigating this issue for several hosting companies that were affected.
The problem is on the client side: his computer gets infected with malware that takes his FTP usernames/passwords from known FTP programs like FlashXP/FileZilla etc. that are installed on his computer.
This information is passed back to some other malicious server, which will use it to log in to the account and change the index.html/php files (it will then add the malicious JS code).
I've seen it happen live:
~ truncated post ~
If & When your account was hacked, the first thing to do is to CHANGE FTP DETAILS and check your computer for viruses.
Take care,
Eli.

The entry method used to gain access to the server does not really matter. It became a host matter the second the script kiddie gained access to the server. Hosting companies like to officially deny responsibility as it is bad for business, just as banks deny account compromises. Would you use a bank that said we had 30 accounts drained of 500,000 this week, but that is down from the 45 last week? Would you use a domain host that said we had 30 servers rooted this week, but that is down from the 50 last week?
The attempt posted in your post is an example of how a domain account can be compromised and a persons website defaced. Likely, the server logs showed many others just like this, some successful some not. This can also then be an entry point on a poorly configured or secured server.
In the server compromises I posted about, it is/was just as likely a malware-infected customer as it could be an exploited account where access was initially gained. Entry method aside though, the information I posted was a server attack. I think the attacks were designed to prove a point, bring some issues at some hosting services to light, and to have a little fun. If you take the time to view some of the video links in the article reference links I provided (http://www.wpsecuritylock.com/breaking- ... dreamhost/) or that are available on [youtube], you would see a person (script kiddie) "browsing" a remote server with 100% full access to all accounts (no password/login needed) and every other directory on the server as if it were a local drive on the script kiddie's computer. In other words the server has been "rooted". The video in the link above shows just how easy it is, once access is gained, to totally compromise a server and every account on that server if desired.
Other [youtube] videos you can easily find show various methods of entry to the server so the exploit pack software can be installed. They also show just how easily the exploit pack can be installed. This exploit pack software is written for one specific purpose and that is the remote exploitation of servers. There is big money in gaining access to a server (think organized crime syndicates) so there is big-time development of the software and a lot of competition between server exploit pack developers to make a better, easier-to-use exploit pack.
Script kiddies can also purchase the same exploit pack software as the price is reasonable (provided they sell some info they gather) and use the software for their own agendas, thrills, prove a point, or to just harass hosting services.
PhilD
-
robertstu
- Joomla! Apprentice

- Posts: 5
- Joined: Thu Dec 02, 2010 2:40 pm
Re: PHP Sites on Popular Hosting Services Exploited
I am also using a shared web hosting provider but one you did not mention in your post. Nevertheless I definitely have to check if my provider has also been affected. Until now I have not noticed any severe changes on my website but you never know until you check it. Thanks for your informative post. Hopefully my provider has not been affected.