Can't get rid of Trojan.PHP-43

Started by Мel, July 13, 2012, 06:02:26 PM


Мel

Well, this is the problem. I can't get rid of the Trojan.PHP-43 - when I do a virus scan from my cPanel it finds it and I destroy it, but some time later it just reappears.
FTP access is switched on only for my single IP address, I've changed passwords and stuff - no effect.
And now some messages on my forum just turn out to be empty :(
Where should I look to kill this trojan once and for all?
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

Colin

Is SMF the only thing you have on your web server? Has your host been of any help?
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Мel

I've got 2 WP blogs and one more SMF on my server, they're all clean, this particular trojan resides only in this one certain forum. Once I caught it in the root directory, but it didn't go anywhere else.
And yes, my host provides no help.

NanoSector

Do you have a lot of mods installed?
Also, what file does it say is infected?
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Мel

There are not many mods, just several, and all of them are from here. I could get a list, if needed.
Infected files are different every time.

NanoSector

Quote from: Мel on July 14, 2012, 05:39:01 AM
There are not many mods, just several, and all of them are from here. I could get a list, if needed.
Infected files are different every time.
Can you attach the file it reports the next time, then, so we can check if anything's wrong with it?

Мel

I've run a scan and it's clear for now. Whenever I'd find a trojan, I'd attach an infected file.

Ricky.

Generally, there are some idiotic figures in this world who maintain lists of sites they hack or infect in their hacking community or forums; users regularly check them and someone cleans or fixes their forum, they again intimate the hacker and then the hacker again tries to hack it. Generally they leave some script which is undetectable to programs, but when they execute it, they get full access to your server through an HTTP based file browser. .. so, it may be clean for now, if it infects again then there must be some hidden script in your files. They even hide them encrypted so that they remain undetected to scanners.. (happened with me.. I have been behind these trolls for a good while).. ~~

Мel

Ricky, so what am I supposed to do about that?

Ricky.

If it appears again then you have to figure out its origin. I had simply deleted everything apart from the db and had even checked the db to see if there was anything unusual, then downloaded everything fresh and uploaded it. Since then I never saw them again. In my site, they came in through an old WP installation.

NanoSector

Quote from: Ricky. on July 14, 2012, 07:35:43 AM
If it appears again then you have to figure out its origin. I had simply deleted everything apart from the db and had even checked the db to see if there was anything unusual, then downloaded everything fresh and uploaded it. Since then I never saw them again. In my site, they came in through an old WP installation.
Which indicates that you need to keep your software updated ;)

SMURF6060

What you have is basically an iframe trojan.

It wrote itself to every single PHP file you have on that server.

Depending on the version, you're more than likely to find it in all the footers of all your PHP files.

If your hosting service provider wasn't compromised, and you didn't give your cPanel/FTP credentials to some third world dirtbag programmer,...you caught the bug by:

1. your machine was/is infected, it gained access to all your saved passwords.
2. you downloaded and installed NULLED scripts-mods-plugins / had work done by someone who used nulled scripts, mods, plugins
3. your SMF theme is the cause.

a. scan your machine multiple times
b. double check the source of anything you installed
c. double check your SMF theme.

The only reason I've included the SMF theme in the equation is for the simple fact that my host a few years back caught it in action in the theme itself (wasn't the SMF script or settings) and immediately changed all file permissions to block it from writing itself to all my PHP files.

Unless you have great service with your plan, your hosting service will not help you (maybe for a fee).

Considering you still haven't solved the issue, you will need to find someone to install / perform a server side scan.

The best way is to delete EVERYTHING off the server..and check for hidden files...as well.

Best if you have root access.


This can also be caused intentionally..with you being a "mark".
How do you know if you're a "mark"?

If your sites are successful enough to the point where you're taking money out of the pockets of your competitor...
An example would be a well placed search engine rank.

But by my logic, that's highly unlikely in your case considering you're on the board asking for assistance when you could have easily taken some of your riches and had a pro clean it.

Quote from: Ricky. on July 14, 2012, 07:06:54 AM
Generally, there are some idiotic figures in this world who maintain lists of sites they hack or infect in their hacking community or forums; users regularly check them and someone cleans or fixes their forum, they again intimate the hacker and then the hacker again tries to hack it. Generally they leave some script which is undetectable to programs, but when they execute it, they get full access to your server through an HTTP based file browser. .. so, it may be clean for now, if it infects again then there must be some hidden script in your files. They even hide them encrypted so that they remain undetected to scanners.. (happened with me.. I have been behind these trolls for a good while).. ~~
It's not hidden per se..it rewrites itself and changes its name.
Huh? You've been behind these trolls?
What part of the con did you play? The savior or the infector?? Or both?

To the O.P.:

Do yourself a favor, this kind of job isn't for an amateur...you need a pro.
Don't waste your money on paying someone unless you are physically able to walk into their office.

The reason I say that is because it takes a high level of skill to clean and chase this bug down. ..and if you're willing to hand over access to your server to an entity over the internet..chances are you're going to get screwed BIG TIME.

Either strip the server down completely..or get a pro...WITH AN OFFICE...in the real world...who doesn't use a Google number  lol.

Best of luck


I think it's best to keep a few personal thoughts to myself. Never mind.

Мel

Ricky
Yeah, I suppose so. Still clean.
But I'm not a master of a DB, that's the problem.

Yoshi2889
My software is pretty much updated. I suppose all this was caused by my specific config, something to do with PHP, there was a message not long ago about this.

SMURF6060
Maybe it's the theme, I use Curve Multi Color by MrGrumpy.  All the access is in my hands, FTP Access set up only for me and my PC is clean.
I don't know anything about a mark - my forum is just a fan community, nothing more, no money involved.
Thanks for your advice.

SMURF6060

Quote from: Мel on July 14, 2012, 04:26:04 PM
SMURF6060
Maybe it's the theme, I use Curve Multi Color by MrGrumpy. All the access is in my hands, FTP access set up only for me and my PC is clean.
I don't know anything about a mark - my forum is just a fan community, nothing more, no money involved.
Thanks for your advice.

I hate to be the grim reaper Mel...you won't have peace of mind till you wipe it all out and start fresh. This will help you out:

Check the dates of any modified files through your FTP.
If you weren't doing any work...and that file isn't read and write and it was modified...you just caught your first footprint.

Submit your site to Google through the "webmaster" product and have Google scan your files for any infections. I think it's under health or scan for malware (risk with that is you get a big fat THIS WEBSITE WILL HARM YOUR COMPUTER label)..but you can use Google to help you out...and you are correct; the darkside is stronger than everyone ;) good luck Mel

P.S. I forgot the theme that got me..but it was from a Turk (not that I'm bashing Turks)..this was like 7 years ago..
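A defender-side way to do the two checks in the post above (spot modified files, then look at their footers) as a script rather than by eye, added here as an example and not code from this thread or from SMF: it compares the live webroot against a fresh, clean download of the same version by SHA-256 and flags any added or changed file whose tail contains markers typical of injected code. The marker list and the sample trees are constructed for the example, and `load_tree` is the only part that touches the filesystem; assumes Python 3.

```python
import hashlib
import os
import re

# Constructed heuristic: markers often found in code appended to PHP file footers.
SUSPICIOUS = re.compile(
    r"<iframe\b|eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(",
    re.IGNORECASE,
)

def load_tree(root):
    """Map each file's path (relative to root) to its bytes; use on the webroot and on a fresh SMF package."""
    tree = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                tree[os.path.relpath(full, root)] = fh.read()
    return tree

def compare_trees(site, clean):
    """Return (added, modified): paths only on the server, and paths whose SHA-256 differs from the clean copy."""
    digest = lambda data: hashlib.sha256(data).hexdigest()
    added = sorted(p for p in site if p not in clean)
    modified = sorted(p for p in site if p in clean and digest(site[p]) != digest(clean[p]))
    return added, modified

def suspicious_tail(content, tail_bytes=2048):
    """True if the last tail_bytes of a file contain one of the injected-footer markers."""
    tail = content[-tail_bytes:].decode("utf-8", errors="replace")
    return bool(SUSPICIOUS.search(tail))

def triage(site, clean):
    """Every added or modified file, mapped to whether its tail looks injected."""
    added, modified = compare_trees(site, clean)
    return {p: suspicious_tail(site[p]) for p in added + modified}

if __name__ == "__main__":
    # Constructed sample trees standing in for the live webroot and a clean SMF download.
    clean = {"index.php": b"<?php require 'SSI.php'; ?>\n",
             "Themes/default/index.template.php": b"<?php echo 'ok'; ?>\n"}
    site = dict(clean)
    site["index.php"] += b"<?php eval(base64_decode('PLACEHOLDER')); ?>\n"  # constructed injected footer
    site["Themes/default/x.php"] = b"<?php echo 'helper'; ?>\n"             # constructed added file
    for path, flagged in sorted(triage(site, clean).items()):
        print(("SUSPECT " if flagged else "review  ") + path)
```

Whoever wrote a file can also reset its modification time, so the hash comparison against a clean copy is the more trustworthy of the two checks; run it from a clean machine over a copy of the webroot rather than on the possibly compromised server itself.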

nend

Quote from: SMURF6060 on July 14, 2012, 09:23:15 AM
Do yourself a favor, this kind of job isn't for an amateur...you need a pro.
Don't waste your money on paying someone unless you are physically able to walk into their office.

The reason I say that is because it takes a high level of skill to clean and chase this bug down. ..and if you're willing to hand over access to your server to an entity over the internet..chances are you're going to get screwed BIG TIME.

Either strip the server down completely..or get a pro...WITH AN OFFICE...in the real world...who doesn't use a Google number  lol.

Best of luck


I think it's best to keep a few personal thoughts to myself. Never mind.


Yeah you shouldn't trust me as I don't have an office you can walk into and I do have a Google number also. Maybe you should hire someone that has an office you can walk into that may or may not be a disgruntled employee and may or may not help you at all. You know there are a couple of times I have walked into a shop before and asked about their procedures after figuring out I wouldn't trust them with one thing I own. Not saying every place is the same but you're going to find just as good help here as anywhere else.

Most people here do not have a workplace that specifically deals with development of server side software but they have designed some of the best software on the web.  :-\

SMURF6060

Quote from: nend on July 14, 2012, 05:19:20 PM
Quote from: SMURF6060 on July 14, 2012, 09:23:15 AM
Do yourself a favor, this kind of job isn't for an amateur...you need a pro.
Don't waste your money on paying someone unless you are physically able to walk into their office.

The reason I say that is because it takes a high level of skill to clean and chase this bug down. ..and if you're willing to hand over access to your server to an entity over the internet..chances are you're going to get screwed BIG TIME.

Either strip the server down completely..or get a pro...WITH AN OFFICE...in the real world...who doesn't use a Google number  lol.

Best of luck


I think it's best to keep a few personal thoughts to myself. Never mind.


Yeah you shouldn't trust me as I don't have an office you can walk into and I do have a Google number also.
Exactly. Why should I trust you? Because you have a high post count? Or because I've flipped through your past posts and you seem to be such a nice guy/gal? The O.P. didn't mention anything as far as if it's an income generating site or not...WOULD YOU TRUST A COMPLETE STRANGER OFF THE STREET TO HANG ON TO YOUR CHECK BOOK & DEBIT CARDS?.. BECAUSE THEY DRESSED WELL AND SMELLED NICE? Why should anyone trust anyone on the internet. I don't even trust the SMF software. Nothing is for free in this world. And if it is, it's because something comes attached to it that you're unaware of. Are they great programmers and architects? Absolutely...but that doesn't mean they are Mother Teresa.


Maybe you should hire someone that has an office you can walk into that may or may not be a disgruntled employee and may or may not help you at all.

With all due respect, you can't compare the odds of getting screwed by a disgruntled employee versus a completely anonymous person through the internet. That comparison is illogical - and I'm not even Dr. Spock.

You know there are a couple of times I have walked into a shop before and asked about their procedures after figuring out I wouldn't trust them with one thing I own. Not saying every place is the same but you're going to find just as good help here as anywhere else.

That's my entire point. You physically saw..heard..smelled...your mind didn't fill in the blanks like it does online. Your guard wasn't down. I could be sitting typing my response to you while some chick is chained to the wall...bleeding out after 2 weeks of torture. The best you can do is try to profile me by my typing..and even then you would be 99.9% wrong. You're not a behavioral analyst by trade.


Most people here do not have a workplace that specifically deals with development of server side software but they have designed some of the best software on the web.  :-\

My statement to the O.P. was said out of brotherhood. You're the creative..you create what the O.P. and I use, whether it's for profit or entertainment. You know this stuff and we don't. We wish we knew what you knew. We have to rely on the programmers, coders..whatever it is you want to call yourself. We rely on you to give us a fair and balanced cost. But those odds are astronomically not in our favor... Because you do not exist. ..and you have issues just like we do. You need to eat..you need a roof over your head. Because we're not familiar with your knowledge, you have the power to take a 5 minute job and make it into a 2 week gig. And that advantage and power runs unchecked in this community. The fact that I told the O.P. to find someone that had an office meant that if the person screwed him..he or she at least has the option of catching him after hours and breaking his neck for ripping him or her off. I wasn't saying that a person with an office and a real phone number was more credible than a person without. You misunderstood.

You expect me to chase after some dirtbag in India..or Romania? I almost got conned here today by a scumbag who expected me to pay for his coke habit. I needed 4 lines of code..he needed 4 lines for his nose.

Dude, I'm not trying to take money out of your pocket..I'm trying to put money in it.

NanoSector

Guys, keep this on topic, this is about the trojan, not who makes profit. In fact I don't think the OP cares whether SMURF or nend makes profit, as long as his issue gets solved. I'm seriously thinking of splitting this altogether, and removing some posts.

nend

Don't split, just remove these useless posts, mine included.  ;)

Arantor

That's the thing, it is totally relevant. Dealing with a server infection is a very complex and skilled art, and you absolutely DO NOT want an amateur doing it.

I actually agree with the sentiments about getting a paid professional - because if there is a foul-up down the line, the business will have things like business liability insurance to cover damages and costs of getting it fixed, and an individual may or may not have that.

NONE of the posts in this thread are useless. Please do not do the community an injustice by removing them.

NanoSector

Quote from: nend on July 14, 2012, 06:42:00 PM
Don't split, just remove these useless posts, mine included.  ;)
Lol not all are useless, but it's enough to just say it once, don't keep going on about it.

Quote from: Arantor on July 14, 2012, 06:43:13 PM
That's the thing, it is totally relevant. Dealing with a server infection is a very complex and skilled art, and you absolutely DO NOT want an amateur doing it.

I actually agree with the sentiments about getting a paid professional - because if there is a foul-up down the line, the business will have things like business liability insurance to cover damages and costs of getting it fixed, and an individual may or may not have that.

NONE of the posts in this thread are useless. Please do not do the community an injustice by removing them.
It may be relevant, but as I said, don't keep going on about it and then driving crazy at some point. That drives moderators to splitting and removing. I agree with the point of getting a professional too, but the *discussion* just isn't relevant in here, being told once is enough.
I wasn't talking about useless posts though, rather offending posts.

Anywayzz, you guys are driving me too far into the discussion, xcuse me for the clutter.
