richm9999, posted July 25, 2018 (edited):
[redacted]
Edited July 26, 2018 by requinix
requinix, posted July 26, 2018:
Do you think it makes sense to post something you know to be malicious on a public forum? Are you trying to share it with anyone who comes along? It's bad, 'nuff said. I actually would explain what it did except my virus scanner picked it up and removed it, and after I had edited it out of your post.
If you think you've been compromised then your entire website and database are suspect. Trash it all and restore from backups. Then audit your code with a fine-toothed comb.
richm9999, posted July 26, 2018 (author):
Sorry, I had seen another post where someone had done the same thing and thought it was ok. So far we believe the attacks have been unsuccessful as we caught them quickly. They tried SQL injection on our forms that did not work. The only success they had was uploading a file via an image upload in a form. But as far as we can tell that file was never processed. The only question remaining is knowing what this file was trying to do so we can check if it was processed and was successful. If I upload the file could you tell me what it was trying to do? Let me know. And, again, sorry for posting that code.
Thanks, Rich
requinix, posted July 26, 2018:
29 minutes ago, richm9999 said:
"Sorry, I had seen another post where someone had done the same thing and thought it was ok."
It's not against the rules per se, it's just not a good thing. Which post?
29 minutes ago, richm9999 said:
"So far we believe the attacks have been unsuccessful as we caught them quickly. They tried SQL injection on our forms that did not work. The only success they had was uploading a file via an image upload in a form. But as far as we can tell that file was never processed. The only question remaining is knowing what this file was trying to do so we can check if it was processed and was successful. If I upload the file could you tell me what it was trying to do?"
If you really must know you can PM me. But I can tell you they all work the same way: a bit of built-in functionality, but mostly the ability to run arbitrary code passed in through the request.
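The question Rich is really asking ("was the file that came in through the image upload ever executable PHP?") can be answered for every file in the upload directory, not just the one he saw. The script below is an added example, not code from this thread or from either poster: it checks whether a file begins with a real PNG/JPEG/GIF signature and whether it carries a PHP open tag or one of the functions web shells use to run request-supplied code. The sample files it scans are constructed in a temporary directory, and the signature list and the function-name list are illustrative choices, not a complete set. It assumes GNU/Linux userland (`grep -a`, `head -c`, `od`).

```shell
#!/bin/sh
# Added example: triage for files that arrived through an "image upload"
# form. Not part of the thread; every file and path below is constructed.

# 0 if the first bytes carry a PNG, JPEG or GIF signature; 1 otherwise.
# Magic bytes are checked instead of the extension or Content-Type
# header, because the uploader controls both of those.
image_magic_ok() {
    sig=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        89504e470d0a1a0a*) return 0 ;;     # PNG
        ffd8ff*)           return 0 ;;     # JPEG
        474946383[79]61*)  return 0 ;;     # GIF87a / GIF89a
        *)                 return 1 ;;
    esac
}

# 0 if the file contains a PHP open tag or a function that web shells
# lean on to execute request-supplied code; 1 if nothing matched.
# grep -a forces text matching even though the file starts with binary.
php_payload_found() {
    LC_ALL=C grep -a -q -E \
        '<\?([[:space:]]|php|=)|(^|[^[:alnum:]_])(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|base64_decode|gzinflate|str_rot13)[[:space:]]*\(' \
        "$1"
}

# Print a verdict line for one file; return 0 only when nothing was found.
scan_upload() {
    if ! image_magic_ok "$1"; then
        verdict="SUSPICIOUS (no PNG/JPEG/GIF signature)"
    elif php_payload_found "$1"; then
        verdict="SUSPICIOUS (image header followed by PHP code)"
    else
        verdict="clean"
    fi
    printf '%-48s %s\n' "$verdict" "$1"
    [ "$verdict" = clean ]
}

# --- Demonstration on constructed files (not real uploads) ---------------
DEMO_DIR=$(mktemp -d)
printf '\211PNG\r\n\032\n' > "$DEMO_DIR/clean.png"        # genuine PNG signature
cp "$DEMO_DIR/clean.png" "$DEMO_DIR/polyglot.png"         # signature, then code
printf '<?php eval(base64_decode("")); ?>\n' >> "$DEMO_DIR/polyglot.png"
printf '<?php phpinfo(); ?>\n' > "$DEMO_DIR/renamed.jpg"  # script with a .jpg name

for f in "$DEMO_DIR"/*; do
    scan_upload "$f" || :
done
```

A hit is a reason to pull the file apart, not proof on its own; a miss proves little, because an encoded payload need not contain any of these names in clear text. The controls that actually close the hole are independent of detection: store uploads outside the web root, serve them through a handler that never executes them, and re-encode the image on receipt so that anything trailing the pixel data is discarded.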
richm9999, posted July 26, 2018 (author):
How do I PM you?
richm9999, posted July 26, 2018 (author):
I see how to message you, but I don't see how to attach the code, as it is text, not one of the accepted file types.
richm9999, posted July 26, 2018 (author):
I could paste the code into the message box again. Is that ok in a PM?
gizmola, posted July 26, 2018:
No, we don't want an active virus uploaded to our forum, which could then lead to someone downloading it and becoming infected. What type of file is it? If it isn't a *nix script or PHP script, then that is out of scope for our forum. If it's a PHP script, then it would be possible for you to cut some snippets of the code and put them into a code block for investigation, but I've also found that these scripts typically use obfuscation techniques like decrypting an encrypted payload, and surface investigation isn't valuable.
requinix, posted July 26, 2018:
It was an obfuscated PHP script.
gizmola, posted July 28, 2018:
This very much depends on the server OS, and how you have configured things, but typically what these scripts do (and virus isn't usually the right description) is that they rootkit your server. The rootkit strategy is to replace important OS programs with versions that have backdoors installed. They will replace the ssh programs, login etc. They next replace tools that are typically used to find them like ps, top and ls. A frequent strategy is to then run a customized or scripted IRC client that will attach to a control channel. At that point your server becomes a node that they can utilize in their botnet and use it to participate in DoS attacks, VPN endpoints, spam distribution and whatever they want.
For this reason there are tools like tripwire that exist which fingerprint everything on the server and let you know what has changed. I can't speak to every OS, but for example, in the Red Hat ecosystem (which includes Fedora and CentOS) the traditional package management is done via rpm. Rpm comes with a fingerprint/verification feature, rpm -V {package}. The first thing you need to figure out is if rpm itself was replaced, but even if it was, if you know what you are doing you can get the original package and use it to reinstall the compromised package. At any rate the idea is that if you have a tool that can tell you if things have changed, you can find out exactly what was overwritten and replace those compromised files with the originals from the distribution.
This is all meant as general information to give you an idea of the strategies the rootkits employ. If they've managed to accomplish replacement, you are in big trouble, and you can assume that they have full access to that machine, and may also have used it to compromise other machines that may have trust via keys. You can also assume that they are keylogging and sending logs of everything you typed on the compromised machine.
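gizmola's description of tools that "fingerprint everything on the server and let you know what has changed" comes down to two operations: record a manifest of hashes while the box is known-good, then recompute and diff. The script below is an added example, not code from this thread, from tripwire or from rpm; it implements that baseline-and-verify core in POSIX shell and runs it against a constructed directory tree standing in for /bin and /sbin (plain text files, not real binaries). It assumes GNU coreutils (`sha256sum`, `mktemp`, `find`).

```shell
#!/bin/sh
# Added example: a minimal tripwire-style baseline-and-verify check.
# Not part of the thread; the tree below is constructed stand-in data,
# not real system binaries. Assumes GNU coreutils (sha256sum, mktemp).

# Write a manifest for every regular file under $1 to stdout:
# "<sha256>  ./relative/path", one per line, sorted for stable diffs.
fingerprint_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# Compare the tree under $1 with the manifest $2. Print one line per
# difference (ADDED / CHANGED / REMOVED) and return 1 if any were found,
# 0 if the tree still matches the baseline.
verify_tree() {
    current=$(mktemp)
    fingerprint_tree "$1" > "$current"
    report=$(awk '
        # A sha256sum line is 64 hex chars, two spaces, then the path,
        # so the path starts at column 67 even if it contains spaces.
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
                            { cur[substr($0, 67)]  = $1 }
        END {
            for (p in base) if (!(p in cur)) { print "REMOVED\t" p }
            for (p in cur) {
                if (!(p in base))           { print "ADDED\t" p }
                else if (cur[p] != base[p]) { print "CHANGED\t" p }
            }
        }' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# --- Demonstration on a constructed tree (stand-ins for /bin and /sbin) --
DEMO_ROOT=$(mktemp -d)
DEMO_BASELINE=$(mktemp)
mkdir -p "$DEMO_ROOT/bin" "$DEMO_ROOT/sbin"
for name in bin/ps bin/ls bin/top sbin/sshd; do
    printf 'original contents of %s\n' "$name" > "$DEMO_ROOT/$name"
done

# 1. Take the baseline while the tree is known-good; keep it off the box.
fingerprint_tree "$DEMO_ROOT" > "$DEMO_BASELINE"

# 2. Simulate what a rootkit install leaves behind.
printf 'trojaned replacement\n' > "$DEMO_ROOT/bin/ps"   # swapped binary
printf 'dropped file\n' > "$DEMO_ROOT/sbin/.extra"      # new hidden file
rm "$DEMO_ROOT/bin/top"                                 # deleted tool

# 3. Verify: any output means the tree no longer matches the baseline.
verify_tree "$DEMO_ROOT" "$DEMO_BASELINE" || echo "integrity check FAILED"
```

The baseline is only worth what its storage is: if the manifest sits on the same machine, whoever replaced ps can rewrite it too, so keep the manifest and the verifier on read-only media or another host, and run the check from a trusted rescue environment rather than with the possibly replaced `find` and `sha256sum` on the suspect box. On rpm-based systems `rpm -Va` does the same comparison against the digests recorded in the package database; each reported line carries a flag string in which `5` marks a digest mismatch, `S` a size change and `M` a mode change, which is exactly the evidence gizmola is describing, subject to his caveat that rpm itself and its database may have been tampered with.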
richm9999, posted July 28, 2018 (author):
Wow. Thanks.