Virus' / Redirects / Sites not Working - Read Me - Page 2

newhall · #26 09-22-2006, 09:09 PM

I agree!! HG, let us know what we can do to help. Any files or folders we should be looking for? Anything else we can assist with or information we can provide?

FYI, I first reported this problem to HG back on 8/14/2006. That may be relevant.

#27 09-22-2006, 09:15 PM

I have sent you a pm brent regarding the hacker interface and the link where you can download it.

Paul

#28 09-22-2006, 09:16 PM

regarding anonymous posts... I tried to log on and got warned away because apparently I don't know my own userid and password.

#29 09-22-2006, 09:17 PM

Quote:

Originally Posted by newhall

I agree!! HG, let us know what we can do to help. Any files or folders we should be looking for? Anything else we can assist with or information we can provide?

FYI, I first reported this problem to HG back on 8/14/2006. That may be relevant.

Look for a file called NC.php, if its there it will probably be in a directory, if the file is there then i suggest deleting it and changing your cpanel password.

Paul

#30 09-22-2006, 09:18 PM

Quote:

Originally Posted by ccrb

regarding anonymous posts... I tried to log on and got warned away because apparently I don't know my own userid and password.

It says i don't have privs when i sign in and try to make a post so i am now signing my messages.

Paul

#31 09-22-2006, 09:21 PM

Quote:

Originally Posted by Brett

The exploited site that housed the malware (mentioned above) has been disabled. fyi.

I think this issue is more complicated than just disable 1 or 2 websites... today many websites hosted on HG were attacked by at least 5 different IP addresses...

***GatorBrent*** · #32 09-22-2006, 09:34 PM

I did not receive your pm. What is your ticket number?

#33 09-22-2006, 09:45 PM

I sent it to Jay by accident, i have submitted a ticket with the details.

Ticket ID: FKP-982757
Subject: RE: Hacker Interface
Department: Support
Status: Open

#34 09-22-2006, 09:46 PM

I checked my files on ftp, and none of the files on the host had a recent date except a temp folder.

I'm presuming that, although my site(s) were affected, they haven't been corrupted.

Not wanting to change passwords, is there any need to?

wwobn · #35 09-22-2006, 09:59 PM

This issue is a PHP exploit that effects PHP on the sever. Your code should not have been compromised. The iframes were being inserted in to your page during the rendering of your PHP file.

Amazingly we thought this was being inserted by a few of our online advertisers via Interlclick and Adsense since the iframes were being added to the very end of our adzones.

I'm rounding up a team of engineers to help fix this bug. Feel free to add me on AIM or Skype if you'd like to be involved.

For extra security I'd probably stay away from Internet Explorer until everything is fixed. FireFox doesn't seem to be affected.

newhall · #36 09-22-2006, 10:05 PM

Hi Brad,

Could you give us more information about who you are and what organization/group you're working with/for? Your post provides some much needed information about this problem, but it would help to know a few more details so we can all understand the context better and in how you are helping and working to fix this horrible exploit.

Thanks a million!

wwobn · #37 09-22-2006, 10:23 PM

No problem. I'm a Systems Engineer and Web Architect for eBay.com / PayPal.com during the day, a small development company owner by night.

I'm an AVID HG customer and our sites / clientele sites are being affected by this issue which is why I'd like to assist in fixing this issue.

If you'd like to help hit me on AIM and we'll see where we can best fit you.

#38 09-22-2006, 10:30 PM

If this is a virus/exploit, why would your support staff lie to me and say otherwise?

Hello,
This is a known issue due to a automated update that cpanel rolled out without our knowledge,
we are working to resolve the issue and it should be fix momentarily.

Best Regards,
Shane
HostGator Technical Support

CPanel doesn't even roll out automated updates unless you let them; and if you let them, that would be WITH your knowledge.

realcasinos · #39 09-22-2006, 10:36 PM

Quote:

Originally Posted by Unregistered

If this is a virus/exploit, why would your support staff lie to me and say otherwise?

Hello,
This is a known issue due to a automated update that cpanel rolled out without our knowledge,
we are working to resolve the issue and it should be fix momentarily.

Best Regards,
Shane
HostGator Technical Support

CPanel doesn't even roll out automated updates unless you let them; and if you let them, that would be WITH your knowledge.

Thats what they told me but i know otherwise since its obvious when i visit my site and it trys to download a trojan on me, everything is working at the moment. I also found the script the hackers were using on my server. There is a non official release to fix there exploit for explorer users, its at the bottom of this article http://news.netcraft.com/archives/20...e_exploit.html

***GatorBrent*** · #40 09-22-2006, 10:48 PM

We're finally onto something here. update to come....

realcasinos · #41 09-22-2006, 10:50 PM

Quote:

Originally Posted by GatorBrent

We're finally onto something here. update to come....

Excellent, i'll wait for the update untill i head off to bed, did it have anything to do with that file i sent you?

newhall · #42 09-22-2006, 10:53 PM

Quote:

Originally Posted by GatorBrent

We're finally onto something here. update to come....

I hope this is finally it. Thanks for the update!

wwobn · #43 09-22-2006, 10:56 PM

Quote:

Originally Posted by Unregistered

If this is a virus/exploit, why would your support staff lie to me and say otherwise?

Hello,
This is a known issue due to a automated update that cpanel rolled out without our knowledge,
we are working to resolve the issue and it should be fix momentarily.

Best Regards,
Shane
HostGator Technical Support

CPanel doesn't even roll out automated updates unless you let them; and if you let them, that would be WITH your knowledge.

No one lied to you. The issue is several different issues rolled into one Synopsys. No one has ever seen an exploit like this. All of the information that is being provided by us the clients is helping to figure out ever aspect of this issue. Thus, everyone should remain calm and know that it is being addressed right now. Trust me, you should be Thankful that your sites are on HG, their system engineers are second to none.

#44 09-22-2006, 11:06 PM

Quote:

Originally Posted by wwobn

No one lied to you. The issue is several different issues rolled into one Synopsys. No one has ever seen an exploit like this. All of the information that is being provided by us the clients is helping to figure out ever aspect of this issue. Thus, everyone should remain calm and know that it is being addressed right now. Trust me, you should be Thankful that your sites are on HG, their system engineers are second to none.

Yeah but there's no such thing as an automated CPanel update that nobody knows about. You either set it to grab updates automatically or you don't.

#45 09-22-2006, 11:23 PM

Quote:

Originally Posted by Unregistered

Yeah but there's no such thing as an automated CPanel update that nobody knows about. You either set it to grab updates automatically or you don't.

cPanel can push updates despite your upgrade settings in cpanel. Check the cpanel forums, this behavior has casued problems in the past.

#46 09-22-2006, 11:28 PM

Quote:

Originally Posted by Unregistered

Yeah but there's no such thing as an automated CPanel update that nobody knows about. You either set it to grab updates automatically or you don't.

Doesnt really matter. Its a unprecedented attack on a major company. I am glad to see that they have called out for help and even more gratefull for the people in the know that have stepped up to the plate to help them. Mistakes may had been made but were in good hands. I just hope they fry the s o b that started all this.

Daniel M.

newhall · #47 09-22-2006, 11:40 PM

Quote:

Originally Posted by Unregistered

I just hope they fry the s o b that started all this.

I'm with you on this one! They need to make the b a s t a r d (s) pay for all the damages, additional costs, lost business, and lost revenues they have caused HG and all of us; not to mention the stress and headaches. And then, for good measure, the authorities need to throw them in jail for at least 5-10 years so they can think things through before terrorizing someone else.

#48 09-23-2006, 12:15 AM

Thank You for the update. I was getting VERY frustrated by the internal lack of communication on this issue. One support operator would have no idea about previous fixes/discussions.

I have thought seriously about changing hosts until you publically acknowledged the problem. For now, I will try to be patient if you think the issue has been permanently resolved (per the trouble ticket reply I just received - though this isn't the first time I have heard it).

wwobn · #49 09-23-2006, 12:31 AM

Perhaps a good old lynching is in order?

Make sure that you all thank HG Techs when they're done. They've all just worked a million hours for you.

steelkat · #50 09-23-2006, 12:36 AM

Oh, I think about thirty years in the electric chair would be about right

TD