Do you think it makes sense to post something you know to be malicious on a public forum? Are you trying to share it with anyone who comes along?

It's bad, 'nuff said. I actually would explain what it did except my virus scanner picked it up and removed it, and after I had edited it out of your post.

If you think you've been compromised then your entire website and database are suspect. Trash it all and restore from backups. Then audit your code with a fine-toothed comb.

Sorry, I had seen another post where someone had done the same thing and thought it was ok.

So far we believe the attacks have been unsuccessful as we caught them quickly. They tried SQL injection on our forms that did not work. The only success they had was uploading a file via an image upload in a form. But as far as we can tell that file was never processed.

The only question remaining is knowing what this file was trying to do so we can check if it was processed and was successful.

If I upload the file could you tell me what it was trying to do?

Let me know. And, again, sorry for posting that code.

Thanks,

Rich
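The upload described in the post above (an image form that accepted a file which was not an image) is the usual way these scripts arrive. The handler below is an added example, not code from this thread or from the poster's site, of how an image upload is accepted so that a non-image is refused and anything that does get stored can never be executed. It assumes PHP 8 with the GD extension, a storage directory outside the document root (the `$storeDir` parameter is a placeholder), and that stored images are served back through a separate read-only script rather than by path.

```php
<?php
// Added example (not from this thread): a hardened image upload handler.
// Assumptions: PHP 8 + GD; $storeDir lies outside the web root and has no
// PHP handler mapped to it; files are served by a separate reader script.

declare(strict_types=1);

const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

function storeUploadedImage(array $file, string $storeDir): string
{
    // 1. Accept only a file PHP itself received via HTTP POST, with no error.
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 2. Decide the type from the bytes, never from the client-supplied
    //    filename or Content-Type ($file['name'], $file['type']).
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        throw new RuntimeException('not a supported image');
    }
    $ext = ALLOWED[$info[2]];

    // 3. Re-encode through GD so bytes appended after a valid image
    //    (a PHP payload glued onto a real JPEG, for example) are dropped.
    $img = match ($info[2]) {
        IMAGETYPE_JPEG => @imagecreatefromjpeg($file['tmp_name']),
        IMAGETYPE_PNG  => @imagecreatefrompng($file['tmp_name']),
        IMAGETYPE_GIF  => @imagecreatefromgif($file['tmp_name']),
    };
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }

    // 4. Server-chosen name: no user input, no path, no double extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storeDir, '/') . '/' . $name;

    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0640); // readable by the web user, never executable
    return $name;
}

// Usage in the form handler (hypothetical field name and directory):
// $stored = storeUploadedImage($_FILES['photo'], '/var/app/uploads');
```

The re-encode in step 3 is the part that matters most for the question in the thread: even if a webserver misconfiguration later treated the stored file as PHP, there is nothing of the attacker's bytes left in it to run. Whether the original file "was processed" on the real site still has to be answered from the webserver access logs for the path it was stored under.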

29 minutes ago, richm9999 said:

Sorry, I had seen another post where someone had done the same thing and thought it was ok.

It's not against the rules per se, it's just not a good thing.

Which post?

29 minutes ago, richm9999 said:

So far we believe the attacks have been unsuccessful as we caught them quickly. They tried SQL injection on our forms that did not work. The only success they had was uploading a file via an image upload in a form. But as far as we can tell that file was never processed.

The only question remaining is knowing what this file was trying to do so we can check if it was processed and was successful.

If I upload the file could you tell me what it was trying to do?

If you really must know you can PM me. But I can tell you they all work the same way: a bit of built-in functionality, but mostly the ability to run arbitrary code passed in through the request.

No we don't want an active virus uploaded to our forum, which could then lead to someone downloading it and becoming infected.

What type of file is it?  If it isn't a *nix script or PHP script, then that is out of scope for our forum.   If it's a PHP script, then it would be possible for you to cut some snippets of the code and put them into a code block for investigation, but I've also found that these scripts typically use obfuscation techniques like decrypting an encrypted payload and surface investigation isn't valuable.


This very much depends on the server OS, and how you have configured things, but typically what these scripts do (and virus isn't usually the right description) is that they rootkit your server.  The rootkit strategy is to replace important OS programs with versions that have backdoors installed.  They will replace the ssh programs, login etc.

They next replace tools that are typically used to find them like ps, top and ls.  

A frequent strategy is to then run a customized or scripted irc client that will attach to a control channel.  At that point your server becomes a node that they can utilize in their botnet and use it to participate in DoS attacks, vpn endpoints, spam distribution and whatever they want.

For this reason there are tools like Tripwire that exist which fingerprint everything on the server and let you know what has changed.  I can't speak to every OS, but for example, in the Red Hat ecosystem (which includes Fedora and CentOS) the traditional package management is done via rpm.  rpm comes with a fingerprint/verification feature rpm -V {package}.

The first thing you need to figure out is if rpm itself was replaced, but even if it was, if you know what you are doing you can get the original package and use it to reinstall the compromised package.  At any rate the idea is, that if you have a tool that can tell you if things have changed, you can find out exactly what was overwritten and replace those compromised files with the originals from the distribution.

This is all meant as general information to give you an idea of the strategies the rootkits employ.   If they've managed to accomplish replacement, you are in big trouble, and you can assume that they have full access to that machine, and may also have used it to compromise other machines that may have trust via keys. You can also assume that they are keylogging and sending logs of everything you typed on the compromised machine.
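The post above explains the principle behind rpm -V and Tripwire: record a fingerprint of every file while the system is known-good, then compare later to see what was overwritten or added. The script below is an added example, not code from this thread or from either tool, of the same idea written in PHP so it can be pointed at a web root as easily as at /usr/bin. It reports differences using the same single-letter flags rpm -V prints (5 digest, S size, M mode, T mtime). It assumes the baseline file is written while the tree is clean and kept off the server, because a baseline the intruder can rewrite proves nothing, and, as the post says, a checker run on a box whose tools are already replaced may itself be lied to, so the verify step belongs on a clean boot or from a trusted host with the disk mounted.

```php
<?php
// Added example (not from this thread): a minimal file-fingerprint checker
// in the spirit of rpm -V / Tripwire. Assumption: the baseline is produced
// on a known-good tree and stored off the server or on read-only media.

declare(strict_types=1);

/** Walk $root and record digest, mode, size and mtime for every regular file. */
function fingerprintTree(string $root): array
{
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        if (!$f->isFile()) {
            continue;
        }
        $path = $f->getPathname();
        $out[$path] = [
            'sha256' => hash_file('sha256', $path),
            'mode'   => sprintf('%04o', $f->getPerms() & 07777),
            'size'   => $f->getSize(),
            'mtime'  => $f->getMTime(),
        ];
    }
    ksort($out);
    return $out;
}

/** Compare two fingerprints; flags follow rpm -V: 5 digest, S size, M mode, T mtime. */
function diffBaseline(array $baseline, array $current): array
{
    $report = ['changed' => [], 'added' => [], 'removed' => []];
    foreach ($current as $path => $cur) {
        if (!isset($baseline[$path])) {
            $report['added'][] = $path;   // e.g. a dropped web shell or new binary
            continue;
        }
        $base = $baseline[$path];
        $flags = '';
        if ($base['sha256'] !== $cur['sha256']) $flags .= '5';
        if ($base['size']   !== $cur['size'])   $flags .= 'S';
        if ($base['mode']   !== $cur['mode'])   $flags .= 'M';
        if ($base['mtime']  !== $cur['mtime'])  $flags .= 'T';
        if ($flags !== '') {
            $report['changed'][$path] = $flags;   // e.g. a replaced ps, ls or sshd
        }
    }
    foreach (array_keys($baseline) as $path) {
        if (!isset($current[$path])) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

// CLI usage (hypothetical paths):
//   php integrity.php baseline /var/www/html > baseline.json
//   php integrity.php verify   /var/www/html baseline.json
if (PHP_SAPI === 'cli' && isset($argv[1], $argv[2])) {
    [$cmd, $root] = [$argv[1], $argv[2]];
    if ($cmd === 'baseline') {
        echo json_encode(fingerprintTree($root), JSON_PRETTY_PRINT), "\n";
    } elseif ($cmd === 'verify' && isset($argv[3])) {
        $baseline = json_decode(file_get_contents($argv[3]), true);
        $report = diffBaseline($baseline, fingerprintTree($root));
        foreach ($report['changed'] as $p => $flags) echo str_pad($flags, 8) . " $p\n";
        foreach ($report['added']   as $p)           echo "added    $p\n";
        foreach ($report['removed'] as $p)           echo "removed  $p\n";
        exit(($report['changed'] || $report['added'] || $report['removed']) ? 1 : 0);
    }
}
```

A digest-only mismatch ("5") with an unchanged mtime is the signature worth looking at first: a legitimate update normally bumps the timestamp, while a rootkit that wants to hide from ls -l will often copy the original mtime back onto the replaced binary.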
