Greenguy's Board > Link Lists & Getting Listed
Old 2006-02-08, 04:40 PM   #1
tranza
A woman is like beer. They look good, they smell good, and you'd step over your own mother just to get one!
 
Join Date: Feb 2004
Location: Brasil!!!
Posts: 59
Anyone else getting viruses and trojans at The Red Cherry?

After I submit any freesite to The Red Cherry I get TONS of virus and trojan warnings from Norton Anti Virus.

Here's the site: http://www.theredcherry.com/

Anyone else getting this? (not on the main page, but after you hit the submit button)
__________________
ICQ: 197-556-237 | E-mail me
Old 2006-02-08, 05:00 PM   #2
Simon
That which does not kill us, will try, try again.
Join Date: Aug 2003
Location: Conch Republic
Posts: 5,150
Might be related to the hacking that Virgina posted about here...
http://www.greenguysboard.com/board/...ad.php?t=28637
__________________
"If you're happy and you know it, think again." -- Guru Pitka
Old 2006-02-08, 05:01 PM   #3
LowryBigwood
Don't get discouraged; it's usually the last key that opens the lock...
Join Date: Aug 2003
Location: Dallas, Tx
Posts: 1,203
I haven't submitted there in a week or two, but never got anything like that, and am running Norton Antivirus 2006.

Is this a recent thing or has it been ongoing?
__________________
Free Porn Buddy | Porn Buddy Blog
Old 2006-02-08, 05:22 PM   #4
tranza
A woman is like beer. They look good, they smell good, and you'd step over your own mother just to get one!
 
Join Date: Feb 2004
Location: Brasil!!!
Posts: 59
Quote:
Originally Posted by LowryBigwood
I haven't submitted there in a week or two, but never got anything like that, and am running Norton Antivirus 2006.

Is this a recent thing or has it been ongoing?
Pretty recent; until Friday last week I didn't notice anything wrong. I think I noticed this Monday or yesterday, but hadn't figured out which site since it always crashed my system.
__________________
ICQ: 197-556-237 | E-mail me
Old 2006-02-08, 09:02 PM   #5
RedCherry
Of all the things I've lost, I miss my mind the most.
Join Date: Apr 2004
Location: Middle of the Desert, Pahrump, NV
Posts: 3,187
Welcome to my bloody nightmare. I got hacked on 2/4/06 on all 3 of my link lists, several of my straight domains, plus they took down my content program, the BASTARDS. I didn't realize that they had placed pages with downloadable trojans on the site until today.

As of about 1pm PST, as far as phatservers and I can tell, we got every file they have changed off the servers.

I'm in the process of switching over to DragonLinks for the link lists, but don't have that ready to switch to yet; I've been dealing with finding and deleting all their defacements and files they placed on my server. On ONE domain I had a printout of over 40 pages of files they had changed.


I NEVER EVER want to go through this again, never had anything like this happen to me before...and we still don't know how they got in my box, although I have some suspicions it was a particular script they exploited I was using for a blog/newsletter type script.

I'm VERY sorry for anyone that visited and got any kind of trojan alerts on the link lists, I feel very very bad about that.
Old 2006-02-08, 09:06 PM   #6
RedCherry
Of all the things I've lost, I miss my mind the most.
Join Date: Apr 2004
Location: Middle of the Desert, Pahrump, NV
Posts: 3,187
If any of you have any problems from here forward, please ICQ me ASAP at 474-199. Like I said, I've tried to go over every domain, every file, and make sure we got them all, but I could have missed something.
Old 2006-02-08, 11:05 PM   #7
MrYum
Arghhhh...submit yer sites ya ruddy swabs!
Join Date: May 2004
Location: Sunny Florida!
Posts: 5,108
Damn that sucks V...really sorry to hear it

Had a box hacked a few years ago...cocksuckers completely wiped my sites...EVERYTHING. But, it got worse before it got better as the host I had at the time was completely inept. As soon as I uploaded everything...the fuckers got back in and wiped it again! This went on for over a week...needless to say, I dumped that host immediately thereafter

Good luck on the recovery darlin...hope you're on the top side of things now

Oh, from your other thread...I've heard nothing but great things about Dragon List
Old 2006-02-08, 11:20 PM   #8
RedCherry
Of all the things I've lost, I miss my mind the most.
Join Date: Apr 2004
Location: Middle of the Desert, Pahrump, NV
Posts: 3,187
This is the image they had on the hacked page, maybe someone will recognize the tag.


I changed the name of the file when I reuploaded it, so they don't find it and cheer or whatever these cocksuckers do.

Last edited by cd34; 2006-02-09 at 01:19 AM.. Reason: removed image link
Old 2006-02-08, 11:23 PM   #9
RedCherry
Of all the things I've lost, I miss my mind the most.
Join Date: Apr 2004
Location: Middle of the Desert, Pahrump, NV
Posts: 3,187
Quote:
Originally Posted by MrYum
Damn that sucks V...really sorry to hear it

Had a box hacked a few years ago...cocksuckers completely wiped my sites...EVERYTHING. But, it got worse before it got better as the host I had at the time was completely inept. As soon as I uploaded everything...the fuckers got back in and wiped it again! This went on for over a week...needless to say, I dumped that host immediately thereafter

Good luck on the recovery darlin...hope you're on the top side of things now

Oh, from your other thread...I've heard nothing but great things about Dragon List
I'm sooooo afraid of them coming back!
Old 2006-02-08, 11:26 PM   #10
RedCherry
Of all the things I've lost, I miss my mind the most.
Join Date: Apr 2004
Location: Middle of the Desert, Pahrump, NV
Posts: 3,187
Holy Crap! these guys have a home page, with a phone number on it that says if you are experiencing network security problems that are clearly originating from them, call us at blah blah. The fucking NERVE!

I am not going to name them or link to them here, and please don't anyone else. Just look at what is on that image, it is easy to find.
Old 2006-02-08, 11:44 PM   #11
MrYum
Arghhhh...submit yer sites ya ruddy swabs!
Join Date: May 2004
Location: Sunny Florida!
Posts: 5,108
Quote:
Originally Posted by RedCherry
Holy Crap! these guys have a home page, with a phone number on it that says if you are experiencing network security problems that are clearly originating from them, call us at blah blah. The fucking NERVE!

I am not going to name them or link to them here, and please don't anyone else. Just look at what is on that image, it is easy to find.
Unfuckinbelievable

As to them coming back...you're with a pretty good host...I suspect they've got you locked down now

The ONLY reason the asshats got back into my server was my host was completely inept. I'd suspected it before the hack, but afterwards I had someone log in and look at my server. The idiots hadn't installed several patches that had been out for months, so I was a hack waiting to happen. Oddly enough...I just checked...and that host is still in business though...that's fuckin shocking.
Old 2006-02-08, 11:58 PM   #12
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
url removed

Here are your boys.

Typically they don't attack FreeBSD boxes, so I am wondering if they planted it there to gain recognition, but it wasn't a sanctioned hack. Have your host save all of their logs on that machine. That box is running an old compromisable sshd and a potentially compromisable bind -- unless someone has hacked the scripts to return false versions, but then, a production machine is no place for a honeypot.

You need to look over any open source software you have on that machine -- the way this particular script works is that it is run from a php script that wgets code that is then executed. That program goes up as far as it can and searches the entire disk for any file that it can write -- and then tries to cleanly write to the pages -- a strong case for NOT running apache setuid.

Any file that is writeable by apache can then be overwritten -- as you have seen. I don't know what software you're running, but, commonly wordpress, phpbb, phpmyadmin, some cms software have had holes that allow this. Depending on the version of php running and how the machine is configured, you'll probably find a number of entry points.

You should also search for any script containing passthru|system|exec for angelshell/phpshell/etc. That will probably have been dropped in many locations on the server. There are also scripts that may be dropped in place that mimic other filenames that exec $_ENV variables -- the first search will probably find those.

Securing a box that has been hacked is much harder than reloading things with known good routines. Once a box has been hacked, it's a constant thing. Have your host figure out what the entry point was -- I would start by searching the apache error logs for wget/lynx/GET executed and then figure out by time what scripts were called that could have executed that. Also check /tmp and /var/tmp for the remnants of other botscripts that allow remote access into the machine.

Until you find the entry point, that box will be continually compromised, or could be running a bot allowing them free rein on the box. Have your host check every process that is running -- especially those listening on ports. I wouldn't be surprised to find a few daemons listening on higher ports allowing shell access into the machine.

Good luck with it. It's never fun to recover from things like that.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
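The checklist in cd34's post (grep for shell-execution calls, find what the httpd user can write, look for wget/lynx-style fetches in the logs, check the scratch directories and listening sockets) written out as a read-only triage script. This is an added example for this thread, not code from the post, from RedCherry's host, or from any tool the thread names. The webroot and log paths, the `www` httpd user, and the sample request lines in the usage comment are assumptions; the BSD `sockstat` / Linux `ss` fallbacks are the tools a practitioner would reach for on those platforms.

```shell
#!/bin/sh
# Added example: post-compromise triage helpers in the spirit of cd34's checklist.
# Illustrative code for this thread only; nothing here comes from the post or the host.
# Assumed usage (paths and user are assumptions, FreeBSD-style defaults):
#   sh triage.sh /usr/local/www/data /var/log/httpd-access.log www
# Everything is read-only: it lists candidates for a human to review, it does not
# clean anything. Preserve the logs before you touch the box.

# 1. PHP/inc files that call a shell-execution function: candidates for a dropped
#    webshell (angelshell, phpshell and friends) or a script that hands
#    user-controlled input to the shell. The leading class keeps "executable"
#    or "system_name(" from matching.
find_shell_candidates() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) -exec grep -lE \
        '(^|[^A-Za-z0-9_])(passthru|system|exec|shell_exec|popen|proc_open)[[:space:]]*\(' \
        {} + 2>/dev/null | sort
}

# 2. Files the httpd user can write: owned by that user and owner-writable, or
#    group/world-writable. Every file listed is a defacement target.
#    $1 = directory, $2 = user the web server runs as (www, www-data, apache...)
find_writable_by() {
    find "$1" -type f \( \( -user "$2" -perm -200 \) -o -perm -020 -o -perm -002 \) -print | sort
}

# 3. Log lines that look like remote file inclusion or a fetch of attacker code:
#    a URL supplied as a query parameter, wget/lynx/curl/fetch inside a request,
#    or wget's "--HH:MM:SS--  URL" banner, which typically lands in error_log when
#    a PHP script shells out to wget. Works on access and error logs alike.
suspicious_requests() {
    grep -E '(wget|lynx|curl|fetch)(%20|[+]| )|=(https?|ftp)(://|%3[Aa]%2[Ff]%2[Ff])|--[0-9]{2}:[0-9]{2}:[0-9]{2}--' "$1"
}

# 4. Scratch directories where bot scripts are usually dropped: hidden files,
#    Perl/shell scripts, or anything executable.
list_tmp_dropzones() {
    for d in /tmp /var/tmp /dev/shm; do
        [ -d "$d" ] && find "$d" -type f \( -name '.*' -o -name '*.pl' -o -name '*.sh' -o -perm -100 \) -print 2>/dev/null
    done
    return 0
}

# 5. Listening sockets: a bot shell bound to a high port shows up here.
#    sockstat is the FreeBSD tool; ss/netstat are the Linux fallbacks.
list_listeners() {
    if command -v sockstat >/dev/null 2>&1; then sockstat -l
    elif command -v ss >/dev/null 2>&1; then ss -ltnp
    else netstat -an | grep -i listen
    fi
}

triage_report() {
    echo "== shell-function calls under $1 ==";  find_shell_candidates "$1"
    echo "== files writable by $3 under $1 ==";  find_writable_by "$1" "$3"
    echo "== suspicious requests in $2 ==";      suspicious_requests "$2"
    echo "== scratch-directory droppings ==";    list_tmp_dropzones
    echo "== listening sockets ==";              list_listeners
}

# Only run the full report when all three arguments are given, so the file can
# also be sourced for its functions.
if [ "$#" -eq 3 ]; then
    triage_report "$1" "$2" "$3"
fi
```

Correlating the timestamps of the hits from step 3 with the scripts named in those requests is what points at the entry point cd34 asks the host to find; a hit on its own is a lead, not proof. The rebuild-from-known-good advice in the post still applies once the entry point is known.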
Old 2006-02-09, 01:11 AM   #13
RedCherry
Of all the things I've lost, I miss my mind the most.
Join Date: Apr 2004
Location: Middle of the Desert, Pahrump, NV
Posts: 3,187
Quote:
Originally Posted by cd34
Good luck with it. It's never fun to recover from things like that.
I forwarded your post onto support for my host to have them look at what you suggested thanks.

I also took down that image (I can't seem to edit the post) so that no one else puts up a url to them even for a brief time.