Recent uniqcontent / megacount trojan exploits summary

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • SinSational
    Confirmed User
    • Oct 2004
    • 1723

    #1

    Recent uniqcontent / megacount trojan exploits summary

    The past couple of weeks I've been seeing this exploit happen to more and more people.
    It's either a javascript trojan insertion connecting to uniqcontent.com
    or an iframe trojan insertion connecting to megacount.com
    or both....

    We have had this happen to a couple customers. Unfortunately each fix has been slighly different. Some of the fixes have been:

    Getting rid of a counter
    Getting rid of a 3rd party WordPress template
    Fixing WordPress file permissions

    Below are some of the recent threads started:

    http://www.gfy.com/showthread.php?t=660506

    http://www.gofuckyourself.com/showthread.php?t=661811

    http://www.gofuckyourself.com/showthread.php?t=662380

    http://www.gofuckyourself.com/showthread.php?t=661965

    http://www.gofuckyourself.com/showthread.php?t=662468

    http://www.gofuckyourself.com/showthread.php?t=664196

    Originally people thought this was directly related to WordPress, but it appears to be happening to non WP sites as well.
    There are 4 or 5 hosts mentioned, so this is not host specific.
    Then it was thought to be a cPanel issue, but not everyone is running cPanel.

    dissipate posted these links:
    http://www.securiteam.com/unixfocus/6R0030UH5W.html
    http://www.securiteam.com/unixfocus/6M00315H5S.html

    other suggestions:
    http://www.securityfocus.com/bid/14088/info
    http://www.securityfocus.com/bid/18372


    No one has really followed up with h0w the issue has been resolved.
    I'm basically trying to get all the info in to one thread for any others that may come across this exploit.

    ICQ# 273099174 - monthly specials - 2 Month Free Credit on All Plans - 100% Referrals - chris@ for details
    Virtual from $14.95/month, Dedicated from $149.95/month
    Dual-Core Xeon > 1000GB @ $149.95 | 1500GB @ $169.95 | 10Mbps @ $269.95
  • boneprone
    Hall Of Fame
    • Jan 2001
    • 34415

    #2
    Im VERY much in this with you.........

    Industry Hall Of Fame Legend Mike Jones
    Bow to the Power - Still BP4L
    http://gfyawards.com/hall-of-fame
    Learn about it kids.

    Comment

    • boneprone
      Hall Of Fame
      • Jan 2001
      • 34415

      #3
      Two of my sites were hacked yesterday with this megacount.net expliot hidden and put onto my html pages.

      I want to know how they got in...

      According to Jupiter Hosting whom I host with it appears they simply logged in with a password... Maybe a harvester or something or keystroke logger.

      But with the epidemic of sites that got hacked in the past few days, Im thinking there must be some security hole somewhere that we dont know about.

      Im aware of the assumptions of cpanel and wordpress and the others. None of that applies to me...

      Again, I dont know how they got in.

      Industry Hall Of Fame Legend Mike Jones
      Bow to the Power - Still BP4L
      http://gfyawards.com/hall-of-fame
      Learn about it kids.

      Comment

      • boneprone
        Hall Of Fame
        • Jan 2001
        • 34415

        #4
        Im thinking, and have had it suggested to me to upgrade versions of Apache and php....

        There are known security holes in older versions of them, but we have not concluded that this hack is due to any of this...

        Industry Hall Of Fame Legend Mike Jones
        Bow to the Power - Still BP4L
        http://gfyawards.com/hall-of-fame
        Learn about it kids.

        Comment

        • boneprone
          Hall Of Fame
          • Jan 2001
          • 34415

          #5
          As I mentioned my host didnt notice any security breaches.. They noted that someone just logged right in and did this..

          Which brings to mind, I think our local PC's have some trojan on them that is recording our logins, or corrupting files as we upload via ftp.....

          I think this may be more of a local issue rather than a server one??

          What do you think?

          Industry Hall Of Fame Legend Mike Jones
          Bow to the Power - Still BP4L
          http://gfyawards.com/hall-of-fame
          Learn about it kids.

          Comment

          • bl4h
            Confirmed User
            • Jul 2006
            • 1282

            #6
            List what wordpress pluggins you have installed

            its not a vanilla wordpress problem as the exploit isnt *THAT* common

            Comment

            • SinSational
              Confirmed User
              • Oct 2004
              • 1723

              #7
              boneprone isn't running wordpress at all.

