Famous Bloggers

How To Blog and Start a Business

Home » The Famous Blog » You’ve Been Hacked!

You’ve Been Hacked!

- by 2,263

Been Hacked

If you are one of the many computer users or web hostmasters who think that they have not been hacked before, you should think again! And if you truly believe you are invincible or unsusceptible to attacks, well, let’s just say, “There is wishful thinking in Hell as well as on Earth” – C.S. Lewis

Cleaning up web pages injected with airschk

Getting hacked is one thing and not being aware of it is another. I can go on and on talking about the many incidents I personally experienced with clients I consulted with who were totally unaware of their network or data compromise for months. For now, I’ll just stick to an incident we had last night.

Last night, I was asked by Hesham to help him look into some strange server behaviors he has been witnessing. The server had been requesting connections to a couple of unrecognized domains; mainly though, airschk.com. We had to dig deeper into Hesham’s web files to finally find a php script added at the very top of many of the apache .php files of Hesham’s sites. Apparently, the attacker gained access somehow to those particular domains’ FTP, downloaded the .php code, added the malicious script and uploaded the files back into the server.

Before we all roll up our sleeves here, let’s first discuss what airschk attack (or web-bug) does.

What does the airschk attack do exactly?

cyber face eyes

The malicious code embeds an IMG SRC tag into your web pages that would normally be interpreted by browsers as a .gif image hosted in a remote address. In reality however, the script is actually collecting a lot of information about the target site and the site visitors like visitor location, IP, etc.; moreover, the code is sending massive distributed requests back to Google for possible future alterations of page/domain rankings.

How do I check if I have been attacked by airschk?

You can use “grep” or “find” Unix commands to look for the infected files.

From your main web server documents’ directory, use the following grep command to list the files and the lines containing the script:

$ grep "airschk" –r *

Or, for a more extensive search (the entire machine), listing only the infected files, use the find command with the grep together as follows (searching from the root directory “/”). Replace “public_html” with your web server document base directory name.

$ find / -type f -name '*' -exec grep -s airschk {} \; -print | grep public_html

The output of the command above will show you all filenames infected.

How can I remove it?

First of all, you need to change your login password NOW. Choose a hard-to-guess password, preferably at least 10 characters long that contain small and capital letters, at least one numeric character, and at least one punctuation character.

I am currently working on a Linux script that would clean-up the infected files. I will post another blog article with details on that as soon as I finish.

How did this happen anyway?

Do you ever use Telnet to remotely manage your server? Or may be FTP to upload files? If you do, then you may want to check your php files now; especially if you are using WordPress or similar CMS.

Both Telnet and FTP use clear-text to authenticate, it is very likely that your password has been compromised by the attacker during one of your FTP/Telnet sessions. There are many possibilities on which your password could have been compromised. Without getting into too many technical details, one possibility is that telnet or FTP traffic was captured in transit between your server and your workstation. Another possibility is that another server/machine in the hosting company’s network was compromised and used as a launching pad for sniffing traffic within your hosting company’s network.

We actually examined the server’s log file /var/log/messages

Here is a snippet from what we found:


Apr 27 04:26:46 fam pure-ftpd: (?@76.26.91.229) [INFO] New connection from 76.26.91.229
Apr 27 04:26:47 fam pure-ftpd: (?@76.26.91.229) [INFO] user@famousbloggers.net is now logged in
Apr 27 04:27:05 fam pure-ftpd: (user@famousbloggers.net@76.26.91.229) [NOTICE] /home/famous//public_html/_vti_inf.html downloaded (1754 bytes, 127.67KB/sec)
Apr 27 04:27:05 fam pure-ftpd: (user@famousbloggers.net@76.26.91.229) [NOTICE] /home/famous//public_html/_vti_inf.html uploaded (1995 bytes, 25.33KB/sec)
Apr 27 04:27:06 fam pure-ftpd: (user@famousbloggers.net@76.26.91.229) [NOTICE] /home/famous//public_html/_wp-settings.php downloaded (9655 bytes, 530.69KB/sec)
Apr 27 04:27:06 fam pure-ftpd: (user@famousbloggers.net@76.26.91.229) [NOTICE] /home/famous//public_html/_wp-settings.php uploaded (12410 bytes, 54.37KB/sec)
:
:

As you see above, the IP address (76.26.91.229) which comes from West Virginia (not necessarily where the actual hack originated from, it could be another machine that has been compromised and used as a divert for launching attacks to remote servers) successfully gained FTP access to the machine, downloaded the WordPress files and then uploaded the files back into the server. From the timestamp of the logs, you can easily tell that this is an automated script ran by the attacker. This process has continuously repeated itself for many other files in other domains running on the server.

Can I prevent similar incidents from happening again?

I hate to break it to you, but the answer is “No.” The good news is that there are a few precautions you could take to protect yourself from similar attacks.

  1. As mentioned above, the first important precaution you should take is to use a hard-to-guess password and never share that password with others.
  2. The use of Telnet and FTP over a public cloud is highly discouraged. Please consider using SSH to remotely login to your server’s command-line, and SFTP (Secure-FTP) to transfer files in between; both protocols encrypt the flow of information between your computer and your server.
  3. Unfortunately, some of the hosting companies provide remote management tools like control panels, etc. that use clear-text authentication. Make sure your site Control/Admin Panel uses HTTPS, at least during the login process. Consult with your hosting company on the authentication protocol or method used on the provided Control Panel. If your hosting company does not offer an encrypted authentication for managing your server, well, you may not be with the right hosting company.
  4. Periodically, check your FTP/Telnet logs; you can do that by examining the /var/log/messages file for suspicious activities.

