I hate hackers,
A month or so I was hit by a hack attack, although I didn’t realise until a few weeks after. If you are reading this it is most likely that you’ve found that your system has been over run by a malicious hack script.
In this blog post I’m going to explain a little about what this hack does, how it effects your website and how to get rid of it and avoid reinfection.
What does it do?
This attack basically exploits a weakness in the OS Commerce admin directory, which is known issue but the details of which should be kept under wraps for obvious reasons, and uploads a collection of files;
cnf
csi
dg.php
kwd
lock
s.php
skwd
style.css.php
swf
t
Once uploaded these files will essentially create a 50 page wordpress style blog on your server and then tell every page on your website to link to these pages. The blog pages contain links to other infected websites,
using “Forex” related keywords in the anchor text. You will find that your site is linking out to hundreds of sites that are in turn linking out to hundreds more infected sites, each using “Forex” related keywords in the
anchor text of each link. This creates a web like network of infected websites.
A little detail on the files uploaded;
cnf
csi
contains a list of IP addresses
dg.php
A heavily encoded line of script, when decoded …
kwd
contains a list of keywords used for creating subject titles of the blog style pages created by the hack script.
lock
is a blank file
s.php
A heavily encoded line of script, when decoded …
skwd
Is a huge list of over 9600 words used for populating the blog style pages with content.
style.css.php
This is the main file and contains a rather long heavily encoded line of script, when decoded the script essentially …
swf
unicode ?
t
This file contains the template of the wordpress blog style pages that the hack creates.
These files once uploaded proceed to create 50 pages of the hack-blog using the words and keywords in the above mentioned files. These files are created in the same directory as the parent files.
Once completed the hack then finds the root of the server, and systematically searches out every php file on the server space and injects a new line of code at the start of the file. This effects every domain registered on the server space.
The line will look some thing like this:
“<? /**/eval(base64_decode(‘aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdM … aCcpO319fQ==’)); ?>”
The line once decoded essentially tells the hack code to search out the file “style.css.php” which then gives instructions to insert and create a “display:none” <div> just below the <body> tag.
Inside this line the code creates a list of links with appropriate keywords to the blog pages created by the hack code. Because this <div> is invisible to the user unless the source code is queried, which most people rarely do, this hack may go unnoticed for a long time.
No prizes for guessing that the hack is very bad for a website, one reason being that search engines can see this code, and will penalise the domain for spammy behaviour efffecting its search rankings.
Other issues created by the attack centre around the hacker now having control over every file infected and having access to all the information housed on the server, which if you didn’t know is VERY BAD.
This hack is created to be stealthy and does not want to be found, that is why all its effects are hidden and all its programming is uploaded into an obscure directory on your server and named rather inoculously.
Which may be cause you trouble in dealing with it, however this hack does have a weakness which will allow you to wipe it from your server.
First you need to find where the file “style.css.php” is, this is the nerve centre of the hack, and the simplest way to do this is to decode the line of code that is injected into all your php files. You can do this easily an for free at …
When decoded the line will look something like this … This is the directory of where the hackcode is found, you need to navigate to the directory via FTP and you will find the list of files as above along with files numbered 0 to 49 (the blog pages),
and another file with a random number name such as “7f65b81869b67d04f2feb493bcb2e883″. These files need to be deleted.
Second you need to stop re-infection, rename your admin directory and associated files (such as …), chose a weird name the random the better, this hack relies on the fact that your admin directory is called “admin” so changing it will make it alot less likely
you’ll be reinfected. At this stage you may wish to impliment some other sercurity measures on your admin area and/or your site as a whole (link to OSC sercurity measures). If you don’t rename your directory you will be reinfected. I experimented a little with this hack,
and it comes back fairly quickly.
Third you now need to remove all of the injected lines of code on your server. Provided all you have on your server space is the your OSC shop this shouldn’t be too difficult to remidy, and there are a few methods which could be used.
Method one, if you are a prudent web master you’ll have a regular backup of the site which you would simply upload and replace all the bad files. This would also work if you are a not so prudent webmaster but have an unaltered OSC system, simply upload the same files as you did in installation.
Bare in mind that you changed the name of your admin directory so when uploading the files you’ll need to avoid creating a new admin directory named “admin”.
Method two, if you’ve made changes to your files but haven’t saved them or if you updated your files online using the OSC file manager, then the surest method of destroying the code and retaining your edits to the site is to download every file on the server (which could take a while and is a
little risky as there is a chance you may miss some infected files) and perform a search and replace on the code.
Alternatively if you are a little bit more aufait with the internets you could make a few adjustments to your apache configuration (if you are using apache, and you should be ;D) to block access to the admin area from
anywhere but the local network:
<Directory “/var/www/path/to/your/webshop/admin-directory”>
AllowOverride Limit
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128 <Your “LAN”-SUBNET here>
Options -Indexes
satisfy all
</Directory>
This tells apache to block access to the admin section from anywhere but
127.0.0.0/255.0.0.0 (IPv4 Local Host) ::1/128 (IPv6 Local Host) and your
“LAN”-subnet, and to not create indexes (ie directory listings) for any
directories below this…
Then used a bit of bash-scripting to automate finding and cleaning the
.php files:
for file in `grep -iRl “<\? \/\*\*\/eval(base64.*\?>” /var/www/* | sed
-e ‘s/[[:space:]]/\\ /g’`;
do
vim “$file” -c”:%s/<? \/\*\*\/eval(base64.*?>\n//” -c”x”;
echo done “$file”;
done
The lines explained:
for file in `grep -iRl “<\? \/\*\*\/eval(base64.*\?>” /var/www/* | sed
-e ‘s/[[:space:]]/\\ /g’`;
Find any file on the webserver that has the base64 encoded crap in it
vim “$file” -c”:%s/<? \/\*\*\/eval(base64.*?>\n//” -c”x”;
open the file found above in vim, do a search and replace for the
base64 encoded stuff, and save the file
echo done “$file”;
Let me know which one you’ve done
do and done are part of the loop setup
DISCLAIMER: I tested this on *my* setup, but that will not guarantee it
will work for anyone else’s, so make a backup, and check everything
after it is done. This will not work properly if the full filename
contains spaces!
So, now you’ve learned how to get rid of the nastieness on your own website, it would be a neighbourly thing to let other people who are infected know that they are.
You don’t have to contact every one that your site links to, but at least let a few people know about it, and hopfully they’ll take action and in the process tell a few more people.
It would be good to see a time when hacking is a thing of the past, but for the moment at least we can do some thing about this one specifically.
A while or so I was hit by a hack attack, although I didn’t realise until a few weeks after. If you are reading this it is most likely that you’ve found that your system has been over run by a malicious hack script.
In this blog post I’m going to explain a little about what this hack does, how it effects your website and how to get rid of it and avoid reinfection.
A sample of the blog style spam you're site is filled with
What does it do?
This attack basically exploits a weakness in the OS Commerce admin directory, which is known issue but the details of which should be kept under wraps for obvious reasons, and uploads a collection of files;
cnf
csi
dg.php
kwd
lock
s.php
skwd
style.css.php
swf
t
Once uploaded these files will essentially create a 50 page wordpress style blog on your server and then tell every page on your website to link to these pages. The blog pages contain links to other infected websites, using “Forex” related keywords in the anchor text. You will find that your site is linking out to hundreds of sites that are in turn linking out to hundreds more infected sites, each using “Forex” related keywords in the anchor text of each link. This creates a web like network of infected websites.
A little detail on the files uploaded;
cnf
csi
contains a list of IP addresses
dg.php
A heavily encoded line of script
kwd
contains a list of keywords used for creating subject titles of the blog style pages created by the hack script.
lock
is a blank file
s.php
A heavily encoded line of script
skwd
Is a huge list of over 9600 words used for populating the blog style pages with content.
style.css.php
This is the main file and contains a rather long heavily encoded line of script, when decoded the script essentially …
swf
unicode
t
This file contains the template of the wordpress blog style pages that the hack creates.
Then What?
These files once uploaded proceed to create 50 pages of the hack-blog using the words and keywords in the above mentioned files. These files are created in the same directory as the parent files.
Once completed the hack then finds the root of the server, and systematically searches out every php file on the server space and injects a new line of code at the start of the file. This effects every domain registered on the server space.
The line will look some thing like this:
“<? /**/eval(base64_decode(‘aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdM … aCcpO319fQ==’)); ?>”
The line once decoded essentially tells the hack code to search out the file “style.css.php” which then gives instructions to insert and create a “display:none” <div> just below the <body> tag.
