04-20-2009, 07:48 PM
devine
Confirmed User
 
Join Date: Jul 2006
Posts: 620
IMPORTANT: any of your servers hit by this?

So we were hit by a fucking trojan that appends a script at the beginning of several PHP files and at the end of all .js files. This mofo apparently comes in PDF files and some SWF using an Acrobat vulnerability. It will then create a PDF and 2 SWF files which will be used to infect your server; from there your site will try to load 94.247.2.195/news/?id=100 and/or 94.247.2.195/news/?id=101. If successful, it will infect your visitor and so on and so on. It's spreading wildly and last week the count of affected websites was over 20000 (and counting). The only remedy is to wipe out everything on your server, change passwords and such. Just take a look at your PHP files: it will append to most (or all) PHP files containing index or config in the name, which makes WordPress, Drupal and Joomla extremely vulnerable.

Just look for this (don't worry, it's just a tiny bit of the code, but enough to find out) in your hosted files:

Code:
<?php if(!function_exists('tmp_lkojfghx'))
In WP you'll find it in index.php for sure; if you don't have it, you're safe.

It's not confirmed if it attacks databases, and some people say it also attacks FileZilla, so be careful.
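A read-only check for the two indicators named in the post, as an added example (not code from the post or its author): it walks a web root and flags .php files containing the `tmp_lkojfghx` marker, plus .php/.js files that reference `94.247.2.195/news/`. The sample files are constructed, and matching the host in clear text is an assumption that an obfuscated injection would defeat.

```python
import tempfile
from pathlib import Path

# Indicators quoted in the post; HOST_MARKER assumes the host appears in clear text.
PHP_MARKER = b"function_exists('tmp_lkojfghx')"
HOST_MARKER = b"94.247.2.195/news/"
HEAD_BYTES = 4096  # the post says the PHP code sits at the start of the file


def scan_file(path):
    """Return the findings for one .php or .js file (empty list if clean)."""
    data = path.read_bytes()
    findings = []
    pos = data.find(PHP_MARKER)
    if path.suffix.lower() == ".php" and pos != -1:
        findings.append("php-marker@" + ("head" if pos < HEAD_BYTES else "body"))
    if HOST_MARKER in data:
        findings.append("host-reference")
    return findings


def scan_tree(root):
    """Map relative path -> findings for every flagged file under root."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in (".php", ".js"):
            if found := scan_file(path):
                hits[path.relative_to(root).as_posix()] = found
    return hits


def build_sample_tree(root):
    """Write constructed sample files (placeholders, not captured malware)."""
    samples = {
        "index.php": b"<?php if(!function_exists('tmp_lkojfghx')){ } ?>\n<?php echo 1;",
        "about.php": b"<?php echo 'about';",
        "js/menu.js": b"var m = 1;\n// constructed line: 94.247.2.195/news/?id=100",
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
```

Point `scan_tree` at a copy or backup of the document root; a hit only locates affected files and does not replace the wipe and password change the post recommends.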