
FTP Details Compromised - My Host Suspects Malware/Virus


10 replies to this topic

#1 dc1000 (Members)

Posted 15 June 2009 - 04:45 AM

My wordpress blog was hacked. My host (hostgator) confirmed that someone had gained FTP access, and said the likely suspect was a virus or malware that had located the FTP details on my computer.

I'm not convinced that this is the case because I have several other accounts with Hostgator that have not been hacked and I keep those FTP details on my computer as well. I'm also pretty careful with security and run malware/adware checks once a week. It seems more likely that I've forgotten to change my FTP log-in after allowing a programmer access and they have misused (or have a virus themselves).

Anyway, since I'm hardly an expert, I've run the scans recommended by Hostgator, one of which is ComboFix. Combofix did its thing without any problems and generated a log file, but Hostgator said they weren't best placed to advise me in interpreting the log file. They pointed me to this forum instead.

Since it says above, not to post a combofix log straight away, I'll wait for a request from this thread before posting it. I have however posted the images of the other scans I ran, in addition to combofix, below. They found and deleted a couple of files they defined as trojans, but these are just browser toolbar apps for some marketing programs. They're in a zip file, I've never installed them, and they've been on my hard drive for years. I don't think there's anything useful in there, but I've included them just in case.

If anyone would like to recommend I perform any other tests or checks, or provide any other information that may prove useful, please let me know and I'll be happy to oblige.

Thank you in advance for your assistance.

Best wishes,

David Congreave

[Three scan-result screenshots were attached here; not reproduced]

#2 Blade (Site Admin)

Posted 15 June 2009 - 12:59 PM

Hello David and :flowers: to Bleepingcomputer

From what you've provided, this doesn't appear to be a malware issue. Many hosts and ISPs (and even some tech support people) tend to throw around words such as virus or malware. If you have doubts, it's always good to get a second opinion from a specialist (which you're doing, so Good Job! :thumbsup:).

Still, let's run a couple additional scans. Better safe than sorry, right?

Before we begin though, a caution and a question.

First, as you've undoubtedly read by now, ComboFix (CF for short) is a highly advanced tool designed to be used only at the direction of a highly trained specialist. The truth is, CF can cause enormous amounts of damage if used incorrectly, and sometimes can cause rather serious side effects even when used in the correct manner. When you're working with a specialist trained in the use of CF these side effects can be dealt with if they arise, but the fact that the folks at hostgator were unable (or unwilling) to analyze the log after recommending the tool to you is somewhat indicative that they probably didn't know exactly what they were handing you. I'm very glad that you seem to have come out of it unscathed, and I've notified the author of the tool about what has happened in case he sees the need to take further action. But I digress. Please do not run CF again unless someone trained in malware removal asks you to.

Secondly, are you experiencing any other symptoms that would lead you to believe that you were infected with some form of malware? (Popups, browser redirection, AV Warnings, etc)

********************************

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

********************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
In your next reply, please provide the following:
  • SUPERAntiSpyware Log


~Michael

Edited by Blade Zephon, 15 June 2009 - 01:01 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 dc1000 (Topic Starter)

Posted 15 June 2009 - 02:44 PM

Thank you for your response Michael.

I haven't seen any ill effects from using Combofix, except that my desktop background image seems to have reset to the default. I'm guessing from your post that the side effects of using CF can potentially be more serious than that. I mean, I liked my old background image and all, but it's not the end of the world.

Actually, I must confess that I saw the warnings about using CF and assumed it was just being over cautious. Hostgator had directed me to run it, so it must be quite safe, right? *sigh*

Is there any damage that CF could have done that I'm unaware of? Anything I should check for?

Anyway, in answer to your question about other signs of a virus, I haven't seen anything in the way of browser redirects, popups, or AV warnings. In fact, I don't think I've had a PC that was so problem-free. I've had a little go-slow recently, but that may be down to the number of apps I have open at any one time (8-10 is fairly regular). I've got 2 GB of RAM, but Vista is probably swallowing a big chunk of that.

I'll run the test you directed tomorrow and post the logs.

Thanks again.

David Congreave

#4 Blade (Site Admin)

Posted 15 June 2009 - 03:42 PM

Hello David,

===========================
Is there any damage that CF could have done that I'm unaware of? Anything I should check for?
===========================
Let me start off by saying that, since I haven't yet reached Senior status here at BC, I am still unqualified to use CF. I have however read through many threads and seen others use it many times. From what I've seen, the more serious problems that CF can cause would be readily apparent to you. Things like not being able to start Windows or pieces of hardware no longer working. So, I would say that it seems you escaped the worst case scenarios.

That being said, the only way to know exactly what CF has done is to have someone who is trained in its use analyze the log. The Am I Infected forum is not the place where that kind of thing is done though (as you already know :thumbsup: ).

===========================
I've had a little go-slow recently, but that may be down to the number of apps I have open at any one time (8-10 is fairly regular). I've got 2 GB of RAM, but Vista is probably swallowing a big chunk of that.
===========================
Vista is very resource intensive. Depending on your version, it may be taking up roughly 25-50% of your 2GB. 8-10 apps on top of that could very well be responsible for your slowdown issues. If you're interested, there is a thread HERE that may help you in that area.

~Michael

Edited by Blade Zephon, 15 June 2009 - 03:43 PM.



#5 dc1000 (Topic Starter)

Posted 16 June 2009 - 01:49 AM

I had a browse through that thread yesterday and made a few tweaks - which seems to have helped a little. Slow-down isn't a big problem, but I'm always happy to find ways to speed things up. I've ordered some more RAM so I can bump it up from 2GB to 4GB; that should also help.

I ran the scan you outlined and the Scan Log results are:

===========================
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/15/2009 at 10:45 PM

Application Version : 4.26.1004

Core Rules Database Version : 3910
Trace Rules Database Version: 1854

Scan type : Complete Scan
Total Scan Time : 01:01:58

Memory items scanned : 271
Memory threats detected : 0
Registry items scanned : 6589
Registry threats detected : 0
File items scanned : 131557
File threats detected : 2

Adware.Tracking Cookie
C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Cookies\bob@tracker.wakoopa[2].txt
C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Cookies\bob@serving-sys[2].txt

===========================

The only thing I wasn't sure about was the instruction in the middle section:

===========================
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):

* Close browsers before scanning.
* Scan for tracking cookies.
* Terminate memory threats before quarantining.
===========================

My literal brain had trouble with the instruction to "leave all others unchecked", when most of the others were checked. I can't "leave" them in a state that they're not in to begin with.

This would be a good place to call me a "pedantic [colourful metaphor]" but seriously, I wasn't sure which way to go. Did that mean:

1) Check these three items and leave the rest as they are?

or

2) Check these three items and uncheck everything else?

I went with option 2 but if this was incorrect, please can you clarify exactly which of the scanner options should be checked, and which should be unchecked, so I can run the scan again.

Is there another forum category where I can post my ComboFix log? I'm not experiencing any problems, but for my peace of mind it would be great if someone could give it a quick look through and see if there are any problems.

Thanks again for your help.

Best wishes,

David Congreave

#6 Blade (Site Admin)

Posted 16 June 2009 - 05:38 PM

Hello David

===========================
My literal brain had trouble with the instruction to "leave all others unchecked", when most of the others were checked. I can't "leave" them in a state that they're not in to begin with.
===========================
:flowers: I should have caught that; my brain works the same way. Thank you for pointing that out to me. Option 2 was the way to go :thumbsup:


Well, I am happy to inform you that the chances that an infection is responsible for your being hacked are virtually nil. I've been looking into this with some colleagues here at BC and Galadriel, one of my instructors, provided me with some good insight. Quoted:

===========================
It's more than likely a social engineering hack or a vulnerability in the host or the blog itself. There are a lot of exploits for blogs out there that could, if they were used the proper way, leave tracking files in place to grab FTP logins. I've seen it happen more than once.
===========================

Galadriel suggests that you look through your blog directories for suspicious files, and upload them to Jotti or VirusTotal, online analyzers that check files using many different AV programs. I will provide instructions on doing this at the bottom of this post.

He also suggested that you immediately change your login details, and keep a regular watch over your blog folders for suspicious files.

If you want to do some investigation on the origins of the hack, Galadriel mentioned that most hosts have IP logging enabled, so you might be able to grab the IP address of whoever it was that hacked you. IP tracking can be long and tedious work though.

***************************************************

As for the CF log, we should be able to get one of our guys to analyze it, but we'll need to do it so that we observe proper protocol here in the forums. You also may have to wait a couple days for a response; our helpers stay very busy.


Please read this thread. You will notice that you've already completed some of the steps it lists. I need you to complete step 6.

Once that's done you'll need to create a new thread in the Malware Removal forum.
In your initial post include a description of the problem (just as you did here, you could mostly just copy/paste it though it won't be necessary to include the snapshots of the various scanners), a link to this thread (very important), a list of steps you've taken (including what we did here in AII), and paste the DDS logs you generated. Please do not post your CF log yet as this may result in one of the moderators deleting your topic; we require that CF logs not be posted unless requested by a helper.

Once you've created the thread, don't post to the thread again until a helper responds. Doing so will increment the thread's reply counter from 0 to 1, and cause helpers to overlook your topic. If you need to supply additional information, you may edit your original post by clicking the edit button in the bottom right corner of the post.

A final thing to do: after you've created your thread in the Malware Removal forum, post a link to your new thread here. This thread will be closed shortly after you create one in the Malware Removal forum; if this occurs before you are able to post the link, you may send it to me via PM instead. Use this link to send me a PM. Send Message

***************************************************

Now, as I promised, here are instructions on uploading to Jotti or VirusTotal. If you upload a file and it comes back as infected, please retain a copy of the log produced and inform whoever helps you in the Malware Removal forum; they will need to see it.



Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

suspect.files

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



If you have any further questions for me, please post them back here before you create your new thread. Otherwise, good luck!

~Michael

Edited by Blade Zephon, 16 June 2009 - 05:39 PM.



#7 dc1000 (Topic Starter)

Posted 17 June 2009 - 02:09 AM

Well that's a relief - thank you very much for your help with this.

I've already changed my FTP log-in for this account and, now that I'm satisfied I'm virus-free, I'm going to change all the others as well.

I had my blog checked over by a wordpress expert - he was the one that found the hacked code in the first place - and it seems that all the malicious code had been placed in files in the plug-ins folder. The ownership of that folder had also been changed so nothing in the folder could be deleted and edited (hostgator have fixed this now).

He also re-installed fresh versions of all the wordpress files (apart from the plug-ins folder), in all the folders, just to be on the safe side. Is it still worth doing the "Jotti or VirusTotal" check on the blog?

#8 Blade (Site Admin)

Posted 17 June 2009 - 09:57 AM

I would keep watch over the blog just in case someone attempts to hack you again.



#9 dc1000 (Topic Starter)

Posted 17 June 2009 - 12:32 PM

Will do.

Thanks again for walking me through - this was really helpful.

What's the preferred way to show appreciation? Donation, backlink, Twitter post?

#10 Blade (Site Admin)

Posted 17 June 2009 - 03:24 PM

It was my pleasure. :thumbsup:

As far as I'm concerned, thanks is more than enough :flowers:

If someone you know has computer issues, feel free to send them to us!

Edited by Blade Zephon, 17 June 2009 - 03:25 PM.



#11 Galadriel (Malware Response Team)

Posted 22 June 2009 - 01:57 PM

Sorry, I forgot this thread.... If you're still around dc1000, I wonder what version of Wordpress you had installed on the host? If it's not the latest, you'd be well advised to update it.

Here are a couple of things to keep in mind with content management systems (CMS such as Wordpress and others). It's a good idea to install in a location other than the default one (can't hack what you can't find). It is also a good idea to remove the link to the login page from your main page. If you haven't done so, that'd be another safeguard. I strongly suspect that the 'hacker' came in through an exploit on the blog itself, and not necessarily through FTP. It's much easier to find holes in the CMS than it is to hack a strong password. Keeping close tabs on the different "uploads" or "plugins" or "addons" folders (whatever they are named) is also a good way to prevent spread if such a hack occurs.

Hope this helps.

Glad to hear you have some peace of mind back. :thumbsup:
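Both Blade's advice in post #6 ("keep a regular watch over your blog folders for suspicious files") and Galadriel's in post #11 (keep close tabs on the uploads/plugins folders) come down to the same practice: take a known-good baseline of the site's files and check later snapshots against it. The script below is an added illustration of that practice, written by the editor of this page, not by any poster in the thread or by the WordPress project. It hashes every file under a site root, reports files that were added, removed or modified since the baseline, and separately flags code files (.php and the like) that turn up under directories that should hold only static content. The directory names, the "static-only" list and the sample files are constructed for the demo; a real deployment would store the baseline somewhere the web server cannot write to.

```python
"""Added example (not from the thread): a minimal file-integrity check for a
WordPress-style site tree. Baseline the tree once, then diff later snapshots
against it and flag code files in content-only directories."""
import hashlib
import os
import tempfile

# Assumption: these directories should only ever hold uploaded media, so a
# PHP file appearing in them deserves a look. Adjust for your own layout.
STATIC_ONLY_DIRS = ("wp-content/uploads",)
CODE_EXTENSIONS = (".php", ".phtml", ".php5")


def sha256_of(path):
    """Stream a file through SHA-256 so large media files do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path (with forward slashes) -> sha256 for every file under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result


def diff_snapshots(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_code_files(current):
    """Code files sitting under directories that should contain only static content."""
    return sorted(
        p for p in current
        if p.endswith(CODE_EXTENSIONS)
        and any(p.startswith(d + "/") for d in STATIC_ONLY_DIRS)
    )


def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo():
    """Build a constructed site tree, baseline it, simulate a changed plugin file
    and a PHP file dropped into uploads, and return the resulting report."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files standing in for a fresh WordPress install.
        _write(root, "wp-config.php", "<?php // constructed config\n")
        _write(root, "wp-content/plugins/akismet/akismet.php", "<?php // plugin v1\n")
        _write(root, "wp-content/uploads/2009/06/photo.jpg", "constructed-jpeg-bytes")
        baseline = snapshot(root)

        # Constructed changes: one plugin file altered, one PHP file added to uploads.
        _write(root, "wp-content/plugins/akismet/akismet.php", "<?php // altered content\n")
        _write(root, "wp-content/uploads/2009/06/img.php", "<?php // dropped file\n")
        current = snapshot(root)

        report = diff_snapshots(baseline, current)
        report["code_in_static_dirs"] = suspicious_code_files(current)
        return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Run against a real site by calling `snapshot()` on the document root right after a clean reinstall (as David's WordPress expert did), saving the dict as JSON outside the web root, and diffing a fresh `snapshot()` against it on a schedule; a non-empty "modified" list on core files, or anything in "code_in_static_dirs", is the signal to investigate before the change has time to spread.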



