IMPORTANT: any of your servers hitted by this?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • devine
    Confirmed User
    • Jul 2006
    • 620

    #1

    IMPORTANT: any of your servers hitted by this?

    So we were hitted by a fucking trojan that appends a script at the beginning of several php files and at the end of all .js files. This mofo apparently comes on pdf files and some swf using an Acrobat vulnerability. It will then create a pdf and 2 swf files which will be used to infect your server, from there your site will try to load 94.247.2.195/news/?id=100 and/or 94.247.2.195/news/?id=101 . If successful, it will infect your visitor and so on and so on. It's spreading wildly and last week the count of affected websites was over 20000 (and counting). The only remedy is to wipeout everything in your server, change passwords and such, just take a look to your php files, it will append to most (or all) php files containing index or config in the name, which makes Wordpress, Drupal and Joomla extremely vulnerable

    Just look for this (don't worry, it's just a tiny bit of the code, but enough to find out) in your hosted files:

    Code:
    <?php if(!function_exists('tmp_lkojfghx'))
    in WP you'll find it in index.php for sure, if you don't have it, you're safe

    it's not confirmed if it attacks databases and some people says it also attacks filezilla, so be careful
  • LiveDose
    Show Yer Tits!
    • Feb 2002
    • 25792

    #2
    Wow, thanks for the thread.

    Scammer Alert: acer19 acer [email protected] [email protected] Money stolen using PayPal

    Comment

    • devine
      Confirmed User
      • Jul 2006
      • 620

      #3
      no problem, we're researching on what this crap intends to do, will keep you updated, in the meanwhile, no need to panic or anything, just check your files

      Comment

      • ztik
        Confirmed User
        • Aug 2001
        • 5196

        #4
        normally that comes from your computer when you upload things to your server
        .

        Comment

        • mynameisjim
          Confirmed User
          • Aug 2007
          • 2985

          #5
          Originally posted by ztik
          normally that comes from your computer when you upload things to your server
          Yeah, a doctor friend of mine runs a little website that had some code injected into all the pages. I cleaned it all out, but it came back. I cleaned it again and switched servers, and it came back. Then he told me has someone do some minor HTML work now and then. Turns out his computer had some kind of virus that was adding the code when he uploaded via Filezilla. I made him stop uploading and the problem went away. Very strange.
          jim (at) amateursconvert . com Amateurs Convert

          Comment

          • devine
            Confirmed User
            • Jul 2006
            • 620

            #6
            Originally posted by ztik
            normally that comes from your computer when you upload things to your server
            yes, you're right, initially it was uploaded by one of our guys, but after cleaning the infected computer and what we thought all affected files in the server it waited in the server one week or so and then infected everything again. The file that re-infects everything is installed 2 or 3 levels before the affected file, although it seems it's a random behavior. According to most people asking for help, the usual file it looks for to start is jquery.js. We had that file affected, although not sure if it's where it started.

            This trojan is quite obnoxious once you have it in your computer, it will disallow regedit, will fake program uninstall and slow down your computer A LOT, so it's quite easy to know you have it, and as far as I know, it uses several names, although Superantispyware catchs it. Anyway, just letting you guys know since it's spreading fast, at least our headaches may help someone here

            Comment

            Working...