Posts Tagged ‘Malware’

Tools to scan a Linux / Unix Web server for Malware and Rootkits / Lynis and ISPProtect – clean Joomla / WordPress and other CMS for malware and malicious scripts and trojan codes

Monday, March 14th, 2016

Linux-BSD-Unix-Rootkit-Malware-XSS-Injection-spammer-scripts-clean-howto-manual

If you have been hacked or have been suspicious that someone has broken up in some of the shared web hosting servers you happent o manage you already probably have tried the server with rkhuter, chroot and unhide tools which gives a general guidance where a server has been compromised

However with the evolution of hacking tools out there and the boom of Web security XSS / CSS / Database injections and PHP scripts vulnerability catching an intruder especially spammers has been becoming more and more hard to achieve.

Just lately a mail server of mine's load avarage increased about 10 times, and the CPU's and HDD I/O load jump over the sky.
I started evaluating the situation to find out what exactly went wrong with the machine, starting with a hardware analysis tools and a physical check up whether all was fine with the hardware Disks / Ram etc. just to find out the machine's hardware was working perfect.
I've also thoroughfully investigated on Logs of Apache, MySQL, TinyProxy and Tor server and bind DNS and DJBDns  which were happily living there for quite some time but didn't found anything strange.

Not on a last place I investigated TOP processes (with top command) and iostat  and realized the CPU high burst lays in exessive Input / Output of Hard Drive. Checking the Qmail Mail server logs and the queue with qmail-qstat was a real surprise for me as on the queue there were about 9800 emails hanging unsent, most of which were obviously a spam, so I realized someone was heavily spamming through the server and started more thoroughfully investigating ending up to a WordPress Blog temp folder (writtable by all system users) which was existing under a Joomla directory infrastructure, so I guess someone got hacked through the Joomla and uploaded the malicious php spammer script to the WordPress blog. I've instantly stopped and first chmod 000 to stop being execuded and after examing deleted view73.php, javascript92.php and index8239.php which were full of PHP values with binary encoded values and one was full of encoded strings which after being decoding were actually the recepient's spammed emails.
BTW, the view*.php javascript*.php and index*.php files were owned by www-data (the user with which Apache was owned), so obviously someone got hacked through some vulnerable joomla or wordpress script (as joomla there was quite obscure version 1.5 – where currently Joomla is at version branch 3.5), hence my guess is the spamming script was uploaded through Joomla XSS vulnerability).

As I was unsure wheteher the scripts were not also mirrored under other subdirectories of Joomla or WP Blog I had to scan further to check whether there are no other scripts infected with malware or trojan spammer codes, webshells, rootkits etc.
And after some investigation, I've actually caught the 3 scripts being mirrored under other webside folders with other numbering on filename view34.php javascript72.php, index8123.php  etc..

I've used 2 tools to scan and catch malware the trojan scripts and make sure no common rootkit is installed on the server.

1. Lynis (to check for rootkits)
2. ISPProtect (Proprietary but superb Website malware scanner with a free trial)

1. Lynis – Universal security auditing tool and rootkit scanner

Lynis is actually the well known rkhunter, I've used earlier to check servers BSD and Linux servers for rootkits.
To have up-to-date version of Lynis, I've installed it from source:
 

cd /tmp
wget https://cisofy.com/files/lynis-2.1.1.tar.gz
tar xvfz lynis-2.1.1.tar.gz
mv lynis /usr/local/
ln -s /usr/local/lynis/lynis /usr/local/bin/lynis

 


Then to scan the server for rootkits, first I had to update its malware definition database with:
 

lynis update info


Then to actually scan the system:
 

lynis audit system


Plenty of things will be scanned but you will be asked on a multiple times whether you would like to conduct different kind fo system services and log files, loadable kernel module rootkits and  common places to check for installed rootkits or server placed backdoors. That's pretty annoying as you will have to press Enter on a multiple times.

lynis-asking-to-scan-for-rootkits-backdoors-and-malware-your-linux-freebsd-netbsd-unix-server

Once scan is over you will get a System Scan Summary like in below screenshot:

lynis-scanned-server-for-rootkit-summer-results-linux-check-for-backdoors-tool

Lynis suggests also a very good things that might be tampered to make the system more secure, so using some of its output when I have time I'll work out on hardening all servers.

