09-17-2009, 11:19 AM
HEAT
Confirmed User
 
Join Date: Sep 2003
Posts: 2,255
Problem solved.

When the script was executed (I visited an infected site accidentally yesterday, I guess), it loaded malware disguised as a .pdf or .swf file that steals username/password data from the PC.
The malware is hosted at another infected site, loaded via iframe, then executed in the browser.
Now the hacker got my site's login and infected my sites too.
I don't know how he connected to my box though. I guess he's using a remote script that doesn't leave log info.

Even if I remove that malware from my PC and change the ftp password, the hacker can get my new password easily since I had to load my sites to check.
So it is very important to never load the sites during troubleshooting.

This is what I did, and it seems like the code is finally gone, but I'm still monitoring...
1. Reboot the PC and scan it for spyware.
2. Reboot again and change all server passwords.
3. Remove the code from all server files (index.html, category.html, index.php, etc.) with a server-side text editor.
4. Never load the infected web pages in a browser during #3.
5. Install mod_security and change file permissions.

This thing reminds me of BackOrifice in '98. It's the most annoying fuckware I've ever had. It got past McAfee.
Remember to use a good antivirus on your PC. I had good results with Malwarebytes.org

Thanks for the advice.
__________________
254-282-542

Last edited by HEAT; 09-17-2009 at 11:21 AM..
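Step 3 of the post (strip the injected code from index.html, index.php and the rest server-side, without ever opening the pages in a browser) is the part that is easy to get wrong by hand across many files. The script below is an added example, not the poster's tool or anything from this thread: it walks a web root and reports or removes iframes that look injected. The detection heuristics (hidden or zero-size iframe, or an iframe src pointing at a host outside an allowlist), the allowlisted domains, the malicious hostname and the sample page are all assumptions constructed for the example, not details from the post.

```python
"""Find and strip injected <iframe> tags from a web root, server-side.

Added example, not the original poster's code. Everything below is an
assumption for illustration: the allowlisted hosts, the heuristics, and
the constructed sample page (the malicious host uses the reserved
.invalid TLD so it can never resolve).
"""
import os
import re
import sys
from urllib.parse import urlparse

# Assumption: hosts you legitimately embed via iframe (your own domains).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Full iframe element (lazy, so adjacent iframes are matched separately)
# or a self-closing / unclosed opening tag.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*>.*?</iframe\s*>|<iframe\b[^>]*/?>", re.I | re.S
)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
STYLE_RE = re.compile(r"""style\s*=\s*["']([^"']*)["']""", re.I)
ZERO_DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?0\b""", re.I)
HIDDEN_CSS = ("display:none", "visibility:hidden", "left:-", "top:-")


def is_suspicious(tag: str) -> bool:
    """Heuristic: off-allowlist src host, hidden via CSS, or zero-size."""
    m = SRC_RE.search(tag)
    if m:
        host = urlparse(m.group(1)).hostname  # None for relative URLs
        if host and host.lower() not in ALLOWED_HOSTS:
            return True
    style = STYLE_RE.search(tag)
    if style:
        css = style.group(1).replace(" ", "").lower()
        if any(h in css for h in HIDDEN_CSS):
            return True
    return bool(ZERO_DIM_RE.search(tag))


def find_injected_iframes(html: str) -> list:
    """Return the raw text of every iframe that trips the heuristics."""
    return [m.group(0) for m in IFRAME_RE.finditer(html) if is_suspicious(m.group(0))]


def strip_injected_iframes(html: str) -> str:
    """Return html with suspicious iframes removed; legitimate ones are kept."""
    return IFRAME_RE.sub(
        lambda m: "" if is_suspicious(m.group(0)) else m.group(0), html
    )


WEB_EXTENSIONS = (".html", ".htm", ".php")


def clean_tree(root: str, dry_run: bool = True) -> dict:
    """Walk a web root; report (and unless dry_run, strip) injected iframes.

    Returns {path: [suspicious iframe tags]}. Back the tree up first.
    """
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                html = f.read()
            found = find_injected_iframes(html)
            if found:
                report[path] = found
                if not dry_run:
                    with open(path, "w", encoding="utf-8") as f:
                        f.write(strip_injected_iframes(html))
    return report


# Constructed sample page (not from the post): one legitimate banner
# iframe, one hidden iframe to an off-allowlist host, one zero-size iframe.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/banner.html" width="468" height="60"></iframe>
<iframe src="http://malicious.invalid/in.php" style="display: none" width="1" height="1"></iframe>
<iframe src="/local/widget.html" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    # Usage: python clean_iframes.py /var/www/html [--apply]
    apply = "--apply" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--apply"]
    root = args[0] if args else "."
    for path, tags in clean_tree(root, dry_run=not apply).items():
        print(f"{path}: {len(tags)} suspicious iframe(s)")
        for t in tags:
            print("   ", t[:120])
```

Run it in dry-run mode first over a copy of the web root, review the report, and only then pass `--apply`. It only handles plain iframe tags; injections hidden in obfuscated JavaScript (document.write with escaped strings, eval of encoded blobs) will not match this regex and still need a manual look. The point is that the whole check happens on the server, so the pages are never rendered in a browser on the machine whose credentials were stolen.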