Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 04-20-2009, 07:48 PM   #1
devine
Confirmed User
 
 
Join Date: Jul 2006
Posts: 620
IMPORTANT: any of your servers hit by this?

So we were hit by a fucking trojan that appends a script at the beginning of several php files and at the end of all .js files. This mofo apparently comes on pdf files and some swf using an Acrobat vulnerability. It will then create a pdf and 2 swf files which will be used to infect your server, from there your site will try to load 94.247.2.195/news/?id=100 and/or 94.247.2.195/news/?id=101 . If successful, it will infect your visitor and so on and so on. It's spreading wildly and last week the count of affected websites was over 20000 (and counting). The only remedy is to wipe out everything in your server, change passwords and such. Just take a look at your php files, it will append to most (or all) php files containing index or config in the name, which makes Wordpress, Drupal and Joomla extremely vulnerable.

Just look for this (don't worry, it's just a tiny bit of the code, but enough to find out) in your hosted files:

Code:
<?php if(!function_exists('tmp_lkojfghx'))
in WP you'll find it in index.php for sure, if you don't have it, you're safe

it's not confirmed if it attacks databases and some people say it also attacks filezilla, so be careful
Old 04-20-2009, 07:53 PM   #2
LiveDose
Show Yer Tits!
 
 
Industry Role:
Join Date: Feb 2002
Location: Somewhere Out there...
Posts: 25,792
Wow, thanks for the thread.
Old 04-20-2009, 10:47 PM   #3
devine
Confirmed User
 
 
Join Date: Jul 2006
Posts: 620
no problem, we're researching what this crap intends to do, will keep you updated, in the meantime, no need to panic or anything, just check your files
Old 04-20-2009, 10:54 PM   #4
ztik
Confirmed User
 
 
Industry Role:
Join Date: Aug 2001
Location: Nomad
Posts: 5,196
normally that comes from your computer when you upload things to your server
Old 04-20-2009, 10:59 PM   #5
mynameisjim
Confirmed User
 
 
Join Date: Aug 2007
Posts: 2,985
Quote:
Originally Posted by ztik View Post
normally that comes from your computer when you upload things to your server
Yeah, a doctor friend of mine runs a little website that had some code injected into all the pages. I cleaned it all out, but it came back. I cleaned it again and switched servers, and it came back. Then he told me he has someone do some minor HTML work now and then. Turns out his computer had some kind of virus that was adding the code when he uploaded via Filezilla. I made him stop uploading and the problem went away. Very strange.
Old 04-21-2009, 12:04 AM   #6
devine
Confirmed User
 
 
Join Date: Jul 2006
Posts: 620
Quote:
Originally Posted by ztik View Post
normally that comes from your computer when you upload things to your server
yes, you're right, initially it was uploaded by one of our guys, but after cleaning the infected computer and what we thought were all affected files in the server it waited in the server one week or so and then infected everything again. The file that re-infects everything is installed 2 or 3 levels before the affected file, although it seems it's a random behavior. According to most people asking for help, the usual file it looks for to start is jquery.js. We had that file affected, although not sure if it's where it started.

This trojan is quite obnoxious once you have it in your computer, it will disallow regedit, will fake program uninstall and slow down your computer A LOT, so it's quite easy to know you have it, and as far as I know, it uses several names, although Superantispyware catches it. Anyway, just letting you guys know since it's spreading fast, at least our headaches may help someone here
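Added example (not part of any post in this thread): a sweep of a webroot for the two indicators quoted in post #1, the `tmp_lkojfghx` marker in .php files and the 94.247.2.195 address in .php/.js files, which can be rerun after a cleanup to catch the re-infection described in post #6. The function names and the sample tree are constructed for illustration, and matching the address literally is an assumption about how the injected script looks.

```python
import os

# Indicators quoted in the thread (first post).
PHP_MARKER = b"function_exists('tmp_lkojfghx')"
REMOTE_HOST = b"94.247.2.195"
EXTENSIONS = (".php", ".js")

def scan_file(path):
    """Return the names of the indicators found in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    if path.lower().endswith(".php") and PHP_MARKER in data:
        hits.append("php-marker")
    # Assumption: the address appears literally. An obfuscated injection
    # will not match, so no hit on a .js file is not proof that it is clean.
    if REMOTE_HOST in data:
        hits.append("remote-host")
    return hits

def scan_tree(root):
    """Walk root; map relative path -> indicators for each flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            try:
                hits = scan_file(full)
            except OSError:
                hits = ["unreadable"]  # report it rather than skip silently
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings

def build_sample_tree(root):
    """Write a constructed, inert sample tree (no real payload) under root."""
    samples = {
        "index.php": b"<?php if(!function_exists('tmp_lkojfghx')){ /* constructed */ } ?>\n<?php echo 'home';\n",
        "config.php": b"<?php $db = 'example';\n",
        os.path.join("js", "jquery.js"): b"var a = 1;\n// constructed: 94.247.2.195/news/?id=100\n",
        os.path.join("js", "site.js"): b"var b = 2;\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
```

Call `scan_tree()` on the document root and on the directories above it, since post #6 reports the re-infecting file sitting 2 or 3 levels away from the affected files.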