GoFuckYourself.com - Adult Webmaster Forum
Old 06-22-2006, 03:21 PM   #1
fedfest
Confirmed User
 
Join Date: May 2002
Posts: 1,334
Fuck!! My websites were hacked - anyone here that can read code?

Got a mail from a surfer saying that his virus blocker went nuts on my front page, so I checked it out and sure enough, buried in the HTML of the index file there's a string of java code that does not belong

Checked all sites and found it on 2 other pages too, so looks like some fucker hacked into the server and placed the code.. Talking with host about that now.

What I really would like to find out is what this code does, and if it leaves some trail, like to a website or something, so that I can maybe track down who's behind this.. only most of it looks like this "%99%C1%CA%D7%BD%D0%D1%DA%C9%..." so I have no clue what to make of it.. Any script whizzes that can help?

Old 06-22-2006, 03:23 PM   #2
EdgeXXX
Confirmed User
 
 
Join Date: Nov 2005
Location: Secretely plotting a hostile takeover
Posts: 5,816
Yeah, gimme a few minutes and I'll help you out
__________________
.
.
.
.

I have a sig
Old 06-22-2006, 03:26 PM   #3
fedfest
Confirmed User
 
Join Date: May 2002
Posts: 1,334
Quote:
Originally Posted by EdgeXXX
Yeah, gimme a few minutes and I'll help you out
Awesome.. Really want to nail those fuckers if there's any chance of doing so
Old 06-22-2006, 03:30 PM   #4
frank7799
Confirmed User
 
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
Quote:
Originally Posted by fedfest
Got a mail from a surfer saying that his virus blocker went nuts on my front page, so I checked it out and sure enough, buried in the HTML of the index file there's a string of java code that does not belong

Checked all sites and found it on 2 other pages too, so looks like some fucker hacked into the server and placed the code.. Talking with host about that now.

What I really would like to find out is what this code does, and if it leaves some trail, like to a website or something, so that I can maybe track down who's behind this.. only most of it looks like this "%99%C1%CA%D7%BD%D0%D1%DA%C9%..." so I have no clue what to make of it.. Any script whizzes that can help?

Did it start like that?

e = '0x00' + '22';str1 = (...)

I got the same one. It's a trojan which has to be uploaded through ftp. If it's the same source code (javascript), you should change your ftp logins at once. Don't use the same login and pw combination for ftp and for sponsor sites.
Old 06-22-2006, 03:32 PM   #5
High Plains Drifter
Confirmed User
 
 
Join Date: Jun 2005
Location: ♠ ♣ ♥
Posts: 2,341
Do a search, there were a lot of threads about this last month. If it's the same exploit, the CMS you're using has a vulnerability. And it's javascript, not java ;)
Old 06-22-2006, 03:34 PM   #6
EdgeXXX
Confirmed User
 
 
Join Date: Nov 2005
Location: Secretely plotting a hostile takeover
Posts: 5,816
Ok, is the hacked version of the page still online (if so, what is the URL)?
__________________
.
.
.
.

I have a sig
Old 06-22-2006, 03:35 PM   #7
V_RocKs
Damn Right I Kiss Ass!
 
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409
Tripping balls.
Old 06-22-2006, 03:37 PM   #8
aico
Moo Moo Cow
 
Join Date: Mar 2004
Location: Washington State
Posts: 14,748
was it the same as this?: http://www.gofuckyourself.com/showthread.php?t=624482
Old 06-22-2006, 03:37 PM   #9
frank7799
Confirmed User
 
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
Change your FTP password, remove the script at the bottom of the page that runs the iframe:

[code=trojan stuff on your pages]
<script language="JavaScript">
e = '0x00' + '22';str1 = "%99%C1%CA%
blah blah blah
</script>
[/code]

You might have your host run a check to see what other files were modified at the same time. Pattern to look for is:

Login, Get File, Put File, Get File, Put File, Logout

usually no failed password attempts.

Sources for your password leak: People that have installed software for you in the past, anyone that has had FTP access to your machine, possibly any keylogger on your system.

The script forces the installation of a "start.exe" which connects to a site hosted at "inhoster.com". I don't think it's worth contacting them if you have a look at their site.

The sites called us-counter.com and dnv-counter.com belong to a guy from Ukraine and are blacklisted with several records. IPs from the sites and from the hosting company are pretty much the same.
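A defender-side check for the advice above, as an added example that is not code from the thread: it scans a web root for pages carrying the posted script signature and lists the other files modified in the same window, which is what the host is asked to look for. The signature regex, the 60-second window and the constructed sample files are assumptions.

```python
import os
import re
import tempfile

# Signature of the injected block as posted in the thread: a <script> tag,
# e = '0x00' + '22', then str1 = "%..." with a long percent-encoded run.
INJECTED_RE = re.compile(
    r"<script[^>]*>\s*e\s*=\s*'0x00'\s*\+\s*'22'\s*;\s*str1\s*=\s*\""
    r"(?:%[0-9A-Fa-f]{2}){8,}", re.IGNORECASE)
PAGE_EXT = (".html", ".htm", ".php")


def walk_files(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)


def find_injected(root):
    """Return {path: mtime} for every page under root carrying the signature."""
    hits = {}
    for path in walk_files(root):
        if path.lower().endswith(PAGE_EXT):
            with open(path, encoding="utf-8", errors="replace") as fh:
                if INJECTED_RE.search(fh.read()):
                    hits[path] = os.path.getmtime(path)
    return hits


def modified_near(root, hits, window=60):
    """Other files whose mtime falls within `window` seconds of an infected
    page: the 'modified at the same time' set the host should review.
    The 60-second window is an assumption, not from the thread."""
    return {p for p in walk_files(root) if p not in hits
            and any(abs(os.path.getmtime(p) - t) <= window for t in hits.values())}


def demo():
    """Constructed web root: an infected index page, a clean page, and a CGI
    script written in the same FTP session (mtime 15 s after the index)."""
    root = tempfile.mkdtemp()
    injected = ('<html><body>site</body></html>\n<script language="JavaScript">\n'
                'e = \'0x00\' + \'22\';str1 = "%99%C1%CA%D7%BD%D0%D1%DA%C9%AA"\n'
                '</script>\n')
    files = {"index.html": injected,
             "about.html": "<html><body>about</body></html>\n",
             os.path.join("cgi-bin", "count.pl"): "#!/usr/bin/perl\n"}
    base = 1150993260  # constructed timestamp (June 2006)
    offsets = {"index.html": 0, "about.html": -86400,
               os.path.join("cgi-bin", "count.pl"): 15}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (base + offsets[rel], base + offsets[rel]))
    hits = find_injected(root)
    near = modified_near(root, hits)
    relnames = lambda paths: sorted(os.path.relpath(p, root) for p in paths)
    return relnames(hits), relnames(near)
```

Run against a real web root, the first list is what to restore from a clean copy and the second is what to hand the host together with the FTP log for that time span.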
Old 06-22-2006, 03:38 PM   #10
fedfest
Confirmed User
 
Join Date: May 2002
Posts: 1,334
Quote:
Originally Posted by m4yadult
Did it start like that?

e = '0x00' + '22';str1 = (...)

I got the same one. It's a trojan which has to be uploaded through ftp. If it's the same source code (javascript), you should change your ftp logins at once. Don't use the same login and pw combination for ftp and for sponsor sites.
Yes.. Started exactly like that

Have a very unique login combination for ftp, not used anywhere else.. Only did share with the most necessary people (Billings etc.) so kinda "hope" it was hacked.. Still going to change it now of course :o(
Old 06-22-2006, 03:39 PM   #12
fedfest
Confirmed User
 
Join Date: May 2002
Posts: 1,334
Quote:
Originally Posted by EdgeXXX
Ok, is the hacked version of the page still online (if so, what is the URL)?
No, changed it back to the original.. But code is here http://www.3xvid.com/fuckers.html
Hope you can make anything out of it that can help trace who put it there
Old 06-22-2006, 03:44 PM   #13
L0rdJuni0r
Confirmed User
 
Join Date: Oct 2004
Location: Cancun, Mexico
Posts: 5,883
That sucks man. I hope you get it fixed soon...
__________________
Affordable video and picture editing.
junior[at]jampackproductions[DOT]com
ICQ: 605429331
Old 06-22-2006, 03:46 PM   #14
pornguy
Too lazy to set a custom title
 
Join Date: Mar 2003
Location: Homeless
Posts: 62,911
Also ask Smokey the bear about it. He has helped a few people with similar issues.
__________________
PornGuy skype me pornguy_epic

AmateurDough The Hottes Shemales online!
TChicks.com | Angeles Cid | Mariana Cordoba | MAILERS WELCOME!
Old 06-22-2006, 03:46 PM   #15
fedfest
Confirmed User
 
Join Date: May 2002
Posts: 1,334
Quote:
Originally Posted by aico
Doesn't look like the same.. but thanks
Old 06-22-2006, 03:48 PM   #16
fedfest
Confirmed User
 
Join Date: May 2002
Posts: 1,334
Quote:
Originally Posted by pornguy
Also ask Smokey the bear about it. He has helped a few people with issues similar.
Yeah, he does seem to be a whizz with stuff like that.. Don't understand a damn bit about it myself *lol*
Old 06-22-2006, 03:49 PM   #17
frank7799
Confirmed User
 
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
Quote:
Originally Posted by fedfest
Yes.. Started exactly like that

Have a very unique login combination for ftp, not used anywhere else.. Only did share with the most necessary people (Billings etc.) so kinda "hope" it was hacked.. Still going to change it now of course :o(
I'm pretty sure it wasn't hacked. I went through the logfiles with the tech of my hosting company and no attacks could be found. So it must have been someone knowing the user / pw combination.
Old 06-22-2006, 03:50 PM   #18
FLAiR
Confirmed User
 
Join Date: Jun 2006
Location: England
Posts: 250
Get your server admin to protect your tmp folder.. run in shell to make it secure.. (so no files can be put in) I'll find you the command in a sec
Old 06-22-2006, 03:54 PM   #19
fedfest
Confirmed User
 
Join Date: May 2002
Posts: 1,334
Quote:
Originally Posted by m4yadult
Change your FTP password, remove the script at the bottom of the page that runs the iframe:

[code=trojan stuff on your pages]
<script language="JavaScript">
e = '0x00' + '22';str1 = "%99%C1%CA%
blah blah blah
</script>
[/code]

You might have your host run a check to see what other files were modified at the same time. Pattern to look for is:

Login, Get File, Put File, Get File, Put File, Logout

usually no failed password attempts.

Sources for your password leak: People that have installed software for you in the past, anyone that has had FTP access to your machine, possibly any keylogger on your system.

The script forces the installation of a "start.exe" which connects to a site hosted at "inhoster.com". I don't think it's worth contacting them if you have a look at their site.

The sites called us-counter.com and dnv-counter.com belong to a guy from Ukraine and are blacklisted with several records. IPs from the sites and from the hosting company are pretty much the same.
Thanks a lot.. some very good advice in your posts, I really appreciate that

2 quick questions.
1) What's a keylogger?
2) This "start.exe" file.. does it pull that file from my server, as I can't seem to find such a file?
Old 06-22-2006, 03:54 PM   #20
The Duck
Adult Content Provider
 
Join Date: May 2005
Location: Europe
Posts: 18,243
That sucks man, sorry to hear that.
__________________
Skype Horusmaia
ICQ 41555245
Email [email protected]
Old 06-22-2006, 03:56 PM   #21
FLAiR
Confirmed User
 
Join Date: Jun 2006
Location: England
Posts: 250
Oh and guys, that script isn't the trojan itself.. that just runs the file in your tmp folder.. like I said, get it secured and it will stop the script running the trojan.
Old 06-22-2006, 04:00 PM   #22
frank7799
Confirmed User
 
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
You won't find the "start.exe" on your box. It is installed on the PC of the visitor who visits your website. That's what the script is doing.

A keylogger is a spyware program which monitors and reports nearly every movement on your PC (for example login info and passwords). So you should have a look at your machine as well.
Old 06-22-2006, 04:07 PM   #23
frank7799
Confirmed User
 
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
Quote:
Originally Posted by FLAiR
Get your server admin to protect your tmp folder.. run in shell to make it secure.. (so no files can be put in) I'll find you the command in a sec
I'm not familiar with server administration. Can I do it myself via telnet or SSH, or is it a better choice to ask tech support of my hosting company?
Old 06-22-2006, 04:09 PM   #24
mortenb
Confirmed User
 
 
Join Date: Jul 2004
Location: Denmark ICQ: 7880009
Posts: 2,203
Quote:
Originally Posted by fedfest
No, changed it back to the original.. But code is here http://www.3xvid.com/fuckers.html
Hope you can make anything out of it that can help trace who put it there
The encoded javascript translates into this:
Old 06-22-2006, 04:20 PM   #25
frank7799
Confirmed User
 
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
Quote:
Originally Posted by fedfest
Thanks a lot.. some very good advice in your posts, I really appreciate that
No problem, but I have to admit that I got this information from a very helpful guy on another board and it worked fine for me, so I thought I could repost it here.
Old 06-22-2006, 04:30 PM   #26
Ferrishyn
Registered User
 
Join Date: Nov 2005
Posts: 28
Beat me to it.

Here's the name of the virus if you didn't get that figured out yet
HTML.HelpControl!exploit
Old 06-22-2006, 04:35 PM   #27
Harrison Richard
Confirmed User
 
Join Date: Oct 2005
Posts: 199
What CMS do you use?
__________________
i sale executive summaries of threads
Old 06-22-2006, 04:43 PM   #28
fedfest
Confirmed User
 
Join Date: May 2002
Posts: 1,334
Quote:
Originally Posted by m4yadult
No problem, but I have to admit that I got this information from a very helpful guy on another board and it worked fine for me, so I thought I could repost it here.
Well a big thanks to you both then, and to everyone else here who has been most helpful with this
Old 06-22-2006, 04:48 PM   #29
fedfest
Confirmed User
 
Join Date: May 2002
Posts: 1,334
Quote:
Originally Posted by mortenb
The encoded javascript translates into this:
Can I assume from this that the owner of that site is behind this? Going to http://www.dnv-counter.com/trf/ ..that seems to be only a blank page with a counter though, so what do they get out of that?
Doing some digging, that does seem to tie to the "inhoster.com" site that m4yadult mentioned.
Old 06-22-2006, 04:54 PM   #30
mortenb
Confirmed User
 
 
Join Date: Jul 2004
Location: Denmark ICQ: 7880009
Posts: 2,203
Quote:
Originally Posted by fedfest
Can I assume from this that the owner of that site is behind this? Going to http://www.dnv-counter.com/trf/ ..that seems to be only a blank page with a counter though, so what do they get out of that?
Doing some digging, that does seem to tie to the "inhoster.com" site that m4yadult mentioned.
If you look at the source of that page, you will see that it loads yet another iframe with some more javascript code..
Old 06-22-2006, 04:55 PM   #31
czarina
Webmaster Extraordinaire
 
Join Date: Jul 2002
Location: A beautiful beach...
Posts: 10,748
Check all the index pages of all the websites hosted on that server.
It happened to me about a month ago, I was so pissed!