Simon
Flexible server monitoring

Monitoring sites for malware infection

Several of my websites have been hacked in the recent past. I've cleaned them up, again, but one got listed as a malware site by Google (which I am also resolving).

There were 2 kinds of hack:

1. The first page (index.html or index.php) of multiple sites was replaced with a different page.

2. In the other hack, a PHP file and a folder (called .files) were added to the site(s).

I'm working on preventing and/or detecting #2. I'm trying to use the ftp directory listing function of Simon and keep getting this message:

ftp -n karellescharff.com << EOF
user [Username] (password)
cd inspiringyourlife.com
ls
EOF
Login incorrect.
Login failed.
Please login with USER and PASS
Please login with USER and PASS
Please login with USER and PASS
Please login with USER and PASS

I've tried the correct password and several others too.

Also I'm not sure I have the directory path correct. I host multiple domains so there is my domain and then the domain/website under it, like this:

mydomain.com
herdomain.com

There is no other folder (like public_html).

So the "domain" would be mydomain.com, and the directory path is herdomain.com?

The user is the same for both.

David Sinclair

Re: Monitoring sites for malware infection

Perhaps the easiest way to determine the correct values would be to perform the same operation in Terminal. Launch Terminal (from /Applications/Utilities) and enter

ftp -n karellescharff.com

Then enter your username and password when prompted. If that works, you'll have the correct information to enter in Simon.

From the output you pasted, it sounds like the username is incorrect. Perhaps you have a different username for the FTP account than used elsewhere?

Another possibility is that the FTP server might be ignoring the password if provided on the "user" line. The only way around that would be to use a .netrc file; see man ftp for details.

Re: Monitoring sites for malware infection

Wouldn't the username and password be the same as what I use in Fetch? That's what I'm using in Simon with the result as noted before. Just tried ftp in Terminal using that username and password and I got in.

Not finding enough info about .netrc to know if it's necessary or how to use it.

Given the repeated incidents I'm experiencing, I'd like this to work.

David Sinclair

Re: Monitoring sites for malware infection

Yes, it'd be the same. So the problem must be that the server is ignoring the password.

Maybe you could use a different service for this? You could have a PHP script on your site to output the directory listing, and check that with the simple Web (HTTP) service.

Otherwise, here's info from man ftp regarding the .netrc file:

THE .netrc FILE

The .netrc file contains login and initialization information used by the auto-login process. It resides in the user's home directory, unless overridden with the -N netrc option, or specified in the NETRC environment variable. The following tokens are recognized; they may be separated by spaces, tabs, or new-lines:

machine name
Identify a remote machine name. The auto-login process searches the .netrc file for a machine token that matches the remote machine specified on the ftp command line or as an open command argument. Once a match is made, the subsequent .netrc tokens are processed, stopping when the end of file is reached or another machine or a default token is encountered.

default
This is the same as machine name except that default matches any name. There can be only one default token, and it must be after all machine tokens. This is normally used as:

default login anonymous password user@site

thereby giving the user an automatic anonymous FTP login to machines not specified in .netrc. This can be overridden by using the -n flag to disable auto-login.

login name
Identify a user on the remote machine. If this token is present, the auto-login process will initiate a login using the specified name.

password string
Supply a password. If this token is present, the auto-login process will supply the speci- fied string if the remote server requires a password as part of the login process. Note that if this token is present in the .netrc file for any user other than anonymous, ftp will abort the auto-login process if the .netrc is readable by anyone besides the user.

Re: Monitoring sites for malware infection

Coming back to this several months later as I now really have to figure this out.

It probably doesn't come as a surprise that the .netrc instructions gave me brain damage. Sorry. So if I understood the first paragraph correctly at all, I create a file called .netrc and I put it in my home directory - I presume in the root directory of the website in question?

So this file should contain for instance:

karellescharff.com myusername mypasswordstring

So I tried the above, in both the root directory of the server user account and in the root of my computer user folder, still getting the same error message. Some more direction here?

Another surprise - I speak VERY limited PHP and don't write it at all. Is such a script available?

David Sinclair

Re: Monitoring sites for malware infection

The .netrc file should only be in the home folder on your Mac — definitely not on the website. You don't want your password in a file that people can access on a public site.

The file should contain the following text (with suitable values substituted, of course):

machine karellescharff.com
        login myusername
        password mypasswordstring

In the Finder or Terminal, give the file permissions so only you can access it (you can do that in the Finder via Get Info on it). Also, if you created the file with TextEdit, make sure that it doesn't have a hidden ".txt" extension; you can see that via Get Info, too.

Hope this helps.
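The PHP script David suggested earlier in the thread (and the original poster asked about), as an added example that is not code from the thread or from Simon: rather than printing a raw directory listing, which would also expose the site's layout to anyone who found the URL, it compares a SHA-256 manifest of every file under the site root against a baseline stored outside the web root and prints "OK" only when nothing was added, removed or modified, so Simon's Web (HTTP) service can simply check the response for that string. The token parameter, the baseline path one level above the site root, and the script living in the site root are assumptions.

```php
<?php
// Added example (not from the thread or from Simon): a read-only integrity
// check that Simon's Web (HTTP) service can fetch and test for the text "OK".
// Assumptions: the site root is the directory this script lives in, the
// baseline manifest is written one level up (outside the web root), and
// MONITOR_TOKEN is a long random secret you put in Simon's URL as ?token=...
const MONITOR_TOKEN = 'replace-with-a-long-random-secret';    // placeholder
const BASELINE_FILE = __DIR__ . '/../site-manifest.baseline'; // outside docroot
$siteRoot = __DIR__;

header('Content-Type: text/plain');
if (!hash_equals(MONITOR_TOKEN, (string)($_GET['token'] ?? ''))) {
    http_response_code(403);
    exit("forbidden\n");
}

// Build "relative/path => sha256" for every file under the site root.
// Hidden folders such as ".files" are included (SKIP_DOTS only drops . and ..).
function manifest(string $root): array {
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if (!$f->isFile()) continue;
        $rel = substr($f->getPathname(), strlen($root) + 1);
        $out[$rel] = hash_file('sha256', $f->getPathname());
    }
    ksort($out);
    return $out;
}

$current = manifest($siteRoot);

// First run (or ?rebaseline=1 after a deliberate upload): record the baseline.
if (!is_file(BASELINE_FILE) || isset($_GET['rebaseline'])) {
    file_put_contents(BASELINE_FILE, json_encode($current));
    exit("BASELINE WRITTEN\n");
}
$baseline = json_decode(file_get_contents(BASELINE_FILE), true) ?: [];

$problems = [];
foreach (array_diff_key($current, $baseline) as $p => $_) $problems[] = "ADDED $p";
foreach (array_diff_key($baseline, $current) as $p => $_) $problems[] = "REMOVED $p";
foreach (array_intersect_key($current, $baseline) as $p => $h)
    if ($h !== $baseline[$p]) $problems[] = "MODIFIED $p";

echo $problems ? implode("\n", $problems) . "\n" : "OK\n";
```

Point Simon's Web service at the script URL with the token and have it treat a response that does not contain "OK" as a failure; after you intentionally change the site, fetch it once with &rebaseline=1 so the new state becomes the baseline.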