TechSpot

Hostgator password scrape?

By ds515
May 1, 2010
  1. Hi,

    my girlfriend's Hostgator account has apparently been compromised. A ticket was launched and this was a part of the response.

    I found the iframes and have removed them from the account. According to the logs it appears as though the FTP/cpanel account was compromised and the password was scraped. Notice the IP downloading and uploading to the account. This is indicative of a script that is injecting the files with iframes. From recent incidents like these we have come to the conclusion that a user's password was stolen via a password scraper or keylogger that resides on their local PC or network. So no matter how many changes we make to the password, as soon as they type it into FTP or cpanel it's immediately sent off to this script that then injects the files. The logs are below and below the logs you will see tips on how to secure your local network.

    I've attached the logs as per the sticky... any help is greatly appreciated.
     

    Attached Files:
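As an added example (not from the original thread, HostGator, or the poster), a small Python scanner for the kind of hidden iframe injection the ticket describes: it walks a web root and flags iframes that are sized to 0/1 pixel, hidden by CSS, or pointing at a host other than the site's own. The sample pages, their contents and the host names are constructed.

```python
# Added example for this thread (not HostGator's or the poster's code): scan a
# web root for hidden or off-site iframes like the injected ones in the ticket.
# The sample pages, their contents and the host names below are constructed.
import os
import re
import tempfile
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.IGNORECASE)

def iframe_is_suspicious(tag, site_host):
    """True for a 0/1-pixel box, a CSS-hidden box, or a src on a foreign host."""
    attrs = {k.lower(): (dq or sq or bare) for k, dq, sq, bare in ATTR_RE.findall(tag)}
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    hidden = bool(HIDDEN_STYLE.search(attrs.get("style", "")))
    src_host = urlparse(attrs.get("src", "")).hostname  # None for relative src
    offsite = src_host is not None and src_host != site_host
    return tiny or hidden or offsite

def scan_webroot(root, site_host, exts=(".html", ".htm", ".php", ".js")):
    """Return (relative path, line number, tag) for every suspicious iframe."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for m in IFRAME_RE.finditer(text):
                if iframe_is_suspicious(m.group(0), site_host):
                    line = text.count("\n", 0, m.start()) + 1
                    hits.append((os.path.relpath(path, root), line, m.group(0)))
    return hits

def demo():
    """Write a constructed site (one clean page, two injected ones) and scan it."""
    samples = {
        "about.html": '<p>About</p>\n<iframe src="/embed/map" width="600" height="400"></iframe>\n',
        "footer.html": '<div>\n<iframe src="/ad" style="display: none"></iframe>\n</div>\n',
        "index.php": '<?php echo "hi"; ?>\n<iframe src="http://example.invalid/x" width=0 height=0></iframe>\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root, "www.example.com")
```

Run `scan_webroot("/path/to/public_html", "your.site.host")` against a real document root; each hit gives the file and line to inspect, and the FTP transfer log can then be checked for who uploaded that file.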

  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    So far, I don't see any serious security issues.
    You have some Norton's leftover, so please, run Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

    ========================================================================

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

    ======================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  3. ds515

    ds515 TS Rookie Topic Starter

    Hi,

    Thanks for the reply.

    I am currently running Dr. Web; the first scan went for over 1.5 hours, the complete scan is in the 2nd hour and not even half way done. I'll post results once completed.
     
  4. ds515


    Here are the results of the Dr. Web scan & OTL scan. I attached the OTL logs... I cannot attach the Dr. Web scan log as it is over 70 MB. It took Dr. Web about 7 hours to complete the scan; not sure why the log file is huge. Dr. Web did find a trojan named keylogger.exe (Siggen trojan).
     

    Attached Files:

  5. Broni


  6. ds515


    I keep trying to upload the file; however, after over 10 mins it keeps timing out.
     
  7. Broni


  8. ds515


  9. Broni


    I don't really see much...


    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O16 - DPF: Microsoft XML Parser for Java file:///C:/Windows/Java/classes/xmldso.cab (Reg Error: Key error.)
      O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
      O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll File not found
      O33 - MountPoints2\{026d12e6-b89e-11dd-9baf-001e8ce5cdf2}\Shell - "" = AutoRun
      O33 - MountPoints2\{026d12e6-b89e-11dd-9baf-001e8ce5cdf2}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
      O33 - MountPoints2\{2d7b5c41-5657-11dd-b785-001e8c435e84}\Shell - "" = AutoRun
      O33 - MountPoints2\{2d7b5c41-5657-11dd-b785-001e8c435e84}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
      O33 - MountPoints2\{38704e73-41a3-11de-aebf-001de061ec4b}\Shell - "" = AutoRun
      O33 - MountPoints2\{38704e73-41a3-11de-aebf-001de061ec4b}\Shell\AutoRun\command - "" = G:\LiteAuto.exe -- File not found
      [2010/03/21 13:25:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
      [2010/03/21 13:25:08 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
      @Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:D1B5B4F1
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  10. ds515


    Here are the 2 logs after the fix & quick scan.
     

    Attached Files:

  11. Broni


    Something went wrong.
    Did you copy all text including a colon in front of "OTL"?
    Please, retry.
     
  12. ds515


    Yes, I believe I did. I ran it again. I have been getting the following message about 6 times: "There is no disk in the drive. Please insert a disk into drive\Device\Harddisk1\DR1"

    Here's the log


    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 524288 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 23.00 mb

    File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.4.0 log created on 05022010_115727

    Files\Folders moved on Reboot...
    C:\Users\CFeehely\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Windows\temp\wbxtra_05022010_103122.wbt moved successfully.
    File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     

    Attached Files:

    • OTL.Txt (146.4 KB)
  13. Broni


    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  14. ds515


    I ran Kaspersky; it found quite a few things... I've attached both logs as requested. On a side note, not sure it's related to all this, however within the last few days my internet times out on a regular basis.
     

    Attached Files:

  15. Broni


    1st item is a false positive, as I've seen it flagged a number of times by Kaspersky.
    The last one is in your download folder, so you can delete that file manually. It's just adware, though.

    All others are more serious, but they all are in your Thunderbird folders.
    If you take a closer look, you can get rid of half of those infected files, just by emptying "Deleted items", "Junk" and "Trash" folders.
    5 other items sit in your "Inbox", so you have to be really careful, especially opening any attachments.
    I'm explaining all this to you, since I don't want to automatically delete those folders and mess up your mail.

    Other than that...


    Your computer is clean.

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  16. ds515


    Thanks so much for all your help; the work you guys do around here is great, and so much help to us... again, thanks a lot, it's very appreciated.
     
  17. Broni


    You're very welcome :)
    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.
