Needs server help (grep) fast, please!

Jeremy

in memoriam 1991-2020
OK, I'm pretty sure my site got hacked. And I need to figure out how code is being injected into the site... It's adding CSS, favicons, and HTML while modifying the <body> tag of the site. I'm attempting to figure out what file is injecting this (into EVERY page) by using this:
Code:
grep -e "i.i.com.com" -f /var/www/vhosts/pittnews.com/httpdocs/

This doesn't entirely seem to be working (it's just sitting there, basically). Is this the correct line of code?

On a side note, I just did a Google search and see that URL used in a lot of images, but I know I didn't put it in there... o_O Which means it's being injected somehow, because my theme's index.php file doesn't include it. (n) Plus, it screws up the look of the site (just proving I didn't do it).
 
You can go to /proc dir and go inside each proc id dir and cat the content.
It might disclose which one is "fake" and is actually doing things it shouldn't.

You can also go the long way and cat the content of your files with cat, then pipe it to grep to filter.

like

cat /var/log/apache2/access.log |grep "i.i.com.com"

To live check if a file has content you could tail -F it ..

tail -F index.php |grep "i.i.com.com"

Perhaps that helps too. Opening multiple ssh tabs to the server doesn't hurt.

Primary thing to do here is to get a backup of your database .sql dumps.

If you just run say xenforo and your plugins that you can re-download ..

Perhaps it's worth just going with a new host, or a new account at the host, restoring the .sql dump there, re-downloading the xenforo + plugins, and uploading the clean files to your box.

Also, always check dirs with ls -all
this way any .hidden dirs/files that might have naughty scripts in them are perhaps found.

There is also logwatch you could install to report back to you daily if ssh attempts etc are made.

Change it so root isn't root user, change the ssh port, and limit it to the ISP you're on + a backup ISP say 3g connection or a friend.

apt-get update
and
apt-get upgrade

your linux setup so you run the latest stable patched versions, to stop them trying to get in again.

Active scanners like rkhunter (root kit hunter) could be installed, there are a few others. The ubuntu community has great documentation about finding rootkits, etc.

Also check your created accounts. See if any strange new accounts are listed.

It's hard to find something like i.i.com.com, because once they're in they can just send an encoded remote request to some .txt file on some other site that gets this data to inject. And just grepping content won't always show it.
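An added example, not code from the thread, that does what the opening post's grep was meant to do and covers the encoded-payload caveat just above: grep's -f option reads patterns from a file and does not name a directory to search, so that command never looks at the docroot, whereas grep -r (with -F, since the dots in a domain are regex metacharacters) walks every file including .hidden ones. The script also searches all three base64 alignments of the marker, so a string hidden inside base64_decode() is still found; it assumes POSIX sh with coreutils base64, cut and mktemp, and the docroot it searches is a constructed sample tree with hypothetical file names.

```shell
# Added example, not code from the thread: find an injected marker string
# under a web root, in plain text and in every base64 alignment.

# Emit the three base64 encodings of $1 (one per 3-byte alignment), trimmed
# of the characters whose value depends on the bytes around the marker.
b64_variants() {
  for pad in "" "x" "xx"; do
    enc=$(printf '%s%s' "$pad" "$1" | base64 | tr -d '\n=')
    case ${#pad} in 0) skip=0 ;; 1) skip=2 ;; 2) skip=3 ;; esac   # leading mixed chars
    if [ $(( (${#pad} + ${#1}) % 3 )) -eq 0 ]; then drop=0; else drop=1; fi
    printf '%s\n' "$enc" | cut -c"$((skip + 1))-$((${#enc} - drop))"
  done
}

# List files under $1 that contain $2 literally or base64-encoded.
# -F: the dots in a domain are regex metacharacters; -r: descends into
# .hidden dirs and files too; no -I, so image files are searched as well.
find_marker() {
  set -- "$1" "$2" $(b64_variants "$2")
  grep -rlF -e "$2" -e "$3" -e "$4" -e "$5" "$1" | sort
}

# Constructed sample docroot (hypothetical names): one clean file, one
# hidden injected file, one file hiding the marker inside base64.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/.cache"
  printf '<html><body>clean page</body></html>\n' > "$d/index.php"
  printf '<link rel="stylesheet" href="http://i.i.com.com/x/matrix.css">\n' \
    > "$d/wp-content/.cache/.h.php"
  printf '<?php echo base64_decode("%s"); ?>\n' \
    "$(printf 'http://i.i.com.com/x' | base64)" > "$d/footer.php"
  printf '%s\n' "$d"
}

# On a real server, replace make_sample_tree with the docroot path.
docroot=$(make_sample_tree)
find_marker "$docroot" "i.i.com.com"
rm -rf "$docroot"
```

Both injected files are listed (the plain one and the base64-hidden one); the clean index.php is not.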
 
A quick google search shows me that there are malicious jpg/gif files being uploaded through Ads.Services via i.i.com.com sub dirs.

Were you running any ads on your site, or one of the sites on your account?

Maybe it's a malicious advertisement using .jpg headers to remotely get .css content that gets executed in IE8 or something ..
 
Thankfully, I can say it wasn't XenForo that got hacked. And it just seems to be injecting via HTML and I can't see anything within the DB being changed / hurt.

None of the greps worked. :( I'm checking to see if advertisements we have are causing it.
 
Removed all ads that aren't delivered via the local server and none caused a change. Viewing the page source, i.i.com.com is in 5 spots, none of which I can find in the local files.
 
Check if the ad program has support for reporting that domain, blocking domains, blacklisting it, etc?

I suspect from the thread on google which is some cnn blog ad serving cache file where there's listing of matrix.css being called, where it has loads of regular used classes that take over the screen etc, that this is something they're doing on big web sites as well.
 
I don't touch the ads really. But it's all from the same site (oncampusweb.com or something).
 

Hmmm... The easy way to do this is: tar and gzip your entire public_html folder. Download that to your local computer. Install Notepad++ and do a "Find in Files". It will search any and every file and return results within its GUI in seconds. You can even do a regex search if you like. That way you will know for sure which file, if any, has been corrupted or is the cause.
 