BleepingComputer.com: Infected web space


Infected web space malicious script sending email from my web space

#1 Michael Carter

Posted 24 December 2011 - 06:07 AM

I have used this forum many times to get advice on an infected home computer, but today I am asking for advice on a possibly infected web space.

I recently received the following message from my web host:

…there is a file or script within [the public_html] directory that is causing this behaviour. You may need to check for scripts that attempt to send out large amounts of emails and throttle them…

Following this message, I took a complete local copy of the web files.

I should be very grateful if anyone can recommend a tool to parse through the files and look for a malicious script. Obviously scanning with an ordinary AV tool like AVG is no good, because the script will be written in ordinary text.

I should also be grateful for any tips on how a malicious script would get into my public_html directory. My local computer runs AVG, and I have just scanned it with ESET and found nothing.

Many thanks, and Happy Christmas to all in the forum!

#2 Andrew (Moderator)

Posted 24 December 2011 - 06:53 AM

If you have an older backup of the directory from before you believe the intrusion happened, you can use WinMerge to compare the two directories and show any new files as well as any differences between different versions of the same file:

Here's an example of how WinMerge shows the differences between two versions of the same file:
[screenshot: WinMerge file comparison]

And one where two directories are compared:
[screenshot: WinMerge directory comparison]


Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.
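Andrew's approach (compare a pre-intrusion backup against the current copy of public_html, then inspect only what is new or changed) can be scripted so it is not a manual file-by-file process. The following is an added example, not code from the original thread or from WinMerge; the two directory trees it builds are a constructed sample with hypothetical contents, and the list of PHP calls it greps for is an assumption about what a mass-mailer tends to use.

```python
import hashlib
import os
import re
import tempfile

# PHP calls that mass-mailers and obfuscated droppers tend to use (assumed list); a hit is a cue for review, not a verdict
SUSPECT = re.compile(r"\b(mail|base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I)

def snapshot(root):
    """Map each relative path under root (with / separators) to the SHA-256 of its bytes."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root).replace(os.sep, "/")] = hashlib.sha256(f.read()).hexdigest()
    return out

def suspicious_lines(path):
    """Lines of a text file matching SUSPECT, as (line number, text)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return [(n, line.rstrip()) for n, line in enumerate(f, 1) if SUSPECT.search(line)]

def review(backup_root, current_root):
    """Diff the backup against the current tree, then flag suspect lines only in new or changed files."""
    old, new = snapshot(backup_root), snapshot(current_root)
    added = sorted(set(new) - set(old))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    hits = {rel: suspicious_lines(os.path.join(current_root, rel)) for rel in added + modified}
    flagged = {rel: lines for rel, lines in hits.items() if lines}
    return {"added": added, "modified": modified,
            "removed": sorted(set(old) - set(new)), "flagged": flagged}

def build_demo():
    """Constructed sample (hypothetical contents): last month's backup and today's public_html with a planted mailer."""
    base = tempfile.mkdtemp()
    trees = {
        "backup": {"index.php": "<?php echo 'home'; ?>\n", "old.html": "<p>old</p>\n"},
        "current": {"index.php": "<?php echo 'home v2'; ?>\n",
                    "images/.tmp.php": "<?php foreach ($list as $to) mail($to, $subj, $body); ?>\n"},
    }
    for tree, files in trees.items():
        for rel, text in files.items():
            full = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)
    return os.path.join(base, "backup"), os.path.join(base, "current")
```

Running `review(*build_demo())` reports `images/.tmp.php` as added and flagged for its `mail(` call, `index.php` as modified but clean, and `old.html` as removed; on a real site, point it at the backup and the local copy taken from the host.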

#3 Michael Carter

Posted 28 December 2011 - 04:18 AM

Thanks Andrew - I wasn't expecting such a quick reply. I sort of looked at the frequency of posts in the forum and set an egg timer for 5 days.

Anyway I shall certainly download and store WinMerge.

As for my web site - it had evolved like papier mâché for 12 years and needed a good spring clean. So I deleted the whole lot, and I've slowly started rebuilding it.

The WinMerge idea was a good one, but as I add/modify files every hour and take copies only once a month, it would still be a long process.

I'm not sure how the malicious script got there (if indeed there was one), but I've changed my password and I now only leave FileZilla open for a few minutes to transfer files. Previously I had been leaving it open all day and even all night.

Thanks again for your input.

#4 Andrew (Moderator)

Posted 28 December 2011 - 01:00 PM

Michael Carter, on 28 December 2011 - 04:18 AM, said:

Thanks Andrew - I wasn't expecting such a quick reply. I sort of looked at the frequency of posts in the forum and set an egg timer for 5 days.

Well, the fact of the matter is that I was dealing with a similar situation myself when you posted! :whistle: Luckily (or lazily) the files on my site are rarely altered directly, since I use a CMS which stores everything in a database. So I was able to determine that no changes had been effected to the site's files and, by running WinMerge against dumps of the database, that no malicious database entries had been made.

#5 Webdoc

Posted 29 December 2011 - 01:23 AM

Did you check your hosting control panel for strange email address accounts or FTP accounts?

#6 Andrew (Moderator)

Posted 29 December 2011 - 03:23 AM

No cpanel or mail service runs on the server. Just vsftpd, MySQL, Lighttpd and Open-SSH. Tiger reports no anomalies, so I'm accepting that it was a false alarm.