• I visited my WP 2.9.2 site today to get a warning about my site having malware associated with it. Looking at the source, I see a script entry in the HTML body going to https://zettapetta.com/js.php

    Looking at the index.php file, I see that the first line has been hacked with an eval command and a lot of garbage that obviously comprises part of the hack. The timestamps of a lot of WP files have been changed, indicating that they were modified sometime yesterday afternoon.

    Anyone else seen this hack yet; is there a fix? I only found one or two mentions of this online, but all my plugins are up to date and I’m not sure how to ensure this won’t happen again after I do a restore from backup on the site.

    Thanks,
    Matt

Viewing 15 replies - 136 through 150 (of 187 total)
  • I can see permissions and owner only after I restore the file. I don’t know if they change after restoration.
    Anyway permissions are 644
    owner is the same as every other file. <hosting account name>:inetuser

    FYI to all infected by the base64 code:

    I’ve had two sites hit by this attack 3 separate times, each about one week apart. Here are some facts:

    > It seems to affect only PHP files. As far as I can tell, the database is not affected.

    > It hits both WordPress and non WordPress sites. One of my sites is a simple HTML site with one PHP file to process a contact form. That one file gets hit same as the blog site.

    > Changing your passwords won’t help. I have long, complex passwords for my host, login, database, and FTP, and the hack blows right past them.

    > Changing your Admin to some other username won’t help.

    > All the normal security measures won’t help. I hired a security consultant who specializes in WordPress and he locked down my sites hard, and none of it stopped the attack. Firewall, hiding the login page, hiding the WP version number, you name it, about 20 or 25 changes and nada. Didn’t make any difference.

    > Changing hosts won’t help. I’m with GoDaddy, who is admittedly in total denial about this and blaming everything on users not upgrading, but I know people on other hosts who are having the same issue.

    > Upgrading to the latest version of WP won’t help. I have always upgraded immediately when new versions have been released. I was on the latest all three times when my sites were hacked. So that explanation is invalid.

    > A tech friend decoded some of the base64 and said it was coming out of China.

    > One article I read about this claims it’s an exploit on the PHP Admin panel used by GoDaddy and many other hosts. I don’t know if this is true, but if it is, then hosts are responsible for not finding this hole and fixing it or not upgrading to a better admin panel.

    Personally, I’ve settled in to expect this attack until someone finds the issue and does something about it. I can now fix my sites in about 10 minutes each. Here’s how:

    I backup frequently and ALWAYS have a complete database backup AND a total backup of every file on both my sites on my personal computer. If the worst happens, I can restore from these.

    But since I am with GoDaddy, I use their “history” feature in the file manager. When I see that my sites are infected, I delete every PHP file in the root directory and delete ALL WP folders. Then I go back a day with the history feature and restore all these files. This takes just a few minutes. Done. Problem solved…until the next hack.

    @nikosd66:
    >I can see permissions and owner only after I restore the file.
    >I don’t know if they change after restoration.

    I guess they change. So now this info is not reliable.

    By the way, what is the directory permissions?

    Here is what i found out:
    At the time the infection took place, all .php files were infected. As you can see from the malicious code, only PHP files are supposed to change.
    The only file that remained uninfected was configuration.php, and that is because it had permissions 444.
    All files with permissions 705 or 644 (index.php etc.) were infected.
    So the hacker acts like the owner of the files.
    The conclusion is that if you don’t give write permissions to PHP files then you’ll stay clean. Maybe setting permissions to 555 or 544 is the solution?
    Can anyone here tell me if this is going to affect the effectiveness of the site?
    By the way @useshots, directory permissions were drwx---r-x
    and after I double checked, this joined_lemmie.php malicious file has permissions 644. That’s for sure.

    In my case, if I set file permissions to 555 or 544 I get a 500 error… hosted at GoDaddy

    Ok, I ran many tests.
    I have a dedicated server. I was trying to run the hacker’s script through the browser. With all possible file permissions except 777, it is not possible to change the PHP files.
    I was able to change PHP files (regardless of what the permissions are) only by running the script through SSH with superuser permissions (root).
    However, this doesn’t happen with a shared hosting account. There, running the script from a browser changes .php files with all combinations of permissions except when write is not allowed at all.
    Besides, in shared hosting using SSH, the script doesn’t change anything. It has no effect, as the hosting provider doesn’t allow you to log in as superuser (root).
    Using the hacker’s script, I wrote a script that checks if PHP files in a website are infected with this certain malicious code and removes it.
    The script reports how many files were infected and from how many of them the malicious code was successfully removed (because if files are not writable the code can’t be removed, although the hacker could infect them).
    I tested this script exhaustively using many combinations of dirs/subdirs and file permissions and it looks like it’s working fine.
    Maybe using it with a cron or something (I’m not an expert in this field) is a good option.
    I’ll give you a link here where you can download it.
    It is a .zip file. You have to unzip it and upload it to your root directory. Then run the file using your browser.
    Here is the link
    (If the hacker changes the way the malicious code is written, then this script becomes of no use unless edited accordingly)
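The two posts above (the observation that only the 444 file survived while 644/705 files were rewritten, and the description of a checker that strips the injected code and counts what it could not fix) are the basis for the following added example. It is not the poster's script and is not from the original thread; it is a Python re-implementation of the same idea. Assumptions, also marked in the code: the injected prefix is taken to be a leading `<?php /**/eval(base64_decode("..."));?>` block, which the thread only describes as "an eval command and a lot of garbage" on the first line; the demo site tree, its file names and the base64 string (which decodes to an inert `if(!isset($_COOKIE)){}`) are constructed for the example; and `harden=True` applies the chmod 444 idea from the earlier post.

```python
import os
import re
import tempfile

# ASSUMPTION: the injected prefix is a leading
#   <?php /**/eval(base64_decode("..."));?>
# block; the thread only says "an eval command and a lot of garbage" on line 1.
# If the attacker changes the encoding this pattern must be adjusted.
INJECTION_RE = re.compile(
    rb'\A<\?php\s*(?:/\*.*?\*/\s*)*eval\s*\(\s*base64_decode\s*\(\s*'
    rb'["\'][A-Za-z0-9+/=\s]+["\']\s*\)\s*\)\s*;\s*\?>[ \t]*\r?\n?',
    re.DOTALL,
)


def strip_injection(data):
    """Return (cleaned_bytes, was_infected) for the bytes of one .php file."""
    m = INJECTION_RE.match(data)
    if m is None:
        return data, False
    return data[m.end():], True


def scan_tree(root, clean=True, harden=False):
    """Walk root, find infected .php files, strip the prefix where the file is
    writable, and (with harden=True) chmod every writable .php file to 0444 so
    an injector running as the file owner cannot touch it again."""
    report = {"scanned": 0, "infected": [], "cleaned": [], "unwritable": [], "hardened": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            report["scanned"] += 1
            with open(path, "rb") as fh:
                cleaned, infected = strip_injection(fh.read())
            if infected:
                report["infected"].append(path)
                if not os.access(path, os.W_OK):
                    # Could not be cleaned by this account; whoever wrote it had
                    # more than this account's rights (or the mode changed since).
                    report["unwritable"].append(path)
                elif clean:
                    with open(path, "wb") as fh:
                        fh.write(cleaned)
                    report["cleaned"].append(path)
            if harden and os.access(path, os.W_OK):
                os.chmod(path, 0o444)
                report["hardened"].append(path)
    return report


def build_demo_tree():
    """Constructed sample site (not real data) mirroring the thread: three
    injected files, one of them read-only like the 444 configuration.php that
    survived, plus one clean theme file and one non-PHP file."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.makedirs(os.path.join(root, "wp-content", "themes", "demo"))
    # Placeholder payload; the base64 decodes to the inert "if(!isset($_COOKIE)){}".
    payload = b'<?php /**/eval(base64_decode("aWYoIWlzc2V0KCRfQ09PS0lFKSl7fQ=="));?>\n'
    files = {
        "index.php": payload + b"<?php\nrequire './wp-blog-header.php';\n",
        "wp-config.php": payload + b"<?php\ndefine('DB_NAME', 'wp');\n",
        "contact.php": payload + b"<?php\nmail('me@example.com', 'contact', $_POST['msg']);\n",
        "wp-content/themes/demo/functions.php": b"<?php\n// clean theme file\n",
        "style.css": b"body { margin: 0; }\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "wp-config.php"), 0o444)
    return root


if __name__ == "__main__":
    result = scan_tree(build_demo_tree(), clean=True, harden=True)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it as the hosting account owner over the document root. A file reported as infected but unwritable is the interesting case: this account could not have written it, so either the injector ran with more rights than the account (the root case from the dedicated-server test above) or the mode was changed afterwards. Making .php files 444 stops an injector that writes as the file owner, but it also stops WordPress's built-in updater and plugin installer until the modes are restored. The pattern is deliberately narrow; as the post says, a change in the encoding defeats it.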

    Permissions with 5’s, 7’s and 3’s are not required for files since the web server doesn’t need the “execution” permission.

    In case of the dedicated server, you must have your web server working with Apache permissions. In case of GoDaddy, they have something like suexec (I believe) and scripts are executed with your user permissions.

    At this point, if you are right about permissions, it looks like the hackers either use some vulnerability in the scripts you use under your account (this would explain why they can create files in your directories), or know some server vulnerability that allows them to gain the permissions of any user.

    I just found in my log files the IP that ran this malicious script file on the date of infection.
    I did a search and I found the website too.
    Is it ok to post it here?
    Maybe hacker uses an IP of innocent people?
    What are you suggesting?

    This morning i found this file in the root of my Godaddy hosting:

    lune_johnette.php

    The hacker put this file…

    I deleted it and I don’t think there are any changes in my files…

    The problem is not resolved…
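Added example, not from the thread and not any poster's script: hunting the access log for the dropper, as the post above that found the attacker's IP did by hand, and for the file named in the post just before this one. It assumes the Apache/nginx "combined" log format and a naming pattern inferred from the two file names seen in the thread (joined_lemmie.php, lune_johnette.php: two lowercase words joined by an underscore at the document root). The log lines are constructed, and 203.0.113.7 and 198.51.100.23 are documentation-range addresses, not real attackers.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access log line; the trailing referer/agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# ASSUMPTION: dropper file names follow the two names seen in the thread
# (joined_lemmie.php, lune_johnette.php): two lowercase words joined by an
# underscore, at the document root. Core WordPress files use hyphens
# (wp-login.php, wp-cron.php), so they do not match.
DROPPER_RE = re.compile(r'^/[a-z]+_[a-z]+\.php$')

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt_droppers(log_text):
    """Split dropper-looking requests into those that executed (2xx) and those
    that were only attempted, and index them by source IP."""
    hits = {"executed": [], "attempted": [], "by_ip": defaultdict(list), "unparsed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            hits["unparsed"] += 1
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string before matching
        if not DROPPER_RE.match(path):
            continue
        rec["path"] = path
        bucket = "executed" if rec["status"].startswith("2") else "attempted"
        hits[bucket].append(rec)
        hits["by_ip"][rec["ip"]].append(rec)
    hits["by_ip"] = dict(hits["by_ip"])
    return hits


def first_execution(hits):
    """Timestamp of the earliest successful dropper request: a lower bound on the
    window of files to restore from backup. Compared as datetimes, so the log
    need not be in order."""
    if not hits["executed"]:
        return None
    earliest = min(hits["executed"], key=lambda r: datetime.strptime(r["ts"], TS_FORMAT))
    return earliest["ts"]


# Constructed sample log (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2010:03:12:45 -0700] "POST /joined_lemmie.php?run=1 HTTP/1.1" 200 58 "-" "Mozilla/4.0"
198.51.100.23 - - [16/May/2010:08:01:02 -0700] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [16/May/2010:03:12:44 -0700] "GET /joined_lemmie.php HTTP/1.1" 200 11 "-" "Mozilla/4.0"
198.51.100.23 - - [16/May/2010:08:01:03 -0700] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [17/May/2010:02:47:10 -0700] "GET /lune_johnette.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
this line is not a log entry
"""

if __name__ == "__main__":
    found = hunt_droppers(SAMPLE_LOG)
    for ip, recs in found["by_ip"].items():
        print(ip)
        for r in recs:
            print(f"  {r['ts']} {r['method']} {r['path']} -> {r['status']}")
    print("first execution:", first_execution(found))
    print("unparsed lines:", found["unparsed"])
```

A 2xx on such a path means the dropper actually ran, and the earliest such timestamp tells you how far back the restore has to go; a 404 (like the request the later post saw on a host that no longer served PHP) is only an attempt. Treat the source address as something to pivot on in other logs, not as attribution: it is commonly just another compromised host.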

    Yes, it happened all over again at GoDaddy:

    https://blog.sucuri.net/2010/05/continuing-attacks-at-godaddy.html

    Same scripts, same techniques, just a different domain ( losotrana.com ) . We have details on the script they are using here:
    https://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html

    So, if you are at GoDaddy, check your site now.

    Godaddy answer to my new ticket:

    “Thank you for contacting the Hosting Security Team.

    A number of websites running PHP applications, such as WordPress and Joomla, have been affected by malware. These attacks have affected many hosting providers, including Go Daddy. They are a serious threat and we’re committed to eliminating them.

    While transparency is something we value, when Internet users release information about the attacks, such as the code used to create them, it really only helps the hackers. As they gain clues into our investigation, it gives the attackers more power.

    The origin and characteristics of these attacks continue to change from day to day. Thanks to the efforts of our team, we’ve kept the number of affected sites to a minimum (fewer than a tenth of 1 percent of the sites we host). This means we can devote a lot of attention to the compromised websites.

    Your protection is our top priority. Our team of security experts is working around the clock to monitor our systems, investigate incidents and implement counter-measures to neutralize potential threats. You can find information about who is affected, what the attack is, and ways you can fix the problem here: https://community.godaddy.com/godaddy/whats-up-with-go-daddy-wordpress-php-exploits-and-malware/

    Go Daddy appreciates your concern on this critical issue. We’re here to help, and are making every effort to answer your questions and concerns.

    Our goal is to help you keep your website safe and secure”.

    All,

    Start checking your sites. I’ve just seen code enter my sites. Although not running live yet it seems. All seems to have gone in a few hours ago.

    A

    After the last 2 hacks, I moved my hosting to a different provider. In fact I re-did my whole site and it doesn’t even use PHP anymore. The logs of my new web server show a request for “/—–_—–.php”, (I have replaced the actual letters with dashes in case it would identify me.) which of course was unsuccessful (404 error). But it obviously fits the pattern of the Godaddy attacks and happened at the right time. (Middle of the night May 16/17)

    So anyway, it’s plausible that someone created the malicious script on the GoDaddy server (my hosting there is still active for a few more days, though my domain name doesn’t point to it anymore). When they tried to run the script they connected to my new server, which of course failed to work.

    Are we learning yet? I hope so.

    I updated my script to clean up any infected .php file from a site (or subdirectory). Used it last to clean up my entire Drupal site.

    Still anxious on finding a way to avoid the infection.
    We pretty well know what the infection does, what the symptoms are, how to recognize and cure it, but not how to prevent it.. :-((

    Peter

  • The topic ‘2.9.2 site hacked’ is closed to new replies.