Div Colors Malware

[Longonese]

Hi all,
My site is continuously under attack.
This time it's the "div_colors" malware. I am not an expert, so i need some information, e.g. if someone knows this malware, or has experienced a problem like this.

Readinge the source of my index page (http://www.itinera.info) i can see a short script code:

Code: Select all

<__script__ type="text/javascript">if (typeof(redef_colors)=="undefined") {   var div_colors = new Array('#4b8272' ....

I searched on google and found this page:
http://blog.sucuri.net/2011/03/the-div_ ... pdate.html

Scanning the page with this scanner : http://sitecheck.sucuri.net/scanner/ I found a large number of pages infected.

Can someone help me to find a valid solution?

Thanks in advance and sorry for my bad english.

Longo

-------------------------
CMSMS version: 1.9.4.1
PHP Version: 5.2.17
Server: Apache/2.2
OS: Linux 2.6.18-194.32.1.el5PAE On i686

[Longonese]

Other info about this problem:

I noticed that the files on my server are modified as i upload them.
e.g. i uploaded a new "fileloc.php" and after the upload the file is modified on the server.

I Upload the file as you can see the modifications.
Not only fileloc.php is modified, but other files too (moduleinterface.php, preview.php, include.php, ...)

[Nullig]

Re-upload all of the core files and search through the tables in the db for the code that's been injected.

Also, your host may be compromised, so you should let them know, so they can see if the problem is originating with them.

Nullig

[Wishbone]

Just for the fun of it, move all your files into a sub-directory, lock it so that no-one can access it, and upload this file again. If it changes, either your host is compromised, or your computer is compromised....

[calguy1000]

I noticed that the files on my server are modified as i upload them.

This either means your workstation (windoze) is corrupted (unlikely, never seen this kind of attack before). Or your host is corrupted, and all files are getting recursively re-corrupted on the next access of the website (possible).. or the permissions are incorrect and your ftp client is lying to you that it actually overwrote the files (much more likely).

Your options are
--
a: get a decent ftp client, and watch it's logs
- some ftp clients won't actually overwrite the files, if it already exists
- most people don't pay attention to the logs produced by the ftp
client.
- FileZilla is relatively decent... and if you have to use FTP I would
recommend this client.
- UPLOAD ALL FILES IN BINARY MODE.
- VERIFY the upload using the checksum utility in CMSMS.
b: don't use ftp... most host control panels provide a way to expand a .tar.gz file directly.
c: ssh (much much better than both of the above options)

Once you've narrowed down the problem, and can make sure you are ACTUALLY overwriting the files, and IF the problem still occurs then you will have contact the host because the problem may be coming from another site on the same server recursively modifying all files it has access to).