PHP Exploits

[malaprop]

Just had a problem with the company website, Google was reporting it as dangerous. The Safe Browsing diagnostic page said the malicious software included 11 scripting exploits and 7 trojans. I downloaded the entire public directory to a laptop with mbam 1.41, db v3198 on it and scanned it several times. Mbam did not find anything. After opening a ticket with the hosting provider, I learned that they disabled 2 exploits, same file, 2 locations /public/images/gifimg.php and /public/web/images/gifimg.php. When I uploaded the file to virustotal and only one (Sophos) scanning engine found Troj/PHPMod-C. Looks like it may be a Gumblar residual/variant. Should mbam have picked that up? (neither sas or mse caught it)

Also, the IP Protection blocked it. Not that thats a surprise. (but I did wonder how it picked that up so quick) Ive put in an Incorrect Forgery Alert to Google, dont know how that takes to go through. The IP protection is still blocking it but when it pops up with the IP address in it, the address is wrong. It displays 195.47.247.178 which is in Denmark. In a browser, it opens a page with "This domain is not yet ready - Please try again later. Hosted by One.com" on it. That is miles from the IP of my site. Whats up with that?

Thank you. Thank you very much.

[GT500]

Possibly malicious code injected into your site that is trying to load something from that IP. I'll point Steven to this, and we'll see if he has any thoughts.

[MysteryFCM]

Apologies for taking so long.

I've got 3 records of exploits on 3 different domains on 195.47.247.178. Could you give me your sites IP please?

[malaprop]

Apologies for taking so long.

I've got 3 records of exploits on 3 different domains on 195.47.247.178. Could you give me your sites IP please?

64.29.145.73 but its on shared hosting, not dedicated.

Also, any thoughts on my first question regarding the scan?

[MysteryFCM]

I actually wrote about that infection on my blog not so long ago;

http://hphosts.blogspot.com/2009/05/martuz...press-does.html

It's important to note, gifimg.php is usually NOT the only infected file present, so I'd urge you to go through the rest of the files content to ensure it's as it should be (if you need any help, feel free to ask)

The IP you posted currently has at two sites with exploits on them according to my records, however, the IP itself is not blocked by us as there's far too many legit non-infected sites present.

[malaprop]

Yes, your posting was what got me onto the Gumblar trail

What should I use to scan a copy of my public folder to verify that it is clean before I upload it back? The site is hosted on a Linux box but since its shared hosting, I cant scan it myself with something like clamd. I need a Windows app that I can trust to be effective so I can scan it on my pc first.

[MysteryFCM]

I'd not actually suggest scanning it with anything. I'd instead strongly urge you go through the files manually. This may take longer, but it's far better.

[malaprop]

How does one do that?

[GT500]

How does one do that?

Having a website, I assume you know how to edit HTML and/or PHP? If so, look through each HTML and PHP file to verify that changes have not been made to them.

Virus scanners can sometimes find the malicious scripts, iframes, etc. but you don't want to rely on them, as they only find what they already know is bad.

[malaprop]

Its the company website. I'm the just the lowly sysadmin. I'm not involved in the day to day upkeep/updating of the site, I rarely even look at it. Managing the Windows 2008 Domain Controllers, Terminal Servers, Exchange 2007 and LAN/WAN for 150 users pretty much punches my dance card. The site was professionally built some time ago; maintenance and updating consists of not much more than uploading documents and images to the desired directories. FrontPage a la Filezilla. My recreational HTML editing skills are intermediate at best and thats pushing it. I wouldnt know PHP if I sat on it, which is ok because there isnt (supposed to be) any PHP on it.

So when the guy that does it tells me theres a problem with the site, I look at it. Yup, that would be a problem. So now I have to clean it up, upload a 'certified clean' copy and then explain a few common sense security procedures and enforce them. Of course this would be much simpler if Google would follow through on the Review Request I submitted almost 72 hours ago. Through Google's Webmaster Tools, I scanned it with Norton Websafe-clean, Unmask Parasites' report mentions an "external reference" about a Belgian Porsche dealer and Dasient's Web Anti-Malware shows it clean but had several "possible sensitive directories".

So I guess that kinda leaves me in limbo until Google does what its supposed to do...

[MysteryFCM]

I'll be happy to help if required?

[malaprop]

I'll be happy to help if required?

Thank you very much. I posted to Googles Webmasters Tools help group inquiring as to the status of my request, I'll let you know if a I get a response.

Any opinion on Norton Websafe, Unmask Parasites and Dasient's Web Anti-Malware?

[tedivm]

One of the things to pay attention to with this is the handling of the GIF files themselves. The gif format begins with a header thats in ascii, meaning that if your server isn't locked down in what it considers a script file, or one of the php programs on your site is sloppy in its handling of files, php embedded in an otherwise perfectly usable image could be run.

The best way to deal with your current depends greatly on your setup. These guys are right when they say going through everything is needed, and a pain. If you're running something like Wordpress you should just wipe the directory completely (but not the database!) and do a fresh install of the same version you're running. From there just update (always always always keep your program up to date!).

If its not boxed code (something inhouse/custom) then you're going to need to audit your code base. Its not necessarily the fault of the in house devs, as even the most experienced companies get exploited (gmail had an XSS sploit a while back). Even still, its a good excuse to look at the in house dev process to make sure all the tools are available (source control, bug tracking) and the developers are proactive about keeping up with the latest security issues.

Finally, you as a sys admin can put some protections in place yourself. There are a lot of http-level firewalls (such as mod_security for Apache) that will block potential attacks and even uploaded scripts from going through. These can be very useful, although for more complex sites (such as a forum where people are constantly posting malware discussions and infection logs . . . .) it can require a bit of tweaking.