              ICQ# 273099174 - monthly specials - 2 Month Free Credit on All Plans - 100% Referrals - chris@ for details
              Virtual from $14.95/month, Dedicated from $149.95/month
              Dual-Core Xeon > 1000GB @ $149.95 | 1500GB @ $169.95 | 10Mbps @ $269.95

              Comment

              • Calvinguy
                Confirmed User
                • Oct 2002
                • 1752

                #8
                Anyone without thirdparty software/scripts who got infected?

                Comment

                • Dirty Dane
                  Sick Fuck
                  • Feb 2004
                  • 9491

                  #9
                  Originally posted by Calvinguy
                  Anyone without thirdparty software/scripts who got infected?
                  Got it on one static site. Shared server though.

                  Comment

                  • SinSational
                    Confirmed User
                    • Oct 2004
                    • 1723

                    #10
                    Originally posted by Dirty Dane
                    Got it on one static site. Shared server though.
                    i'm thinking all it takes is one customer with an old/unpatched install of some script to be able to exploit any site on a shared server.

                    ICQ# 273099174 - monthly specials - 2 Month Free Credit on All Plans - 100% Referrals - chris@ for details
                    Virtual from $14.95/month, Dedicated from $149.95/month
                    Dual-Core Xeon > 1000GB @ $149.95 | 1500GB @ $169.95 | 10Mbps @ $269.95

                    Comment

                    • SinSational
                      Confirmed User
                      • Oct 2004
                      • 1723

                      #11
                      but on the other hand....
                      i was chatting with boneprone and he mentioned that he scanned his computer and found a trojan, and the pages being exploited were ones that he had been working on and had uploaded to his server. so possibly his FTP info was grabbed, or the virus/trojan on his compter was automatically infecting the pages as he uploaded.

                      ICQ# 273099174 - monthly specials - 2 Month Free Credit on All Plans - 100% Referrals - chris@ for details
                      Virtual from $14.95/month, Dedicated from $149.95/month
                      Dual-Core Xeon > 1000GB @ $149.95 | 1500GB @ $169.95 | 10Mbps @ $269.95

                      Comment

                      • boneprone
                        Hall Of Fame
                        • Jan 2001
                        • 34415

                        #12
                        Originally posted by SinSational
                        but on the other hand....
                        i was chatting with boneprone and he mentioned that he scanned his computer and found a trojan, and the pages being exploited were ones that he had been working on and had uploaded to his server. so possibly his FTP info was grabbed, or the virus/trojan on his compter was automatically infecting the pages as he uploaded.
                        My assumption was wrong.. I thought I had it pinned down.. But it appears a file also on nudedorms.com another domain on the server was also infected..

                        I had not uploaded anything to that domain.....

                        So my theory is shot..

                        Back to step 1.

                        Industry Hall Of Fame Legend Mike Jones
                        Bow to the Power - Still BP4L
                        http://gfyawards.com/hall-of-fame
                        Learn about it kids.

                        Comment

                        • Dirty Dane
                          Sick Fuck
                          • Feb 2004
                          • 9491

                          #13
                          Originally posted by boneprone
                          My assumption was wrong.. I thought I had it pinned down.. But it appears a file also on nudedorms.com another domain on the server was also infected..

                          I had not uploaded anything to that domain.....

                          So my theory is shot..

                          Back to step 1.
                          Neither had I. In fact 4 months without uploading anything.

                          Comment

                          • boneprone
                            Hall Of Fame
                            • Jan 2001
                            • 34415

                            #14
                            My server Support guy:

                            "Founnd nudedorms.com/htdocs/aff/geoip.php - r57shell exploit. dated Oct 8, 8:56am
                            I renamed it from geoip.php to geoip.php.txt so it cant be executed, but we can read it. I already made a copy for myself, so delete it if you want.
                            http://nudedorms.com/aff/geoip.php.txt

                            It was owned by webmaster, and not the apache user, so it wasnt a php exploit.

