iSKORPiTX Footprints … Recovering an iSKORPiTX Hacked Site

Last weekend, one of my friends called me in a hurry, saying that my intranet official site had been hacked and suspended by the hosting service due to phishing. What to do next … Here is the process I used to find the root cause and recover …


The hosting service indicated this in its email …

Reported Malicious Content:
http://www.web.com/.scripts/SIIBIC/index.processa

Other Potential Malware:

/home1/web/public_html/tmp/x.txt
/home1/web/public_html/tmp/up.php

Root Cause

In /tmp/x.txt … the hacker left his name as a signature. It was “iskorpitx”. I searched Google and found many related links about the possible cause …

Site hacked through extcalendar component
http://forum.joomla.org/viewtopic.php?t=79050

Dreamhost e-mailed me earlier today and said that my website was an isolated incident. I think it was a Joomla! (opensource CMS) exploit.
http://www.bigevilonline.com/showthread.php?t=1310

The old version of Joomla (1.5.5) has some serious security issues. Upgrade to Joomla 1.5.6.
http://www.namepros.com/domain-name-discussion/508395-my-website-hacked-iskorpitx-turkish-hacker.html

My host support got back to me, looks like it was a server wide issue, someone had an old Joomla script on their site that was exploited.
http://wordpress.org/support/topic/my-blogs-been-hacked-by-iskorpitx-turkish-hacker

There was an older version of Joomla installed on the website, so this was most probably the core reason access was gained to the /public_html/tmp folder.

Recovering

I found a useful link with some recovery tips …

How to find backdoor PHP shell scripts on a server
http://25yearsofprogramming.com/blog/2010/20100315.htm

I went to the access logs to find the scripts, but only the last 24 hours of logs were there … showing heavy access to the malware code.

I asked the hosting service for SSH access, and after several tries I searched for recently created files on the server …

Files created in the last 60 days … (-ctime matches the inode change time, not strictly creation; unlike the modification time it cannot be reset with touch, which makes it the better clock for this triage)
find ./ -type f -ctime -60 -exec ls -lc '{}' \; > ../last-activity.txt

Files created in the last 60 days, with a folder excluded …
find ./ -path './ignore-folder' -prune -o -type f -ctime -60 -exec ls -lc '{}' \; > ../last-activity.txt

Another find call to get the 20 most recent files (by modification time), skipping static assets …

find . -type f -printf '%TY-%Tm-%Td %TH:%TM: %Tz %p\n' | sort -n | grep -v "css" | grep -v jpg | grep -v less | grep -v gif | grep -v png | tail -n20

Now last-activity.txt showed exactly what I was looking for … files with their change times, showing the hackers' footprints.

# files uploaded to the tmp folder, probably through the Joomla security hole … tmp is Joomla's temp folder

Mar 10 11:48 ./tmp/x.txt
Mar 20 04:16 ./tmp/up.php
Mar 20 03:33 ./tmp/abc.php
Apr 22 11:25 ./templates/ja_purity/index.php

# reverse shell console … executes sh commands
Apr 30 16:45 ./templates/beez/index.php

# probably remote shell helper
May 4 07:34 ./images/logs.php

# uploaded phishing script archive
May 4 11:39 ./images/https.zip

# extracted phishing scripts
May 4 11:46 ./.scripts/index.html
May 4 11:46 ./.scripts/infobusca/index.htm
May 4 11:46 ./.scripts/cetelem/login.php

May 4 11:49 ./images/https.zip.1

The phishing scripts were pure evil … they captured user input (credit card, user/pass), stored it in ../.out/file.txt and emailed the file content to “infos.trace@gmail.com” … They contained cloned login pages of 12 portals (bank / credit card / other … serasaexperian, amex etc.).

I’ve asked the Gmail security team to trace this account for investigation.

No extra email account, cron job, FTP account or database was found through cPanel.
I cleared the malicious content and asked the hosting service to enable the website again.
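The find recipes and the footprint listing above can be turned into a repeatable triage: list recently changed files, drop static assets the way the grep -v chain does, and flag the patterns the hacked site showed (PHP or archives under upload folders such as tmp/ and images/, and anything under a hidden directory like .scripts/). This is an added example, not code from the original post; the directory names, extensions and sample entries are my own assumptions.

```python
import os
import time

# Constructed rules, modelled on the footprints found on the hacked site.
ASSET_EXT = ('.css', '.jpg', '.less', '.gif', '.png')   # same set the grep -v chain drops
UPLOAD_DIRS = ('tmp', 'images')                          # should hold data, never code
EXEC_EXT = ('.php', '.phtml', '.php5')
ARCHIVE_EXT = ('.zip', '.tar', '.gz', '.rar')

def suspicion(relpath):
    """Return the reasons a path looks like attacker residue ([] if none)."""
    parts = relpath.split('/')
    dirs, name = parts[:-1], parts[-1].lower()
    reasons = []
    if any(d.startswith('.') for d in dirs):
        reasons.append('hidden directory')
    if dirs and dirs[0] in UPLOAD_DIRS and name.endswith(EXEC_EXT):
        reasons.append('executable in upload dir')
    if dirs and dirs[0] in UPLOAD_DIRS and name.endswith(ARCHIVE_EXT):
        reasons.append('archive in upload dir')
    return reasons

def triage(entries, now, days=60, limit=20):
    """entries: iterable of (relpath, ctime_epoch). Keep files changed in the
    last `days` days, drop static assets, newest first, at most `limit` rows.
    Each row is (timestamp string, path, list of reasons)."""
    cutoff = now - days * 86400
    recent = [(p, t) for p, t in entries
              if t >= cutoff and not p.lower().endswith(ASSET_EXT)]
    recent.sort(key=lambda e: e[1], reverse=True)
    return [(time.strftime('%Y-%m-%d %H:%M', time.gmtime(t)), p, suspicion(p))
            for p, t in recent[:limit]]

def scan(root):
    """Walk root and yield (relpath, st_ctime); ctime is used rather than
    mtime because an attacker can reset mtime with touch -t but not ctime."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            yield rel, os.stat(full).st_ctime

if __name__ == '__main__':
    import sys
    for when, path, why in triage(scan(sys.argv[1]), time.time()):
        print(when, path, ', '.join(why))
```

Run it against the public_html root; rows with a non-empty reason list are the first ones to open and compare against a clean copy of the CMS.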

----

Learnings

– Pay serious attention to security updates of installed apps (Windows, Joomla, WordPress … anything).
– Don’t blindly trust 3rd-party plugins / extensions of open source tools. Do a minimal code audit if possible.
– Don’t install anything from untrusted, warez-like websites; a comprehensive code audit is a must.
