Greenguy's Board


2007-02-26, 02:35 AM   #1
twintone
Heh Heh Heh! Lisa! Vampires are make believe, just like elves and gremlins and eskimos!
 
Join Date: Jul 2004
Location: Wisconsin
Posts: 77
People need to chill on immediately blaming your host. A host cannot prevent someone from logging into your FTP account when they have the valid username and password! If you find this code on one of your sites, the first thing you need to do is change your password.

The problem is not with your host, albeit it is possible that you have an exploit in a script, and they are dumping the code in that way. You still can't blame your host for that.

The far better chance is you have a Trojan key logger on your PC or PCs that you use to access your FTP account.

The key logger dumps your keystrokes to an ICQ channel, and they have a bot that filters out the info they want. They then embed their code in your index files in an attempt to infect more people.

Why do they do this? To feed their botnet. This is just a massive botnet ring. The code that is in your html will actually infect you and surfers with 2 Trojans. One to key log all your info, and another is a backdoor to control your PC. So you too can be part of their massive botnet.

I bet you anything if you SSH into your machine, and do a last | grep [username] you will see a login from an IP that is not yours.

Download this AVS http://www.avast.com/eng/download-avast-home.html (it is free) and scan your machine in "safe mode". You will find you have a Trojan that your current AVS is not picking up.

Just on a side note. Norton AV is the biggest piece of shit on the planet, and WILL NOT find this Trojan. I would suggest getting rid of Norton immediately. It is truly garbage. http://en.wikipedia.org/wiki/Norton...irus#Criticisms

We are 100% confident from our research, and running a honeypot for a few months, that Avast WILL find this Trojan. I am sure there are other AVS that will, but we know for sure Avast will, and Norton will NOT.

Good luck with it. It has been something we have seen, and have been investigating since Sep 2006.
Last edited by twintone; 2007-02-26 at 02:43 AM.
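The `last | grep [username]` check from the post above, extended as an added example (not part of the original post) so that it lists only source addresses you do not recognise and counts the sessions from each. The function names, the account name `webuser` and the sample session lines are constructed for illustration; the input layout assumed is what `last -i` prints on Linux.

```bash
#!/usr/bin/env bash
# Added example: flag logins for one account that came from addresses
# outside a list of known-good IPs, reading `last -i` style text on stdin.

# unknown_logins USER KNOWN_IPS
#   USER       account name to check (exact match on column 1)
#   KNOWN_IPS  comma-separated addresses you normally log in from
# Prints "<ip> <count>" for every other source address, sorted by IP.
unknown_logins() {
    awk -v user="$1" -v known="$2" '
        BEGIN { n = split(known, k, ","); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        # Column 1 is the user, column 3 the source address. Local console
        # sessions have no address there (column 3 is then a weekday), so
        # only dotted-quad values are considered.
        $1 == user && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($3 in ok) {
            seen[$3]++
        }
        END { for (ip in seen) print ip, seen[ip] }
    ' | sort
}

# Constructed sample in the layout `last -i` prints on Linux
# (documentation address ranges, not real hosts).
sample_last() {
    cat <<'EOF'
webuser  pts/0        192.0.2.10       Mon Feb 26 01:50 - 02:10  (00:20)
webuser  ftpd4211     203.0.113.77     Sun Feb 25 04:12 - 04:13  (00:01)
backup   pts/1        198.51.100.5     Sat Feb 24 19:02 - 19:40  (00:38)
webuser  ftpd3980     203.0.113.77     Sat Feb 24 04:09 - 04:10  (00:01)
webuser  ftpd3722     198.51.100.23    Fri Feb 23 03:58 - 03:59  (00:01)
webuser  tty1                          Thu Feb 22 09:00 - 09:05  (00:05)
reboot   system boot  0.0.0.0          Thu Feb 22 08:59 - 02:10 (3+17:11)

wtmp begins Thu Feb  1 00:00:12 2007
EOF
}

# Live use:  last -i | unknown_logins webuser 192.0.2.10
sample_last | unknown_logins webuser 192.0.2.10
```

FTP sessions only show up in `last` when the FTP daemon records them in wtmp; if it does not, run the same comparison against the FTP server's own transfer or auth log.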
2007-02-26, 07:42 AM   #2
Useless
Certified Nice Person
 
Join Date: Oct 2003
Location: Dirty Undies, NY
Posts: 11,268
Quote:
Originally Posted by twintone
People need to chill on immediately blaming your host.
Chill Winston!
No one is putting blame upon the host, merely stating that the host is the one who is going to typically figure the mess out. (And the one time I had that type of thing pop up on my sites, it was the virtual server I hosted on that had an Apache exploit.)

If you think we're a bunch of dummies, I'll point you toward the mainstream board I'm hanging at. GoDaddy All the Way! with that crowd.
__________________
Click here to purchase a bridge I'm selling.
2007-02-26, 10:05 AM   #3
twintone
Quote:
Originally Posted by Useless Warrior
Chill Winston!
No one is putting blame upon the host, merely stating that the host is the one who is going to typically figure the mess out. (And the one time I had that type of thing pop up on my sites, it was the virtual server I hosted on that had an Apache exploit.)

If you think we're a bunch of dummies, I'll point you toward the mainstream board I'm hanging at. GoDaddy All the Way! with that crowd.
Quote:
Originally Posted by Useless Warrior
Your site has an exploit and it's definitely an issue for your host to handle. It may even be a server-wide issue.
To me, that sounds like putting the responsibility on the host.
2007-02-26, 03:40 PM   #4
Useless
Quote:
Originally Posted by twintone
To me, that sounds like putting the responsibility on the host.
I said "Your site has an exploit and it's definitely an issue for your host to handle. It may even be a server-wide issue." That statement doesn't place the blame anywhere. Expecting the assistance of one's host when dealing with an exploit shouldn't be a GREAT BIG FUCKING SHOCK!!!
Quote:
Originally Posted by twintone
In your case it very well may be the host. I know Servage is extremely unsecure with their FTP setup. Logging into FTP you are able to go up a directory and view files of other users on that machine.
That, my friend, is blaming the host.
All times are GMT -4.