I was downloading a backup for the TBGclan forums today when I noticed Windows Security Essentials went off on a file. A file, possibly a Linux executable or compiled script, named xh was in the folder clientscript/pro and the threat was identified as "Hacktool:Linux/xhide".
A look into that folder revealed 4 files: the file named xh, a file named prox, a log and a PHP file named "bot.comel.php". The bot.comel.php document gave me a nice lead and I came up with an article with the same PHP file - http://0entropy.blogspot.com/2011/09/fa ... lysis.html
Looks like some sort of backdoor access. I do not know if this was at all effective. But I have at least 3 of the 4 files and might have a backup with it as it was 7-6 and we have done at least one backup.
Just wanted to warn you guys. While something like this is probably a specific target, we have had some past break-ins. Can't be sure if any of them have been legitimate intrusions or if they exploited a vulnerability in board software, accidentally left-over install files, etc.
PHP Backdoor found on our server. Removed but would like to
- RainMotorsports
- A semi-regular
- Posts: 21
- https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
- Joined: Tue Apr 24, 2012 4:39 am
Re: PHP Backdoor found on our server. Removed but would lik
You guys use vBulletin I believe.
Go to AdminCP > Maintenance > Diagnostics > Suspect File Versions and check if you see any suspected files.
Keep in mind some of the files in there may not be recognized because you are running a few third-party plugins.
Also make sure register_globals is off in your PHP. (If you are using the NFo shared hosting then this feature is most likely already off.)
Last thing, make sure you are running the latest version of vBSEO; a few months ago vBSEO customers' websites were getting hacked because of an exploit.
http://www.vbseo.com/f5/faqs-rogue-plug ... ase-52862/
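The "Suspect File Versions" check mentioned above works by comparing the files on disk against what a clean install should contain. The following is an added example, not code from any poster in this thread or from vBulletin itself: a small file-integrity baseline for a web root that hashes every file, stores the result as a manifest, and on a later run reports files that were added, removed or modified. It also flags files whose type is unexpected in a script directory (the allow-list of extensions is an assumption chosen for this example), which is how a dropped extensionless binary such as the xh file from the first post would stand out even without a vendor-supplied checksum list. The demo builds a tiny constructed web root in a temporary directory, baselines it, then simulates the post's finding with stand-in file contents.

```python
"""Added example: file-integrity baseline and diff for a PHP web root.

Not part of the original thread; all paths and contents in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumption for this example: file types we expect to see under a forum web root.
# Anything else (e.g. an extensionless ELF binary) is reported as an unexpected type.
ALLOWED_EXTENSIONS = {".php", ".js", ".css", ".html", ".htm", ".xml", ".txt",
                      ".png", ".gif", ".jpg", ".jpeg", ".ico"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a POSIX relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def save_manifest(manifest: dict, out: Path) -> None:
    """Persist the baseline; keep this copy off the web host so an intruder cannot edit it."""
    out.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report what changed between two manifests; all three lists are sorted for stable output."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def unexpected_types(manifest: dict, allowed=ALLOWED_EXTENSIONS) -> list:
    """Files whose extension is not on the allow-list, regardless of whether they changed."""
    return sorted(p for p in manifest if Path(p).suffix.lower() not in allowed)


def demo():
    """Constructed scenario: baseline a clean tree, then re-scan after files are dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clientscript" / "pro").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hi';")
        (root / "clientscript" / "vbulletin.js").write_text("// constructed stand-in")
        baseline = build_manifest(root)
        save_manifest(baseline, root / "baseline.json")   # in practice store this elsewhere
        (root / "baseline.json").unlink()                 # removed here so it is not part of the scan

        # Simulated post-compromise state: file names as in the first post, contents constructed.
        (root / "clientscript" / "pro" / "xh").write_bytes(b"\x7fELF-placeholder")
        (root / "clientscript" / "pro" / "bot.comel.php").write_text("<?php /* stand-in */")
        (root / "index.php").write_text("<?php echo 'hi'; /* appended */")

        current = build_manifest(root)
        return diff_manifests(baseline, current), unexpected_types(current)


if __name__ == "__main__":
    changes, odd_types = demo()
    print(json.dumps(changes, indent=1))
    print("unexpected file types:", odd_types)
```

For a real deployment, run `build_manifest` right after a clean install or upgrade, keep the JSON manifest outside the web host's reach, and re-run the diff from a cron job or before each backup; third-party plugins will show up as "added" on the first comparison, which matches the caveat above about unrecognized files.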


Re: PHP Backdoor found on our server. Removed but would lik
Unfortunately, this type of break-in is fairly common for customers who run their own webservers. The best way to prevent these sorts of problems is to keep all of your software as up-to-date (to the latest stable versions) as possible. It's also important to use secure, non-default passwords, to run services without administrator-level access, and other basics.
We talk a bit more about recommended security practices here: http://www.nfoservers.com/forums/viewto ... =46&t=4746 and what to do when you might have a break-in on your hands here: http://www.nfoservers.com/forums/viewto ... =46&t=5059
- RainMotorsports
- A semi-regular
- Posts: 21
- Joined: Tue Apr 24, 2012 4:39 am
Re: PHP Backdoor found on our server. Removed but would lik
The site in question is hosted off of the NFO shared web hosting. Not sure if maybe you looked into my account but I am both a customer and staff of another customer.
Re: PHP Backdoor found on our server. Removed but would lik
Ah, ok, I misunderstood.
In that case, your privileges are correctly restricted, so the damage that it could have done server-side is limited. Wiping and starting with a new, updated installation of your application(s), and changing the webhosting-related passwords (system and MySQL) would be the ultimate server-side cleanup, but you may be able to get away with deleting the obvious files, updating the application(s), and changing your passwords. Also make sure that users know to check their machines for viruses, since it could have loaded malware onto some visitors' machines.
Re: PHP Backdoor found on our server. Removed but would lik
Well, based on what he said, the clientscript folder is inside vBulletin, so I wouldn't say it was a server-side exploit, more likely a plugin exploit.
TBG Clan, you run vBSEO and you have not replied to what I've mentioned in the first post: do you guys run the latest version of vBSEO and did you make sure you ran this script to clear up your datastore?
You can download the script directly here:
http://www.vbseo.com/f5/faqs-rogue-plug ... post326304
I'd also suggest checking all the plugins under the plugin manager to make sure they are all plugins that you installed on your web server.
If you still can't fix this, then I'd suggest seeking professional help from Webhostingtalk if you don't want to wipe everything out.

