~Toughbooktalk~ Rob - 630-300-8877

The largest Toughbook discussion site on the net!
PostPosted: Sun Mar 08, 2015 7:43 am 

Joined: Sat Jun 07, 2014 7:39 am
Posts: 655
Location: Canada
I don't know why I didn't click on the Blacklist Status tab on that Sucuri report. It leads to Spamhaus as the actual blacklist:
http://www.spamhaus.org/dbl/removal/rec ... oktalk.com
Which leads to a suspicious file on toughbooktalk.com:
/styles/skylineblue/theme/dump.php

Rob, I run several web servers for a living and have suggested you try out maldet. Here is how to do it on Windows.



Download Clamwin here:
http://downloads.sourceforge.net/clamwi ... -setup.exe

Download maldet here:
http://www.rfxn.com/downloads/maldetect-current.tar.gz

Install Clamwin and extract maldet somewhere temporary so we can copy its sig files. 7zip can handle tar.gz in two steps, first un-gzipping then un-tarring

Make a directory inside the clamwin bin directory named 'maldet'
For example on my system it would be this full path:
Code:
C:\Program Files (x86)\ClamWin\bin\maldet


Copy the files from the maldet files\sigs directory into the maldet directory you just created above. There should be two .dat and two .hdb files.

Open a command prompt and cd into ClamWin's bin directory
Code:
cd C:\Program Files (x86)\ClamWin\bin



Run this command, preferably using the administrator user to reduce 'permission denied' errors on individually scanned files:
clamscan.exe -r -i -d maldet (FULL PATH TO YOUR WEB FILES)
for example:
Code:
clamscan -r -i -d maldet e:\inetpub


This will not delete or quarantine files. -r is recursive look, -i is report summary only and -d is directory containing sig files.

Maldet might report back about files containing base64 or otherwise obfuscated code. These are not necessarily infected but often are. They should be examined individually. It's the other types of nasties that should be taken more seriously like PHP shells.

_________________
CF-19 MK2 TOUCHSCREEN || CF-19 MK2 DIGITIZER || CF-30 MK3 "Jeff Edition" || CF-19 MK4


PostPosted: Sun Mar 08, 2015 8:59 am 

Joined: Sat Jun 07, 2014 7:39 am
Posts: 655
Location: Canada
Note:
Probably a good idea to log the output to a file. I have trouble with -l <file> or --log=FILE so I redirect the output instead with ">"

example:
Code:
clamscan -r -i -d maldet e:\inetpub > c:\users\administrator\desktop\log.txt

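A small Python helper for working through the log.txt that the redirected clamscan command above produces, added here as an example and not part of kode-niner's post. It parses the "path: signature FOUND" lines, the per-file ERROR lines and the scan summary, then splits the hits the way the post advises (base64/obfuscation matches for manual review, everything else such as PHP shells treated as critical). The sample log, its paths and its signature names are constructed for illustration; real maldet signature names only resemble them.

```python
import re

# Constructed sample of "clamscan -r -i -d maldet e:\inetpub > log.txt" output
# (hypothetical paths and signature names; real maldet names only look similar).
SAMPLE_LOG = r"""E:\inetpub\wwwroot\styles\skylineblue\theme\dump.php: {HEX}php.cmdshell.unclassed.344.UNOFFICIAL FOUND
E:\inetpub\wwwroot\cache\sql_1a2b.php: {HEX}php.base64.inject.141.UNOFFICIAL FOUND
E:\inetpub\wwwroot\vendor\lib\Encoder.php: {HEX}php.base64.v23au.182.UNOFFICIAL FOUND
E:\inetpub\wwwroot\config.php: Access denied. ERROR

----------- SCAN SUMMARY -----------
Known viruses: 9871
Scanned files: 6021
Infected files: 3
Time: 94.512 sec (1 m 34 s)
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
ERROR_RE = re.compile(r"^(?P<path>.+?): (?P<msg>.+) ERROR$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+)$")

def parse_clamscan_log(text):
    """Split a clamscan log into detections, per-file errors and the summary block."""
    hits, errors, summary = [], [], {}
    in_summary = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("-----"):
            in_summary = True          # everything after the rule is "key: value"
            continue
        m = SUMMARY_RE.match(line) if in_summary else None
        if m:
            summary[m.group("key")] = m.group("val")
            continue
        m = FOUND_RE.match(line)
        if m:
            hits.append({"path": m.group("path"), "sig": m.group("sig")})
            continue
        m = ERROR_RE.match(line)       # e.g. files the scanning account could not open
        if m:
            errors.append({"path": m.group("path"), "msg": m.group("msg")})
    return hits, errors, summary

def triage(hits):
    """Post's rule: base64/obfuscation hits need a manual look; anything else is critical."""
    review, critical = [], []
    for h in hits:
        sig = h["sig"].lower()
        (review if "base64" in sig or "obfus" in sig else critical).append(h)
    return review, critical
```

The ERROR lines are worth keeping in the report: a file the scan could not read is a file that was not checked, which is why the post suggests running as administrator.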


PostPosted: Mon Mar 09, 2015 10:31 am 
Toughbooktalk Founder

Joined: Mon Mar 16, 2009 8:23 pm
Posts: 3580
kode-niner wrote:
I don't know why I didn't click on the Blacklist Status tab on that Sucuri report. It leads to Spamhaus as the actual blacklist:
http://www.spamhaus.org/dbl/removal/rec ... oktalk.com
Which leads to a suspicious file on toughbooktalk.com:
/styles/skylineblue/theme/dump.php

Rob, I run several web servers for a living and have suggested you try out maldet. Here is how to do it on Windows.



Download Clamwin here:
http://downloads.sourceforge.net/clamwi ... -setup.exe

Download maldet here:
http://www.rfxn.com/downloads/maldetect-current.tar.gz

Install Clamwin and extract maldet somewhere temporary so we can copy its sig files. 7zip can handle tar.gz in two steps, first un-gzipping then un-tarring

Make a directory inside the clamwin bin directory named 'maldet'
For example on my system it would be this full path:
Code:
C:\Program Files (x86)\ClamWin\bin\maldet


Copy the files from the maldet files\sigs directory into the maldet directory you just created above. There should be two .dat and two .hdb files.

Open a command prompt and cd into ClamWin's bin directory
Code:
cd C:\Program Files (x86)\ClamWin\bin



Run this command, preferably using the administrator user to reduce 'permission denied' errors on individually scanned files:
clamscan.exe -r -i -d maldet (FULL PATH TO YOUR WEB FILES)
for example:
Code:
clamscan -r -i -d maldet e:\inetpub


This will not delete or quarantine files. -r is recursive look, -i is report summary only and -d is directory containing sig files.

Maldet might report back about files containing base64 or otherwise obfuscated code. These are not necessarily infected but often are. They should be examined individually. It's the other types of nasties that should be taken more seriously like PHP shells.



Can we talk about this on the phone? I'm lost... 630-300-8877.

Thanks dude!

_________________
~Rob - Rugged Depot ~ Cell: (630)/300-8877~

~Fully rugged Toughbook user since April 18th 2005~
~New 3/16/18 - CF-54F0001KM Win10, Intel Core i5 6300U 2.4GHz, 240GB SSD, 12GB, Verizon 4G LTE, Intel 8260 WiFi a/b/g/n/ac, Bluetooth~
~For the wife (New 1/25/18): CF-54F0962KM/i5/128GB SSD/8GB/Win 10~
~Others: CF-52MLBBQ2M (Home Workstation)
~New 11/13/14 Donations thanks to everyone at Toughbooktalk: IBM xSeries 3650/2 x Xeon X5560 2.8GHz/16GB RAM/8 x 600GB 10KRPM SAS RAID 5/3.71TB Space/Win 2008 R2/3000VA + 1250VA Battery Backup~
~AT&T 1GB Fiber 1GB/1GB business static line~
~Gamber & Johnson Diamond Partner~

http://www.toughbooktalk.com
http://www.toughbooktalk.com/public_downloads
http://www.toughwiki.com
http://www.robsnetworks.com
http://www.giganethosting.com


PostPosted: Mon Mar 09, 2015 8:25 pm 

Joined: Sat Jun 07, 2014 7:39 am
Posts: 655
Location: Canada
Will call Tuesday.



PostPosted: Tue Mar 10, 2015 10:26 am 
Toughbooktalk Founder

Joined: Mon Mar 16, 2009 8:23 pm
Posts: 3580
I called you back and left a message. Damn conference calls! :(

   
PostPosted: Wed Mar 11, 2015 11:51 am 
Toughbooktalk Founder

Joined: Mon Mar 16, 2009 8:23 pm
Posts: 3580
Update!!:

Me and Nick (Kode-Niner) (This man deserves a medal) :notworthy: are working on resolving a bunch of PHP injection issues. There are a TON of files I think I need to fix here and have already done a scan. Some date back years. Wow, live and learn right?

I'm 99.999% sure at this point that this is what is causing the website to randomly not display pages seeing as the internet has been totally fine lately *Knocks on wood* :blowaway: !!!

Thanks!

   
PostPosted: Wed Mar 11, 2015 4:53 pm 
Toughbooktalk Founder

Joined: Mon Mar 16, 2009 8:23 pm
Posts: 3580
Update:

I am working on fixing all issues now.

I have to shut down the FTP server too. All of you that have accounts I will PM you a new password since we think it could be compromised and that could be how this happened to begin with. I'm looking into alternative file sharing services I can run that might be safer too.

Thanks!

   
PostPosted: Wed Mar 11, 2015 5:16 pm 
Toughbooktalk Founder

Joined: Mon Mar 16, 2009 8:23 pm
Posts: 3580
Okay, FTP is back up but all passwords are changed! I'll be PMing you all new passwords shortly!

   
PostPosted: Wed Mar 11, 2015 5:53 pm 

Joined: Fri Jan 18, 2013 11:35 am
Posts: 2969
Even though the issues seem huge, at least now you know what the problem has been....
With that knowledge, you can now work on the solutions

Keep on, keeping on....

_________________
Life will beat you into submission.


PostPosted: Wed Mar 11, 2015 9:55 pm 
Toughbooktalk Founder

Joined: Mon Mar 16, 2009 8:23 pm
Posts: 3580
Update:

I spent the last 7 hours straight working on this and have removed everything and am scanning again to verify if I missed anything.

This TOTALLY explains why the CLOUD wasn't working either... I'm totally inspired now to get the cloud going again!!! :)

I'm still seeing the site time out all the time, which I'm still working on. I still have to do the following on top of the last 7 hours of BS I've had to deal with:

Purge several 2.5GB+ sized log files
Reboot the server
Upgrade the firewall's firmware to the latest version.

Thanks!
