Re: Site loading performance!

Posted: Sun Mar 08, 2015 7:43 am
by kode-niner
I don't know why I didn't click on the Blacklist Status tab on that Sucuri report. It leads to Spamhaus as the actual blacklist:
http://www.spamhaus.org/dbl/removal/rec ... oktalk.com
Which leads to a suspicious file on toughbooktalk.com:
/styles/skylineblue/theme/dump.php

Rob, I run several web servers for a living and have suggested you try out maldet. Here is how to do it on Windows.

Download Clamwin here:
http://downloads.sourceforge.net/clamwi ... -setup.exe

Download maldet here:
http://www.rfxn.com/downloads/maldetect-current.tar.gz

Install ClamWin and extract maldet somewhere temporary so we can copy its sig files. 7zip can handle tar.gz in two steps, first un-gzipping then un-tarring.

Make a directory inside the ClamWin bin directory named 'maldet'.
For example on my system it would be this full path:

C:\Program Files (x86)\ClamWin\bin\maldet

Copy the files from the maldet files\sigs directory into the maldet directory you just created above. There should be two .dat and two .hdb files.

Open a command prompt and cd into ClamWin's bin directory:

cd C:\Program Files (x86)\ClamWin\bin

Run this command, preferably using the administrator user to reduce 'permission denied' errors on individually scanned files:

clamscan.exe -r -i -d maldet (FULL PATH TO YOUR WEB FILES)

for example:

clamscan -r -i -d maldet e:\inetpub

This will not delete or quarantine files. -r is recursive look, -i is report summary only and -d is directory containing sig files.

Maldet might report back about files containing base64 or otherwise obfuscated code. These are not necessarily infected but often are. They should be examined individually. It's the other types of nasties that should be taken more seriously like PHP shells.

Re: Site loading performance!

Posted: Sun Mar 08, 2015 8:59 am
by kode-niner
Note:
Probably a good idea to log the output to a file. I have trouble with -l <file> or --log=FILE so I redirect the output instead with ">"

example:

clamscan -r -i -d maldet e:\inetpub > c:\users\administrator\desktop\log.txt
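The two posts above describe a manual procedure: stage the maldet signature files inside ClamWin's bin directory, run clamscan read-only against the web root, and redirect the output to a log instead of using -l. The script below is an added example that automates those steps and then sorts the findings the way the first post suggests (base64/obfuscated hits to a manual-review list, everything else treated as a likely compromise). It is not code from kode-niner or from the ClamWin or maldet projects. The install path, the maldet extraction path, the web root and the log location are assumptions taken from the posts, and the regex used to classify signature names as "obfuscation" is a heuristic of this example, not a maldet convention.

```powershell
# Added example (not from the thread). Automates the maldet-under-ClamWin scan:
# stage signatures, run clamscan read-only, log the output, triage the findings.
# Every path below is an assumption based on the posts; adjust for your system.
$ClamWinBin = 'C:\Program Files (x86)\ClamWin\bin'     # ClamWin install dir (assumed)
$MaldetSigs = 'C:\Temp\maldetect-current\files\sigs'   # extracted maldet tarball (assumed)
$WebRoot    = 'E:\inetpub'                              # web files to scan (assumed)
$LogFile    = Join-Path $env:USERPROFILE 'Desktop\clamscan-maldet.txt'
$SigDir     = Join-Path $ClamWinBin 'maldet'

# Step 1: create ClamWin\bin\maldet and copy the .dat/.hdb signature files into it.
New-Item -ItemType Directory -Path $SigDir -Force | Out-Null
Get-ChildItem -Path $MaldetSigs -File |
    Where-Object { $_.Extension -in '.dat', '.hdb' } |
    Copy-Item -Destination $SigDir -Force

$staged = @(Get-ChildItem -Path $SigDir -File)
if ($staged.Count -lt 4) {
    throw "Expected two .dat and two .hdb files in $SigDir, found $($staged.Count)"
}

# Step 2: run clamscan from ClamWin\bin. -r recurses into subdirectories, -i prints
# only infected files, -d loads signatures from the maldet directory. Nothing is
# deleted or quarantined. Tee-Object writes the log and still shows output on screen,
# which sidesteps the -l/--log option the second post had trouble with.
Push-Location $ClamWinBin
try {
    & .\clamscan.exe -r -i -d $SigDir $WebRoot | Tee-Object -FilePath $LogFile
    $scanExit = $LASTEXITCODE   # clamscan: 0 = nothing found, 1 = detections, 2 = error
}
finally {
    Pop-Location
}

# Step 3: triage. clamscan reports each detection as "<path>: <signature> FOUND".
$hits = foreach ($line in Get-Content -Path $LogFile) {
    if ($line -match '^(?<path>.+?): (?<sig>.+) FOUND$') {
        [pscustomobject]@{ Path = $Matches.path; Signature = $Matches.sig }
    }
}

# Heuristic split (assumption of this example): signature names mentioning base64 or
# obfuscation go to a manual-review list, as the post advises; everything else (PHP
# shells, injectors) is treated as a likely compromise and listed first.
$review  = @($hits | Where-Object { $_.Signature -match 'base64|obfusc' })
$serious = @($hits | Where-Object { $_.Signature -notmatch 'base64|obfusc' })

"clamscan exit code : $scanExit"
"Needs manual review: $($review.Count)"
"Likely compromise  : $($serious.Count)"
$serious | Sort-Object Path | Format-Table Path, Signature -AutoSize
```

Run it from an elevated PowerShell prompt for the same reason the post gives: scanning as administrator reduces 'permission denied' errors on individual files. Because clamscan is only reading, the script is safe to re-run after each clean-up pass to confirm nothing was missed; the log file is the record of what was found on each pass.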

Re: Site loading performance!

Posted: Mon Mar 09, 2015 10:31 am
by Rob
kode-niner wrote: I don't know why I didn't click on the Blacklist Status tab on that Sucuri report. It leads to Spamhaus as the actual blacklist:
http://www.spamhaus.org/dbl/removal/rec ... oktalk.com
Which leads to a suspicious file on toughbooktalk.com:
/styles/skylineblue/theme/dump.php

Rob, I run several web servers for a living and have suggested you try out maldet. Here is how to do it on Windows.

Download Clamwin here:
http://downloads.sourceforge.net/clamwi ... -setup.exe

Download maldet here:
http://www.rfxn.com/downloads/maldetect-current.tar.gz

Install ClamWin and extract maldet somewhere temporary so we can copy its sig files. 7zip can handle tar.gz in two steps, first un-gzipping then un-tarring.

Make a directory inside the ClamWin bin directory named 'maldet'.
For example on my system it would be this full path:

C:\Program Files (x86)\ClamWin\bin\maldet

Copy the files from the maldet files\sigs directory into the maldet directory you just created above. There should be two .dat and two .hdb files.

Open a command prompt and cd into ClamWin's bin directory:

cd C:\Program Files (x86)\ClamWin\bin

Run this command, preferably using the administrator user to reduce 'permission denied' errors on individually scanned files:

clamscan.exe -r -i -d maldet (FULL PATH TO YOUR WEB FILES)

for example:

clamscan -r -i -d maldet e:\inetpub

This will not delete or quarantine files. -r is recursive look, -i is report summary only and -d is directory containing sig files.

Maldet might report back about files containing base64 or otherwise obfuscated code. These are not necessarily infected but often are. They should be examined individually. It's the other types of nasties that should be taken more seriously like PHP shells.

Thanks dude!

Re: Site loading performance!

Posted: Mon Mar 09, 2015 8:25 pm
by kode-niner
Will call Tuesday.

Re: Site loading performance!

Posted: Tue Mar 10, 2015 10:26 am
by Rob
I called you back and left a message. Damn conference calls! :(

Re: Site loading performance!

Posted: Wed Mar 11, 2015 11:51 am
by Rob
Update!!:

Me and Nick (Kode-Niner) (This man deserves a medal) :notworthy: are working on resolving a bunch of PHP injection issues. There are a TON of files I think I need to fix here and have already done a scan. Some date back years. Wow, live and learn right?

I'm 99.999% sure at this point that this is what is causing the website to randomly not display pages seeing as the internet has been totally fine lately *Knocks on wood* :blowaway: !!!

Thanks!

Re: Site loading performance!

Posted: Wed Mar 11, 2015 4:53 pm
by Rob
Update:

I am working on fixing all issues now.

I have to shut down the FTP server too. All of you that have accounts I will PM you a new password since we think it could be compromised and that could be how this happened to begin with. I'm looking into alternative file sharing services I can run that might be safer too.

Thanks!

Re: Site loading performance!

Posted: Wed Mar 11, 2015 5:16 pm
by Rob
Okay, FTP is back up but all passwords are changed! I'll be PMing you all new passwords shortly!

Re: Site loading performance!

Posted: Wed Mar 11, 2015 5:53 pm
by Shawn
Even though the issues seem huge, at least now you know what the problem has been....
With that knowledge, you can now work on the solutions

Keep on, keeping on....

Re: Site loading performance!

Posted: Wed Mar 11, 2015 9:55 pm
by Rob
Update:

I spent the last 7 hours straight working on this and have removed everything and am scanning again to verify if I missed anything.

This TOTALLY explains why the CLOUD wasn't working either... I'm totally inspired now to get the cloud going again!!! :)

I'm still seeing the site time out all the time, which I'm still working on. I still have to do the following on top of the last 7 hours of BS I've had to deal with:

Purge several 2.5GB+ sized log files
Reboot the server
Upgrade the firewall's firmware to the latest version.

Thanks!