Cleaning up web pages injected with airschk

Hope this article was helpful. As always, your comments and suggestions are welcome.

About

A network engineer and a security specialist with a BSc degree in Computer Engineering, MS in Computer Networks, MBA in International Business and MS in Global Management. A member of the National Political Science Honor Society and The International Honor Society for Collegiate Schools of Business. Seinfeld, That '70s Show, Monk and Lost are my favorite TV shows, and Back to the Future, 12 Monkeys and Crash are my favorite movies. I however enjoy activities like biking, golfing and reading, but I spend most of my time behind a computer screen.

Reader Interactions

Related Posts

{ 25 Responses }

  1. Karan says:
    Most of it went over ma head...lol
  2. Felicia says:
    Upon opening your webpage, I immediately thought that your website has been hacked. However, as I continue to look at the content, I found out that it was an informative post about airschk attack. I must commend you for the presentation though.
  3. John says:
    A catchy title you have there! The content is really informative and it’s new. I haven’t heard about airschk but I must really be on the look out for this attacker. I really appreciate this article –you had the basic details about airschk, how it happens and how to remove it with the visual representations. I’m so looking forward for your new posts!
  4. Slav says:
    I forgot about one extra thinks - if this possible, change default ports on your server - if you have VPS or dedicated machine this shouldn't be a problem. For example for SSH change port to something extremely random - most of "hacking attempts" are made by automated tools, which are "knocking" to default ports.
  5. John says:
    Hi Osam, I am not a technical guy who work continiously on server or web development. but still i must say your post explain issue very easily. Thanks for sharing information John
  6. Slav says:
    Missing advice is: don't store your passwords in browsers, or any FTP clients. Best way is keep passwords in programs like KeePass and use them wisely.
    • Mohamed Osam says:
      Spot on Slav! Absolutely, this is one thing I am talking about in my Part II of this blog. We worked on the script that past weekend and will publish it along with some more details and insights of this web bug, likely sometime tomorrow.
  7. Rose says:
    Hi Mohamed, Especially when you reach the first page of Google with high competition keywords, there will be big chance that someone tries to bring you down. One of my website have been hacked which I have to removed the whole site and started it from scratch. I am now back on first page of Google again and hope that I will get no more hack. I am no more using Telnet, allow FTP access only and my FTP password is about 30 alphabets which will change every month. Thank you for really useful post.
    • Mohamed Osam says:
      Hi Rose, Being at the top of Google search will definitely make you a target. Having a long password will also increase your security, but still, sending the password in clear-text through FTP or Telnet is a no-no to me, no matter how long or well crafted your password is, once you hit that send/login/submit button, your password is out in the open for anyone to catch. Not sure what server OS you use, but usually SFTP (FTP over SSH) is available and turned on by default on most Unix/Linux hostings. If you use Windows, consider FTP over SSL, consult with your hosting company on the available options.
      • Rose says:
        Hi Mohamed, I am using Dreamhost and yes! You just get me some idea, thank you! Your post very helpful to me, thank you again. ;)
  8. Ayden says:
    Actually there is a way to make sure that never happens again - which is to cancel your hosting account and never go online again ;) apart from that, you're right Mohamed
  9. lawmacs says:
    I too a couple of months back had the same problem along with two other friends of mine the frightening thing is that the latest sets of attack that i have seen seems to happen to sites running wordpress and thesis this is just a thought. Sorry bro hope you are up and running soon
  10. Trisi says:
    I've been hacked a few times and for someone like me that has very little server or php skills it is an absolute nightmare. I have a membership site (not WordPress but .php) that was hacked and it could have been months before I noticed. They added hundreds of invisible links to the footer of each page. I've also had a couple of WP blogs hacked. I wish there was a simple clear cut form of protection for those of us that don't want to become technical experts or programmers.
  11. Edgar says:
    I heard that Google (the spam team) is putting an intensive effort to detect and stop malicious codes from spreading. When i visit some blogs or websites sometimes Google flags them as "Attacked site" because they've detected a malicious code in their files. I know that it's very hard to scan through codes to find such vulnerabilities, so i appreciate the effort you've put in this.
  12. AIDY says:
    Timely post indeed! Hesham definitely has a keen eye and hopefully all will be resolved successfully. Fantastically detailed post and menacing image as well! Is there anyway to detect these system vulnerabilities as they occur? Perhaps some type of real-time scanning software? Thanks for the heads up.
  13. Dennis Edell says:
    Thanks for the heads up, it's greatly appreciated. :)
  14. Fran Aslam the Onlinewriter says:
    Hi Mohammad : Your article is very informative. But I feel many times, that I have been hacked. Otherwise, why suddenly when I turn on it starts behaving different and funny and not easy to use. Why does that happen? Changes do not happen by itself. Thanks for the password hint and an informative post Fran Aslam
  15. Tessa says:
    Yes of course agree with Tatum. Now a days hackers hacking all company sites very easily. I prefer to use proper spy ware & firewall to protect more security.
  16. Sam says:
    Hi Osam. I really appreciate this timely information. Thanks
  17. Fisayo says:
    This is a very useful information. Thanks for sharing
  18. A. Tatum Jr says:
    Very timely post. Especially with all the major companies being hacked people may forget about the little guy. I tell my friends and family all the time logging in the password protected sites on open wifi without https is a no no. That's one reason why I bought the HTC Evo. So I can have a hotspot every where I go.