Virus checking and cleaning

coolemail
Forum Regular
Posts: 369
Joined: Tue Dec 16, 2008 8:01 am
Location: United Kingdom

Re: Virus checking and cleaning

Unread post by coolemail »

[root@plesk2 ~]# find /var/www/vhosts/compromised-domain.co.uk/httpdocs -name \* -exec egrep -i "base64_decode" {} \; -ls -print
$id = base64_decode($_REQUEST['id']);
18878110 12 -rw-r--r-- 1 ***ftp psacln 9863 Apr 13 16:22 /var/www/vhosts/compromised-domain.co.uk/httpdocs/webadmin/webpage/index.php
/var/www/vhosts/compromised-domain.co.uk/httpdocs/webadmin/webpage/index.php
[root@plesk2 ~]#
and it is in that file:
<?php
session_start();
require_once("../../fckeditor/fckeditor.php");
require_once("../include/application-top-inner.php");
if($_SESSION["AdminName"] == ""){
echo "<script>location.href='index.php'</script>";
exit;
}
if(isset($_REQUEST['id'])){
$id = base64_decode($_REQUEST['id']);

}
$page_information = $page_object->getPageInfo($id);
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>WEB ADMIN SECTION</title>
<link href="../include/style.css" rel="stylesheet" type="text/css">
<style type="text/css">
body{
margin-left: 0px;
margin-top: 0px;
margin-right: 0px;
margin-bottom: 0px;
background-color: #F9F8F8;
}
.style1 {color: #FF0000}
</style>
<script language="javascript" type="text/javascript">
function changeScrollbarColor(){
document.body.style.scrollbarBaseColor = '#636562';
document.body.style.scrollbarFaceColor='#FFFFFF';
document.body.style.scrollbarArrowColor='#6E89DD';
document.body.style.scrollbarTrackColor='#FFFFFF';
document.body.style.scrollbarShadowColor='#FFFFFF';
document.body.style.scrollbarHighlightColor='#EEECEF';
document.body.style.scrollbar3dlightColor='#EEECEF';
document.body.style.scrollbarDarkshadowColor='#000000';
}

function formValidation(){
var frm = document.form1;
if(frm.page_title.value == ""){
alert("Error: Please enter page title.");
frm.page_title.focus();
return false;
}
if(frm.page_content_title.value == ""){
alert("Error: Please enter page content title.");
frm.page_content_title.focus();
return false;
}
if(frm.page_sco_title.value == ""){
alert("Error: Please enter page sco title.");
frm.page_sco_title.focus();
return false;
}
if(frm.page_sco_keyword.value == ""){
alert("Error: Please enter page sco keyword.");
frm.page_sco_keyword.focus();
return false;
}
if(frm.page_sco_disc.value == ""){
alert("Error: Please enter page sco discription.");
frm.page_sco_disc.focus();
return false;
}else{
return true;
}
}

</script>
<script language="javascript" type="text/javascript" src="../include/required_functions.js"></script>
<link href="../include/style.css" rel="stylesheet" type="text/css">
</head>
Is that a good or bad entry? Perhaps I need to get the customer to ask the designers?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Virus checking and cleaning

Unread post by mikeshinn »

Always best to ask them, they wrote it.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Virus checking and cleaning

Unread post by faris »

Google indicates that...

Code:

if(isset($_REQUEST['id'])){
$id = base64_decode($_REQUEST['id']);
...is not anything significant - base64 coding is relatively commonly used in scripts to obfuscate variables visible to users in the url for good reasons.

Having said that, when you get to the bottom of page 2 in the search results, it is also used in various nasty scripts. But in this case my guess is that there's no problem with that bit of code in that particular place. I may be wrong of course.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
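A way to rank the hits from a find/egrep pass like the one earlier in the thread, so that a plain base64_decode() of a request parameter is separated from the eval-of-decoded-blob pattern seen in injected files. This is an added example, not code from the thread or from ASL; the regexes, the 200-character literal threshold and the two sample snippets are assumptions to tune for your own code base.

```python
import re
import sys
from pathlib import Path

# Assumed patterns that usually accompany injected PHP; tune them to your own code base.
HIGH_RISK = [
    (re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
     "eval() of decoded data"),
    (re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}['\"]", re.I),
     "base64_decode() of a long literal string"),
]
# Decoding a request parameter is common in CMS code, so it only earns a low-priority note.
REQUEST_PARAM = re.compile(r"base64_decode\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\[", re.I)

def triage_source(src: str) -> tuple:
    """Return (severity, reasons) for one PHP source text."""
    reasons = [label for rx, label in HIGH_RISK if rx.search(src)]
    if reasons:
        return "HIGH", reasons
    if REQUEST_PARAM.search(src):
        return "LOW", ["base64_decode() of a request parameter (confirm with the developers)"]
    if "base64_decode" in src:
        return "REVIEW", ["base64_decode() present, no known-bad pattern matched"]
    return "NONE", []

def triage_tree(root: Path):
    """Yield (path, severity, reasons) for every PHP file under root that mentions base64_decode."""
    for path in sorted(root.rglob("*.php")):
        sev, reasons = triage_source(path.read_text(errors="replace"))
        if sev != "NONE":
            yield path, sev, reasons

# Constructed samples: the CMS snippet quoted in the thread and an injected one-liner.
SAMPLE_CMS = "<?php if(isset($_REQUEST['id'])){ $id = base64_decode($_REQUEST['id']); } ?>"
SAMPLE_INJECTED = "<?php eval(gzinflate(base64_decode('" + "A" * 240 + "'))); ?>"

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python triage.py /var/www/vhosts/example.co.uk/httpdocs
        for path, sev, reasons in triage_tree(Path(sys.argv[1])):
            print(f"{sev:6} {path}  ({'; '.join(reasons)})")
    else:
        for name, src in (("cms", SAMPLE_CMS), ("injected", SAMPLE_INJECTED)):
            print(name, triage_source(src))
```

A HIGH hit still needs a human look at the file, and a LOW one is exactly the case the thread ends on: ask the developers whether it is theirs.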
coolemail
Forum Regular
Posts: 369
Joined: Tue Dec 16, 2008 8:01 am
Location: United Kingdom

Re: Virus checking and cleaning

Unread post by coolemail »

I've sent the evidence to the web designers for them to confirm that they are using it or not. THANK YOU all for your help and enlightenment on what has been a very interesting few days.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Virus checking and cleaning

Unread post by mikeshinn »

BTW, you can tell ASL to watch your web directories for changes so you can correlate those changes with user logins, etc. Just look for this line in ossec.conf:


<directories check_all="yes">/bin,/sbin</directories>

And add another line with your web directories (keep in mind this will tell you if anything changes, so you may not want to include your cache directories).


<directories check_all="yes">/var/www/vhosts/domain.com/httpdocs/code</directories>
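One way to write that syscheck stanza with the cache caveat handled, as an added example rather than mikeshinn's or ASL's own configuration: it assumes an OSSEC 2.x agent (report_changes and alert_new_files are 2.x options), and domain.com and the cache path are placeholders.

```xml
<syscheck>
  <!-- Scan interval in seconds (the OSSEC 2.x default is 79200) -->
  <frequency>79200</frequency>
  <!-- Alert on files that appear, not only on files that change -->
  <alert_new_files>yes</alert_new_files>

  <!-- System directories ASL already watches -->
  <directories check_all="yes">/bin,/sbin</directories>

  <!-- Added: the customer's code; report_changes puts a diff of the changed text file in the alert -->
  <directories check_all="yes" report_changes="yes">/var/www/vhosts/domain.com/httpdocs/code</directories>

  <!-- Keep cache, session and temp paths out so routine writes do not bury real changes -->
  <ignore>/var/www/vhosts/domain.com/httpdocs/code/cache</ignore>
  <ignore type="sregex">.log$|.tmp$|.swp$</ignore>
</syscheck>
```

Restart the agent after editing so the new directories are picked up on the next scan.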
coolemail
Forum Regular
Posts: 369
Joined: Tue Dec 16, 2008 8:01 am
Location: United Kingdom

Re: Virus checking and cleaning

Unread post by coolemail »

faris wrote:
blocking Korea, Romania, Russia, Ukraine and Turkey alone will reduce the workload on your server, especially the security systems, massively.
If I geoblock some of the countries above, would that prevent anyone in those countries from sending emails to our clients? Or just block those countries from accessing the server? The latter would work for us. The former would be a problem.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Virus checking and cleaning

Unread post by faris »

With ASL geoblocking, you would block access to everything -- the IP would be firewalled out full stop.

But with ASL we also currently have separate DNS-based blocklist facilities for:

1) Email (as provided as standard)
2) Web (via mod_sec)
3) FTP (via the ASL version of the psa-proftpd package)

So you could mix and match which countries to block on those three services (as long as you have [access to*] a suitable DNS server set up with the appropriate country zones), but not ssh, mysql and plesk control panel access, which are the three other "main" services that you might want to block.

ssh and mysql access is not something many hosting companies would want to allow for third parties, so I guess it isn't all that important -- you are likely to already have blocked it to all IPs other than your own. There's nothing much you can do about plesk other than to have yet another set of iptables and that's just going to get messy.

* We have such a beast and could theoretically make it available to selected users. Does anybody think it might be worth commercializing by us? Or would it be better if the service was provided by Atomicorp as part of your ASL subscription? This is going really off-topic here though. I may post something about this in a new topic in a few days - right now I am ill and can't be bothered to think about it.

Faris.