#1 |
Confirmed User
Join Date: May 2002
Posts: 1,334
|
Got a mail from a surfer saying that his virus blocker went nuts on my front page, so I checked it out and sure enough, buried in the HTML of the index file there's a string of java code that does not belong.
Checked all sites and found it on 2 other pages too, so it looks like some fucker hacked into the server and placed the code.. Talking with the host about that now. What I really would like to find out is what this code does, and if it leaves some trail, like to a website or something, so that I can maybe track down who's behind this.. only most of it looks like this "%99%C1%CA%D7%BD%D0%D1%DA%C9%..." so I have no clue what to make of it.. Any script whizzes that can help?
#2 |
Confirmed User
Join Date: Nov 2005
Location: Secretely plotting a hostile takeover
Posts: 5,816
|
Yeah, gimme a few minutes and I'll help you out
__________________
. . . . I have a sig
#3 | |
Confirmed User
Join Date: May 2002
Posts: 1,334
|
Quote:
#4 | |
Confirmed User
Industry Role:
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
|
Quote:
e = '0x00' + '22';str1 = (...)
I got the same one. It's a trojan which has to be uploaded through ftp. If it's the same source code (javascript), you should change your ftp logins at once. Don't use the same login and pw combination for ftp and for sponsor sites.
#5 |
Confirmed User
Join Date: Jun 2005
Location: ♠ ♣ ♥
Posts: 2,341
|
Do a search, there were a lot of threads about this last month. If it's the same exploit, the CMS you're using has a vulnerability. And it's javascript, not java ;)
#6 |
Confirmed User
Join Date: Nov 2005
Location: Secretely plotting a hostile takeover
Posts: 5,816
|
Ok, is the hacked version of the page still online (if so, what is the URL)?
__________________
. . . . I have a sig
#7 |
Damn Right I Kiss Ass!
Industry Role:
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409
|
Tripping balls.
#8 |
Moo Moo Cow
Join Date: Mar 2004
Location: Washington State
Posts: 14,748
|
was it the same as this?: http://www.gofuckyourself.com/showthread.php?t=624482
#9 |
Confirmed User
Industry Role:
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
|
Change your FTP password, remove the script at the bottom of the page that runs the iframe:
[code=trojan stuff on your pages]
<script language="JavaScript">
e = '0x00' + '22';str1 = "%99%C1%CA% blah blah blah
</script>
[/code]
You might have your host run a check to see what other files were modified at the same time. The pattern to look for is: Login, Get File, Put File, Get File, Put File, Logout, usually with no failed password attempts.

Sources for your password leak: people that have installed software for you in the past, anyone that has had FTP access to your machine, possibly any keylogger on your system.

The script forces the installation of a "start.exe" which connects to a site hosted at "inhoster.com". I don't think it's worth contacting them if you have a look at their site. The sites called us-counter.com and dnv-counter.com belong to a guy from Ukraine and are blacklisted with several records. IPs from the sites and from the hosting company are pretty much the same.
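The log pattern described in the post above (get a file, put it back, repeat, no failed logins) can be searched for mechanically. This is an added example, not part of the original thread: it assumes the FTP daemon writes xferlog-format transfer logs, counts a download followed by an upload of the same path from the same client within 60 seconds as one rewrite, and runs on constructed sample lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in xferlog format (assumed; the thread does not name the
# FTP daemon). Addresses are documentation ranges, paths and user are made up.
SAMPLE_XFERLOG = """\
Mon Jul 10 03:14:02 2006 1 203.0.113.7 4312 /home/site1/public_html/index.html a _ o r webuser ftp 0 * c
Mon Jul 10 03:14:04 2006 1 203.0.113.7 4890 /home/site1/public_html/index.html a _ i r webuser ftp 0 * c
Mon Jul 10 03:14:06 2006 1 203.0.113.7 2950 /home/site2/public_html/index.php a _ o r webuser ftp 0 * c
Mon Jul 10 03:14:07 2006 1 203.0.113.7 3528 /home/site2/public_html/index.php a _ i r webuser ftp 0 * c
Mon Jul 10 09:30:11 2006 2 198.51.100.20 88211 /home/site1/public_html/gallery/pic01.jpg b _ i r webuser ftp 0 * c
Mon Jul 10 09:31:40 2006 1 198.51.100.20 5100 /home/site1/public_html/about.html a _ i r webuser ftp 0 * c
"""

def parse_xferlog(text):
    """Yield one dict per complete xferlog line (18 whitespace-separated fields)."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue  # blank or truncated line
        yield {
            "time": datetime.strptime(" ".join(f[1:5]), "%b %d %H:%M:%S %Y"),
            "host": f[6], "size": int(f[7]), "path": f[8],
            "direction": f[11],  # o = download (get), i = upload (put)
            "user": f[13],
        }

def find_rewrites(text, window=timedelta(seconds=60)):
    """(host, user, path, size_delta) per get-then-put of one path by one client."""
    last_get, hits = {}, []
    for e in parse_xferlog(text):
        key = (e["host"], e["user"], e["path"])
        if e["direction"] == "o":
            last_get[key] = e
        elif e["direction"] == "i" and key in last_get:
            got = last_get.pop(key)
            if e["time"] - got["time"] <= window:
                hits.append((*key, e["size"] - got["size"]))
    return hits

def suspicious_clients(text, min_files=2):
    """Clients that rewrote at least `min_files` files: the Get/Put/Get/Put run."""
    by_client = defaultdict(list)
    for host, user, path, delta in find_rewrites(text):
        by_client[(host, user)].append((path, delta))
    return {c: files for c, files in by_client.items() if len(files) >= min_files}
```

An identical size increase across unrelated files, as in the sample, suggests the same block was appended to each of them.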
#10 | |
Confirmed User
Join Date: May 2002
Posts: 1,334
|
Quote:
Have a very unique login combination for ftp, not used anywhere else.. Only did share it with the most necessary people (Billings etc.) so kinda "hope" it was hacked.. Still going to change it now of course :o(
#12 | |
Confirmed User
Join Date: May 2002
Posts: 1,334
|
Quote:
Hope you can make anything out of it that can help trace who put it there
#13 |
Confirmed User
Industry Role:
Join Date: Oct 2004
Location: Cancun, Mexico
Posts: 5,883
|
That sucks man. I hope u get it fixed soon...
#14 |
Too lazy to set a custom title
Industry Role:
Join Date: Mar 2003
Location: Homeless
Posts: 62,911
|
Also ask Smokey the bear about it. He has helped a few people with issues similar.
#15 | |
Confirmed User
Join Date: May 2002
Posts: 1,334
|
Quote:
#16 | |
Confirmed User
Join Date: May 2002
Posts: 1,334
|
Quote:
#17 | |
Confirmed User
Industry Role:
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
|
Quote:
#18 |
Confirmed User
Join Date: Jun 2006
Location: England
Posts: 250
|
Get your server admin to protect your tmp folder.. run in shell to make it secure.. (so no files can be put in) I'll find you the command in a sec
#19 | |
Confirmed User
Join Date: May 2002
Posts: 1,334
|
Quote:
2 quick questions. 1) What's a keylogger? 2) This "start.exe" file.. does it pull that file from my server, as I can't seem to find such a file?
#20 |
Adult Content Provider
Industry Role:
Join Date: May 2005
Location: Europe
Posts: 18,243
|
That sucks man, sorry to hear that.
#21 |
Confirmed User
Join Date: Jun 2006
Location: England
Posts: 250
|
Oh and guys, that script isn't the trojan itself.. that just runs the file in your tmp folder.. like I said, get it secured and it will stop the script running the trojan.
#22 |
Confirmed User
Industry Role:
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
|
You won't find the "start.exe" on your box. It is installed on the PC of the visitor who visits your website. That's what the script is doing.
A keylogger is a spyware program which monitors and reports nearly every movement on your PC (for example login info and passwords). So you should have a look at your machine as well.
#23 | |
Confirmed User
Industry Role:
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
|
Quote:
#24 | |
Confirmed User
Join Date: Jul 2004
Location: Denmark ICQ: 7880009
Posts: 2,203
|
Quote:
#25 | |
Confirmed User
Industry Role:
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
|
Quote:
#26 |
Registered User
Join Date: Nov 2005
Posts: 28
|
Beat me to it.
Here's the name of the virus if you didn't get that figured out yet: HTML.HelpControl!exploit
#27 |
Confirmed User
Join Date: Oct 2005
Posts: 199
|
What CMS do you use?
__________________
i sale executive summaries of threads |
#28 | |
Confirmed User
Join Date: May 2002
Posts: 1,334
|
Quote:
#29 | |
Confirmed User
Join Date: May 2002
Posts: 1,334
|
Quote:
Doing some digging, that does seem to tie to the "inhoster.com" site that m4yadult mentioned.
#30 | |
Confirmed User
Join Date: Jul 2004
Location: Denmark ICQ: 7880009
Posts: 2,203
|
Quote:
#31 |
Webmaster Extraordinaire
Industry Role:
Join Date: Jul 2002
Location: A beautiful beach...
Posts: 10,748
|
Check all the index pages of all the websites hosted on that server.
It happened to me about a month ago, I was so pissed!
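One way to check every index page under a web root for the kind of block described in this thread, a script tag holding a long string of %XX escapes at the bottom of the page. This is an added example, not part of the original thread; the index file names, the eight-escape threshold and the sample pages are assumptions made for illustration.

```python
import os
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# Eight or more back-to-back %XX escapes; hand-written pages rarely contain that.
ESCAPE_RUN_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")
INDEX_NAMES = {"index.html", "index.htm", "index.php"}  # assumed naming

def find_escaped_scripts(html):
    """Return (offset, escaped_bytes, trailing) for each <script> block that
    carries a long %XX run. `trailing` is True when nothing but whitespace or
    closing tags follows the block, i.e. it sits at the bottom of the page."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        runs = ESCAPE_RUN_RE.findall(m.group(1))
        if runs:
            rest = re.sub(r"</\w+\s*>|\s", "", html[m.end():])
            findings.append((m.start(), sum(len(r) // 3 for r in runs), rest == ""))
    return findings

def scan_tree(root):
    """Map path -> findings for every index page under `root` that has any."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDEX_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:  # never fails to decode
                    found = find_escaped_scripts(fh.read())
                if found:
                    report[path] = found
    return report

# Constructed, harmless stand-in for an injected block: the escapes spell A-Z.
HARMLESS_RUN = "".join("%%%02X" % b for b in range(0x41, 0x5B))
SAMPLE_INFECTED = ("<html><body><p>hello</p>\n"
                   '<script language="JavaScript">str1 = "' + HARMLESS_RUN + '";</script>\n'
                   "</body></html>\n")
SAMPLE_CLEAN = "<html><body><script>var u = '/a%20b.html';</script></body></html>"
```

Since the original poster found the code on two other pages as well, widening INDEX_NAMES to every served page type is a reasonable next step once the index pages are clean.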