                            A corresponding login during that time was from as the user MuratAT3, Gavin suspected that was one of the hackers IPs,

                            So if it was a weak password, and they guessed it, thats one way they could have done this. Or maybe they somehow got the password via some other way, but one thing is for sure, they just straight up logged in and knew the password, then uploaded their junk. "

                            They are convinced the server wasnt comprimised... But that indeed the hacker got his login and pass from some other means and simply walked on in with info on hand..

                            And It couldnt have been a corrupt file that I uploaded, casue I never used the username MuratAT3.. ITs an old user name to the box.

                            Naturally its been removed by now.. But thats what these guys used so it seems.

                            Industry Hall Of Fame Legend Mike Jones
                            Bow to the Power - Still BP4L
                            http://gfyawards.com/hall-of-fame
                            Learn about it kids.

                            Comment

                            • Makingcoin
                              Confirmed User
                              • Aug 2002
                              • 8919

                              #15
                              Hope you get this resolved guys

                              www.MAKINGCOIN.com

                              icq. 166-662-831
                              "Start making large coin!"


                              Daddy I Get Paid To Be A Whore - Coming Soon

                              Comment

                              • sandman!
                                Icq: 14420613
                                • Mar 2001
                                • 15431

                                #16
                                i just had an account on a shared server running hsphere hacked and megacount added

                                tech is working on finding the hole they got in thru.

                                only one account was hacked tho not the whole server.
                                Need WebHosting ? Email me for some great deals [email protected]

                                Comment

                                • Calvinguy
                                  Confirmed User
                                  • Oct 2002
                                  • 1752

                                  #17
                                  Originally posted by boneprone
                                  My server Support guy:

                                  "Founnd nudedorms.com/htdocs/aff/geoip.php - r57shell exploit. dated Oct 8, 8:56am

                                  http://nudedorms.com/aff/geoip.php.txt
                                  That script is evil

                                  Comment

                                  • RobV
                                    Confirmed User
                                    • Oct 2005
                                    • 111

                                    #18
                                    I am still a bit confused by it all.

                                    My hosting company (webair) stated that someone had just logged in with my info.

                                    This was my first inital thought and had changed the password, my account was still hacked after this.

                                    My password was changed again and now nothing has happend.

                                    At all times I had anti virus/trojan/spywear programs running and had scan my system at least 1 time per week and nothing was found.

                                    Also - at some times that my site was hacked I did nothing to the site, shut my computers off and took a vacation. But most of the time it was hacked I never even uploaded anything I would just write posts in the blog.
                                    ICQ: 619221

                                    Comment

                                    • SinSational
                                      Confirmed User
                                      • Oct 2004
                                      • 1723

                                      #19
                                      ok, so 2 times it has been said that someone had logged in to the account and uploaded the infected files.

                                      ICQ# 273099174 - monthly specials - 2 Month Free Credit on All Plans - 100% Referrals - chris@ for details
                                      Virtual from $14.95/month, Dedicated from $149.95/month
                                      Dual-Core Xeon > 1000GB @ $149.95 | 1500GB @ $169.95 | 10Mbps @ $269.95

                                      Comment

                                      • SinSational
                                        Confirmed User
                                        • Oct 2004
                                        • 1723

                                        #20
                                        i just read on one of the other boards about someone having the same issue. This is what they said:

                                        "ok here is what my hosting company says:
                                        I checked your login history and I see logins from several different
                                        addresses, in addition, in the index.html on domain.com it
                                        looks like it contains malicious javascript.

                                        What I'm guessing happened was someone got your password somehow, then
                                        modified your index pages to include this. You can go in and delete it
                                        from the index pages."

                                        ICQ# 273099174 - monthly specials - 2 Month Free Credit on All Plans - 100% Referrals - chris@ for details
                                        Virtual from $14.95/month, Dedicated from $149.95/month
                                        Dual-Core Xeon > 1000GB @ $149.95 | 1500GB @ $169.95 | 10Mbps @ $269.95

                                        Comment

                                        • SinSational
                                          Confirmed User
                                          • Oct 2004
                                          • 1723

                                          #21
                                          i'm seeing some new domains now:

                                          clvcnt.com/nmd/trf/ (DON'T load this, it tries to download a trojan)
                                          clvcnt.com/nmd/trf/gc2/

