Solved Hostgator password scrape?

Status
Not open for further replies.

ds515
Hi,

My girlfriend's Hostgator account has apparently been compromised. A ticket was launched and this was a part of the response.

I found the iframes and have removed them from the account. According to the logs it appears as though the FTP/cpanel account was compromised and the password was scraped. Notice the IP downloading and uploading to the account. This is indicative of a script that is injecting the files with iframes. From recent incidents like these we have come to the conclusion that a user's password was stolen via a password scraper or keylogger that resides on their local PC or network. So no matter how many changes we make to the password, as soon as they type it into FTP or cpanel it's immediately sent off to this script that then injects the files. The logs are below and below the logs you will see tips on how to secure your local network.

I've attached the logs as per the sticky... any help is greatly appreciated.
 

Attachments

  • mbam-log-2010-04-30 (22-53-33).txt (1.1 KB)
  • gmer.log (5 KB)
  • DDS.txt (27.6 KB)
  • Attach.zip (3.1 KB)
So far, I don't see any serious security issues.
You have some Norton leftovers, so please run the Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

========================================================================

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on the X in the upper right corner.

======================================================================

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Hi,

Thanks for the reply.

I am currently running Dr. Web. The first scan went for over 1.5 hours; the complete scan is in its 2nd hour and not even halfway done. I'll post results once completed.
 
Here are the results of the Dr. Web scan & OTL scan. I attached the OTL logs... I cannot attach the Dr. Web scan log as it is over 70 MBs. It took Dr. Web about 7 hours to complete the scan; not sure why the log file is huge. Dr. Web did find a trojan named keylogger.exe, Siggen trojan.
 

Attachments

  • OTL.Txt (160.9 KB)
  • Extras.Txt (85.2 KB)
I don't really see much...


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file:///C:/Windows/Java/classes/xmldso.cab (Reg Error: Key error.)
    O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll File not found
    O33 - MountPoints2\{026d12e6-b89e-11dd-9baf-001e8ce5cdf2}\Shell - "" = AutoRun
    O33 - MountPoints2\{026d12e6-b89e-11dd-9baf-001e8ce5cdf2}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{2d7b5c41-5657-11dd-b785-001e8c435e84}\Shell - "" = AutoRun
    O33 - MountPoints2\{2d7b5c41-5657-11dd-b785-001e8c435e84}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{38704e73-41a3-11de-aebf-001de061ec4b}\Shell - "" = AutoRun
    O33 - MountPoints2\{38704e73-41a3-11de-aebf-001de061ec4b}\Shell\AutoRun\command - "" = G:\LiteAuto.exe -- File not found
    [2010/03/21 13:25:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
    [2010/03/21 13:25:08 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
    @Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:D1B5B4F1
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Here are the 2 logs after the fix & quickscan
 

Attachments

  • OTL2.Txt (145.6 KB)
  • 05022010_102817.log (12.8 KB)
Something went wrong.
Did you copy all text including a colon in front of "OTL"?
Please, retry.
 
Something went wrong.
Did you copy all text including a colon in front of "OTL"?
Please, retry.

Yes, I believe I did. I ran it again. I have been getting the following message about 6 times: "There is no disk in the drive. Please insert a disk into drive\Device\Harddisk1\DR1"

Here's the log


User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 524288 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 23.00 mb

File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.4.0 log created on 05022010_115727

Files\Folders moved on Reboot...
C:\Users\CFeehely\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Windows\temp\wbxtra_05022010_103122.wbt moved successfully.
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 

Attachments

  • OTL.Txt (146.4 KB)
1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 
I ran Kaspersky and it found quite a few things... I've attached both logs as requested. On a side note, not sure it's related to all this, however within the last few days my internet times out on a regular basis.
 

Attachments

  • Kapersky.txt (2.5 KB)
  • hijackthis.log (16.8 KB)
The 1st item is a false positive, as I've seen it flagged a number of times by Kaspersky.
The last one is in your download folder, so you can delete that file manually. It's just adware, though.

All others are more serious, but they all are in your Thunderbird folders.
If you take a closer look, you can get rid of half of those infected files, just by emptying "Deleted items", "Junk" and "Trash" folders.
5 other items sit in your "Inbox", so you have to be really careful, especially opening any attachments.
I'm explaining all this to you, since I don't want to automatically delete those folders and mess up your mail.

Other than that...


Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 
Thanks so much for all your help; the work you guys do around here is great, and so much help to us... again, thanks a lot, it's very appreciated.
 