Over the past few weeks we’ve cleaned a number of websites that were infected with l_backuptoster.php and while it’s been around awhile, we thought we would share our experience. This infection isn’t so much about website security as it is about computer security, but it does eventually affect your website security as well – which is why we’re involved.
For those of you unfamiliar with this little gem, it’s used by hackers to send SPAM. It is uploaded to the website via FTP – which means that the FTP password has been compromised, or worse, the hosting account password has been compromised.
In the most recent instances of websites infected with the l_backuptoster.php file, a new FTP account was created on the hosting account and that account was used to upload the files. The file is uploaded together with two other files, body1.txt and body.txt; all three are used and then deleted until the next time the hacker wants to send SPAM.
Here is what you might see in your FTP logs:
Tue Dec 20 06:32:41 2011 0 xx.xx.xx.xxx 320 /home/path/public_html/body1.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 xx.xx.xx.xxx 292 /home/path/public_html/body.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 xx.xx.xx.xxx 8160 /home/path/public_html/l_backuptoster.php b _ i r candy@yourdomain ftp 1 * c
The xx.xx.xx.xxx would actually be the address this traffic is originating from. The fields that follow are the file size, the path of the uploaded file and the FTP account used.
You see that first the body1.txt file, with a size of 320, was uploaded to the folder shown, followed by body.txt with a size of 292 and finally the l_backuptoster.php file with a size of 8160.
If you’ve been infected with this, and you have your Raw Access Logs activated, you will probably also see entries like these in your access logs:
xx.xx.xx.xxx - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4550&ipAddr=xx.xx.xx.xxx&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"
xx.xx.xx.xxx - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4554&ipAddr=xx.xx.xx.xxx&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"
Again, the xx.xx.xx.xxx would actually show the originating IP address. In our work, we track down this IP address and report it to the proper people as this is an indication that the originating IP address is being used in a suspicious manner.
In the above log file entries the ipAddr parameter matches the originating IP address at the start of the line, and the serv_name parameter would be your domain, i.e. the URL of the infected website.
You will probably see hundreds of these lines if your website is being used with the l_backuptoster.php file.
What we found in each case of a website infected with l_backuptoster.php was that the FTP account used to upload these files was not created by the hosting account owner. The only way this could have been achieved was if the hosting account password had been compromised.
If this is true, then the hackers are no longer just stealing FTP login credentials: their keyboard loggers are recording all logins, and since the hackers are very interested in infecting websites, they simply create their own FTP account.
As stated earlier, after the activity in the access logs, we found that the 3 files uploaded were deleted so there was no trace. The hackers would simply upload the files again at a later time, use them and delete them.
Without constant watching of the log files, we would not have seen this.
If you have been a victim of the l_backuptoster.php website infection, here’s what you should do:
- Change your hosting account password
- Check your hosting account for unused or unauthorized FTP accounts and delete any that you aren’t familiar with
- Create new passwords for remaining FTP accounts
- Perform a full system virus scan with either Avast! or AVG anti-virus and use Malwarebytes as a secondary scanner. If you’re using a Mac, try BitDefender
- Check your log files on a regular basis. Download them to your computer and search for ‘l_backuptoster.php’
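The last step above can be automated. The script below is an added example (not code from the original post) that parses xferlog-style FTP lines and Apache access-log lines like the ones quoted earlier, flags uploads of l_backuptoster.php, body.txt and body1.txt, and counts hits on l_backuptoster.php per client, noting how many carried an ipAddr= value equal to the client's own address. The sample log lines and the 203.0.113.5 / 198.51.100.7 addresses are constructed stand-ins for the xx.xx.xx.xxx values in the post.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines modelled on the post's entries; 203.0.113.5 and 198.51.100.7 stand in for xx.xx.xx.xxx.
FTP_LOG = """\
Tue Dec 20 06:32:41 2011 0 203.0.113.5 320 /home/path/public_html/body1.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 203.0.113.5 292 /home/path/public_html/body.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 203.0.113.5 8160 /home/path/public_html/l_backuptoster.php b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 09:00:00 2011 1 198.51.100.7 1024 /home/path/public_html/index.html b _ i r owner@yourdomain ftp 1 * c
"""
ACCESS_LOG = """\
203.0.113.5 - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4550&ipAddr=203.0.113.5&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"
203.0.113.5 - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4554&ipAddr=203.0.113.5&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"
198.51.100.7 - - [12/Jan/2012:12:35:10 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
SUSPECT_FILES = {"l_backuptoster.php", "body.txt", "body1.txt"}

# xferlog fields: date (5 words), transfer-time, remote-host, size, path, type,
# special-action, direction (i = upload to the server, o = download), access-mode, user
XFER_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} \d+ (\S+) (\d+) (\S+) \S \S ([io]) \S (\S+) ")
# Apache access log: client, ident, user, [time], "method target protocol", status, ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def ftp_uploads(log):
    """Return (remote_ip, size, path, account) for each upload of a suspect file."""
    hits = []
    for line in log.splitlines():
        m = XFER_RE.match(line)
        if not m:
            continue
        ip, size, path, direction, account = m.groups()
        if direction == "i" and path.rsplit("/", 1)[-1] in SUSPECT_FILES:
            hits.append((ip, int(size), path, account))
    return hits


def spam_triggers(log):
    """Per client IP: hits on l_backuptoster.php, and how many had ipAddr= equal to that client."""
    hits, echoed = Counter(), Counter()
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        url = urlsplit(target)
        if url.path.rsplit("/", 1)[-1] != "l_backuptoster.php":
            continue
        hits[ip] += 1
        if parse_qs(url.query).get("ipAddr", [""])[0] == ip:
            echoed[ip] += 1
    return hits, echoed
```

Run it over the real xferlog and access logs downloaded from the hosting account; any account name in the ftp_uploads output that you did not create is the one to delete.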
One point to remember: do not ever have your browser save your hosting account password or any other passwords. We have copies of the viruses hackers use to steal passwords and they work extremely well on browser-saved passwords!
If you’ve been infected by this and have more to add, please leave a comment. If you need help in cleaning this up and getting everything “locked down”, please email me at firstname.lastname@example.org or call at (847)728-0214.
If you found this useful, Tweet about us, like us on Facebook or follow us on Google+.