Last weekend, one of my friends called me in a hurry: our intranet official site had been hacked and suspended by the hosting service for phishing. What to do next … Here is the process I used to find the root cause and recover …
—
The hosting service indicated this in an email …
Reported Malicious Content:
http://www.web.com/.scripts/SIIBIC/index.processa
Other Potential Malware:
/home1/web/public_html/tmp/x.txt
/home1/web/public_html/tmp/up.php
—
Root Cause
In /tmp/x.txt … the hacker left his name as a signature. It was “iskorpitx”. I searched Google and found many related links about the possible cause …
Site hacked through extcalendar component
http://forum.joomla.org/viewtopic.php?t=79050
Dreamhost e-mailed me earlier today and said that my website was an isolated incident. I think it was a Joomla! (opensource CMS) exploit.
http://www.bigevilonline.com/showthread.php?t=1310
The old version of Joomla (1.5.5) has some serious security issue. Upgrade to Joomla 1.5.6.
http://www.namepros.com/domain-name-discussion/508395-my-website-hacked-iskorpitx-turkish-hacker.html
My host support got back to me, looks like it was a server wide issue, someone had an old Joomla script on their site that was exploited.
http://wordpress.org/support/topic/my-blogs-been-hacked-by-iskorpitx-turkish-hacker
An older version of Joomla was installed on the website, so this was most probably the core reason the attacker gained access to the /public_html/tmp folder.
—
Recovering
I found a useful link with some recovery tips …
How to find backdoor PHP shell scripts on a server
http://25yearsofprogramming.com/blog/2010/20100315.htm
I went through the access_logs to find the scripts, but only the last 24 hours of logs were there … showing heavy access to the malware code.
I asked the hosting service for SSH access, and after several tries I searched for recently created files on the server …
Files created in the last 60 days …
find ./ -type f -ctime -60 -exec ls -lc '{}' \; > ../last-activity.txt
Files created in the last 60 days, with an exclude-folder option …
find ./ -path './ignore-folder' -prune -o -type f -ctime -60 -exec ls -lc '{}' \; > ../last-activity.txt
Now last-activity.txt showed exactly what I was looking for … files with their creation time, showing the hackers' footprint.
# files uploaded to the tmp folder, probably using the Joomla security hole … as tmp is Joomla's temp folder
Mar 10 11:48 ./tmp/x.txt
Mar 20 04:16 ./tmp/up.php
Mar 20 03:33 ./tmp/abc.php
Apr 22 11:25 ./templates/ja_purity/index.php
# reverse shell console … that will execute the sh commands
Apr 30 16:45 ./templates/beez/index.php
# probably remote shell helper
May 4 07:34 ./images/logs.php
# uploaded phishing script archive
May 4 11:39 ./images/https.zip
# extracted phishing scripts
May 4 11:46 ./.scripts/index.html
May 4 11:46 ./.scripts/infobusca/index.htm
May 4 11:46 ./.scripts/cetelem/login.php
…
May 4 11:49 ./images/https.zip.1
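As an added example (not code from the original post), the two find commands above folded into a small triage helper that also flags the pattern visible in this listing: PHP files dropped into Joomla's data-only folders (tmp/, images/) or into hidden directories. It assumes a POSIX sh with find(1); the directory names are the ones from this incident, and the sample tree it builds is constructed, not taken from the server.

```sh
#!/bin/sh
# Added example, not from the original post: triage a Joomla web root for
# recently changed files, following the find(1) approach described above.

# Print files under $1 whose ctime is within the last $2 days, as paths
# relative to $1, skipping the optional folder $3. -ctime is the inode
# change time, which is as close to "created" as most filesystems expose.
recent_files() {
    root=$1; days=$2; skip=${3:-__no_skip__}
    ( cd "$root" && find . -path "./$skip" -prune -o -type f -ctime "-$days" -print | sort )
}

# Classify each path read from stdin. Server-side code in Joomla's data-only
# folders (tmp/, images/) or in a hidden directory is what the droppers,
# web shells and phishing kit looked like in the listing above.
classify() {
    while IFS= read -r f; do
        case "$f" in
            ./tmp/*.php|./images/*.php|./.*/*.php) echo "SUSPECT $f" ;;
            ./*.zip|./*.zip.[0-9]*)                echo "ARCHIVE $f" ;;
            *)                                     echo "ok      $f" ;;
        esac
    done
}

# Constructed sample tree mirroring the footprint in the post (file names only,
# no content). Returns the number of SUSPECT hits so the result can be checked.
demo_suspect_count() {
    d=$(mktemp -d)
    mkdir -p "$d/tmp" "$d/images" "$d/.scripts/cetelem" "$d/templates/beez" "$d/cache"
    for f in tmp/x.txt tmp/up.php images/logs.php images/https.zip \
             .scripts/cetelem/login.php templates/beez/index.php cache/old.php; do
        : > "$d/$f"
    done
    # cache/ is pruned here the same way './ignore-folder' is pruned above
    n=$(recent_files "$d" 60 cache | classify | grep -c '^SUSPECT' || true)
    rm -rf "$d"
    echo "$n"
}
```

Run `recent_files /home1/web/public_html 60 cache | classify` against a real web root to get the same three-way listing; anything marked SUSPECT still needs a manual look, since a legitimate template file such as templates/beez/index.php is classified ok and was a web shell in this incident.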
The phishing scripts were pure evil … they captured user input (credit card, user/pass), stored it in ../.out/file.txt and emailed the file content to “infos.trace@gmail.com” … They contained cloned login pages of 12 portals (bank / credit card / other … serasaexperian, amex etc).
I've asked the Gmail security team to trace this account for investigation.
No extra email account, cron job, FTP account or database was found through cPanel.
I removed the malicious content and asked the hosting service to enable the website again.
—
Learnings
- Pay serious attention to security updates of installed apps (Windows, Joomla, WordPress … anything)
- Don't blindly trust 3rd-party plugins / extensions of open source tools. Do a minimal code audit if possible.
- Don't install anything from untrusted, warez-like websites. A comprehensive code audit is a must.