Question about a SimplePie cache trojan

If you run tt-rss on an officially unsupported platform (shared hosting, Windows, etc.) post here
onyxfox
Bear Rating Trainee
Posts: 18
Joined: 19 Mar 2013, 11:54

Question about a SimplePie cache trojan

Postby onyxfox » 29 Jul 2013, 03:33

So, my hosting company contacted me today to let me know that they found and cleaned a trojan from a file in my shared hosting account. Anyhow, the affected file was located in my tt-rss installation, so I wanted to ask about it here. I'm curious if the file in question (they removed it, so I'm not sure what was inside it originally) is one that contains data from the feeds? I wonder this because it is in a cache file, which makes me think that is what it probably is, but I am not sure. I just would like to know if the trojan might have come from a feed that I'm subscribed to, or if the hunt should continue elsewhere. Thanks.

Hello **** ****,

This is an abuse report concerning your Shared Hosting account with A Small Orange:

Username: ****
Domain: ****.com
IP Address: **.**.**.**
Abuse Type: Malware

We wanted to let you know that Malware was found on your site, and the file in question was cleaned and returned to its original state, or quarantined if the malware infection was unable to be cleaned. The report of what was done is cut and pasted below:

{CAV}winnow.botnet.ff.trojans.3793 : /home/****/public_html/rss/cache/simplepie/35676d8d02ee16fd5ff4094e9416c7441cc4a828.xml => /usr/local/maldetect/quarantine/35676d8d02ee16fd5ff4094e9416c7441cc4a828.xml.17713

Please note that if the infected file was quarantined, your site may need attention to return it to full functioning. You may also wish to change your FTP and cPanel passwords, and scan any computer that had access to those passwords to ensure it is not infected, as that is often how malware finds its way onto sites.

Please let us know if you have any questions about this issue, or need any advice regarding the security of your site and best practices to keep these issues from happening.

Thanks!

**** ****
Live Support Ninja
A Small Orange

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Question about a SimplePie cache trojan

Postby fox » 29 Jul 2013, 09:01

The file in question contains raw feed XML. A special kind of idiot is required to find a trojan there but obviously shared hosting never fails to disappoint.

Sidicas
Bear Rating Trainee
Posts: 12
Joined: 15 May 2013, 14:24

Re: Question about a SimplePie cache trojan

Postby Sidicas » 29 Jul 2013, 12:24

Looks like your hosting provider is using ClamAV, and ClamAV is scanning the tt-rss XML cache as if the files were e-mails.

winnow.botnet.ff is ClamAV's designation that there might be a URL in the file that has been blacklisted for being part of a botnet (ff = Fast Flux Tracker).

It doesn't mean that there is any virus/trojan/etc. in the file. It just means that the file *might* have a link, URL, or IP address of a server that at one time in the past *might* have been part of a spam botnet. That's all it means. It looks like your hosting provider has quarantined the XML file, which normally would be OK for e-mails but is totally worthless for tt-rss's XML cache, since it will just download it again and again until you remove the feed.

I would suggest grabbing a copy of the file that was quarantined. Figure out which feed it belongs to. And then contact the owners of the feed to see if they're aware of the possibly bad link in their feeds, and/or remove the feed.
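A triage helper for the step Sidicas describes, added here as an example and not code from this thread, tt-rss or SimplePie: it reads a cached feed file, reports the channel title and link so the cache entry can be matched back to a subscription, and lists which items carry a URL on a blocked host. The feed text and the blocklist below are constructed stand-ins; the real list behind winnow.botnet.ff is not on the page.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of a cached RSS feed, modelled on the fragment the
# hosting provider quoted later in the thread (not the real quarantined file).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
<title>Example News Feed</title>
<link>http://news.example.net/</link>
<item>
<title>First article</title>
<link>http://feed.example.net/~r/ExampleNews/~3/abc123/</link>
<comments>http://news.example.net/first-article/#comments</comments>
<dc:creator>Ernesto</dc:creator>
</item>
<item>
<title>Second article</title>
<link>http://news.example.net/second-article/</link>
<description>Mirror: &lt;a href="http://mirror.example.org/x"&gt;here&lt;/a&gt;</description>
</item>
</channel>
</rss>
"""

# Constructed blocklist standing in for the reputation list the scanner matched.
BLOCKED_HOSTS = {"mirror.example.org"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def feed_identity(xml_text):
    """Return (channel title, channel link) so the cache file can be mapped to a subscription."""
    channel = ET.fromstring(xml_text).find("channel")
    if channel is None:  # Atom or other formats: fall back to extract_urls() on the raw text
        return (None, None)
    return (channel.findtext("title"), channel.findtext("link"))

def extract_urls(xml_text):
    """Collect every URL in the text, including ones hidden inside escaped HTML in descriptions."""
    unescaped = (xml_text.replace("&lt;", "<").replace("&gt;", ">")
                 .replace("&quot;", '"').replace("&amp;", "&"))
    return sorted(set(URL_RE.findall(unescaped)))

def flagged_items(xml_text, blocked_hosts):
    """Return titles of items whose serialized content carries a URL on a blocked host."""
    hits = []
    for item in ET.fromstring(xml_text).iter("item"):
        hosts = {urlparse(u).hostname for u in extract_urls(ET.tostring(item, encoding="unicode"))}
        if hosts & blocked_hosts:
            hits.append(item.findtext("title"))
    return hits
```

Run it against the quarantined copy in place of SAMPLE_FEED; the flagged titles tell you which entry to raise with the feed owner.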

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Question about a SimplePie cache trojan

Postby fox » 29 Jul 2013, 12:51

I would suggest running the fuck away from that hosting.

onyxfox
Bear Rating Trainee
Posts: 18
Joined: 19 Mar 2013, 11:54

Re: Question about a SimplePie cache trojan

Postby onyxfox » 29 Jul 2013, 17:47

Thanks, Sidicas, that explains a lot!

onyxfox
Bear Rating Trainee
Posts: 18
Joined: 19 Mar 2013, 11:54

Re: Question about a SimplePie cache trojan

Postby onyxfox » 01 Aug 2013, 23:27

Well, just to give an update, the tech support for my host sent me the following in response to my inquiry about the contents of the XML file.


This looks to be the string being hit:

        <slash:comments>131</slash:comments>
                <feedburner:origLink>http://torrentfreak.com/steps-towards-uncovering-the-uks-piracy-site-blackout-130719/</feedburner:origLink></item>
                <item>
                <title>The Pirate Bay “Crowdfunds” Massive 10th Anniversary Festival</title>
                <link>http://feed.torrentfreak.com/~r/Torrentfreak/~3/cH6kdBWR4R0/</link>
                <comments>http://torrentfreak.com/the-pirate-bay-crowdfunds-massive-10th-anniversary-festival-130719/#comments</comments>
                <pubDate>Fri, 19 Jul 2013 10:25:52 +0000</pubDate>
                <dc:creator>Ernesto</dc:creator>


I just removed the feed for now, which should clear up the problem. I guess their ClamAV doesn't like news sites about torrents? Oddly, I've had this feed for quite some time, and have read many articles from there, so I'm not sure what the issue is with this entry compared to the others, lol :(

