1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Needs server help (grep) fast, please!

Discussion in 'Off Topic' started by Jeremy, Aug 14, 2011.

  1. Jeremy

    Jeremy Well-Known Member

    OK, I'm pretty sure my site got hacked. And I need to figure out how code is being injected into the site... Its adding CSS, favicons, and HTML while modifying the <body> tag of the site. I'm attempting to figure out what file is injecting this (into EVERY page) by using this:
    grep -e "i.i.com.com" -f /var/www/vhosts/pittnews.com/httpdocs/
    This doesn't entirely seem to be working (its just sitting there basically), is this the correct line of code?

    On a side note, I just did a google search and see that URL used in a lot of images, but I know I didn't put it in there... o_O Which means its being injected somehow because my index.php file for my theme doesn't include it. (n) Plus, it screws up the look of the site (just proving I didn't do it).
  2. Floris

    Floris Guest

    You can go to /proc dir and go inside each proc id dir and cat the content.
    It might disclose which one is "fake" and is actually doing things it shouldn't.

    You can also go the long way and cat the content of your files with cat, then pipe it to grep to filter.


    cat /var/logs/apache2/access.log |grep "i.i.com.com"

    To live check if a file has content you could tail -F it ..

    tail -F index.php |grep "i.i.com.com"

    Perhaps that helps too. Opening multiple ssh tabs to the server doesn't hurt.

    Primary thing to do here is to get a backup of your database .sql dumps.

    If you just run say xenforo and your plugins that you can re-download ..

    Perhaps it's worth to just go with a new host, or a new account at the host and restore the .sql dump there, and re-download the xenforo + plugins, and upload the clean files to your box.

    Also, always check dirs with ls -all
    this way any .hidden dirs/files that might have naughty scripts in them are perhaps found.

    There is also logwatch you could install to report back to you daily if ssh attempts etc are made.

    Change it so root isn't root user, change the ssh port, and limit it to the ISP you're on + a backup ISP say 3g connection or a friend.

    apt-get update
    apt-get upgrade

    your linux setup so you run the patched versions of latest stable to avoid them to try and get in again.

    Active scanners like rkhunter (root kit hunter) could be installed, there are a few others. The ubuntu community has great documentation about finding rootkits, etc.

    Also check your created accounts. See if any strange new accounts are listed.

    It's hard to find something like i.i.com.com, because they can just send an encoded remote request to some .txt file on some other site once they're in, that gets this data to inject. And just grepping content won't always show.
  3. Deebs

    Deebs Well-Known Member

    can you not just use grep -ir "i.i.com.com" /var/www/vhosts/pittnews.com/httpdocs/*
  4. Luke F

    Luke F Well-Known Member

    find /var/www/vhosts/pittnews.com/httpdocs/ | xargs grep 'i.i.com.com' -sli
  5. Deebs

    Deebs Well-Known Member

    Scratch that, use this:

    fgrep -ir "i.i.com.com" /var/www/vhosts/pittnews.com/httpdocs/*
  6. Floris

    Floris Guest

    A quick google search shows me that there are malicious jpg/gif files being uploaded through Ads.Services via i.i.com.com sub dirs.

    Were you running any ads on your site, or one of the sites on your account?

    Maybe it's a malicious advertisement using .jpg headers to remotely get .css content that gets executed in IE8 or something ..
  7. Jeremy

    Jeremy Well-Known Member

    Thankfully, I can say it wasn't XenForo that got hacked. And it just seems to be injecting via HTML and I can't see anything within the DB being changed / hurt.

    None of the greps worked. :( I'm checking to see if advertisements we have are causing it.
  8. Jeremy

    Jeremy Well-Known Member

    Removed all ads that aren't delivered via the local server and none caused a change. Viewing page source, i.i.com.com is in 5 spots, all of which I can't find via local files.
  9. Floris

    Floris Guest

    Check if the ad program has support for reporting that domain, blocking domains, blacklisting it, etc?

    I suspect from the thread on google which is some cnn blog ad serving cache file where there's listing of matrix.css being called, where it has loads of regular used classes that take over the screen etc, that this is something they're doing on big web sites as well.
  10. Jeremy

    Jeremy Well-Known Member

    I don't touch the ads really. But its all from the same site (oncampusweb.com or something).
  11. Sadik B

    Sadik B Well-Known Member

    Hmmm... The easy way to do this is, tar and gzip your entire public_html folder. Download that to your local computer. Install Notepad++ and do a "Find in Files". It will search any and every file and return results within it's GUI in seconds. You can even do a regex search if you like. That way you will know for sure which, if any, file has been corrupted or is the cause.
  12. Jeremy

    Jeremy Well-Known Member

    It actually "disappeared" over night. =/ I'm still trying to figure it out...
  13. ragtek

    ragtek Guest

  14. Floris

    Floris Guest

Share This Page