
A malware file appeared on a friend's server as described in this question. It's a file called "images.php" that is designed to look like nothing important, whose sole function is to wait for an unknown party to send it some code to execute.

The server is on shared hosting. The hosting company adamantly insists that if it happened at all, the only possible explanation is that my friend's password was compromised (somehow). They have no interest whatsoever in the particulars of the attack or the possibility that other servers under their control may have been affected.

The offending file has been removed, all passwords have been changed, and nothing else seems to be out of place. The website in question is basically a business card and nothing was changed, so there is no damage to speak of. There is no reason to think that the attack was in any way targeted or personal. The owner and the hosted server are located in California, USA.

It would be easy to set up a replacement script for "images.php" that would log any requests without executing them. So my question is, is there any reason to do that? Is there any organization (law enforcement, security researchers, etc.) that would be interested to know about the attack, the code used, or any follow-up requests?

Robert

2 Answers


Is there any organization (law enforcement, security researchers, etc.) that would be interested to know about the attack, the code used, or any follow-up requests?

The code you posted in the other thread gives the impression of being unique because malware creators use an algorithm to generate a slightly different obfuscation function every time. This prevents it from showing up in Google or from AV software recognising it using a simple string match.

However, the core functionality (which is to take external input and run it through exec()) is incredibly common. I've personally come across at least a dozen identical cases (and I don't work in security or anything like that), and I imagine there are hundreds of thousands of sites running this code out there at any given time. Your host is probably apathetic because, if they're a large host, they've already dealt with 10 different instances that day. Law enforcement is probably equally unlikely to be interested.

possibility that other servers under their control may have been affected

Shared hosting users are usually pretty well isolated from one another. As I mentioned, shared hosting accounts get hacked all the time. Most hosting companies also run off-the-shelf shared hosting management software, so if the isolation was really broken in their system it would also be broken for other hosts and discovered pretty quickly (although who knows, some hosts might be too lazy to update their software).

It would be easy to set up a replacement script for "images.php" that would log any requests without executing them. So my question is, is there any reason to do that?

It could be mildly interesting, but it's a pretty safe bet the only thing you'll get are scripts to send viagra spam.

The hosting company adamantly insists that if it happened at all, the only possible explanation is that my friend's password was compromised (somehow).

It's possible (and perhaps likely). What FTP client does he use? Many FTP clients (cough FileZilla cough) store their passwords in plain text and in a very predictable location. In other words, it's a perfect target for malware on his PC.

It's also possible they sent him a phishing page which looks like his hosting login; it wouldn't be hard to determine his hosting company or email.

There's some chance it was compromised via a vulnerability in the site but this is unlikely if it's just a simple business card site which accepts little or no external input.

The bottom line is, there's a pretty big incentive for malware creators to compromise hosting accounts. Usually they're a pretty easy target and all the spam in the world has to get sent from somewhere!

In terms of cleaning it up, if you've only got a few files then just manually check all of them. Otherwise go by file date-stamp, but it is sometimes possible to alter this.

thexacre
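The "replacement script that logs requests without executing them" proposed in the question, written out as an added example. This is not the malware from the other thread and not code from either answer; it is a stand-in images.php that records every hit and runs nothing. It assumes PHP 7.2 or later and a writable log path outside the document root (the path below is hypothetical), so that any PHP source the attacker POSTs is stored as data and can never be served or interpreted.

```php
<?php
// Honeypot images.php (added example, not the original backdoor).
// Records every request in full and never evaluates any of it.
// Assumptions: PHP >= 7.2; LOG_FILE (hypothetical path) is writable by the
// web server user and sits outside the document root.

declare(strict_types=1);

const LOG_FILE = __DIR__ . '/../private/images_php_requests.log';
const MAX_BODY = 65536; // cap what is stored so a flood cannot fill the quota

function request_headers(): array
{
    // PHP exposes request headers as $_SERVER['HTTP_*'] on every SAPI.
    $headers = [];
    foreach ($_SERVER as $name => $value) {
        if (strncmp($name, 'HTTP_', 5) === 0) {
            $headers[substr($name, 5)] = $value;
        }
    }
    return $headers;
}

function collect_request(): array
{
    // The raw body is where the "code to execute" usually arrives, often
    // base64- or gzip-wrapped. Keep it verbatim, but base64-encode it so
    // the log file is never a valid PHP file and JSON encoding cannot fail
    // on binary payloads.
    $raw = file_get_contents('php://input');
    if ($raw === false) {
        $raw = '';
    }
    return [
        'time'           => gmdate('c'),
        'remote_ip'      => $_SERVER['REMOTE_ADDR'] ?? '',
        'method'         => $_SERVER['REQUEST_METHOD'] ?? '',
        'uri'            => $_SERVER['REQUEST_URI'] ?? '',
        'headers'        => request_headers(), // includes X-Forwarded-For if a proxy set it
        'get'            => $_GET,
        'post'           => $_POST,
        'cookies'        => $_COOKIE,
        'raw_body_b64'   => base64_encode(substr($raw, 0, MAX_BODY)),
        'body_truncated' => strlen($raw) > MAX_BODY,
    ];
}

function append_log(string $path, array $entry): bool
{
    // One JSON object per line; invalid UTF-8 in query strings is substituted
    // rather than aborting the encode. LOCK_EX keeps concurrent hits from
    // interleaving, FILE_APPEND keeps earlier entries.
    $line = json_encode($entry, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE) . "\n";
    return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
}

append_log(LOG_FILE, collect_request());

// Reply with an empty, uninteresting page. Nothing from the request is
// passed to eval(), exec(), include() or any other sink.
http_response_code(200);
header('Content-Type: text/plain');
echo "\n";
```

Treat the log as hostile input: decode the `raw_body_b64` field on a machine that is not the web server, and do not open it with anything that would interpret PHP. If the host's PHP runs behind a reverse proxy, `remote_ip` will be the proxy and the client address, if any, is in the logged `X_FORWARDED_FOR` header.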

Each day thousands of websites get hacked. In your case maybe a proxy script or dropper was installed. I doubt that law enforcement is concerned as no one got hurt - yet.

You should not wait until something happens to remove that script. Law enforcement will be interested in you if your site is, for example, a proxy for an attack on a government system or is used to share illegal files.

Get a new strong password. Check other scripts for changes. Given the indifference of your hosting company you should think of switching to another one.

Rüdiger Voigt
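Both answers end with the same cleanup advice: check every file, or at least everything with a recent date-stamp, and look for other scripts that have changed. The following CLI script is an added example of doing that on a shared host where PHP may be the only interpreter available; it is not code from either answer. It lists files modified inside a time window and, for PHP files, flags the shape described in the first answer: a code-execution function (or a variable function call, a common obfuscation) in the same file as request input. The function names and the `.php`/`.phtml`/`.inc` extension list are assumptions; the heuristic is deliberately broad and will produce false positives for a human to review.

```php
<?php
// Webroot scanner (added example, not the answers' code).
// Usage: php scan.php /path/to/public_html [days]
// Assumptions: PHP >= 7.0 CLI; mtime is only a filter, because an attacker
// can reset it with touch(), so a file outside the window is not proven clean.

declare(strict_types=1);

const EXEC_FUNCS  = ['eval', 'exec', 'system', 'passthru', 'shell_exec', 'popen', 'proc_open', 'assert', 'create_function'];
const INPUT_SRCS  = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', 'php://input', 'getallheaders'];
const OBFUSCATION = ['base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13', 'strrev'];

function walk(string $root): Generator
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            yield $file->getPathname();
        }
    }
}

function scan_file(string $path): array
{
    $src = @file_get_contents($path);
    if ($src === false) {
        return ['exec' => [], 'input' => [], 'obfuscation' => [], 'dynamic_call' => false, 'suspicious' => false];
    }
    // Case-insensitive substring presence for each needle list.
    $present = function (array $needles) use ($src): array {
        return array_values(array_filter($needles, function (string $n) use ($src): bool {
            return stripos($src, $n) !== false;
        }));
    };
    $exec    = $present(EXEC_FUNCS);
    $input   = $present(INPUT_SRCS);
    $obf     = $present(OBFUSCATION);
    // "$f($x)" style calls hide the function name from simple grep.
    $dynamic = preg_match('/\$[A-Za-z_]\w*\s*\(/', $src) === 1;
    return [
        'exec'         => $exec,
        'input'        => $input,
        'obfuscation'  => $obf,
        'dynamic_call' => $dynamic,
        // The backdoor shape: something executes, and it takes its code from the request.
        'suspicious'   => ($exec !== [] || $dynamic) && $input !== [],
    ];
}

function report(string $root, int $days): array
{
    $cutoff = time() - $days * 86400;
    $rows = [];
    foreach (walk($root) as $path) {
        $mtime  = filemtime($path);
        $isPhp  = preg_match('/\.(php\d?|phtml|inc)$/i', $path) === 1;
        $scan   = $isPhp ? scan_file($path) : null;
        $recent = $mtime >= $cutoff;
        if ($recent || ($scan !== null && $scan['suspicious'])) {
            $rows[] = ['path' => $path, 'mtime' => $mtime, 'recent' => $recent, 'scan' => $scan];
        }
    }
    // Newest first, the order a responder reads them in.
    usort($rows, function (array $a, array $b): int {
        return $b['mtime'] <=> $a['mtime'];
    });
    return $rows;
}

if (PHP_SAPI === 'cli') {
    $root = $argv[1] ?? getcwd();
    $days = (int) ($argv[2] ?? 30);
    foreach (report($root, $days) as $row) {
        $flags = [];
        if ($row['recent']) {
            $flags[] = 'recent';
        }
        if ($row['scan'] !== null && $row['scan']['suspicious']) {
            $flags[] = 'exec+input:' . implode(',', array_merge($row['scan']['exec'], $row['scan']['input']));
            if ($row['scan']['obfuscation'] !== []) {
                $flags[] = 'obfuscation:' . implode(',', $row['scan']['obfuscation']);
            }
        }
        printf("%s  %s  %s\n", date('Y-m-d H:i:s', $row['mtime']), $row['path'], implode(' ', $flags));
    }
}
```

Run it from outside the web root (it contains every string it searches for, so it will flag itself if placed inside). A file that is both recent and carries `exec+input` is the first thing to open; a hit on `obfuscation` alone is normal in legitimate frameworks and is only shown as a tiebreaker. For a business-card site with a handful of files, diffing against a known-good copy of the deployment is still simpler and more reliable than any pattern match.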