Cleaning up an infected PHP server (Mal/Badsrc-M – Troj/PHPShll-B)

I recently discovered that a number of sites of mine were considered unsafe by Google, Firefox, Yandex … The reason was they had detected malware being served to visitors of the site. I checked a bit further and I discovered it was the Mal/Badsrc-M – Troj/PHPShll-B trojan. In each of my (WordPress and other) PHP files, the first line had been changed to

<?php /* */ eval(base64_decode("...(bad stuff)"));?><?php ...
The file is easy to clean up: you remove the eval statement and that’s it. Only, on this server several hundreds of PHP files (WordPress, MediaWiki, …) were affected. So I made a script to go through all of them and clean up. It uses the fact that

  • the whole injected statement is on 1 line
  • no ‘decent’, trustworthy program uses eval(base64_decode(" ... ")) in its PHP code
  • it moves the second <?php to the second line and then removes the whole first line

So if you have the same problem, use a bash script like this and run it in the root of all your websites:

WordPress editor scripting blocked by IE7

For those of you with WordPress blogs, does this look familiar?
WP Editor scripts on IE7: the problem

The new Internet Explorer 7 blocks a lot of (Javascript) scripting for security reasons, which means that clicking on “link” in the WordPress editor gives the warning message above. You have to select “Temporarily Allow Scripted Windows” to be able to use the WP editor buttons. But if you save the post and the editor window is refreshed, you have to do that whole procedure again. Security is nice, and we know why IE makes a point out of it, but it shouldn’t interfere with convenience too much.

Luckily there is a way to let IE switch the security warning off for URLs that are under your own control (like your blog, for instance):
WP Editor scripts on IE7: the solution
Add your own URL to the Trusted Sites (Options/Security/Trusted Sites) and you do not get the scripting warning anymore. Happy posting!

You give out your passwords every day

If you’re allergic to acronyms, don’t read on. I’ve reached an all-time TLA/FLA density high in the following article!

Lock - photo by mfshadowTHE PROBLEM
Who knows the passwords you use for your email accounts? Who knows the password you use for your FTP account? Who knows the password to your blog admin page? There might be more than you thought!

Imagine user John Doe, with username jdoe who has the ‘strong’ password “p@ssw0rd“. Let’s take a look at what conversation happens when his Outlook/Thunderbird email client connects to check for new messages, or when he uploads a new version of his website with Filezilla/Dreamweaver:

This is a typical FTP conversation:

Response:	220 (ID of the FTP server)
Command:	USER jdoe
Response:	331 Password required for jdoe.
Command:	PASS p@ssw0rd
Response:	230 User jdoe logged in.
Command:	...

This is a typical POP3 (email) scenario

Command:	USER jdoe
Response:	+OK Password required for jdoe
Command:	PASS p@ssw0rd
Response:	+OK jdoe's maildrop has 2 messages (320 octets)

(remark: POP3 does have an APOP command that does not transfer the password in clear-text. It is however typically used for 2nd and following POP3 connections, using a piece of information that was given in the first transaction)

Wordpress loginEven more scary: when you log in to your blog/CMS software (that does not use a Google, Yahoo, MSN or Passport account), how does your password reach the server, you think? Encrypted? Not!

Continue reading You give out your passwords every day

Removal of Serflog/Sumom worm

My little niece had been trying for a while now to send me through MSN Messenger a picture called “How a Blonde Eats a Banana”. My reaction was, as any one’s should be: don’t know what she’s sending, nor why, there’s no prior conversation, no context, no nothing: I did not accept it. But I did not think further about it. A couple of days later I found that a) the girl’s computer had a virus, b) the virus eagerly tried to infect other PCs via Messenger, and c) had succesfully accomplished that task in several cases. One of the victims handed over his PC to me (being the family geek and all). Since it was a nasty worm, and it took me some time to disable it, here is the procedure to follow:

  • The virus is a worm called W32.Serflog.A, Win32.Bropia.U, Worm.Win32.Sumom.a, W32/Crog.worm or WORM_FATSO.A, depending on what anti-virus company site you visit. I used the information on the Symantec (Norton Antivirus) site to see how it locked itself to the PC.
  • The worm does several things:
    • it tries to infect other PCs through Messenger (and eMule, but not too aggressively).
    • It does not prevent users from ‘working’ (surfing, email, …) so I can see some people doing nothing about it while the program keeps trying to multiply.
    • And, most importantly, the worm makes it very hard for even an experienced user to desactivate or remove it.
  • The worm starts itself up when Windows starts. Alas, you cannot use Task Manager to see and terminate this process. The invader immediately kills any window starting up that has “Task” in its title. You cannot visit the site of a vendor of antivirus software, because they have all been made inaccessible. You cannot delete its entries from the Registry because it kills the Regedit or Regedt32 applications from the moment they start. You cannot start a DOS Prompt, because … you get the picture.
  • So what you do is the following: create command prompt with a different name. Go to the C:WINNTsystem32 (Win2K) or C:WindowsSystem32 (WinXP) folder and copy the cmd.exe file to e.g. whatever.exe. Now doubleclick the last file, and you should get a command prompt (DOS box). The worm will not detect this.
  • The worm works through 3 hidden .exe files: %System%formatsys.exe - %System%serbw.exe - %Windir%msmbw.exe. We will deactivate them by making them accessible (non-hidden) and renaming them:
    attrib -h serbw.exe
    ren serbw.exe die_sucker.dead
    (and the same for the other 2)
    I first tried to delete the files, but that did not work. Renaming did work, though.
  • Restart your computer. The worm will try to start up by one of the three .exe files, since they are now gone, it will not run. Now start up regedit and delete the hooks the worm had placed in the Registry (see Symantec page for details).
  • Go to the hosts file (most likely in %SYSTEM%driversetchosts) and delete the lines that made the antivirus vendors unavailable. (See Symantec page for details)
  • Switch off the computer, hit yourself on the head and go and buy an antivirus program. What were you thinking? The virus would have been detected and cleaned by: F-SecureNortonSophosMcAfeeTrendMicro – …
    If you have been infected by it, you know you are too gullible to surf the Internet without protection.

These instructions should work on any Windows installation. You might use Symantec’s removal tool, but I had no Internet connection when I was struggling with the intruder. Took me about thirty minutes to figure out a way to circumvent the vicious sucker.

Is this a really nasty piece of software? Yes. Do I admire the person who wrote it? Not at all. It’s not clever engineering, just malevolent.