To prevent further incidents and keep an eye on servers I've deployed Lynis scan via cron job once a month on all servers, I've placed under a root cronjob on every first dae of month in following command:

 

 

server:~# crontab -u root -e
0 3 1 * * /usr/local/bin/lynis –quick 2>&1 | mail -s "lynis output of my server" admin-mail@my-domain.com)

 

2. ISPProtect – Website malware scanner

ISPProtect is a malware scanner for web servers, I've used it to scan all installed  CMS systems like WordPress, Joomla, Drupal etc.
ISPProtect is great for PHP / Pyhon / Perl and other CMS based frameworks.
ISPProtect contains 3 scanning engines: a signature based malware scanner, a heuristic malware scanner, and a scanner to show the installation directories of outdated CMS systems.
Unfortunately it is not free software, but I personally used the FREE TRIAL option  which can be used without registration to test it or clean an infected system.
I first webserver first locally for the infected site and then globally for all the other shared hosting websites.

As I wanted to check also rest of hosted websites, I've run ISPProtect over the all bunch of installed websites.
Pre-requirement of ISPProtect is to have a working PHP Cli and Clamav Anti-Virus installed on the server thus on RHEL (RPM) based servers make sure you have it installed if not:
 

server:~# yum -y install php

server:~# yum -y install clamav


Debian based Linux servers web hosting  admins that doesn't have php-cli installed should run:
 

server:~# apt-get install php5-cli

server:~# apt-get install clamav


Installing ISPProtect from source is with:

mkdir -p /usr/local/ispprotect
chown -R root:root /usr/local/ispprotect
chmod -R 750 /usr/local/ispprotect
cd /usr/local/ispprotect
wget http://www.ispprotect.com/download/ispp_scan.tar.gz
tar xzf ispp_scan.tar.gz
rm -f ispp_scan.tar.gz
ln -s /usr/local/ispprotect/ispp_scan /usr/local/bin/ispp_scan

 

To initiate scan with ISPProtect just invoke it:
 

server:~# /usr/local/bin/ispp_scan

 

ispprotect-scan-websites-for-malware-and-infected-with-backdoors-or-spamming-software-source-code-files

I've used it as a trial

Please enter scan key:  trial
Please enter path to scan: /var/www

You will be shown the scan progress, be patient because on a multiple shared hosting servers with few hundred of websites.
The tool will take really, really long so you might need to leave it for 1 hr or even more depending on how many source files / CSS / Javascript etc. needs to be scanned.

Once scan is completed scan and infections found logs will be stored under /usr/local/ispprotect, under separate files for different Website Engines and CMSes:

After the scan is completed, you will find the results also in the following files:
 

Malware => /usr/local/ispprotect/found_malware_20161401174626.txt
Wordpress => /usr/local/ispprotect/software_wordpress_20161401174626.txt
Joomla => /usr/local/ispprotect/software_joomla_20161401174626.txt
Drupal => /usr/local/ispprotect/software_drupal_20161401174626.txt
Mediawiki => /usr/local/ispprotect/software_mediawiki_20161401174626.txt
Contao => /usr/local/ispprotect/software_contao_20161401174626.txt
Magentocommerce => /usr/local/ispprotect/software_magentocommerce_20161401174626.txt
Woltlab Burning Board => /usr/local/ispprotect/software_woltlab_burning_board_20161401174626.txt
Cms Made Simple => /usr/local/ispprotect/software_cms_made_simple_20161401174626.txt
Phpmyadmin => /usr/local/ispprotect/software_phpmyadmin_20161401174626.txt
Typo3 => /usr/local/ispprotect/software_typo3_20161401174626.txt
Roundcube => /usr/local/ispprotect/software_roundcube_20161401174626.txt


ISPProtect is really good in results is definitely the best malicious scripts / trojan / trojan / webshell / backdoor / spammer (hacking) scripts tool available so if your company could afford it you better buy a license and settle a periodic cron job scan of all your servers, like lets say:

 

server:~# crontab -u root -e
0 3  1 * *   /usr/local/ispprotect/ispp_scan –update && /usr/local/ispprotect/ispp_scan –path=/var/www –email-results=admin-email@your-domain.com –non-interactive –scan-key=AAA-BBB-CCC-DDD


Unfortunately ispprotect is quite expensive so I guess most small and middle sized shared hosting companies will be unable to afford it.
But even for a one time run this tools worths the try and will save you an hours if not days of system investigations.
I'll be glad to hear from readers if aware of any available free software alternatives to ISPProtect. The only one I am aware is Linux Malware Detect (LMD).
I've used LMD in the past but as of time of writting this article it doesn't seems working any more so I guess the tool is currently unsupported / obsolete.

 

ping “General Failure” no internet connection Windows 7 on HP work computer – Reasons for general failure and solution

Monday, May 26th, 2014

windows-7-general-failure-error-fix-on-hp-workbook
Out of a sudden today after running Malware Bytes – Free Anti-Malware & Internet Security Software, and after it found some Malware (Pup.Optional.Opencandy) and removed it it WI-FI internet on my work computer HP Elitebook 8470p mysteriously stopped working.

That's quite nasty because today I'm working from Home – well known among Hewlett Packard employees under WFH abbreviation. I couldn't connect normally to my home Access Point and tried pinging Google from command line just to get an error:
 

Transmit Failed: General Failure


and first I thought it is a wi-fi router related problem and restarted my WIFI RouterD-Link DI524. As I could normally connect to the WIFI and I see there is an internet IP assigned running:

ipconfig /all
...
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Centrino(R) Ultimate-N 6300 AGN
Physical Address. . . . . . . . . : 3C-A9-F4-4C-E7-98
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5d2f:97b8:9e1a:2b13%63(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.159(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : May 23, 2014 14:19:01 PM
Lease Expires . . . . . . . . . . : May 30, 2014 14:32:49 PM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 1094494708
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-CB-1A-5D-A4-5D-36-5A-EB-84
DNS Servers . . . . . . . . . . . : 8.8.8.8
192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

As you see in above output I have notebook IP, default gateway and DNS IP assigned – i.e. all seems fine, so as I got General Failure from pinging the Internet in order to make sure my Linux router is not the bottleneck I tried pinging Default GW

C:UsersGeorgi> ping 192.168.2.1 Pinging 192.168.2.1 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

Just to realize I'm continually getting General Failure error

I tried trying to renew IPs, to make sure there is no some kind of IP assignment conflict with my other WIFI connected devices,reflushing DNS and resetting WinSock stack, hoping this could help:

> ipconfig /renew
> ipconfig /flushdns
> netsh winsock reset

Then I tried restarting the PC a couple of times, but unfortunately none of those helped the shitty error:
 

PING: Transmit failed. General Failure

continued …

I was totally out of idea .. and red some people managed to fix the issue after booting Windows into Safe mode with Networking. I tried booting in Safe mode, but as Hard Drive data is encrypted with Bitlocker encryption I was asked about some kinf of Serial Key – which I don't have at hand – hence I couldn't boot into Safe mode …

Here is moment to say even loopback device was returning "General Failure"!

I tried even connecting the laptop directly into my homelan with UTP cable, but though everything got connected, there was no local network and internet. I tried even connecting via Vivacom's mobile network 3G modem and even there I got the "General Failure" error …

Running out of options, I decided it might be that Malware Bytes broke something during Malware removal hence I put out back Quarantined Malware files – but this didn't solve it either.

solution-to-no-internet-general-failure-ping-error-firewall-off-screenshot.png

Finally I found this post and this thread talking that reason for "General Failure" might be firewall related. After checking my firewall settings in Windows Firewall and Advanced Security, surprisingly I realized everything related to firewall – e.g. Default Profile, Inbound, Outbound connections are Turned off!!!

windows-firewall-off-reason-for-general-failure-no-internet

I switched everything back and my Internet and local connection came back! THANKS GOD! Pfuu, now I can continue working. It seems HP work computers are patched with software / configured to not allow Internet connection in case if Firewall is Off. If you happen to be an HP Employee and you get the PING: Transmit failed. General Failure, be sure the first place to check is whether Windows Firewall is enabled? – if not enable it and this will solve your connectivity issues. Cheers ! 🙂

Clean disk space, fix broken shortcuts and delete old restore points on Windows 98,XP, 2000 with Free Spacer

Thursday, February 28th, 2013

 

freespacer perfect clean disk space on Windows 98 XP 2000 russian software

If you end up with a low disk space, or a lot of broken shorcuts without knowing how this exaclty happened  on  Windows XP and you need to free some disk space on OS without manually bothering to delete Windows Temporary files. Check out a tiny Russian Program called Free Spacer. The program is a good substitute for the inefficient windows default app Disk Cleaner. Free Spacer is FreeWare and it can be just used "as it is" but unfortunately access to source code is unavailable as well as use for commercial purposes is prohibited.

I've used Free Spacer multiple times on messed up PCs and always it does good, it is an excellent piece of software. Any Windows-Admin knows  Cleaning some disk space from unnecessary junk files, makes PC work faster. Free Spacer is very useful to run on Virus infested PCs, together with SpyBot , Malware Bytes and some AV soft like Avira.

As software is Russian, unfortunately menu buttons are in Russian too. Even non-russians can easily orientate as the most important buttons are first two from up to bottom and the last which is exit. The first button on from top onwards starts searching for garbage and obsolete and temporary files you can afterwards delete with the second button Удалить – meaning Delete in Russian). A note to make here is on newer Windows than XP Pro or XP Home FreeSpacer does not work well; even though it installs and runs on x86 Windows Vista and Win 7 it hangs up during scan.

For latest version of FreeSpacer check Free Spacer's Official version here, only available in Russian. As of time of writting this post FreeSpacer's latest version is 1.67, I've created mirror of FreeSpcer 1.67 here.

Here is description of what FreeSpacer "features" translated to English:

  • Powerful cleaner drive of unnecessary files.
  • Cleans efficient found "garbage." files
  • A large number of masks for the detection of unnecessary files / folders.
  • Cleanup folders with temporary files, not only Windows / Internet, but about 30 popular programs.
  • Search for invalid shortcuts.
  • Search system restore points.
  • Search for missing files and folders.
  • Support Exclude files and folders.
     

Little Registry Cleaner (Free Software / Open Source Windows XP Registry Cleaner)

Saturday, December 17th, 2011

Little Registry Cleaner - Free and Open Source Software Windows XP Registry cleaner / Alternative to Registry Booster
Have you ever wondered, if there is a free (open source) software that could fix Windows XP registry irregularities e.g. (obsolete or unwanted items that build up in the registry over time.)?

I did not either until now, however when I had to fix, few Windows XP computers which was not maintained for a long time fixing the Windows registry was necessery to make the sluggerish computers improve their overall stability and performance.

The reasons of the slowness in computers who run for a long time by users who does not have a "computer culture" are obvious.
Windows programs which has incorrectly placed registry records withint the Windows registry database, Programs which on Uninstall / Removal left behind a lot of registry records just to hang around because of impotent (coders), or records created on purpose on program uninstall to intentionally further track the user behavior etc.
Other reasons why Windows registry gots bloated with time, are due to Malware or polymorphic Viruses which load them selves everytime on Windows load using some obscure registry records.

Though I'm not a big proprietary software lover still my job as a system administrator , enforces me to fix some broken Windowses.
I haven't fixed Windows machines for a long time, so my memories on programs that clean up registry are from my young years.

The software, I've used before to fix Windows 2000 / XP Registry was:

1. Registry Booster

From my current perspective of a free software hobbyist / evangelist it was important for me to clean up the Windows PCs with a program that is Free or Open Source Software.
When I'm asked to fix some Windows computer I always do my best to make most of the programs that roll on the PC to be FOSS.

Using FOSS instead of downloading from torrents, some cracked software has multiple benefits.

1. Usually Free Software is more stable and more robust2. FOSS software for Windows usually does not come with Malware / Spyware as many of the cracked proprietary software

3. Free and Open Source Programs are simplistic in interface and way of use

A bit of research if there is a Free (Open Source) Software immediately lead me to a program called Little Registry Cleaner
You can see a screenshot of the program in the beginning of the article, the program is very easy to install and use and uses some .NET framework classes so right before installing it installs .NET library (code).

The use results of Little Registry Cleaner were amazing. Even though it is a free software the program found and fixed more registry problems than its competitor Windows Registry Booster! 😉
 

Cleaning Packard Bell Hera GL laptop running Windows XP from Viruses and Spyware (Viruses / Spyware which can make CD drive and Wireless seem unworking)

Tuesday, December 13th, 2011

Packard Bell Hera GL Fixing Broken RaLink Wireless

Yesterday, one (girl)friend of mine brought me one Packard Bell notebook, which had a 2 years old Windows installed on it.
As one can imagine Windows XP on it is full of Spyware and Viruses. Besides the software problems the notebook had some hardware problems with the CD / DVD which is not reading CD / DVDs at all.

Initially I thought, the CD unable to read problems are caused by the infected Windows, however even restarting the PC with a bootable Hirens BootCD and a Whoppix liveCD and trying to boot from it failed this convinced me its a CD / DVD combo drive hardware failure.

By the way, I’ve just recently found out about Nixory – Is a nice Free Software Open Source AntiSpyware tool for Firefox, IE and Chrome.

Nixory Windows XP Screenshot

I hope it will get a sharp development and soon, when some friend asks me to fix his stupid non free-Windows PC, I would not have to use a trial version of Malware Bytes but directly use only Nixory

Anyways after using Nixory, MalwareBytes and Avira and thoroughfully scanned the system in Safe Mode and found and deleted some 15 Spyware / Viruses and tampered a bit with the Wireless Driver settings all the notebook devices started working fine again.

The wireless had also one really odd problem on this Packard BellHera GL, even though the notebook wireless antenna was capable of detecting all the wireless networks it couldn’t properly connect to any of it but failed to get proper IP addresses.
Partially the unable to grab an IP via wireless router dhcp server got fixed by using the Wireless restart Button (located on the Notebook corpus).
However even after cleaning up the Virus and Spyware the Wireless Networks connectivity problems on this Packard Bell continued, until I changed also few settings in the Control PanelI never thought Viruses / Spyware infected can have some bad impact on Wireless Card and CD drive make them unsusable though they showed like working correctly in Windows Control Panel -> System ??

In the meantime I reinstalled the Wireless Driver for the notebook, the Wireless card on the notebook was showing up itself under the name of Ralink 802.11n Wireless Lan Card in Windows Device Manager

After re-installing the wireless driver I had to also change few settings for the Wireless Network Connection using the menus Properties -> Configure -> Extended; therein everywhere for each Value I make it be Enable and for Power Saving Mode , I’ve choose the Value option of CAM

After a system reboot, everything started working finally fine. One last thing to add is that before I fixed the Ralink wireless to work under Windows, I tried to use a Bootable Linux LiveCD but even there the wireless was failing to connect to the wireless networks (maybe this shit wireless device has some issues with its Linux drivers).

Poderosa a tabbed Terminal Emulator (PuTTY Windows Alternative)

Tuesday, December 6th, 2011

Even though, I rarely use Windows to connect to remote servers using SSH or Telnet protocols in some cases I’m forced to do that (in cases I’m away from my Linux notebook). I’m doing my best to keep away from logging anywhere via SSH using Windows as when using Windows you never know what kind of spyware, malware or Viruses is already on the system, not to mention Microsoft are sniffing a lot if not everything which is typed on the keyboard… Anyways, usually I use Putty as a quick way to access a remote SSH, however pitily PuTTY lacks an embedded functionality for Tabs and each new connection to a server I had to run a new instance of PuTTY. This is okay if you need to access a single server but in some cases where access to multple servers is necessery lacking the tab functionality and starting 10 times putty is really irritating and one forgets what kind of connection is present on which PuTTY instance.

Earlier on, I’ve blogged about the existence of PuTTY Connection Manager PuTTY add-on program which is a PuTTY wrapper which enables PuTTY to be used with Connection Tabs feature, however installing two programs is quite inconvenient, especially if you have to do this every few days (in case if travelling a lot).

Luckily there is another terminal emulator free program for Windows called PodeRoSA which natively supports a tabbed Secure Shell connections.
If you want to get some experience with it check out Poderosa’s website , here is also a screenshot of the program running few ssh encrypted connections in tabs on a Windows host.

Poderosa Windows ssh / telnet tabs terminal emulator screenshot
Another good reason that one might consider using Poderosa instead of PuTTY is the Apache License under which Poderosa is developed. Currently the Apache License is compatible with GPL free software license which makes the program fully free software. The PuTTY license is under BSD and MIT and some other weird custom license not 100% compatible with GPL and hence PuTTY can be considered less free software in terms of freedom.

How to fix “vbAccelerator SGrid II Control Runtime Error” popup window in Windows XP

Tuesday, May 24th, 2011

Windows XPI’m in a friend and he asked me to take a look at his Win PC.
When the Windows boots up a weird and annoying error message appears that reads:

vBAccelerator SGrid II Control Runtime Error

I figured out the SGrid II Control Runtime Error was a cause of a mis-working old Malware Bytes portable installation.

I’ve found online the following tool which fixes the stupid VBAccelerator SGrid II error

By simply downloading and starting the mbam-clean.exe binary after a computer restart the error gets fixed.