Hi,
I have a small client who, apparently, has had their website compromised, and they have asked me to assist.
I am no web developer, and the guy who put the site together is long gone, but I am hoping this is something simple.
The site is hosted with OpenHost.net.nz who have shut off the site, with the following message:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Your website above has been compromised and is being used to send out spam and phishing attacks to others on the Internet. As such we have had to temporarily disable your website to avoid further damage to our server and visitors to your site.
Any visitors to your website will be directed to a maintenance page for the time being.
To resolve the problem, please visit http://myip.co.nz/ and reply back to this ticket with your IP address so that we can allow you access to your website in order to begin fixing it. From here you will need to run through the steps below and reply back to us confirming they have been completed.
* Update your CMS to the latest possible version
* Update your plugins, themes and modules to the latest possible version
* Remove any compromised files that may have been uploaded (see below)
We have detected the following files have changed recently or are deemed to be malicious.
Found4: ./catalog/control/config.php (*** Must be cleaned manually ***)
Found4: ./catalog/control/ocVTS.php (*** Must be cleaned manually ***)
Found4: ./catalog/control/ocVTSa.php (*** Must be cleaned manually ***)
Found4: ./catalog/control/sitemonitor_configure_0.php (*** Must be cleaned manually ***)
Found4: ./catalog/control/includes/functions/sitemonitor_functions.php (*** Must be cleaned manually ***)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
We figured it would be easy - I have a backup of the entire site including those files from Nov 2013, so I'd just restore from backup, and it would fix the problem (although of course it could happen again, but that would be something to fix going forwards, not just for today).
However, when I downloaded those files from the site this morning, and compared to the backup, all the files are identical (I even MD5 hashed them to be 100% sure), and have not been modified recently.
I have pasted the contents of the config.php file to the bottom of this post in case someone wants to see that. Please take care in case there is anything in there that is of concern - I can't see how as plain text file, but just saying.
Can anyone advise what we should do next? How can I tell if they are using a CMS? On the OpenHost site, if I go into the 'Applications & Services - Web Applications' section, it says that there are No Web Applications installed. I am guessing that if there is no CMS, there are no 'plugins, themes and modules' either?
Thanks for any pointers you can provide.
Alan.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Config.php
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
<?php
$ver = 'v1.0.12';
// Font colors for ocVTSa
$fb1 = '<font color="#FF0000"><b>'; // color ERROR description
$fe1 = '</b></font>'; // close tags in reverse order of opening
$fb2 = '<font color="#CC3300">'; // color SUSPECTED (shell execution)
$fe2 = '</font>';
$fb3 = '<font color="#0000FF">'; // color ERROR filename
$fe3 = '</font>';
$fb4 = '<font color="#FF00FF">'; // color SUSPECTED (eval/base64_decode found)
$fe4 = '</font>';
//
// Example configuration file for osCommerce V&TS
// Please read readme.txt before editing this file.
//
// DEBUG MODE
// ----------
// Uncomment this option to enable 'debug' mode
// You will receive verbose reports including clean & infected
// files, as well as debug information for file reading and
// database connections.
// Default: Off (0)
$CONFIG['debug'] = 0; // OFF
//$CONFIG['debug'] = 1; // ON
// ROOT PATH TO SCAN
// -----------------
// This can be a relative or full path WITHOUT a trailing
// slash. All files and folders will be recursively scanned
// within this path. NB: Due to your web host's configuration
// it is likely this script will be terminated after 30-60
// seconds of continuous operation. Please keep an eye on
// the number of files inside this directory - if it is too
// large it may fail.
// Default: Document root defined in Apache
$CONFIG['scanpath'] = $_SERVER['DOCUMENT_ROOT'];
//$CONFIG['scanpath'] = $_SERVER['DOCUMENT_ROOT']."/catalog";
// SCANABLE FILES
// --------------
// The next few lines tell PHP AntiVirus what files to scan
// within the directory set above. It does it by file
// extension (the text after the period or dot in the file
// name) - for example "htm", "html" or "php" files.
// Default: None
// Static files? This should be a comprehensive list, add
// more if required.
$CONFIG['extensions'][] = 'htm';
$CONFIG['extensions'][] = 'html';
$CONFIG['extensions'][] = 'shtm';
$CONFIG['extensions'][] = 'shtml';
$CONFIG['extensions'][] = 'css';
$CONFIG['extensions'][] = 'js';
$CONFIG['extensions'][] = 'vbs';
$CONFIG['extensions'][] = 'ess'; // This will check the .htaccess file
// PHP files? This should be a comprehensive list, add more
// if required.
$CONFIG['extensions'][] = 'php';
$CONFIG['extensions'][] = 'php3';
$CONFIG['extensions'][] = 'php4';
$CONFIG['extensions'][] = 'php5';
// Text files? Virus code is harmless but invasive,
// although uncommenting these lines may cause false
// positives.
// $CONFIG['extensions'][] = 'txt';
// $CONFIG['extensions'][] = 'rtf';
// $CONFIG['extensions'][] = 'doc';
// $CONFIG['extensions'][] = 'conf';
// $CONFIG['extensions'][] = 'dat';
// Flat file data? Only enable these if you regularly store
// data in flat files.
// $CONFIG['extensions'][] = 'conf';
// $CONFIG['extensions'][] = 'config';
// $CONFIG['extensions'][] = 'csv';
// $CONFIG['extensions'][] = 'tab';
// $CONFIG['extensions'][] = 'sql';
// CGI scripts? Unlikely but entirely possible.
// $CONFIG['extensions'][] = 'pl';
// $CONFIG['extensions'][] = 'perl';
// $CONFIG['extensions'][] = 'cgi';
// $CONFIG['extensions'][] = '';
// Image files for the truly paranoid
// $CONFIG['extensions'][] = 'jpg';
$CONFIG['extensions'][] = 'gif';
// $CONFIG['extensions'][] = 'bmp';
?>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX