Fucking Megacount iFrame - GoFuckYourself.com

JD · 10-17-2006, 01:14 PM

I just found that fucking pos iframe on 2 sites... I was under the assumption that it was a wordpress exploit but these 2 sites aren't running wp

site 1: Smart Thumbs and ATX
site 2: Smart Thumbs and AT3

Here's the funny thing... A few weeks ago, I installed wordpress on a site and within 10 minutes that megacount iframe was on the main page...

An ftp pw change fixed all 3 sites so far

Lance69 · 10-17-2006, 08:32 PM

That was one every one of my sites the other day! Fuck! "Except" the Wordpress/ABP one. It seemed to be running fine. And only on the index file of my pages as far as I can tell. Gone now, but shit thats fuct.

BiggleJones · 10-17-2006, 08:55 PM

Yup...just found that fucker on one of my sites too. It seemed to only write the iframe code on my TTT-Toplist and AXSLinks templates.

Fuckin Ghey.

madawgz · 10-17-2006, 08:56 PM

wow, this guy is going after everyone...

looky_lou · 10-17-2006, 10:23 PM

Can someone please fill me in on exactly what this is and what it does.

Also, how do you check to see if you have it?

Lance69 · 10-17-2006, 11:11 PM

Basically they load an iframe on your page which tries to load a virus from megacount.net/ somethin somethin...
win32.wordpro some shit like that.
Fucking fucks!!!!

RevSand · 10-17-2006, 11:18 PM

Try blocking all all symlink () php functions

Thats what Sami at http://serverprovider.com/ did for mine and it has not been back since.... If it works then you might want to hit up sami next time you need a new box since the service is excellent and he was the only one able to find a way to make this stop for me..

CaptainHowdy · 10-17-2006, 11:25 PM

!!

boldy · 10-17-2006, 11:49 PM

Got it to a couple of weeks ago, no wordpress or smartthumbs or other software installed, seems a php exploit ir something. If you ask me it has nothing to do with Wordpress.

B.

Naughty-Pages · 10-21-2006, 05:19 AM

Quote:

Originally Posted by SPeRMiNaToR

An ftp pw change fixed all 3 sites so far

Same here...

gofuckyourself.com/showthread.php?t=666473

Problem is, I'm not sure how they got the password to begin with.

Quote:

Originally Posted by madawgz

wow, this guy is going after everyone...

LOL, we wish it was just one guy...

Lance69 · 10-21-2006, 11:16 AM

Quote:

Originally Posted by boldy

Got it to a couple of weeks ago, no wordpress or smartthumbs or other software installed, seems a php exploit ir something. If you ask me it has nothing to do with Wordpress.

B.

I would have to agree, the only domain on my server that "wasn't" affected was my wordpress blog.

remii · 10-21-2006, 11:22 AM

Take a look on your server - maybe you have a file called iframe.php - delete it - change your FTP pass. It should fix your problem.

RawAlex · 10-21-2006, 11:49 AM

Has anyone bothered to allow themselves to be infected to see what the asswipe is up to? I am betting pretty good money that he is the fuckwad sending out all the stock tip pump and dump scam mails right now, using many computers as zombies to do the mailing for him.

I would really be interested to see what the payload really ends up being.

Alex

JD · 10-21-2006, 12:51 PM

Quote:

Originally Posted by RawAlex

Has anyone bothered to allow themselves to be infected to see what the asswipe is up to? I am betting pretty good money that he is the fuckwad sending out all the stock tip pump and dump scam mails right now, using many computers as zombies to do the mailing for him.

I would really be interested to see what the payload really ends up being.

Alex

it always crashes my shit

and I've run spyware scans and virii scans and they never find anything.

btw, site 1 was hit again this morning....

bdld · 10-21-2006, 02:18 PM

got hit on a dozen plus sites too. it reminds me i need to check my sites at least weekly or else i'd never notice these types of things.

bdld · 10-21-2006, 02:18 PM

and its not wordpress, it happened on sites that didnt have wp installed, happened on a wp one too though.

JD · 10-21-2006, 04:42 PM

it's fucking amazing that no one has come up with a fucking solution to this shit yet....

I wonder when the asshole is going to start pushing Zango installs...