                                          ICQ# 273099174 - monthly specials - 2 Month Free Credit on All Plans - 100% Referrals - chris@ for details
                                          Virtual from $14.95/month, Dedicated from $149.95/month
                                          Dual-Core Xeon > 1000GB @ $149.95 | 1500GB @ $169.95 | 10Mbps @ $269.95

                                          Comment

                                          • Solid Bob
                                            Confirmed User
                                            • Apr 2006
                                            • 1213

                                            #22
                                            xmlrpc no?
                                            [email protected]

                                            Comment

                                            • SinSational
                                              Confirmed User
                                              • Oct 2004
                                              • 1723

                                              #23
                                              i believe the trojan downloads:

                                              sploit.anr and xpl.wmf

                                              but the issue is how peoples pages are being altered with the code

                                              ICQ# 273099174 - monthly specials - 2 Month Free Credit on All Plans - 100% Referrals - chris@ for details
                                              Virtual from $14.95/month, Dedicated from $149.95/month
                                              Dual-Core Xeon > 1000GB @ $149.95 | 1500GB @ $169.95 | 10Mbps @ $269.95

                                              Comment

                                              • Machete_
                                                WINNING!
                                                • Oct 2002
                                                • 14579

                                                #24
                                                My webair accounts are still clean after the update. Imagine how many computers is infected now.

                                                Im sure we will see a drop in sales, because its likely that the Trojan is replacing the affiliate-codes.

                                                I think its quite targeted these attacks. ONLY my adult sites have been touched. Its like they scanned for sites that link to selected affiliate programs.

                                                Comment

                                                • SinSational
                                                  Confirmed User
                                                  • Oct 2004
                                                  • 1723

                                                  #25
                                                  Originally posted by ebus_dk
                                                  My webair accounts are still clean after the update. Imagine how many computers is infected now.

                                                  Im sure we will see a drop in sales, because its likely that the Trojan is replacing the affiliate-codes.

                                                  I think its quite targeted these attacks. ONLY my adult sites have been touched. Its like they scanned for sites that link to selected affiliate programs.
                                                  what did you have updated?

                                                  ICQ# 273099174 - monthly specials - 2 Month Free Credit on All Plans - 100% Referrals - chris@ for details
                                                  Virtual from $14.95/month, Dedicated from $149.95/month
                                                  Dual-Core Xeon > 1000GB @ $149.95 | 1500GB @ $169.95 | 10Mbps @ $269.95

                                                  Comment

                                                  • Machete_
                                                    WINNING!
                                                    • Oct 2002
                                                    • 14579

                                                    #26
                                                    Originally posted by SinSational
                                                    what did you have updated?
                                                    PhP and CPanel was patched

                                                    Comment

                                                    • spasmo
                                                      Confirmed User
                                                      • Dec 2005
                                                      • 2678

                                                      #27
                                                      It appears to be another spin on an old php exploit with phpSecurePages.

                                                      I'd be interested in knowing if there were any machines hit that did *not* have a copy of the file secure.php anywhere on their server.

                                                      Here is another version of the one that hit boneprone...from Iranian hackers.

                                                      http://www.milw0rm.com/exploits/2452

                                                      Though the above link is safe, I do not recommend going to any links found in that code (or any other exploit code for that matter).

                                                      Surfers: Go here for hot babes.

                                                      Comment

                                                      • tranza
                                                        ICQ: 197-556-237
                                                        • Jun 2003
                                                        • 57559

                                                        #28
                                                        Damn, I'm sorry to hear that...

                                                        I hope you can fix everything...
                                                        I'm just a newbie.

                                                        Comment

                                                        • SinSational
                                                          Confirmed User
                                                          • Oct 2004
                                                          • 1723

                                                          #29
                                                          added info/suggestions...

                                                          http://www.gofuckyourself.com/showthread.php?t=666473

                                                          ICQ# 273099174 - monthly specials - 2 Month Free Credit on All Plans - 100% Referrals - chris@ for details
                                                          Virtual from $14.95/month, Dedicated from $149.95/month
                                                          Dual-Core Xeon > 1000GB @ $149.95 | 1500GB @ $169.95 | 10Mbps @ $269.95

                                                          Comment

                                                          • JD
                                                            Too lazy to set a custom title
                                                            • Sep 2003
                                                            • 22651

                                                            #30
                                                            buuuuump just got hit AGAIN today

                                                            Comment

                                                            Working...