Google+ Followers

Tuesday, May 18, 2010

Estou um pouco velho pra isso...

Ontem, dentre tantos emails, recebo o seguinte recadinho do provedor do meu podcast (para quem não sabe Impressões Digitais):

A hacker backdoor shell known to be associated with recent hacks on user accounts that are then used to launch SEO spam and malware distribution was found on your user, listed below:
This means that your user's password has likely been compromised. Your user's password has been changed to a random string to prevent the intruder from logging back in. Please do NOT change the password back to what it was previously! Going forward we need you to:

1) Ensure that you (and all of your users) have active and up-to-date virus/malware screening on all computers they use to connect to us. Infected computers are often how strong passwords are stolen.

2) Pick a new password for this user via our control panel under "Users" -> "Manage Users" -> "Edit". Your new password should not bear any similarity to the old one, should not be one you've used with any other online service, and should not contain any guessable components.

3) Discontinue use of regular FTP if you use it -- it sends passwords over the internet in plaintext. Use SFTP or SSH which encrypt passwords. On the same page you change your password in the control panel ("Users" -> "Manage Users" -> "Edit") you can select "SFTP Account" or "Shell Account" and then click the "Disallow FTP?" checkbox just below those options. 

4) Look for any files that may have been placed or modified by the intruder and remove them or remove the modified portion. 
It's a good idea to examine anything that has been modified more recently than you have updated your website for good measure.
a) SEO spam attacks that we have seen associated with this hacker shell typically leave behind a randomly named .php file and a subfolder named '.files' under the main folder of a domain. The .files folder may contain html pages named after popular SEO terms.
b) more rarely SEO redirect via obfusciated code that is added to site files
code example:
<?php /**/ eval(base64_decode("aWYoZn... 

A quick clean up for sites that have been modified with this string can be done via the SSH command line :
./ -name "*.php" -type f | 
xargs sed -i 's#<?php /**/ eval(base64_decode("aWY.*?>##
g' 2>&1
./ -name "*.php" -type f | 
xargs sed -i '/./,Illegal seekd' 2>&1

5) Make sure that any pre-packaged web software (blogs, galleries, carts, CMS scripts, etc.) are up-to-date with the most recent versions available from the vendor, as these often contain security patches against known vulnerabilities. While this was not the intrusion method for this hack, this is an important security measure for keeping yourself secure in the future.

Desde 2005 nunca tive problema algum com a hospedagem, e não é que agora vou ter que me virar como garoto de 20 anos para ficar depurando arquivo php infectado?
Ainda bem que há - aparentemente - uma solução (se você estiver com o mesmo problema clica aqui).
Preciso, agora, ¨cavar¨ umas horas na minha agenda já um tanto sufocada para espanar código de baixo nível e malicioso nos arquivos php do wordpress e seus plug-ins.
Enquanto eu não terminar de fazer isso o RSS do podcast não irá funcionar... desculpa aí. Foi maus... 

Posted via email from Impressões Digitais

No comments: