Div Colors Malware

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
Post Reply
Longonese
Forum Members
Forum Members
Posts: 11
Joined: Tue Jun 17, 2008 1:56 pm

Div Colors Malware

Post by Longonese »

Hi all,
My site is continuously under attack.
This time it's the "div_colors" malware. I am not an expert, so i need some information, e.g. if someone knows this malware, or has experienced a problem like this.

Readinge the source of my index page (http://www.itinera.info) i can see a short script code:

Code: Select all

<__script__ type="text/javascript">if (typeof(redef_colors)=="undefined") {   var div_colors = new Array('#4b8272' ....


I searched on google and found this page:
http://blog.sucuri.net/2011/03/the-div_ ... pdate.html

Scanning the page with this scanner : http://sitecheck.sucuri.net/scanner/ I found a large number of pages infected.

Can someone help me to find a valid solution?

Thanks in advance and sorry for my bad english.

Longo

-------------------------
CMSMS version: 1.9.4.1
PHP Version: 5.2.17
Server: Apache/2.2
OS: Linux 2.6.18-194.32.1.el5PAE On i686
Longonese
Forum Members
Forum Members
Posts: 11
Joined: Tue Jun 17, 2008 1:56 pm

Re: Div Colors Malware

Post by Longonese »

Other info about this problem:

I noticed that the files on my server are modified as i upload them.
e.g. i uploaded a new "fileloc.php" and after the upload the file is modified on the server.

I Upload the file as you can see the modifications.
Not only fileloc.php is modified, but other files too (moduleinterface.php, preview.php, include.php, ...)
Attachments
fileloc.php.tar.gz
File modified by the server
(266 Bytes) Downloaded 68 times
User avatar
Nullig
Power Poster
Power Poster
Posts: 2380
Joined: Fri Feb 02, 2007 4:31 pm

Re: Div Colors Malware

Post by Nullig »

Re-upload all of the core files and search through the tables in the db for the code that's been injected.

Also, your host may be compromised, so you should let them know, so they can see if the problem is originating with them.

Nullig
Wishbone
Power Poster
Power Poster
Posts: 1368
Joined: Tue Dec 23, 2008 8:39 pm

Re: Div Colors Malware

Post by Wishbone »

Just for the fun of it, move all your files into a sub-directory, lock it so that no-one can access it, and upload this file again. If it changes, either your host is compromised, or your computer is compromised....
calguy1000
Support Guru
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm

Re: Div Colors Malware

Post by calguy1000 »

I noticed that the files on my server are modified as i upload them.
This either means your workstation (windoze) is corrupted (unlikely, never seen this kind of attack before). Or your host is corrupted, and all files are getting recursively re-corrupted on the next access of the website (possible).. or the permissions are incorrect and your ftp client is lying to you that it actually overwrote the files (much more likely).

Your options are
--
a: get a decent ftp client, and watch it's logs
- some ftp clients won't actually overwrite the files, if it already exists
- most people don't pay attention to the logs produced by the ftp
client.
- FileZilla is relatively decent... and if you have to use FTP I would
recommend this client.
- UPLOAD ALL FILES IN BINARY MODE.
- VERIFY the upload using the checksum utility in CMSMS.
b: don't use ftp... most host control panels provide a way to expand a .tar.gz file directly.
c: ssh (much much better than both of the above options)

Once you've narrowed down the problem, and can make sure you are ACTUALLY overwriting the files, and IF the problem still occurs then you will have contact the host because the problem may be coming from another site on the same server recursively modifying all files it has access to).
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Post Reply

Return to “CMSMS Core”