Malware on D7 website - Blacklisted by Google - drupal-7

I want to tell you about the malware attack on my Drupal website, not just for your suggestions but also to create something helpful to anybody who could suffer from the same problems. Well...
INITIAL SETUP
Drupal 7.9
Activated modules:
- CORE: Block, Contextual links, Database logging, Field, Field SQL storage, Field UI, File, Filter, Image, List, Locale, Menu, Node, Number, Options, Overlay, Path, PHP Filter, RDF, System, Taxonomy, Text, Toolbar, User
- CCK: Multiselect
- CHAOS TOOL SUITE: Chaos tools
- DATE/TIME: Calendar, Date, Date API, Date Popup, Date views
- FIELDS: Email, Field permission, Link
- OTHER: Google Plus One +1, Pathauto, Token, Weight
- SHARING: Share this, Share this block
- TAXONOMY MENU: Taxonomy menu
- VIEWS: Views, Views PDF Display, Views PHP, Views UI
- OTHER MODULES THAT I REMOVED: CKEDITOR, VIEWS_SLIDESHOW, IMCE, DOMPDF, PRINT, WYSIWIG
MY SETUP ERRORS
- In order to satisfy the customer, I modified some of the modules and I've never updated them (OUCH!)
- The customer was in possession of the login data, and maybe his computer wasn't safe (MMM...)
- I didn't have a copy of the website, because I relied on the provider's weekly backup (DOH!)
ATTACK EXTERNAL SYMPTOMS
- All the links on the homepage redirected to a malware website
- Google blacklisted the website
- Critical alert on the Google Webmaster Tools panel
FTP SYMPTOMS
- Lots of "strange" files: mainma3.php (I found this one in every folder!), functoins.php, sum75.html, wlc.html, aol.zip, chase.zip, chaseverification.zip, 501830549263.php, wp-conf.php and a dozen wtmXXXXn.php (where X = a number) in the root folder. All these files were full of malicious functions (unescape, base64_decode, eval, etc.)
- install.php was modified with a long line of malicious code
- To EVERY javascript file this line of code was appended:
  ;document.write('');
- The weekly backup was also infected
- Dozens of repeated "strange" requests, found in the Drupal log panel (my domain is obscured with the string "-----"):
  - index.php?q=ckeditor/xss > Notice: Undefined offset: 5 in eval() (linea 29 di /web/htdocs/-----/home/modules/php/php.module(74) : eval()'d code(1) : eval()'d code).
  - -----/user?destination=node/add > Failed login by shadowke
  - calendar/week/2012-W19?year=2011&mini=2012-12 > page not found
  - misc/]};P.optgroup=P.option;P.tbody=P.tfoot=P.colgroup=P.caption=P.thead;P.th=P.td;if(!c.support.htmlSerialize)P._default=[1, > page not found
  - misc/)h.html(f?c( > page not found
  - mail.htm > page not found
RECOVER [Thanks to this article: http://25yearsofprogramming.com/blog/20070705.htm]
1. I've put the website in Maintenance mode (error503.php + .htaccess). Traffic open just for my IP address [see this useful guide: http://25yearsofprogramming.com/blog/20070704.htm]
2. I've downloaded the whole website locally
3. I've searched for and removed the strange files > I found forty of them
4. I've searched the files for these words [with the freeware AGENT RANSACK]: eval(base64_decode($POST["php"])), eval(, eval (, base64, document.write, iframe, unescape, var div_colors, var _0x, CoreLibrariesHandler, pingnow, serchbot, km0ae9gr6m, c3284d, upd.php, timthumb. > I've acted in one of the following ways: a) I've replaced eval with php_eval() (Drupal's safe version of eval); b) I've written down the suspected modules; c) I've compared the code with the freshly downloaded module; d) I've removed all the malicious code (see the javascript mentioned above)
5. I've searched for changes in the file system [with the freeware WINMERGE]
6. I've identified some suspected modules, thanks to the list written at point 4 above, and thanks to some research on Google (name_of_the_module security issue, name_of_the_module hacked, etc...) and on Secunia [http://secunia.com/community/advisories/search]
7. I've scanned my computer (Avast, Search&Destroy, Malwarebytes Antimalware) > I didn't find any virus or spyware
8. I've changed all the logins (ftp, cpanel, drupal admin panel)
9. I've reloaded the whole website
10. I've removed all the suspected modules: CKEDITOR, VIEWS_SLIDESHOW, PRINT, DOMPDF, IMCE, CAPTCHA, WYSIWIG, WEBFORM.
11. I've told the whole story to the provider's support
12. I requested a review from Google (they did it in 12 hours)
DRUPAL LOG NOW
dozens of these messages:
- wtm4698n.php?showimg=1&cookies=1 > page not found
- fhd42i3d.html > page not found
- wp-conf.php?t2471n=1 > page not found
- -----/user?destination=node/add > Failed login by Elovogue
LESSONS LEARNED
- Never touch the modules, so you can update them
- Keep all the logins on a safe computer / Use a safe computer to work on the FTP
- Search for any security issue before installing a module
- Keep a clean copy of the website somewhere
MY QUESTIONS:
- What kind of attack did I receive?
- Are there other insecure modules in my installation?
- What else can I do?
Thanks to everybody for your patience!
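The recovery steps above (remove the dropped files, then search every file for the indicator strings with Agent Ransack and check the .js files for the appended line) can be run as one pass over the local download. The following Python script is an added example, not code from the post or from Drupal: it walks a site copy, flags the file names the post reports (including the wtm<digits>n.php family), searches the post's indicator strings in PHP, JS and HTML files, and checks whether a .js file ends in an appended ;document.write( call. The sample tree it builds is constructed for the demo (the base64 payload decodes to "echo 1;"); only the file names and search strings come from the post.

```python
# Added example, not code from the post or from Drupal: scan a local copy of the
# site for the file names, content strings and appended-JS line the post reports.
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Dropped-file names taken from the post, plus the wtm<digits>n.php family.
KNOWN_BAD_NAMES = {"mainma3.php", "functoins.php", "sum75.html", "wlc.html", "aol.zip",
                   "chase.zip", "chaseverification.zip", "501830549263.php", "wp-conf.php"}
WTM_NAME = re.compile(r"^wtm\d+n\.php$")

# Search strings from the post (the first one relaxed to its prefix). Plain substring
# match, so "eval(" and "iframe" will also hit legitimate code: every hit is a triage
# item to compare against a freshly downloaded module, not a verdict.
CONTENT_INDICATORS = (
    "eval(base64_decode(", "eval(", "eval (", "base64", "document.write", "iframe",
    "unescape", "var div_colors", "var _0x", "CoreLibrariesHandler", "pingnow",
    "serchbot", "km0ae9gr6m", "c3284d", "upd.php", "timthumb",
)
SCAN_SUFFIXES = {".php", ".inc", ".module", ".install", ".js", ".html", ".htm"}
# The post reports ";document.write('...');" appended to the end of every .js file.
APPENDED_JS = re.compile(r";\s*document\.write\(")


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the scanned root, forward slashes
    kind: str    # "bad-name", "indicator" or "js-tail"
    detail: str  # matched name, matched string, or the offending last line


def scan_file(path: Path, root: Path) -> list[Finding]:
    rel = path.relative_to(root).as_posix()
    findings: list[Finding] = []
    if path.name in KNOWN_BAD_NAMES or WTM_NAME.match(path.name):
        findings.append(Finding(rel, "bad-name", path.name))
    if path.suffix.lower() not in SCAN_SUFFIXES:
        return findings  # archives and images are not read at all
    text = path.read_text(encoding="utf-8", errors="replace")
    for needle in CONTENT_INDICATORS:
        if needle in text:
            findings.append(Finding(rel, "indicator", needle))
    if path.suffix.lower() == ".js":
        # Only the last line matters for the appended-line pattern.
        last_line = text.rstrip().rsplit("\n", 1)[-1]
        if APPENDED_JS.search(last_line):
            findings.append(Finding(rel, "js-tail", last_line[:60]))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    return [f for p in sorted(root.rglob("*")) if p.is_file() for f in scan_file(p, root)]


def build_sample_tree(root: Path) -> None:
    """Write a constructed site copy (no real malware) to exercise the scanner."""
    (root / "misc").mkdir(parents=True, exist_ok=True)
    (root / "modules" / "views").mkdir(parents=True, exist_ok=True)
    (root / "index.php").write_text("<?php\nrequire_once 'includes/bootstrap.inc';\n")
    (root / "misc" / "clean.js").write_text("function ok(){return document.getElementById('x');}\n")
    # Legitimate file with the appended tail the post describes (constructed, .invalid host).
    (root / "misc" / "drupal.js").write_text(
        "var Drupal = Drupal || {};\n"
        ";document.write('<script src=\"http://example.invalid/x.js\"></script>');\n")
    # Dropped files named as in the post; the base64 payload is just "echo 1;".
    (root / "mainma3.php").write_text("<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n")
    (root / "modules" / "views" / "mainma3.php").write_text("<?php echo 1; ?>\n")
    (root / "wtm4698n.php").write_text("<?php /* constructed placeholder, nothing to flag */ ?>\n")


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, scan it and group hit paths by finding kind."""
    root = Path(tempfile.mkdtemp(prefix="d7scan-"))
    build_sample_tree(root)
    grouped: dict[str, list[str]] = {}
    for f in scan_tree(root):
        grouped.setdefault(f.kind, []).append(f.path)
    return grouped


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, sorted(set(paths)))
```

Point scan_tree at the directory from the local download to get the triage list; a "bad-name" hit is a file to delete, an "indicator" hit is a file to diff against a fresh copy of the module, and a "js-tail" hit is a file to truncate at the appended line. Extending KNOWN_BAD_NAMES and CONTENT_INDICATORS with what you find on your own site is the intended use.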

If you are using M$ Windows, I think it is a trojan/virus that steals your FTP passwords and automatically edits files. I know many such stories.
Switch to WinSCP.net.

Related

problems with search engine on dnn

I'm having problems with content indexing in the DNN search engine.
I have a provider that uses DNN, and I have an admin user. They tell me that they have another customer who uses the search engine and it works well.
They pre-configured everything and it is not working.
I have tried to find something in the documentation, but I could not find anything about this.
I checked the skin objects, but they look fine. Then I added a vocabulary and checked the tags on some pages. I also checked the crawler API and it is not indexing anything.
https://www.colombiantourist.com/DesktopModules/internalservices/API/searchService/preview?keywords=dnn&culture=es-ES
Maybe I am missing something?
<%# Register TagPrefix="dnn" TagName="SEARCH" Src="~/Admin/Skins/Search.ascx" %>
<dnn:SEARCH ID="dnnSearch" runat="server" ShowSite="false" ShowWeb="false" EnableTheming="true" Submit="Search" CssClass="SearchButton" />
Try going to https://www.colombiantourist.com/Search-Results
In Edit mode, open the module Settings
Check if everything is set correctly
There are many components to the search story on DNN: site config, module config, scheduled indexing, user permissions, to name a few. If you are getting search results on the site but they are stale, then check the search scheduler to see that it has performed a recent re-index.
see successful indexing task
If there are no results at all and you have access to the code base, then do a clean index by browsing to root / app_data / search and deleting all files in that folder, then manually start the scheduled task (find the scheduler in the admin settings). If you don't have access to the code base you can re-index from the admin menu Site Settings --> Search tab. see search settings
Note the warnings about when to complete a re-index for large sites. Also note that deleting files manually affects all sites on that DNN instance.
Select a test page and ensure that the page and module settings are set to allow indexing of content.
Re-index content as explained above.
Hope this helps

Codename One Preferences/Storage permissions

I have developed and published an app in the Google Play Store, which only sends simple String requests to a REST API and stores the results in Preferences. The same app was also submitted to the Windows Store for publication, however it was rejected for the following reason:
The app declares use of the sensitive capability [musicLibrary, picturesLibrary, videosLibrary] without appearing to access the declared capability. Please remove the sensitive capability declaration and re-submit the app.
Upon inspecting the Google Play Store submission, I noticed the same permissions are requested:
This app has access to:
- Photos/Media/Files: read the contents of your USB storage; modify or delete the contents of your USB storage
- Storage: read the contents of your USB storage; modify or delete the contents of your USB storage
- Other: receive data from Internet; view network connections; full network access; prevent device from sleeping
So my question is, do Preferences really need these permissions, or can I set some kind of build hint to remove these permission requests, especially for the UWP build? I have also tried to set the android.blockExternalStoragePermission build hint, but the permissions are still requested in the Android build. I have yet to try the iOS build since currently I don't have an Apple Developer account.
Thank you very much in advance.
Edit #1 (23/10/2018):
Upon further inspection, I found that I had mistakenly uploaded the version that didn't declare android.blockExternalStoragePermission to the Google Play Store, so all good on the Android version.
Currently I'm not using any cn1libs, and here's the list of all classes imported in my application:
- java.util.HashMap
- java.util.Map
- java.util.Random
- com.codename1.components.InfiniteProgress
- com.codename1.components.ToastBar
- com.codename1.components.ToastBar.Status
- com.codename1.io.CharArrayReader
- com.codename1.io.JSONParser
- com.codename1.io.Log
- com.codename1.io.NetworkManager
- com.codename1.io.Preferences
- com.codename1.io.rest.Response
- com.codename1.io.rest.Rest
- com.codename1.l10n.L10NManager
- com.codename1.ui.Button
- com.codename1.ui.Component
- com.codename1.ui.Container
- com.codename1.ui.Dialog
- com.codename1.ui.FontImage
- com.codename1.ui.Form
- com.codename1.ui.Label
- com.codename1.ui.events.ActionEvent
- com.codename1.ui.events.ActionListener
- com.codename1.ui.layouts.BorderLayout
- com.codename1.ui.layouts.FlowLayout
- com.codename1.ui.layouts.GridLayout
- com.codename1.ui.plaf.Border
- com.codename1.ui.plaf.Style
- com.codename1.ui.plaf.UIManager
- com.codename1.ui.util.Resources
So my original question remains: how do I set the build hints to prevent the same external storage read/write permissions in Windows and iOS?
See the section titled "Android Permissions" here for a list of some APIs that might trigger extra permissions. I suggest extracting the manifest from the XML and inspecting it. Based on your description, you should have two permissions there:
- android.permission.WRITE_EXTERNAL_STORAGE - which should have been disabled when you applied android.blockExternalStoragePermission
- android.permission.INTERNET - this one you actually need
I'm assuming you have a permission for media access, and here it becomes a question of where it came from:
- Did you use a cn1lib that might include a feature that triggers this?
- Do you have a feature in the app that isn't active yet?
Once you have the specific name or results of this investigation, comment here and I'll revise the answer with more details.
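The manifest inspection the answer suggests can be scripted once the manifest is available as text (for an APK, apktool decodes it; that step is assumed here). The following Python is an added example, not from the thread or from Codename One: it collects the declared <uses-permission> entries and reports which ones fall outside the set the app is expected to need, so the media/storage permissions stand out. The manifest below is constructed for the demo; the expected set follows the answer (only INTERNET is actually needed).

```python
# Added example (not from the thread or from Codename One): list the permissions a
# decoded AndroidManifest.xml declares and flag the ones the app is not expected to need.
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Per the answer, INTERNET is the one permission this app really needs.
EXPECTED = {"android.permission.INTERNET"}

# Constructed manifest for the demo: the two storage permissions are the surplus ones.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="demo"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """Names of all <uses-permission> elements, wherever they sit in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # namespaced attribute key for android:name
    return {el.get(name_attr, "") for el in root.iter("uses-permission")}


def audit(manifest_xml: str, expected: set[str] = EXPECTED) -> dict[str, set[str]]:
    """Split declared permissions into expected, unexpected (to explain) and missing."""
    declared = declared_permissions(manifest_xml)
    return {
        "declared": declared,
        "unexpected": declared - expected,
        "missing": expected - declared,
    }


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for key, names in audit(xml_text).items():
        print(key, sorted(names))
```

Run it with the path of the decoded manifest as the first argument; each name under "unexpected" is a permission to trace back to a library or feature, which is exactly the question the answer asks.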

What files make one Wordpress site different from another

Migrating WordPress sites between hosts can take a lot of time, especially when the hosting platforms are different.
I have been trying to migrate my sites from cPanel to MediaTemple, but it seems like I'm just not getting it right.
There are various options:
1. Use the guide they provide
https://kb.mediatemple.net/questions/1556/Migrating+your+websites+to+the+Grid#gs
When moving the files in this way the permissions of the files are not set properly and I would have to go back through them and figure out which ones need to change.
The database export from phpMyAdmin also does not look the same as it looks in the screenshot.
2. Use InfiniteWP
To use InfiniteWP you must provide the URL of the site, and since I don't want to change the DNS until the site is moved this option does not seem ideal.
This option might work if it's OK for the sites to be unavailable for a day or so while the DNS resolves...
But I don't want the sites to be unavailable.
3. Use MediaTemple's "one click apps" to install WordPress and then move only the files that are unique to the site from the old host to the new host.
I would like to use this option.
I think that the content of the wp-content folder needs to be moved and that the database needs to be moved.
My question is:
- what folders and files in a standard WordPress install typically hardly ever change from one site to the other?
- can I use the WordPress database export and import function to move the database from one site to the other?
Any help will be appreciated
Thank you
With InfiniteWP, you can use the "clone an existing site" command (which can be found in "Tool" -> "Install / Clone WP") to migrate a site to a new server.
You have to use a temporary (sub)domain pointing to the new server.
To answer your questions:
/wp-content/ stores all your files and sometimes plugin files; wp-config.php is where your configuration is stored (e.g. credentials to access the database). Depending on your servers, the .htaccess files may be different.
I would recommend creating a dump file of your entire database using phpMyAdmin.

Open and Save Word files through internet

I have a situation that is beyond my knowledge. Here is the situation:
A simple web-based system stores Word files. Users create them locally, then upload them to the server. After that, another user can download, edit and upload again. All that is okay, but those repeated Download/Upload steps cause trouble - in case a user forgets to upload after he makes changes. The prerequisite is that they want to use only Word, so I can't use any web editors like CKEditor or Google Documents.
So - a question - is there a way to let users open/save those DOC files with Word without setting up a VPN?
The server is Windows 2008, and the language is ASP.NET / classic ASP. Users access the system via browsers.
I think you can embed a plugin called aceoffix in your web system, if the customers do not have to download, upload and save back to the server. With aceoffix they can edit online and save back to the server directly. It has exactly the same interface as MS Office. Hope this will be helpful.
How about a tiny app (on the clients) that acts as a synchronizer (using FTP)?
I think an embedded Word viewer would be something quite complex to pull off - especially if they require the native, proper and exact Word look/menus.
One alternative is to provide a plugin to your users, where they can access/sync documents directly from/to the server. But then you aren't using a web site but a local plugin, which comes with its own headaches of course.
Creating a Word plugin is a nice way to make it seem like something "in the Office program" when you have actually created it yourself, so that your user don't have to feel like they are using another program. My idea is that you could create a way for users to load a Word file from the server, do changes to it and then upload them back to the server automatically.

Monitor hosting environment for spam keywords

What environment-independent tools are available to detect new spam blogs or comments appearing on a hosting infrastructure?
As an occasional hosting provider, we want to watch for new blogs or comments which appear spammy, but avoid relying on plugins or modules in the CMS environment (because these are easy to circumvent, or expose only to Google).
A (pseudo) example would be to set up a Google Alert for "viagra ip:10.0.0.1", where 10.0.0.1 is the front-facing IP of the servers. (Google doesn't offer such an advanced operator, though ...)
Seems I'm looking for a combination of Nagios + Google Alerts + ( ??? ) ... what fills this space?
I would set up an hourly cronjob that wgets the entire website, then greps the resulting files for whatever spam strings you're looking for and alerts on a hit. Let me know if you'd like me to hack up a quick example, or if that's not the direction you were thinking.
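As an added example (not from the question or the answer above), the following Python script does the grep-and-alert half of the suggested cron job without touching the CMS: it reads the page copies a wget mirror produced (or fetches a list of URLs itself), looks for whole-word spam keywords in the visible text, and alerts only on page/keyword pairs that were not already present in the previous run's state file, so an hourly job reports new spam once instead of every hour. The keyword list, mirror path, state file and URLs are placeholders; the pages and previous state in demo() are constructed.

```python
# Added example (not from the thread): grep-and-alert half of the hourly job the
# answer suggests, kept independent of the CMS. Paths, URLs and keywords are placeholders.
from __future__ import annotations

import json
import re
from pathlib import Path
from urllib.request import urlopen

KEYWORDS = ("viagra", "cialis", "casino", "payday loan")  # placeholder spam list


def keyword_pattern(keywords=KEYWORDS) -> re.Pattern[str]:
    # Whole-word, case-insensitive; a space inside a keyword matches any whitespace
    # run, so "payday\n loan" split across lines still counts as one hit.
    alts = [r"\s+".join(re.escape(w) for w in k.split()) for k in keywords]
    return re.compile(r"\b(?:%s)\b" % "|".join(alts), re.IGNORECASE)


def visible_text(html: str) -> str:
    # Crude tag stripper: enough to avoid matching inside markup and attributes.
    return re.sub(r"<[^>]*>", " ", html)


def find_hits(pages: dict[str, str], keywords=KEYWORDS) -> dict[str, dict[str, str]]:
    """page id -> {normalised keyword -> context snippet}, only for pages with a hit."""
    pat = keyword_pattern(keywords)
    hits: dict[str, dict[str, str]] = {}
    for page, html in pages.items():
        text = visible_text(html)
        for m in pat.finditer(text):
            kw = re.sub(r"\s+", " ", m.group(0).lower())
            snippet = " ".join(text[max(0, m.start() - 30): m.end() + 30].split())
            hits.setdefault(page, {}).setdefault(kw, snippet)
    return hits


def new_hits(previous: dict[str, dict[str, str]],
             current: dict[str, dict[str, str]]) -> dict[str, dict[str, str]]:
    """Keep only page/keyword pairs absent from the previous run: those are the alerts."""
    fresh: dict[str, dict[str, str]] = {}
    for page, kws in current.items():
        unseen = {kw: snip for kw, snip in kws.items() if kw not in previous.get(page, {})}
        if unseen:
            fresh[page] = unseen
    return fresh


def load_mirror(root: Path) -> dict[str, str]:
    """Read every .html file under a wget mirror directory, keyed by relative path."""
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*.html") if p.is_file()}


def fetch_pages(urls: list[str]) -> dict[str, str]:
    """Alternative to a wget mirror: fetch a fixed list of front pages or feeds directly."""
    return {u: urlopen(u, timeout=20).read().decode("utf-8", "replace") for u in urls}


def run(mirror: Path, state_file: Path) -> dict[str, dict[str, str]]:
    """One cron tick: scan the mirror, diff against last run, persist state, print alerts."""
    previous = json.loads(state_file.read_text()) if state_file.exists() else {}
    current = find_hits(load_mirror(mirror))
    alerts = new_hits(previous, current)
    state_file.write_text(json.dumps(current, indent=1))
    for page, kws in alerts.items():
        print(f"ALERT {page}: {', '.join(kws)}")
    return alerts


def demo() -> dict[str, dict[str, dict[str, str]]]:
    # Constructed pages and a constructed previous state (post-1 was reported last run).
    pages = {
        "blog/post-1.html": "<p>Buy viagra now</p>",
        "blog/post-2.html": "<h1>Hello</h1><p>Cheap CASINO bonus here</p>",
        "comments/42.html": "<div class='comment'>Need a payday\n loan fast?</div>",
        "about.html": "<p>We host blogs; the word casinos is not a whole-word hit.</p>",
    }
    previous = {"blog/post-1.html": {"viagra": "Buy viagra now"}}
    current = find_hits(pages)
    return {"current": current, "new": new_hits(previous, current)}


if __name__ == "__main__":
    run(Path("mirror"), Path("spam-state.json"))  # placeholder paths for the cron job
```

Schedule run() from cron right after the wget mirror step, pointing it at the mirror directory and a writable state file; the printed ALERT lines are what to hand to whatever notification channel you already use. Because the state file records every hit, not just the new ones, a keyword that disappears and reappears on a page is reported again.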
