  1. #1 Just Joined! (Join Date Apr 2012, Posts 44)

    Webserver infected with spamscript


    Hi!

    I have a webserver with numerous websites. There is one specific site that runs Joomla 2.5 that keeps getting infected with various php-scripts. The "hackers" use it to send as much spam as possible.

    I've had this problem in the past but upgrading Joomla has always seemed to fix it for a while, so my guess is that there's a vulnerability in Joomla itself, but I'm unable to track down exactly what it is. And Joomla is upgraded to the latest 2.5; I might ask them to upgrade to the latest 3.x version instead.

    For the time being I have stopped Postfix on the webserver so everything that they try to send just stops in the queue. Over the weekend there were over 169 000 mails in the queue, yes you read that right...

    There is one specific file that they keep creating, it's called javascript.php, I have it zipped down in the attachment.
    I can't really make heads or tails out of this but it looks like it specifies a bunch of IP-numbers that are allowed to use it, I'm guessing a botnet maybe!?
    There is a list of over 600 IP-numbers that have accessed javascript.php

    If I open the file in my web browser I just get "Linux+cfcd208495d565ef66e7dff9f98764da+01+[[]]"


    Is there something I can do to track down how they manage to create that file over and over again?
    I really want to know how they manage to do this so I can prevent stuff like this in the future.

    So what do you guys recommend doing?
    Is there anything I can do beyond scanning all files for viruses/malware at this point?
    Is it Joomla, some plugins or is it my Apache/PHP setup?

    My setup:

    Debian 7.6
    Apache 2.2.22-13+deb7u3
    PHP 5.4.31-1~dotdeb.1 (from Dotdeb, the extra repository for Debian servers)
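    To the question of how to track down the way the file keeps being recreated, here is an added example (not from the thread or from the poster): a Python triage over Apache access-log lines that counts the distinct clients using javascript.php and lists the requests made just before its first use, which is where the upload vector usually shows up. The log lines, the /images/ path and the com_example component are constructed sample data, not values from the infected server.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log format (not from the original
# post); the addresses are documentation-range placeholders, not real clients.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Aug/2014:02:14:03 +0200] "POST /index.php?option=com_example HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Aug/2014:02:14:09 +0200] "GET /images/javascript.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Aug/2014:02:15:40 +0200] "POST /images/javascript.php HTTP/1.1" 200 61 "-" "-"
192.0.2.9 - - [11/Aug/2014:02:16:01 +0200] "POST /images/javascript.php HTTP/1.1" 200 61 "-" "-"
203.0.113.5 - - [11/Aug/2014:02:20:00 +0200] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined-log prefix: client, identd, user, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(lines):
    """Yield one dict per well-formed line; anything that does not parse is skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {"ip": m.group("ip"), "method": m.group("method"),
               "path": m.group("path").split("?")[0], "status": int(m.group("status")),
               "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def triage(lines, dropper="javascript.php", window=timedelta(minutes=10)):
    """Who used the dropped file, and what was requested just before it first appeared."""
    entries = sorted(parse(lines), key=lambda e: e["ts"])
    hits = [e for e in entries if e["path"].endswith("/" + dropper)]
    if not hits:
        return None
    first = hits[0]
    # Requests shortly before the first use of the dropped file are where the upload
    # vector (a vulnerable component, plugin or reused admin login) usually shows up.
    preceding = [e for e in entries
                 if first["ts"] - window <= e["ts"] < first["ts"]
                 and not e["path"].endswith("/" + dropper)]
    return {"clients": Counter(e["ip"] for e in hits),  # the distinct "botnet" clients
            "first_hit": first,
            "preceding": preceding}
```

    Run it over the real access log for the vhost (for example `triage(open("/var/log/apache2/access.log"))`) and review every request in `preceding`; the component or path that appears there is the one to patch or remove before the cleaned site goes back online.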

  2. #2 Rubberman, Linux Guru (Join Date Apr 2009, Posts 11,599)
    Location: I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Your servers are either not properly configured as to directory/file permissions, or you have been compromised by a rootkit. Deal with those issues first (after taking your servers off-line and removing the bad files and replacing infected ones with clean ones).

    In any case, DO NOT go back online until you have cleaned up your systems!

    Finally, DO NOT ask us to open an infected file! Are you out of your mind?! If I had the time (my time costs $200 USD / hour) and you were paying for it, I'd put it in a virtual machine sandbox before I opened it. At least that way I can delete the VM once I have analyzed it and seen what it can do. And I charge a minimum 8 hours for this sort of work - 1 working day. If you have $1600 USD (minimum) to spend to figure this out, I will be happy to help...
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3 Just Joined! (Join Date Apr 2012, Posts 44)
    Quote Originally Posted by Rubberman:
    Your servers are either not properly configured as to directory/file permissions, or you have been compromised by a rootkit. Deal with those issues first (after taking your servers off-line and removing the bad files and replacing infected ones with clean ones).

    In any case, DO NOT go back online until you have cleaned up your systems!

    Finally, DO NOT ask us to open an infected file! Are you out of your mind?! If I had the time (my time costs $200 USD / hour) and you were paying for it, I'd put it in a virtual machine sandbox before I opened it. At least that way I can delete the VM once I have analyzed it and seen what it can do. And I charge a minimum 8 hours for this sort of work - 1 working day. If you have $1600 USD (minimum) to spend to figure this out, I will be happy to help...
    First of all, relax, it's a php file in a zip archive, which is basically just text. Did I ask you to upload it to your production servers? No I didn't. You can easily open it in a text editor to see what it is.

    Second of all, no thank you. I didn't make a post here asking for paid support. Do you really think I would make a post in an open source forum expecting to pay for support? If I wanted that I would buy stuff from Microsoft. And isn't it against the rules to advertise in the forums?

    So thanks, but no thanks.
    Thanks
