#1
*****************************************
Update: For the latest please read http://forums.hostgator.com/showthre...6448#post36448
This thread is being closed.
****************************
We have everyone working on the situation, even a few CTOs from other companies we know personally. We can make the problem disappear for a little while but it keeps coming back on a majority of our servers. We believe this is a 0-day exploit with HostGator being the target. We are being completely overwhelmed currently: chat, phones, ticket, etc. The boxes aren't rooted, as it's being run from remote. We are working on finding the root of the problem so we can put a stop to it. The thing leaves files in /tmp each time (.kdesamplesock always) and .mod_layout.body.26827 (26827 being random). I need to get back to calling some more people related to this issue. As soon as I have any news I'll update everyone.
__________________
Gators love marshmallows.
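A check for the two /tmp artifacts named in the post above, as an added example that is not part of the original thread and not HostGator's own tooling. The helper name `scan_tmp_artifacts` and its output format are assumptions; the file names come from the post, and the suffix after `.mod_layout.body.` is assumed to be all digits (the post only says it is random).

```shell
#!/bin/sh
# Added example: check a directory for the two artifacts named in the post.
# scan_tmp_artifacts is a hypothetical helper name.
# Assumption: the suffix after ".mod_layout.body." is all digits.
# Usage: scan_tmp_artifacts /tmp || echo "artifacts present"

scan_tmp_artifacts() {
    dir="${1:-/tmp}"
    hits=0
    # Top level only: the post says the files are left in /tmp itself.
    for f in "$dir"/.kdesamplesock "$dir"/.mod_layout.body.*; do
        # An unmatched glob stays literal; skip anything that does not exist.
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        case "$name" in
            .kdesamplesock) ;;
            .mod_layout.body.*)
                suffix=${name#.mod_layout.body.}
                case "$suffix" in
                    ''|*[!0-9]*) continue ;;  # suffix is not purely numeric
                esac ;;
            *) continue ;;
        esac
        # Classify the entry; check symlink first because -f and -S follow links.
        if [ -L "$f" ]; then kind=symlink
        elif [ -S "$f" ]; then kind=socket
        elif [ -f "$f" ]; then kind=file
        else kind=other
        fi
        # ls -ldn adds numeric owner, size and mtime for the incident notes.
        printf '%s\t%s\n' "$kind" "$(ls -ldn "$f")"
        hits=$((hits + 1))
    done
    # Exit status 0 = directory is clean, 1 = at least one artifact found.
    [ "$hits" -eq 0 ]
}
```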

#2
Thanks for the update Brent!

#3
thank you for the update.

#4
I really hope to see a message from HG soon, when this issue is REALLY solved for good - and not some funny answers in the email like "Delete your IE cache, and refresh.. it is okay now".
Good luck... otherwise we'll all have to move to a different host.

#5
How do we know if our own computers are compromised by the trojan? What can we do ourselves/tell our visitors they can do about removing it? This is the second most important question besides fixing the root of the problem. Thank you.

#6
Anyone who suspects they may have this exploit/trojan/virus on their system can use http://uk.trendmicro-europe.com/housecall/ to check and clean.

#7
We got VeriSign's rapid defense team looking into this with us. Their security team is bigger than McAfee's, I was told on the phone.
Also have The Planet's security team involved.
__________________
Gators love marshmallows.

#8
Quote:
Given the insane situation we have all been dealing with, we're all hoping and praying this finally gets resolved and permanently fixed. Whoever launched this attack MUST be PROSECUTED to the fullest extent of the law. Make sure you let the FBI and Homeland Security know once the emergency passes. Thanks again!

#9
Were you aware of the problem a few weeks ago when you were saying it was a cpanel update issue?

#10
I see that someone from Netcraft is in here actively reading. If you read this could you send me a PM? We could use some of your contacts to help us with this situation.
The more people involved in working on this the quicker we can figure this out.
__________________
Gators love marshmallows.

#11
We have just gotten off the phone with a reverse engineer whose specialty is in malcode. He's currently calling all his contacts to make this a bigger team effort.
__________________
Gators love marshmallows.

#12
Maybe the fellas over at Google can provide some assistance. Overall, maybe Microsoft should foot the bill on this problem. It would only cost a day's interest from Bill Gates.

#13
It seems many people have contacted HostPC.com where the redirect and trojan are located. They can't figure it out either it seems because the user dir is still active!
[DONT GO] http://198.87.87.24/~monkey/index.htm(l) [DONT GO] is where my sites are being directed
BVV www.nevatechpc.com

#14
Brent, make sure you look at that file I sent to your support team, it is the hacker interface that allows commands to be executed and I found it in my forums directory. I expect that it might have been loaded onto all affected websites/servers.

#15
What happened to the 2-3 different Topics that discussed the attacks today? They're gone! Why would HG delete them?

#16
What's the ticket number on that? I would like to take a look asap.
__________________
Gators love marshmallows.

#17
Please keep all discussion to this thread, all updates and information regarding these issues will be posted here.

#18
The exploited site that housed the malware (mentioned above) has been disabled. fyi.
BVV ww.nevatechpc.com

#19
Funny, I used Firefox and couldn't see the problem. But a bunch of my customers had grief and called me. I dusted off IE for the first time in a long time, and saw the testmonkey url...

#20
What's the ticket number on the "hacker interface"?
__________________
Gators love marshmallows.

#21
Quote:
Please don't post infected links here, without disabling them.. such as changing http: to hxxp: or else someone might click on them without realizing it's a bad thing to do...

Also, if you aren't registered to this forum yet, at least sign your posts... you get several unregistered posters and it looks like you are talking to yourself.

And lastly, is there anything we can do that would be helpful to HG, such as checking folders for files, and if so, what files where? Brent mentioned a couple in the /tmp folder... are there any others? And if we find them, what does HG want us to do besides just notify them. Or is it more helpful to HG that we stay off the bandwidth and let you guys work? Obviously HG is in charge and needs to have our full cooperation.

Dwight
__________________
=================== Dwight Jenkins Rainbow Flair Web Design ===================

#22
I didn't submit a ticket; I spoke to a guy called JT through live support and zipped the file up and he downloaded it and said he would alert the people working on this issue.

#23
Quote:
BVV www.nevatechpc.com

#24
Do you have this ticket number? If not please PM me the email address you sent the ticket from. Thanks!

#25
Quote:
Yes, is there anything we can do that may help the situation for you all? I greatly appreciate the breadth of effort that is being thrown at this situation on our behalf.
ron
__________________
97 Trans Am