Comments on: RoundStorm FTP Hack – Solution

By: Snype

Snype — Tue, 03 Aug 2010 16:14:38 +0000

@David the passwords are encrypted locally but can be easily decrypted depending on the app. Check to see if your FTP client has a setting for a “Master Password.” This should increase the security of your passwords, also if you save passwords in your browser you might want to setup a “Master Password” there too.

@Ivan I had to download and run Avast free anti-virus in Boot mode. This found several *.sys, *.tmp files that were infected. Mainly in temp and system32 folders. NoScript is really helping and uninstalling Java also didn’t hurt.

By: ivan haentjens

ivan haentjens — Sat, 31 Jul 2010 20:27:24 +0000

forget the cpanel option, I’ve had sites hacked on hosting servers not offering cpanel or plesk. In my opinion the malware resides on the pc of the webmaster.

By: ivan haentjens

ivan haentjens — Sat, 31 Jul 2010 20:18:20 +0000

Some thoughts…

Does anyone of you use phpmaker?
Does anyone has / had mywebsearch plugin installed?

regards,
Ivan

By: David

David — Fri, 30 Jul 2010 22:46:54 +0000

Thanks for the great advice.

I just helped to restore a clients site that was infected. It’s a nasty one and as you said was in every file and directory. We did a full site restore to fix.

But I’m curious about the details of your comment. “Delete all FTP Passwords and do not save any on your client”. Is the virus somehow grabbing passwords from the FTP Client?

I’m a Mac guy which (normally) gives me a certain level of security, and I’m using Transmit for Mac, which is a pretty decent FTP client. However my passwords are saved within Transmit. (Although they are encrypted).

I’m just wondering what kinds of hoops need to be jumped?

Thanks again!

By: admin

admin — Wed, 21 Jul 2010 14:28:26 +0000

@Nick, I thought about that too but found it easier to use shell since we have access to our servers. The only flaw I see in using a PHP script is that you’ll need to properly CHMOD all the files before running the script and maybe on shared hosts the script will not be able to run for long periods of time.

Other solutions:
- restore a backup of the site. If you have cPanel or Plesk this should be easy.
- If your site is in a version control system you can simply revert all changed files.

I can probably whip up a PHP script if enough requests come in.

By: Nick

Nick — Wed, 21 Jul 2010 00:27:04 +0000

Back…

As one who ‘dabbles’ in php, the thought came to me that as the AV big boys haven’t yet taken this problem under their wings. Perhaps a small group of talented indiviuals could write a php/asp/etc script that would run though all the files and a person’s site automatically editing out the offending code.

I know the concept is valid, however, I do not feel I am sufficiently skilled to write it. Correcting via the shell may be a bit too daunting for the average site owner. Whereas, running a simple script is some thing easily done by even a novice.

Just a thought.

Nick

By: Nick

Nick — Tue, 20 Jul 2010 12:54:03 +0000

Also have been ‘infected’. It added to all my index, js files as well as many html and php files with ‘main’ as the prefix.

Still very limited information on the web about it

By: Mark

Mark — Mon, 19 Jul 2010 07:01:14 +0000

Did the virus get from your computer to your website or your website to your computer? The virus never got onto my computer thanks to Eset’s AV, it was on the website first.

I would love to know how it worked because if it got in once then it can sure as heck do it again and I doubt just changing my passwords will work.

But I have a lot of different systems so knowing which is vulnerable requires knowing how the script works. I have tried to contact various AV firms but they are all useless.

By: admin

admin — Thu, 15 Jul 2010 18:23:35 +0000

Thanks for the info Mark. I also recently found that getting rid of this virus on the my PC is tricky. I have installed NoScript (Firefox Plugin) and completely uninstalled Java6 my computer… The sites I visit hardly used Java anyway.

By: Mark

Mark — Thu, 15 Jul 2010 16:52:14 +0000

I had the same thing on my website, it infected various different scripts and somehow even got in to replace and infect well protected files. It even got to some scripts that are not public. To me this suggests some kind of root level access.

I don’t know how this virus works or anything about its method or how to protect against it, but I have managed to check through 20,000 odd files and replace them with fresh copies from my backups. Mostly index.php’s, .js files and .html stuff.