Wordpress compromised

Posted: Wed Jan 14, 2015 4:24 pm
by imadsani
Hello,

I received an email from my DC recently saying that a website I host was compromised. The wordpress site wasn't defaced but I found that the attacker had created various directories at the root with php scripts inside redirecting users elsewhere.

The following is the content of one of the index.php files created:
http://pastebin.com/3LzxCSfd

Amongst several other folders that were created, there is one which has 3,870 php files inside, all with dubious redirection links. Contents of one of them is below:
http://pastebin.com/sCXdV7NV

How did the attacker get through ASL? How can I prevent similar incidents in the future?

I apologize if I sound rude, my intentions are anything but.

Re: Wordpress compromised

Posted: Wed Jan 14, 2015 5:08 pm
by mikeshinn
We're sorry to hear that. In most cases this happens when the bad guys simply steal a password and SSH into the system (especially when you see lots and lots of files). Hard to say for sure, but both of these are picked up by the real time malware protection system. Can you tell me what kernel you are using?

If you are using the ASL kernel, can you tell me what directories you have the ASL kernels real-time malware protection system configured to protect and where these files were located?

Re: Wordpress compromised

Posted: Wed Jan 14, 2015 5:44 pm
by imadsani
I'm running the ASL kernel.

I just checked, it seems that I had the real time scanner disabled. I run a WHM / cPanel server so all the web directories are located inside /home/. Shall I add this path to the real time scanner?


edit: I ran the malware scanner manually on the directory where I quarantined the compromised files and folders and below is the result of the clam scan

20150115.024140.clamscan.log

----------- SCAN SUMMARY -----------
Known viruses: 5453749
Engine version: 0.98.5
Scanned directories: 7
Scanned files: 13036
Infected files: 0
Data scanned: 0.35 MB
Data read: 0.18 MB (ratio 1.98:1)
Time: 120.064 sec (2 m 0 s)

edit2: When I said root, I actually meant the public_html directory of the client (/home/client/public_html/). Apologies for the confusion.

Re: Wordpress compromised

Posted: Thu Jan 15, 2015 10:41 am
by mikeshinn
That's odd, I definitely can detect the two examples you provided:

[mshinn@localhost malware]$ clamscan 1.php
1.php: Atomicorp.PHP.Malware.012281416345.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 5719788
Engine version: 0.98.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 11.972 sec (0 m 11 s)
[mshinn@localhost malware]$ clamscan 2.php
2.php: Atomicorp.PHP.Malware.0122814163449.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 5719788
Engine version: 0.98.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 10.500 sec (0 m 10 s)

Are there different files in the directories you are scanning perhaps? Could you just tar up the directory and provide us with the URL to download it?

Re: Wordpress compromised

Posted: Fri Jan 16, 2015 7:18 am
by imadsani
Here's a zip of all the directories I could find: http://128.199.79.58/hacked.tar

edit: It appears my clamav definition database contains fewer signatures than yours, I'm off by 266039 signatures.

Re: Wordpress compromised

Posted: Fri Jan 16, 2015 1:36 pm
by mikeshinn
I'm definitely seeing all of them detected, perhaps as you said your signatures are out of date? When you run "aum -u" and a clamscan -r on those files do you see them detected on your system?

If not, I wonder if your system is somehow configured to not load the ASL signatures?

Re: Wordpress compromised

Posted: Mon Jan 19, 2015 3:24 am
by imadsani
This is weird, clamscan now reads all the files as malicious after running aum -u. I distinctly remember that the first thing I did after receiving the email from my DC was to update ASL via the GUI.

But my virus definition DB still contains fewer definitions than your post:

----------- SCAN SUMMARY -----------
Known viruses: 5485872
Engine version: 0.98.5
Scanned directories: 7
Scanned files: 13036
Infected files: 13036
Data scanned: 0.18 MB
Data read: 0.18 MB (ratio 1.00:1)
Time: 33.539 sec (0 m 33 s)
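The thread turned on two things that are easy to miss when reading clamscan output by hand: a "Known viruses" count far below the vendor's (signatures not loaded or not updated) and the "Infected files" count. The script below is an added example, not code from the thread or from ASL; it parses clamscan text of the shape quoted above and flags both conditions. The sample output and the reference count are constructed from the figures quoted in the posts.

```python
"""Parse clamscan output like the SCAN SUMMARY blocks quoted in this thread.

Added example, not part of the forum thread or of ASL: it pulls the summary
fields and the "... FOUND" detections out of clamscan text so a stale
signature database (a low "Known viruses" count) or reported infections
can be flagged automatically instead of by eyeballing the log.
"""
import re

# Sample clamscan output, constructed from figures quoted in the thread.
SAMPLE_OUTPUT = """\
1.php: Atomicorp.PHP.Malware.012281416345.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 5453749
Engine version: 0.98.5
Scanned directories: 7
Scanned files: 13036
Infected files: 1
Data scanned: 0.35 MB
Data read: 0.18 MB (ratio 1.98:1)
Time: 120.064 sec (2 m 0 s)
"""

# "<path>: <signature> FOUND" lines emitted per detected file.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<signature>\S+) FOUND$", re.M)
# "Key: value" lines in the summary block.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$", re.M)


def parse_clamscan(text):
    """Return (summary dict, list of (path, signature)) from clamscan text."""
    detections = FOUND_RE.findall(text)
    # Only read key/value lines that follow the summary banner.
    _, _, summary_text = text.partition("SCAN SUMMARY")
    summary = {}
    for m in FIELD_RE.finditer(summary_text):
        key = m.group("key").strip().lower().replace(" ", "_")
        value = m.group("value").strip()
        # Plain integer counters become ints; everything else stays a string.
        summary[key] = int(value) if value.isdigit() else value
    return summary, detections


def assess(summary, reference_known_viruses):
    """Return human-readable findings: stale signatures and/or infections."""
    findings = []
    gap = reference_known_viruses - summary.get("known_viruses", 0)
    if gap > 0:
        findings.append(f"signature database is {gap} signatures behind reference")
    if summary.get("infected_files", 0) > 0:
        findings.append(f"{summary['infected_files']} infected file(s) reported")
    return findings
```

Feeding it the first summary from the thread against the vendor's 5719788 count reproduces the 266039-signature gap the poster noticed.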