
Infected web space


  • Please log in to reply
5 replies to this topic

#1 Michael Carter


Posted 24 December 2011 - 06:07 AM

I have used this forum many times to get advice on an infected home computer, but today I am asking for advice on a possibly infected web space.

I recently received the following message from my web host:

…there is a file or script within [the public_html] directory that is causing this behaviour. You may need to check for scripts that attempt to send out large amounts of emails and throttle them…

Following this message, I took a complete local copy of the web files.

I should be very grateful if anyone can recommend a tool to parse through the files and look for a malicious script. Obviously scanning with an ordinary AV tool like AVG is no good, because the script will be written in ordinary text.

I should also be grateful for any tips on how a malicious script would get into my public_html directory. My local computer runs AVG, and I have just scanned it with ESET and found nothing.

Many thanks, and Happy Christmas to all in the forum!
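A small scanner of the kind the post asks for, added here as an example (it is not from the thread or from any tool the posters mention): it walks a local copy of public_html and reports every line in a script that calls a mail-sending function, which is what the host's message points at. The script suffixes and the mail patterns are my own assumptions, and the sample site it builds in a temporary directory is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# File types read as source text. Assumed list; extend it for your host.
SCRIPT_SUFFIXES = {".php", ".php5", ".phtml", ".pl", ".cgi", ".py"}

# Calls that hand mail to the local MTA or an SMTP server. Assumed, minimal
# set for the example; a real review would add the host's own mail libraries.
MAIL_PATTERNS = [
    (re.compile(r"\bmail\s*\("), "PHP mail()"),
    (re.compile(r"\bmb_send_mail\s*\("), "PHP mb_send_mail()"),
    (re.compile(r"/usr/(sbin|lib)/sendmail"), "sendmail binary"),
    (re.compile(r"\b(smtplib|Net::SMTP|PHPMailer)\b"), "SMTP library"),
]


def scan_file(path):
    """Return (line_no, label, snippet) for every mail-related line in one file."""
    hits = []
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return hits
    for no, line in enumerate(text.splitlines(), start=1):
        for pattern, label in MAIL_PATTERNS:
            if pattern.search(line):
                hits.append((no, label, line.strip()[:120]))
                break  # one report per line is enough
    return hits


def scan_tree(root):
    """Walk the local copy and map relative POSIX path -> list of hits."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample_site():
    """Constructed sample tree: one legitimate contact form, one planted mailer."""
    root = Path(tempfile.mkdtemp(prefix="public_html_"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "contact.php").write_text(
        "<?php\n$to = 'me@example.com';\nmail($to, $_POST['subject'], $_POST['body']);\n"
    )
    (root / "images").mkdir()
    (root / "images" / "x.php").write_text(
        "<?php\nforeach ($list as $addr) { mail($addr, $s, $m); }\n"
    )
    (root / "style.css").write_text("body { color: red; }\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, hits in scan_tree(site).items():
        for no, label, snippet in hits:
            print(f"{rel}:{no}: {label}: {snippet}")
```

Every hit still needs a human look: a contact form legitimately calls mail(), so the point of the report is to shorten the list of files to read, especially scripts sitting in directories (such as an images folder) where no script belongs.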

#2 Andrew


Posted 24 December 2011 - 06:53 AM

If you have an older backup of the directory from before you believe the intrusion happened, you can use WinMerge to compare the two directories and show any new files as well as any differences between different versions of the same file:

Here's an example of how WinMerge shows the differences between two versions of the same file:
[screenshot: WinMerge file comparison]

And one where two directories are compared:
[screenshot: WinMerge folder comparison]

Edited by Andrew, 24 December 2011 - 06:54 AM.


#3 Michael Carter

Michael Carter
  • Topic Starter

  • Members
  • 99 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quairading, Western Australia
  • Local time:04:07 PM

Posted 28 December 2011 - 04:18 AM

Thanks Andrew - I wasn't expecting such a quick reply. I sort of looked at the frequency of posts in the forum and set an egg timer for 5 days.

Anyway I shall certainly download and store WinMerge.

As for my web site - it had evolved like papier-mâché for 12 years and needed a good spring clean. So I deleted the whole lot, and I've slowly started rebuilding it.

The WinMerge idea was a good one, but as I add/modify files every hour and take copies only once a month, it would still be a long process.

I'm not sure how the malicious script got there (if indeed there was one), but I've changed my password and I now only leave FileZilla open for a few minutes to transfer files. Previously I had been leaving it open all day and even all night.

Thanks again for your input.

#4 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,260 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:01:07 AM

Posted 28 December 2011 - 01:00 PM

> Thanks Andrew - I wasn't expecting such a quick reply. I sort of looked at the frequency of posts in the forum and set an egg timer for 5 days.

Well, the fact of the matter is that I was dealing with a similar situation myself when you posted! :whistle: Luckily (or lazily) the files on my site are rarely altered directly since I use a CMS which stores everything in a database. So I was able to determine that no changes had been effected to the site's files and, by running WinMerge against dumps of the database, that no malicious database entries had been made.
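Andrew's approach in posts #2 and #4 (compare the current files against an older backup, and compare database dumps the same way) done in Python, added here as an example that is not from the thread or from WinMerge: it hashes every file in both trees to list added, removed and changed files, then produces a unified diff of any changed text file, which covers a SQL dump just as well as a PHP file. The two snapshot directories it builds are constructed sample data.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(before, after):
    """Return sorted lists of added, removed and changed files between two trees."""
    old, new = snapshot(before), snapshot(after)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def unified_diff(before, after, rel):
    """Line diff of one changed text file (the same view WinMerge gives side by side)."""
    a = (Path(before) / rel).read_text(encoding="utf-8", errors="replace").splitlines()
    b = (Path(after) / rel).read_text(encoding="utf-8", errors="replace").splitlines()
    return list(difflib.unified_diff(a, b, fromfile=f"backup/{rel}",
                                     tofile=f"current/{rel}", lineterm=""))


def build_sample_snapshots():
    """Constructed data: a monthly backup and the current copy. The current copy
    has one edited file, one new file, and a database dump that gained a row."""
    before = Path(tempfile.mkdtemp(prefix="backup_"))
    after = Path(tempfile.mkdtemp(prefix="current_"))
    for root in (before, after):
        (root / "index.php").write_text("<?php include 'header.php'; ?>\n")
    (before / "footer.php").write_text("<?php echo 'footer'; ?>\n")
    (after / "footer.php").write_text(
        "<?php echo 'footer'; ?>\n<?php include 'images/x.php'; ?>\n")
    (after / "images").mkdir()
    (after / "images" / "x.php").write_text("<?php /* not in the backup */ ?>\n")
    (before / "site.sql").write_text("INSERT INTO users VALUES (1,'michael');\n")
    (after / "site.sql").write_text(
        "INSERT INTO users VALUES (1,'michael');\n"
        "INSERT INTO users VALUES (2,'unknown');\n")
    return before, after


if __name__ == "__main__":
    before, after = build_sample_snapshots()
    result = compare_trees(before, after)
    for kind in ("added", "removed", "changed"):
        print(f"{kind}: {result[kind]}")
    for rel in result["changed"]:
        print("\n".join(unified_diff(before, after, rel)))
```

Hashing rather than comparing timestamps matters here: an attacker who writes a file over FTP can set whatever modification time the client sends, but cannot make a changed file hash the same as the backup copy. For the database case, dump both the backup and the live database with the same tool and options first, otherwise the diff is full of ordering noise.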

#5 Webdoc


Posted 29 December 2011 - 01:23 AM

Did you check your hosting control panel for strange email address accounts or FTP accounts?

#6 Andrew


Posted 29 December 2011 - 03:23 AM

No cPanel or mail service runs on the server. Just vsftpd, MySQL, Lighttpd and OpenSSH. Tiger reports no anomalies, so I'm accepting that it was a false alarm.