King of Queens · 10-21-2006, 06:57 PM

this fucking sucks big time

Kimo · 10-21-2006, 08:03 PM

yeah ive seen this on a bunch of sites lately

ridikuloz · 10-21-2006, 09:11 PM

LOL, I totally ignored your messaged and watched that monkey sig of yours for a good 5 minutes... what the FUCK

JD · 10-22-2006, 01:57 AM

Quote:

Originally Posted by ridikuloz

LOL, I totally ignored your messaged and watched that monkey sig of yours for a good 5 minutes... what the FUCK

JD · 10-24-2006, 07:43 AM

anyone know how to fix this shit? It hit me again this morning. this time a new url http://fdghewrtewrtyrew [DOT] biz

marketsmart · 10-24-2006, 07:43 AM

Quote:

Originally Posted by ridikuloz

LOL, I totally ignored your messaged and watched that monkey sig of yours for a good 5 minutes... what the FUCK

hahahahaha

JD · 10-25-2006, 07:44 AM

happened again today with read only perms on the file.

it's not the symlink thing either. C'mon SOMEONE has to know how to stop this shit.

JD · 10-25-2006, 10:45 AM

buuuuuump

JD · 11-20-2006, 10:33 AM

buuuuump just got hit AGAIN today

RobV · 11-20-2006, 10:59 AM

Quote:

Originally Posted by SPeRMiNaToR

buuuuump just got hit AGAIN today

Just bumping, hopefully someone can figure something out for you.

JD · 11-20-2006, 11:19 AM

thanks rob

Sosa · 11-20-2006, 11:26 AM

had the same thing happen, glad to get it fixed though

Kimo · 11-20-2006, 11:45 AM

this fucker must be stopped!

10-17-2006, 01:14 PM	#1
JD Too lazy to set a custom title Industry Role: Join Date: Sep 2003 Posts: 22,651	Fucking Megacount iFrame I just found that fucking pos iframe on 2 sites... I was under the assumption that it was a wordpress exploit but these 2 sites aren't running wp site 1: Smart Thumbs and ATX site 2: Smart Thumbs and AT3 Here's the funny thing... A few weeks ago, I installed wordpress on a site and within 10 minutes that megacount iframe was on the main page... An ftp pw change fixed all 3 sites so far

10-17-2006, 08:32 PM	#2
Lance69 Confirmed User Join Date: Jan 2005 Location: Vancouver BC Posts: 2,266	That was one every one of my sites the other day! Fuck! "Except" the Wordpress/ABP one. It seemed to be running fine. And only on the index file of my pages as far as I can tell. Gone now, but shit thats fuct. __________________ Sonarcash Competitive Content Shooting Handgasm HD Handjobs Janessa Jordan Ultimate Wife Make Money Fucking Blog ICQ: 307 975 028 lance {at} sonarcash {dot} com (<- Need amateur content? Email or ICQ)

10-17-2006, 08:55 PM	#3
BiggleJones Confirmed User Industry Role: Join Date: Dec 2002 Location: Downtown LA Posts: 2,276	Yup...just found that fucker on one of my sites too. It seemed to only write the iframe code on my TTT-Toplist and AXSLinks templates. Fuckin Ghey. __________________ ICQ-291.596.343

10-17-2006, 08:56 PM	#4
madawgz 8.8.8.8 Industry Role: Join Date: Mar 2006 Location: Noordermarkt Posts: 30,509	wow, this guy is going after everyone... __________________ TAEMDLRMSKRJIXMRLSMRJ.

10-17-2006, 10:23 PM	#5
looky_lou Confirmed User Industry Role: Join Date: Mar 2003 Location: Seattle, WA Posts: 1,771	Can someone please fill me in on exactly what this is and what it does. Also, how do you check to see if you have it? __________________ PUSSY - PUSSY - PUSSY! Wet & Puffy - Wet & Pissy - We Like To Suck Puffy Cash

10-17-2006, 11:11 PM	#6
Lance69 Confirmed User Join Date: Jan 2005 Location: Vancouver BC Posts: 2,266	Basically they load an iframe on your page which tries to load a virus from megacount.net/ somethin somethin... win32.wordpro some shit like that. Fucking fucks!!!! __________________ Sonarcash Competitive Content Shooting Handgasm HD Handjobs Janessa Jordan Ultimate Wife Make Money Fucking Blog ICQ: 307 975 028 lance {at} sonarcash {dot} com (<- Need amateur content? Email or ICQ)

10-17-2006, 11:18 PM	#7
RevSand Confirmed User Industry Role: Join Date: Oct 2003 Location: Porn Valley Posts: 8,151	Try blocking all all symlink () php functions Thats what Sami at http://serverprovider.com/ did for mine and it has not been back since.... If it works then you might want to hit up sami next time you need a new box since the service is excellent and he was the only one able to find a way to make this stop for me.. __________________ BadBitchesGoodWeed Hire me for all your video shooting needs!! Skype = RevSandx

10-17-2006, 11:25 PM	#8
CaptainHowdy Too lazy to set a custom title Industry Role: Join Date: Dec 2004 Location: Happy in the dark. Posts: 93,664	!! __________________ Vacares - Web Hosting, Domains, O365, Security & More - Paxum and BTC Accepted Windows VPS now available Great for TSS, Nifty Stats, remote work, virtual assistants, etc.

