Geekzone: technology news, blogs, forums
# 143312 10-Apr-2014 10:50

Hi,

I have a small client who, apparently, has had their website compromised, and they have asked me to assist.

I am no web developer, and the guy who put the site together is long gone, but I am hoping this is something simple.

The site is hosted with OpenHost.net.nz who have shut off the site, with the following message:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Your website above has been compromised and is being used to send out spam and phishing attacks to others on the Internet. As such we have had to temporarily disable your website to avoid further damage to our server and visitors to your site.

Any visitors to your website will be directed to a maintenance page for the time being.

To resolve the problem, please visit http://myip.co.nz/ and reply back to this ticket with your IP address so that we can allow you access to your website in order to begin fixing it. From here you will need to run through the steps below and reply back to us confirming they have been completed.

* Update your CMS to the latest possible version
* Update your plugins, themes and modules to the latest possible version
* Remove any compromised files that may have been uploaded (see below)

We have detected the following files have changed recently or are deemed to be malicious.

Found4: ./catalog/control/config.php (*** Must be cleaned manually ***)
Found4: ./catalog/control/ocVTS.php (*** Must be cleaned manually ***)
Found4: ./catalog/control/ocVTSa.php (*** Must be cleaned manually ***)
Found4: ./catalog/control/sitemonitor_configure_0.php (*** Must be cleaned manually ***)
Found4: ./catalog/control/includes/functions/sitemonitor_functions.php (*** Must be cleaned manually ***)

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


We figured it would be easy - I have a backup of the entire site including those files from Nov 2013, so I'd just restore from backup, and it would fix the problem (although of course it could happen again, but that would be something to fix going forwards, not just for today).

However, when I downloaded those files from the site this morning, and compared to the backup, all the files are identical (I even MD5 hashed them to be 100% sure), and have not been modified recently.


I have pasted the contents of the config.php file at the bottom of this post in case someone wants to see it.  Please take care in case there is anything in there that is of concern - I can't see how, as it is a plain text file, but just saying.


Can anyone advise what we should do next?  How can I tell if they are using a CMS?  On the OpenHost site, if I go into the 'Applications & Services - Web Applications' section, it says that there are No Web Applications installed.  I am guessing that if there is no CMS, there are no 'plugins, themes and modules' either?


Thanks for any pointers you can provide.

Alan.


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Config.php

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<?php

$ver = 'v1.0.12';

// Font colors for ocVTSa
$fb1 = '<font color="#FF0000"><b>'; // color ERROR description
$fe1 = '</b></font>'; // close tags in reverse order of opening
$fb2 = '<font color="#CC3300">'; // color SUSPECTED (shell execution)
$fe2 = '</font>';
$fb3 = '<font color="#0000FF">'; // color ERROR filename
$fe3 = '</font>';
$fb4 = '<font color="#FF00FF">'; // color SUSPECTED (eval/base64_decode found)
$fe4 = '</font>';


//
// Example configuration file for osCommerce V&TS
// Please read readme.txt before editing this file.
//

// DEBUG MODE
// ----------
// Uncomment this option to enable 'debug' mode
// You will receive verbose reports including clean & infected
// files, as well as debug information for file reading and
// database connections.
// Default: Off (0)

$CONFIG['debug'] = 0; // OFF
//$CONFIG['debug'] = 1; // ON

// ROOT PATH TO SCAN
// -----------------
// This can be a relative or full path WITHOUT a trailing
// slash. All files and folders will be recursively scanned
// within this path. NB: Due to your web host's configuration
// it is likely this script will be terminated after 30-60
// seconds of continuous operation. Please keep an eye on
// the number of files inside this directory - if it is too
// large it may fail.
// Default: Document root defined in Apache

$CONFIG['scanpath'] = $_SERVER['DOCUMENT_ROOT'];

//$CONFIG['scanpath'] = $_SERVER['DOCUMENT_ROOT']."/catalog";


// SCANABLE FILES
// --------------
// The next few lines tell PHP AntiVirus what files to scan
// within the directory set above. It does it by file
// extension (the text after the period or dot in the file
// name) - for example "htm", "html" or "php" files.
// Default: None

// Static files? This should be a comprehensive list, add
// more if required.

$CONFIG['extensions'][] = 'htm';
$CONFIG['extensions'][] = 'html';
$CONFIG['extensions'][] = 'shtm';
$CONFIG['extensions'][] = 'shtml';
$CONFIG['extensions'][] = 'css';
$CONFIG['extensions'][] = 'js';
$CONFIG['extensions'][] = 'vbs';
$CONFIG['extensions'][] = 'ess'; // This will check the .htaccess file


// PHP files? This should be a comprehensive list, add more
// if required.

$CONFIG['extensions'][] = 'php';
$CONFIG['extensions'][] = 'php3';
$CONFIG['extensions'][] = 'php4';
$CONFIG['extensions'][] = 'php5';

// Text files? Virus code is harmless but invasive,
// although uncommenting these lines may cause false
// positives.

// $CONFIG['extensions'][] = 'txt';
// $CONFIG['extensions'][] = 'rtf';
// $CONFIG['extensions'][] = 'doc';
// $CONFIG['extensions'][] = 'conf';
// $CONFIG['extensions'][] = 'dat';

// Flat file data? Only enable these if you regularly store
// data in flat files.

// $CONFIG['extensions'][] = 'conf';
// $CONFIG['extensions'][] = 'config';
// $CONFIG['extensions'][] = 'csv';
// $CONFIG['extensions'][] = 'tab';
// $CONFIG['extensions'][] = 'sql';

// CGI scripts? Unlikely but entirely possible.

// $CONFIG['extensions'][] = 'pl';
// $CONFIG['extensions'][] = 'perl';
// $CONFIG['extensions'][] = 'cgi';
// $CONFIG['extensions'][] = '';

// Image files for the truly paranoid
// $CONFIG['extensions'][] = 'jpg';
$CONFIG['extensions'][] = 'gif';
// $CONFIG['extensions'][] = 'bmp';
?>



XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
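The comparison described above (download the live files, hash them, compare against the November backup) was only done for the five files the host named. As an added example, not code from this thread or from osCommerce/VTS, the Python script below walks two whole trees and reports every file that is unchanged, modified, added or removed, so a file dropped anywhere in the site shows up whether or not the host listed it. The two directory layouts and their contents are constructed sample data; the function names are my own.

```python
"""Compare a trusted backup of a site tree against a fresh download of it.

Added example, not from the thread. Hashes decide, not timestamps: a
modification time can be set to anything, a SHA-256 digest cannot.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file path (relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(backup_root, live_root):
    """Classify files as unchanged, modified, added (live only) or removed (backup only)."""
    backup = hash_tree(backup_root)
    live = hash_tree(live_root)
    return {
        "unchanged": sorted(p for p in backup if p in live and backup[p] == live[p]),
        "modified": sorted(p for p in backup if p in live and backup[p] != live[p]),
        "added": sorted(p for p in live if p not in backup),
        "removed": sorted(p for p in backup if p not in live),
    }


def _write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def build_sample_trees():
    """Construct a 'backup' and a 'live' tree (sample data, not the real site)."""
    backup = tempfile.mkdtemp(prefix="backup_")
    live = tempfile.mkdtemp(prefix="live_")
    for root in (backup, live):
        _write(root, "catalog/control/config.php", "<?php $CONFIG['debug'] = 0;\n")
        _write(root, "catalog/index.php", "<?php echo 'shop';\n")
    # constructed differences: one file altered, one file that the backup never had
    _write(live, "catalog/index.php", "<?php echo 'shop'; /* constructed change */\n")
    _write(live, "catalog/images/extra.php", "<?php /* constructed: absent from backup */\n")
    return backup, live


def demo():
    """Build the sample trees, compare them and clean up."""
    backup, live = build_sample_trees()
    try:
        return compare_trees(backup, live)
    finally:
        shutil.rmtree(backup)
        shutil.rmtree(live)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

To use it on the real site, call `compare_trees()` with the path of the November backup and the path of a fresh download instead of `build_sample_trees()`; the "added" and "modified" lists are the files worth reading before anything is restored or re-uploaded.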



  # 1022686 10-Apr-2014 10:55

You definitely have a system in place. It's osCommerce judging by those files.

Your best bet is probably to get someone who knows about PHP to have a look.

The config.php file looks OK to me, but openhost must have a reason for saying your site has been compromised.

OpenHost not showing any applications installed just means it was done manually.




Prodigi - Optimised IT Solutions
WebOps/DevOps, Managed IT, Hosting and Internet/WAN.






# 1022692 10-Apr-2014 11:12

Hi Daniel,

danielfaulknor: You definitely have a system in place. It's osCommerce judging by those files.


Yes - I should have mentioned that in my OP - they are using osCommerce.


danielfaulknor: Your best bet is probably to get someone who knows about PHP to have a look.


That is the aim, but I was hoping to see if I could get it up and running again today for them, and then they can look for a new developer proper.


danielfaulknor: The config.php file looks OK to me, but openhost must have a reason for saying your site has been compromised.

OpenHost not showing any applications installed just means it was done manually.


Yeah - it's odd really, since nothing has changed in the last five months.


Thanks for your help.

Alan.



  # 1022693 10-Apr-2014 11:14

If you wanted to upload a couple more of those files I could have a nosy for you.
It may be that openhost have fired a false positive




Prodigi - Optimised IT Solutions
WebOps/DevOps, Managed IT, Hosting and Internet/WAN.






  # 1022731 10-Apr-2014 11:55

danielfaulknor: If you wanted to upload a couple more of those files I could have a nosy for you.
It may be that openhost have fired a false positive


Thanks Daniel - Much appreciated.

The GeekZone forum rejects my post when I try pasting in some of the content - perhaps that is indicative of something being wrong in one of them?

I have therefore put them here:

ocVTS.php    ->    http://pastebin.com/Bw6SXqVP
ocVTSa.php    ->    http://pastebin.com/yufUGEaa
sitemonitor_configure_0.php    ->    http://pastebin.com/EzK5SY47
sitemonitor_functions.php    ->    http://pastebin.com/zUYTq5SN


I have no idea if there is any security risk with posting these, but just in case, I have replaced the domain name with example.com in each occurrence.

I hope that works for you.

Alan.





  # 1022742 10-Apr-2014 12:12

Looks like VTS is an add-on for osCommerce that checks for malicious files.
http://addons.oscommerce.com/info/7279

Likely to be a false positive: OpenHost's security software detecting the filenames/paths referred to in the VTS code and thinking they are the real thing.

However if the site has been left without regular updates for a long time it could also be compromised in some other way.

Firstly, have you contacted OpenHost's support?

I would probably pull down a copy of their database and current files, and set up a dev environment on your local machine. Remove VTS, upgrade osCommerce, then re-upload.




  # 1022752 10-Apr-2014 12:17

It's a false positive I would say.
It has some code inside the checker that is actual malicious code that it uses for checking for those malicious additions, but it does not run.




Prodigi - Optimised IT Solutions
WebOps/DevOps, Managed IT, Hosting and Internet/WAN.
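Ragnor's and Daniel's explanations above come down to the same mechanism: a scanner that looks for strings such as eval or base64_decode will match a malware checker's own comments and signature lists, not just live code. The added Python below (not from this thread, not from VTS or OpenHost) shows that on constructed PHP lines modelled on the posted config.php: a plain substring rule flags the comment and two string literals, while the same rule applied only to code outside comments and string literals flags only a real call, which is the one line that would merit a human look. The sample lines, the two-entry rule list and the function names are all my assumptions.

```python
"""Why a string-signature scan flags a malware checker's own files.

Added example, not from the thread or from VTS. The sample PHP lines are
constructed: line 2 mirrors the comment in the posted config.php, lines 4-5
keep the suspicious words inside string literals, line 6 is a real call.
"""

SAMPLE_PHP = """<?php
$fb4 = '<font color="#FF00FF">'; // color SUSPECTED (eval/base64_decode found)
$CONFIG['debug'] = 0; // OFF
$sig[] = 'eval(base64_decode(';
$url = 'http://example.com/?x=base64_decode';
$decoded = base64_decode($blob);
"""

# Assumed rule list; a host's scanner would carry many more entries.
RULES = ["eval(", "base64_decode"]


def code_only(line):
    """Drop string-literal contents and trailing // or # comments from one line.

    Block comments (/* ... */) and heredocs are not handled; a production tool
    should use a PHP tokenizer instead of this per-line state machine.
    """
    out = []
    quote = None
    i = 0
    while i < len(line):
        ch = line[i]
        if quote:
            if ch == "\\":          # skip the escaped character inside a string
                i += 2
                continue
            if ch == quote:         # closing quote: keep the delimiter only
                quote = None
                out.append(ch)
        elif ch in ("'", '"'):
            quote = ch
            out.append(ch)
        elif ch == "#" or line.startswith("//", i):
            break                   # rest of the line is a comment
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def scan(text, rules, normalise=lambda line: line):
    """Return (line number, rule) pairs for every rule found in each line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        subject = normalise(line)
        for rule in rules:
            if rule in subject:
                hits.append((lineno, rule))
    return hits


def naive_hits():
    """Substring rules over raw lines: comments and literals match too."""
    return scan(SAMPLE_PHP, RULES)


def refined_hits():
    """Same rules over code only: comment text and string contents no longer match."""
    return scan(SAMPLE_PHP, RULES, code_only)


if __name__ == "__main__":
    print("naive:  ", naive_hits())
    print("refined:", refined_hits())
```

Note that the `//` inside the URL on line 5 sits within a string, so `code_only()` does not treat it as a comment; a scanner that simply splits on `//` would get that wrong in the other direction. Even the refined pass only narrows the list to real calls, so the remaining hit still needs a person to read it in context, which is the step the host's automated notice cannot do.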






  # 1022773 10-Apr-2014 12:26

Ragnor: Looks like VTS is an add-on for osCommerce that checks for malicious files.
http://addons.oscommerce.com/info/7279

Likely to be a false positive: OpenHost's security software detecting the filenames/paths referred to in the VTS code and thinking they are the real thing.

However if the site has been left without regular updates for a long time it could also be compromised in some other way.

Firstly, have you contacted OpenHost's support?

I would probably pull down a copy of their database and current files, and set up a dev environment on your local machine. Remove VTS, upgrade osCommerce, then re-upload.




Hi Ragnor,

I have spoken to OpenHost's support, but they are explicit that they are not web developers, and can't really help - to be expected I suppose.

I will have a look at doing as you suggest, but I may be in over my head.  I strongly suspect that the osCommerce install is outdated like you say.  Could be a good learning opportunity for me :-)

Thanks,

Alan.



  # 1022777 10-Apr-2014 12:28

danielfaulknor: It's a false positive I would say.
It has some code inside the checker that is actual malicious code that it uses for checking for those malicious additions, but it does not run.


Hi Daniel,

Thanks for that.  I will go back to OpenHost and ask them if they can be more specific, but I am not expecting them to be in a position to help in that respect.

I am going to have a go at downloading the site and running it locally, updating osCommerce and re-uploading.  I figure as long as I retain a zip of the site as it is now, worst case, I can delete it totally from OpenHost and re-upload the zipped backup, warts and all, so I cannot do any harm, and I might learn something!

Alan.
