Comments on: Beladen – Elusive Web Server Exploit. (information for site owners and hosting providers)

By: Denis

Denis — Sun, 02 May 2010 17:52:52 +0000

It’s not beladen. It doesn’t affect all .php file. With beladen, usually no files are affected at all.

By: bobby sandhu

bobby sandhu — Sat, 01 May 2010 10:43:20 +0000

Im using godaddy’s shared hosting and my site has got affected twice in 10 days. The infection targets all .php files and adds an encrypted code to the first line.

I restored my site using local end backup. Changed all CHMOD permissions to read only. The FTP passwords are iron tough. Still, it came back. Im not sure if its beladen or something new. I can provide screenshots if needed.

Im very sure that its aserver based issue and im seriously considering moving to a new hosting provider. Can you suggest which is the safest and most co-operative hosting provider.

Regards
Bobby

By: Chris

Chris — Fri, 12 Feb 2010 10:22:41 +0000

I also received this exploit from adwstat.com/lib/, the hidden iframe was from space.com. I’ve got a copy of the malicious iframe if that is of use or interest.

Thank you for the article, very helpful.

Kind Regards

By: A. Upchurch

A. Upchurch — Sat, 06 Feb 2010 01:04:19 +0000

i don’t have a website. But i did get this Exploit JavaScript obfuscation threat block from AVG. the file name is adwstat.com/lib/
i could not find any info on AVG on it or what to do about it. I’m not sure i understand what all you guys are doing about it or what i can do about it. any info would be gratefully appreciated.

By: David H

David H — Mon, 19 Oct 2009 00:28:08 +0000

The majority of the recommendations and the article seem to be ignoring the fact that if a server is serving up random code instead of what was requested, the server has been root compromised; it’s not just something as innocent and dismissible as oh a site on the server has some php file hiding somewhere and we’re all good if we delete it.

Before a php script can take the place of a child apache process, listen on port 80 and answer queries, the server needs to be hacked; the parent apache process running as root spawns the child processes, it’s not going to randomly spawn someone’s php file instead. If the server has been hacked, then running a bunch of commands to find things running is pointless as none of the utilities can be trusted, so who knows if what’s being reported has any relevance. Their output will most likely have been modified to hide the fact that processes that should not be there are running, or maybe they show you some bogus apache-owned process so you can kill it and think you’ve eliminated the issue.

If this problem does occur, all the server binaries should be compared to a known-good system after first replacing the ssh daemon and the commands needed to do the comparison such as md5sum and rsync if you sync up with your read-only known good system, etc.

By: Denis

Denis — Thu, 17 Sep 2009 09:15:14 +0000

Hi Ben, I've noticed these new sites as well. The malicious redirects a similar to the Goscanpark attack (a new version of the same attack) Thanks for sharing search commands.

By: Ben

Ben — Wed, 16 Sep 2009 23:35:13 +0000

Also used the following search and found another file!:

find . -iname ‘*php’ | xargs grep ‘\$_POST\[\"p\"\]‘ -sl

Again, as mentioned in the article – word wrap wasn’t on in Joe so it looked legit – a search for the term revealed the code way off to the right…

By: Ben

Ben — Wed, 16 Sep 2009 22:01:16 +0000

Hi,

Just thought I’d leave a note here thanking you immensely for providing this information. It aided me in catching the offending file (a file named the same as an image but with php on the end). I performed the following search in the root of the vhosts directory:

find . -iname ‘*php’ | xargs grep ‘Instant Zero’ -sl

This showed the offending file which I could remove and notify the account holder to “get a real password”.

I also thought I’d share that I saw totally different URLs – my sites were being redirected to:

indianapolis-sales .com
best-virus-scanner5 .com

The rest of the article still fitted (I never did see the processes running however).

Thanks again,
Ben.

By: declare.james

declare.james — Tue, 30 Jun 2009 15:22:13 +0000

Denis,

Just Posted up steps to take to try to prevent attacks like Gumblar, Martuz and Nine-Ball.

http://blog.igothacked.com/2009/06/steps-to-prevent-gumblar-martuz-nine.html

By: Estadd

Estadd — Fri, 19 Jun 2009 14:04:50 +0000

Google? No! Not that for me!
The most unreliable and damaging agent
for website monitoring – see my earlier posts here. Many have already quit it, not just me.

Please develop unmaskparasite to such extent that it does better than those and becomes the best. You can !!!