Inside this line the code creates a list of links with appropriate keywords to the blog pages created by the hack code. Because this <div> is invisible to the user unless the source code is queried, which most people rarely do, this hack may go unnoticed for a long time.
Below is what it looks like when you view the source code of an infected site.
<div style=”display:none”>
<a href=”http://your_domain.com/?fhcr=0″>forex trading demo</a>
<a href=”http://your_domain.com/?fhcr=1″>forex trading chart</a>
<a href=”http://your_domain.com/?fhcr=2″>forex trading book</a>
<a href=”http://your_domain.com/?fhcr=3″>forex trade signals</a>
<a href=”http://your_domain.com/?fhcr=4″>forex trade signal</a> <a href=”http://your_domain.com/?fhcr=5″>forex signal trade</a> <a href=”http://your_domain.com/?fhcr=6″>forex pivot point</a> <a href=”http://your_domain.com/?fhcr=7″>forex market hours</a> <a href=”http://your_domain.com/?fhcr=8″>forex expert advisor</a> <a href=”http://your_domain.com/?fhcr=9″>forex demo trading</a> <a href=”http://your_domain.com/?fhcr=10″>forex currency trade</a> <a href=”http://your_domain.com/?fhcr=11″>forex currency rates</a> <a href=”http://your_domain.com/?fhcr=12″>forex auto trading</a> <a href=”http://your_domain.com/?fhcr=13″>book forex trading</a> <a href=”http://your_domain.com/?fhcr=14″>trade forex news</a> <a href=”http://your_domain.com/?fhcr=15″>learning to trade forex</a> <a href=”http://your_domain.com/?fhcr=16″>currency rates forex</a> <a href=”http://your_domain.com/?fhcr=17″>chart forex trading</a> <a href=”http://your_domain.com/?fhcr=18″>best forex system</a> <a href=”http://your_domain.com/?fhcr=19″>best forex software</a> <a href=”http://your_domain.com/?fhcr=20″>what is forex trading</a> <a href=”http://your_domain.com/?fhcr=21″>www easy forex com</a> <a href=”http://your_domain.com/?fhcr=22″>live forex charts</a> <a href=”http://your_domain.com/?fhcr=23″>automated forex trading software</a> <a href=”http://your_domain.com/?fhcr=24″>forex trading forum</a> <a href=”http://your_domain.com/?fhcr=25″>forex trading brokers</a> <a href=”http://your_domain.com/?fhcr=26″>forex trader training</a> <a href=”http://your_domain.com/?fhcr=27″>forex trade software</a> <a href=”http://your_domain.com/?fhcr=28″>forex swing trading</a> <a href=”http://your_domain.com/?fhcr=29″>forex real time quotes</a> <a href=”http://your_domain.com/?fhcr=30″>forex pivot trading</a> <a href=”http://your_domain.com/?fhcr=31″>forex options trading</a> <a href=”http://your_domain.com/?fhcr=32″>forex online brokers</a> <a href=”http://your_domain.com/?fhcr=33″>forex market maker</a> <a href=”http://your_domain.com/?fhcr=34″>forex free software trading</a> <a href=”http://your_domain.com/?fhcr=35″>forex for dummies</a> <a href=”http://your_domain.com/?fhcr=36″>forex day trading training</a> <a href=”http://your_domain.com/?fhcr=37″>internet forex trading</a> <a href=”http://your_domain.com/?fhcr=38″>best forex brokers</a> <a href=”http://your_domain.com/?fhcr=39″>real time forex quotes</a> <a href=”http://your_domain.com/?fhcr=40″>day forex trading training</a> <a href=”http://your_domain.com/?fhcr=41″>day training trading forex</a> <a href=”http://your_domain.com/?fhcr=42″>online forex brokers</a> <a href=”http://your_domain.com/?fhcr=43″>learning forex trading</a> <a href=”http://your_domain.com/?fhcr=44″>learn forex free</a> <a href=”http://your_domain.com/?fhcr=45″>online forex account</a> <a href=”http://your_domain.com/?fhcr=46″>broker forex introducing</a> <a href=”http://your_domain.com/?fhcr=47″>broker forex review</a> <a href=”http://your_domain.com/?fhcr=48″>swiss forex broker</a>
<a href=”http://your_domain.com/?fhcr=49″>best forex trading system</a> </div>
What does this mean for my site?
