vBulletin hacked forums: Clean Up Time
Step 10. Check whether any nasty files were left over from the breach, i.e. PHP back doors and other malware. For Linux-based servers, if you have SSH/telnet root access, i.e. VPS or dedicated server hosting, I'd highly recommend a combination of
AVG Anti-Virus free edition for Linux
1). AVG Anti-Virus free edition for Linux http://free.avg.com/us-en/download.prd-alf is a passive anti-virus and malware scanner. A script installer for my Centmin Mod users is at http://centminmod.com/avg_antivirus_free.html, although it's just an rpm install, so it should be easy. It's passive because, with the default out-of-the-box install, you have to run scans and definition updates manually. There's no automation unless you script it yourself, i.e. cron jobs etc.
- Very fast scan speed compared to Linux Malware Detect, and it picked up additional viruses in email inboxes on Linux which Maldet didn't.
- Speed for a 180,000 file/directory scan: ~750 seconds.
- The most common infections I have found on clients' servers for scripts such as openx/phpads, WordPress, vBulletin etc. include PHP/BackDoor and a lot of virus worms embedded in email inboxes, i.e. FakeAlert and Win32/Cryptor.
Linux Malware Detect
2). Linux Malware Detect (maldet) http://www.rfxn.com/projects/linux-malware-detect/ is active in that it runs daily at a pre-scheduled time via cron job (/etc/cron.daily/maldet) and automatically updates its definitions. You may need to edit or customise the maldet config file at /usr/local/maldetect/conf.maldet. The daily scan supports Ensim virtual roots or standard Linux /home*/user paths, such as cPanel. The default is to scan just the web roots daily, which breaks down as /home*/*/public_html, or on Ensim /home/virtual/*/fst/var/www/html and /home/virtual/*/fst/home/*/public_html.
- Much slower scan speed compared to AVG Anti-Virus, but it picked up a few more malware samples than AVG.
- Speed for a 180,000 file/directory scan: ~24,000 seconds.
- The most common infections I have found on clients' servers for scripts such as openx/phpads, WordPress, vBulletin etc. include base64.inject.* and php.cmdshell.*.
Install and set up both and you have a first-responder warning when and if malware finds its way onto your server. It's not a 100% guarantee, but it's a start that allows you to more closely examine suspect files which you might otherwise not even look at.
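Because AVG is passive and maldet's report is meant to be read by a person, it helps to have a small wrapper that turns both scanners' text output into a hit count and a list of files to review, so a cron job can raise the "first responder" warning described above. The following POSIX shell script is an added example, not code from the original article or from AVG or maldet; the command names avgupdate/avgscan, the web root and log paths, and the example.com hostname in the constructed sample reports are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article or from AVG/maldet.
# Turns the two scanners' text reports into something cron can act on:
# a count of hits and a list of files to review. Assumptions: the
# avgupdate/avgscan and maldet commands are on PATH, the web root and
# log paths below, and example.com as the hostname in the sample data.

# Constructed AVG summary, modelled on the article's sample output.
SAMPLE_AVG='Files scanned : 52960(52401)
Infections found : 8(4)
PUPs found : 0
Files healed : 0
Warnings reported : 0
Errors reported : 10'

# Constructed maldet report fragment, modelled on the article's sample.
SAMPLE_MALDET='TOTAL FILES: 51700
TOTAL HITS: 3
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}php.cmdshell.unclassed.344 : /home/nginx/domains/example.com/public/includes/class_postbit_blog.php
{HEX}php.cmdshell.unclassed.344 : /home/nginx/domains/example.com/public/print.php
{MD5}php.cmdshell.rgod.4878 : /home/nginx/domains/example.com/public/lndex.php'

# Number of infections in an AVG report read from stdin. AVG prints
# "8(4)": the first figure is what we report, the bracketed one is the
# count of distinct objects.
avg_infections() {
    sed -n 's/^Infections found *: *\([0-9][0-9]*\).*/\1/p'
}

# Number of hits in a maldet scan report read from stdin.
maldet_hits() {
    sed -n 's/^TOTAL HITS: *\([0-9][0-9]*\).*/\1/p'
}

# Paths of the files maldet flagged, one per line, taken from the
# "FILE HIT LIST:" section of a report read from stdin.
maldet_hit_files() {
    awk '/^FILE HIT LIST:/ { inlist = 1; next }
         inlist && / : / { sub(/^.* : /, ""); print }'
}

# Cron wrapper for the passive AVG scanner: refresh definitions, scan the
# web root, keep the full report, and exit non-zero with the hit lines on
# stderr when anything is found, so the output reaches cron's mail.
nightly_avg_scan() {
    webroot=${1:-/home/nginx/domains}
    report=${2:-/var/log/avgscan-$(date +%Y%m%d).log}
    avgupdate >/dev/null 2>&1 || echo "avgupdate failed; scanning with old definitions" >&2
    avgscan "$webroot" > "$report" 2>&1
    found=$(avg_infections < "$report")
    if [ "${found:-0}" -gt 0 ]; then
        echo "AVG found $found infection(s) under $webroot; see $report" >&2
        grep -E 'Virus (found|identified)' "$report" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed samples (no scanner needed):
echo "AVG infections: $(printf '%s\n' "$SAMPLE_AVG" | avg_infections)"
echo "maldet hits: $(printf '%s\n' "$SAMPLE_MALDET" | maldet_hits)"
printf '%s\n' "$SAMPLE_MALDET" | maldet_hit_files
```

To use it from cron, source the script and call nightly_avg_scan with your web root; the full AVG report stays on disk under /var/log, and only the summary plus the flagged lines are emitted when something is found. The maldet_hit_files output is the review list: look at each path (and compare it against a clean copy of the same vBulletin version) before deciding whether to quarantine or delete.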
Sample AVG Anti-Virus scan output where the infections found included PHP/BackDoor left-over malware files, which can potentially open up your entire server to compromise. If you find these types of files, the best thing to do is totally nuke your server and reload the operating system and all files from a recent backup if possible. If that's not possible, then you still have a chance of a compromised system even after the clean-up steps outlined above.
avgscan .
AVG command line Anti-Virus scanner
Copyright (c) 2013 AVG Technologies CZ
Virus database version: 3204/6473
Virus database release date: Mon, 08 Jul 2013 05:59:00 +0000
./realaudio Object scan failed; Specified file was not found.
./faq.html Object scan failed; Specified file was not found.
./wusage Object scan failed; Specified file was not found.
./includes/class_postbit_blog.php Virus found PHP/BackDoor
./majorcoolimages Object scan failed; Specified file was not found.
./print.php Virus found PHP/BackDoor
./phpMyAdmin Object scan failed; Specified file was not found.
./imagesoldindex/monstercontrols/images Object scan failed; Specified file was not found.
./imagesoldindex/images Object scan failed; Specified file was not found.
./mc_limited_help.htm Object scan failed; Specified file was not found.
./cgi-bin/wmail/etc/users/username/saved-messages:/0001_body.html Virus identified HTML/Framer.FA
./cgi-bin/wmail/etc/users/username/saved-messages:/Doll.scr Virus identified I-Worm/Bagle.BDE
./cgi-bin/wmail/etc/users/username/saved-messages Virus identified HTML/Framer.FA
./cgi-bin/wmail/etc/users/username/mail-trash:/message.scr Virus identified I-Worm/Netsky
./cgi-bin/wmail/etc/users/username/mail-trash:/message.scr Virus identified I-Worm/Netsky
./cgi-bin/wmail/etc/users/username/mail-trash Virus identified I-Worm/Netsky
./images/monstercontrols/images Object scan failed; Specified file was not found.
./images/images Object scan failed; Specified file was not found.
Files scanned : 52960(52401)
Infections found : 8(4)
PUPs found : 0
Files healed : 0
Warnings reported : 0
Errors reported : 10
Output of AVG after trying to heal and clean infections:
avgscan -lU .
AVG command line Anti-Virus scanner
Copyright (c) 2013 AVG Technologies CZ
Virus database version: 3204/6473
Virus database release date: Mon, 08 Jul 2013 05:59:00 +0000
./cgi-bin/wmail/etc/users/username/saved-messages:/0001_body.html Virus identified HTML/Framer.FA
./cgi-bin/wmail/etc/users/username/saved-messages:/Doll.scr Virus identified I-Worm/Bagle.BDE
./cgi-bin/wmail/etc/users/username/saved-messages Virus identified HTML/Framer.FA; healed, inserted into virus vault
./cgi-bin/wmail/etc/users/username/mail-trash:/message.scr Virus identified I-Worm/Netsky
./cgi-bin/wmail/etc/users/username/mail-trash:/message.scr Virus identified I-Worm/Netsky
./cgi-bin/wmail/etc/users/username/mail-trash Virus identified I-Worm/Netsky; healed, inserted into virus vault
Files scanned : 52269(51710)
Infections found : 6(2)
PUPs found : 0
Files healed : 2
Warnings reported : 0
Errors reported : 0
Re-scan with AVG after healing reports zero infections:
avgscan -lU .
AVG command line Anti-Virus scanner
Copyright (c) 2013 AVG Technologies CZ
Virus database version: 3204/6473
Virus database release date: Mon, 08 Jul 2013 05:59:00 +0000
Files scanned : 52265(51710)
Infections found : 0(0)
PUPs found : 0
Files healed : 0
Warnings reported : 0
Errors reported : 0
Sample Linux Malware Detect scan output before clean-up, reporting infections in vBulletin files with embedded malware in the form of php.cmdshell (PHP backdoors), which can potentially elevate to server-level compromise. For this client, I copied their entire forum database and files from the compromised server to a private staging server I set up temporarily to properly clean all infections. Hence the web paths are /home/nginx/domains/hostname.domain.com/public/.
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <[email protected]>
(C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(1622): {scan} signatures loaded: 11556 (9688 MD5 / 1868 HEX)
maldet(1622): {scan} building file list for, this might take awhile...
maldet(1622): {scan} file list completed, found 51700 files...
maldet(1622): {scan} 51700/51700 files scanned: 3 hits 0 cleaned
maldet(1622): {scan} scan completed on: files 51700, malware hits 3, cleaned hits 0
maldet(1622): {scan} scan report saved, to view run: maldet --report 070913-1134.1622
maldet(1622): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 070913-1134.1622
malware detect scan report for hostname.domain.com:
SCAN ID: 070913-1134.1622
TIME: Jul 9 13:57:34 +0000
PATH: /home/nginx/domains/hostname.domain.com/public/
TOTAL FILES: 51700
TOTAL HITS: 3
TOTAL CLEANED: 0
NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 070913-1134.1622
FILE HIT LIST:
{HEX}php.cmdshell.unclassed.344 : /home/nginx/domains/hostname.domain.com/public/includes/class_postbit_blog.php
{HEX}php.cmdshell.unclassed.344 : /home/nginx/domains/hostname.domain.com/public/print.php
{MD5}php.cmdshell.rgod.4878 : /home/nginx/domains/hostname.domain.com/public/lndex.php
Sources & other recommended reading: