Old 08-28-2014, 10:15 AM   #1
Train
Member
 
Registered: Mar 2014
Distribution: Crunchbang
Posts: 44

Rep: Reputation: Disabled
Hacked by Yunus-Incredibl


A company server that has lots of outdated installs of WordPress was hacked this week by Yunus-Incredibl.

This server has no complete backup.

What would be good ways to scan for malicious php scripts?

I attached one of the malicious scripts for review.
Attached Files
File Type: txt my-fucking-plugin.txt (64.3 KB, 69 views)

Last edited by Train; 09-02-2014 at 10:53 AM. Reason: Spelling error.
 
Old 08-28-2014, 12:19 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Train View Post
What would be good ways to scan for malicious php scripts?
Probably Linux Malware Detect (LMD) because it's got quite an extensive array of hashes and signatures. Be certain though the intention should not be to maintain the situation and "fix" things by cleaning up but to (have clients) migrate verified safe content to another, pristine, properly hardened machine using only current software.
 
Old 08-28-2014, 06:15 PM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
LMD is a good start...

quick get 'er done recipe:
Code:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xzf maldetect-current.tar.gz      # untar it
cd maldetect-*                        # cd into the extracted directory
sudo ./install.sh
maldet -d; maldet -u                  # update maldet itself, then its signatures
maldet -b -r /path/to/scan            # background scan of recently changed files under that path
# read the log when it's done (maldet --report shows the last scan report)

References:
Code:
maldet --help
HOWTO : Linux Malware Detect on Ubuntu 12.04 LTS 64-bit
Install Linux Malware Detect in RHEL, CentOS and Fedora
 
Old 08-29-2014, 12:46 AM   #4
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,336

Rep: Reputation: 54
Could also look at date/time stamps; I would treat any file with a new modify/create time stamp as malicious. There is probably a way to list these files using find/grep/sed etc.; you may be able to find an example online.
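A worked version of the timestamp approach above, written for this thread as an added example (not code posted by Red Squirrel or shipped by WordPress or LMD). It assumes a WordPress-style tree with a wp-content/uploads directory and a find(1) that supports -mtime/-ctime/-path (GNU and BSD both do); the web-root path and the day window are hypothetical parameters. Besides listing recently modified PHP files, it also flags files whose mtime looks old while the inode change time is recent, since mtime is trivially reset with touch but ctime is not, and it lists any PHP under uploads, where only media belongs.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists PHP files under a WordPress
# web root by timestamp, following Red Squirrel's suggestion, plus a check for
# files whose mtime was reset. WEBROOT and DAYS are hypothetical parameters.

# recent_php_files WEBROOT DAYS
# PHP files whose modification time is within the last DAYS days.
# php3/php5/phtml are executed by many Apache/PHP setups too, so a scan
# limited to *.php would miss them.
recent_php_files() {
    find "$1" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) \
        -mtime "-$2" | sort
}

# timestomped_php_files WEBROOT DAYS
# mtime can be reset with touch(1), but the inode change time (ctime) is
# updated by that very touch and cannot be set directly without changing the
# system clock. A file whose mtime is older than DAYS days while its ctime is
# newer than that is therefore worth a closer look.
timestomped_php_files() {
    find "$1" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) \
        -mtime "+$2" -ctime "-$2" | sort
}

# php_in_uploads WEBROOT
# wp-content/uploads should hold media only; any PHP there is suspect
# regardless of its timestamps.
php_in_uploads() {
    find "$1" -type f -path '*/wp-content/uploads/*' \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) | sort
}

# Usage: sh scan_php.sh /var/www 2   (second argument defaults to 7 days)
if [ -n "${1:-}" ]; then
    days=${2:-7}
    echo "== PHP files modified in the last $days days"
    recent_php_files "$1" "$days"
    echo "== PHP files with old mtime but recent ctime (possible timestomping)"
    timestomped_php_files "$1" "$days"
    echo "== PHP files under wp-content/uploads"
    php_in_uploads "$1"
fi
```

Treat the output as a worklist for comparison against a clean copy of the same WordPress version, not as a verdict: a legitimate core update also produces fresh timestamps, and a file with untouched timestamps can still be malicious if the attacker set the clock or replaced a binary the scan relies on.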
 
Old 08-29-2014, 07:18 AM   #5
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Code:
malware detect scan report for my-kungfu:
SCAN ID: 082914-0736.31194
TIME: Aug 29 07:36:56 -0400
PATH: /home*/*/public_html
RANGE: 2 days
TOTAL FILES: 11
TOTAL HITS: 1
TOTAL CLEANED: 0

...
FILE HIT LIST:
{HEX}php.cmdshell.unclassed.352 : /tmp/my-fucking-plugin.txt
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >
 
Old 08-29-2014, 12:52 PM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3939
Apparently my original comment didn't sit so well with the moderators, but ... if you don't have an authoritative copy, somewhere else, of what's supposed to be on this server, and especially if you are using outdated copies of WordPress, then you're absolutely going to need to find some source, outside of this machine, from which to begin to reconstruct it. You really can't trust anything that's here.

WordPress installations should all be brought to the most current versions of the software. Then, you must assume that all of the content has somehow been tampered-with, injecting malicious script-tags and so on. Any script that's not part of the WordPress gear that has now been replaced must also be suspect. But, really, it goes deeper than this. If a system has been hacked-into, you should assume no less than "it has been root-kitted." Remote privilege-escalation is much easier to do than you might imagine. It's not particularly difficult to replace "a tool that you trust" with a version of that tool which conceals text.

The bottom line is: you can't trust anything here. Everything must be replaced, and the replacement must come from somewhere else. Nothing less will do. Various "malware detectors" exist, but, like all anti-virus strategies, they are "too little, too late." (And, they tacitly assume that the underlying system is actually reliable ... not a valid assumption.)

In far, far, far too many cases, people maintain systems simply by logging-in to them, making changes directly, and keeping no backup copy – no authoritative image copy – anywhere. Someone hacks into the thing, often quite thoroughly, and you have nothing apart from the now-damaged content of the system to fall back on. You must maintain all production systems using version-control and replicated, multi-version databases.

Last edited by sundialsvcs; 08-29-2014 at 12:54 PM.
 
Old 09-02-2014, 10:51 AM   #7
Train
Member
 
Registered: Mar 2014
Distribution: Crunchbang
Posts: 44

Original Poster
Rep: Reputation: Disabled
Thanks for your responses.
 