10-17-2006, 11:49 PM	#9
boldy Macdaddy coder Industry Role: Join Date: Feb 2002 Location: MacDaddy pimp coder Posts: 2,806	Got it to a couple of weeks ago, no wordpress or smartthumbs or other software installed, seems a php exploit ir something. If you ask me it has nothing to do with Wordpress. B. __________________ MacDaddy Coder.

10-21-2006, 11:22 AM	#12
remii Confirmed User Join Date: Jan 2006 Location: Austria Posts: 226	Take a look on your server - maybe you have a file called iframe.php - delete it - change your FTP pass. It should fix your problem. __________________ NASTYGODCASH - Club Silvia Saint - Club Nella - Teen Pink Traffic

10-21-2006, 11:49 AM	#13
RawAlex So Fucking Banned Join Date: Oct 2003 Location: In a house. Posts: 9,465	Has anyone bothered to allow themselves to be infected to see what the asswipe is up to? I am betting pretty good money that he is the fuckwad sending out all the stock tip pump and dump scam mails right now, using many computers as zombies to do the mailing for him. I would really be interested to see what the payload really ends up being. Alex

10-21-2006, 02:18 PM	#15
bdld $100,000 Join Date: Dec 2001 Posts: 11,452	got hit on a dozen plus sites too. it reminds me i need to check my sites at least weekly or else i'd never notice these types of things.

10-21-2006, 04:42 PM	#17
JD Too lazy to set a custom title Industry Role: Join Date: Sep 2003 Posts: 22,651	it's fucking amazing that no one has come up with a fucking solution to this shit yet.... I wonder when the asshole is going to start pushing Zango installs...

10-21-2006, 06:57 PM	#18
King of Queens Confirmed User Join Date: Aug 2006 Location: Atlanta, Georgia ICQ 276-218-214 Posts: 1,288	this fucking sucks big time __________________ Emails = $3.50 each \| girls gone wild \| Big Booty \| Big Booty Videos

10-21-2006, 08:03 PM	#19
Kimo ... Join Date: Jan 2006 Location: Maryland ICQ:87038677 Posts: 11,542	yeah ive seen this on a bunch of sites lately __________________ ...

10-21-2006, 09:11 PM	#20
ridikuloz Confirmed User Join Date: Jun 2005 Location: ▓NY▓ Posts: 2,080	LOL, I totally ignored your messaged and watched that monkey sig of yours for a good 5 minutes... what the FUCK __________________ Each persons' level of stupidity makes us different.

10-24-2006, 07:43 AM	#22
JD Too lazy to set a custom title Industry Role: Join Date: Sep 2003 Posts: 22,651	anyone know how to fix this shit? It hit me again this morning. this time a new url http://fdghewrtewrtyrew [DOT] biz

10-25-2006, 07:44 AM	#24
JD Too lazy to set a custom title Industry Role: Join Date: Sep 2003 Posts: 22,651	happened again today with read only perms on the file. it's not the symlink thing either. C'mon SOMEONE has to know how to stop this shit.

10-25-2006, 10:45 AM	#25
JD Too lazy to set a custom title Industry Role: Join Date: Sep 2003 Posts: 22,651	buuuuuump

11-20-2006, 10:33 AM	#26
JD Too lazy to set a custom title Industry Role: Join Date: Sep 2003 Posts: 22,651	buuuuump just got hit AGAIN today

11-20-2006, 11:19 AM	#28
JD Too lazy to set a custom title Industry Role: Join Date: Sep 2003 Posts: 22,651	thanks rob

11-20-2006, 11:26 AM	#29
Sosa In Tushy Land Join Date: Oct 2002 Location: Nebraska Posts: 40,149	had the same thing happen, glad to get it fixed though

11-20-2006, 11:45 AM	#30
Kimo ... Join Date: Jan 2006 Location: Maryland ICQ:87038677 Posts: 11,542	this fucker must be stopped! __________________ ...