No prizes for guessing that the hack is very bad for a website, one reason being that search engines can see this code, and will penalise the domain for spammy behaviour efffecting its search rankings.
Other issues created by the attack centre around the hacker now having control over every file infected and having access to all the information housed on the server, which if you didn’t know is VERY BAD.
This hack is created to be stealthy and does not want to be found, that is why all its effects are hidden and all its programming is uploaded into an obscure directory on your server and named rather innocuously. That fact may cause you trouble in dealing with it, however this hack does have a weakness which will allow you to wipe it from your server.
How do I get rid of it?
First you need to find where the file “style.css.php” is, this is the nerve centre of the hack, and the simplest way to do this is to decode the line of code that is injected into all your php files. You can do this easily and for free at http://www.motobit.com/util/base64-decoder-encoder.asp When decoded the line will contain the directory of where the hackcode is found, you need to navigate to the directory via FTP and you will find the list of files as above along with files numbered 0 to 49 (the blog pages), and another file with a random number name such as “7f65b81869b67d04f2feb493bcb2e883″. These files need to be deleted.
Second you need to stop re-infection, rename your admin directory and associated files (such as …), chose a weird name the random the better, this hack relies on the fact that your admin directory is called “admin” so changing it will make it alot less likely you’ll be reinfected. At this stage you may wish to impliment some other sercurity measures on your admin area and/or your site as a whole. If you don’t rename your directory you will be reinfected. I experimented a little with this hack, and it comes back fairly quickly.
Third you now need to remove all of the injected lines of code on your server. Provided all you have on your server space is the your OSC shop or wordpress blog this shouldn’t be too difficult to remidy, and there are a few methods which could be used.
Method one, if you are a prudent web master you’ll have a regular backup of the site which you would simply upload and replace all the bad files. This would also work if you are a not so prudent webmaster but have an unaltered OSC system, simply upload the same files as you did in installation. Bare in mind that you changed the name of your admin directory so when uploading the files you’ll need to avoid creating a new admin directory named “admin”.
Method two, if you’ve made changes to your files but haven’t saved them or if you updated your files online using the OSC file manager, then the surest method of destroying the code and retaining your edits to the site is to download every file on the server (which could take a while and is a little risky as there is a chance you may miss some infected files) and perform a search and replace on the code.
Alternatively if you are a little bit more aufait with the internets you could make a few adjustments to your apache configuration (if you are using apache, and you should be ;D) to block access to the admin area from anywhere but the local network:
<Directory “/var/www/path/to/your/webshop/admin-directory”>
AllowOverride Limit
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128 <Your “LAN”-SUBNET here>
Options -Indexes
satisfy all
</Directory>
This tells apache to block access to the admin section from anywhere but
127.0.0.0/255.0.0.0 (IPv4 Local Host) ::1/128 (IPv6 Local Host) and your ”LAN”-subnet, and to not create indexes (ie directory listings) for any directories below this. Then used a bit of bash-scripting to automate finding and cleaning the .php files:
<?php
for file in `grep -iRl “<\? \/\*\*\/eval(base64.*\?>” /var/www/* | sed
-e ‘s/[[:space:]]/\\ /g’`;
do
vim “$file” -c”:%s/<? \/\*\*\/eval(base64.*?>\n//” -c”x”;
echo done “$file”;
done
?>
The lines explained:
for file in `grep -iRl “<\? \/\*\*\/eval(base64.*\?>” /var/www/* | sed
-e ‘s/[[:space:]]/\\ /g’`;
Find any file on the webserver that has the base64 encoded crap in it
vim “$file” -c”:%s/<? \/\*\*\/eval(base64.*?>\n//” -c”x”;
open the file found above in vim, do a search and replace for the
base64 encoded stuff, and save the file
echo done “$file”;
Let me know which one you’ve done.
do and done are part of the loop setup
DISCLAIMER: I tested this on *my* setup, but that will not guarantee it will work for anyone else’s, so make a backup, and check everything after it is done. This will not work properly if the full filename contains spaces!
There we are, now what?
So, now you’ve learned how to get rid of the nastieness on your own website, it would be a neighbourly thing to let other people who are infected know that they are. You don’t have to contact every one that your site links to, but at least let a few people know about it, and hopfully they’ll take action and in the process tell a few more people.
