I keep getting hacked... - GoFuckYourself.com

RobV · 09-28-2006, 03:45 PM

Every 3 days or so my website [possible virus link removed] will have some new encrypted code embeded to the top of the page causing lots of shit to go down.

Anyone have any info on any wordpress flaws? Or what this could be?

To remove it I have to litteraly delete every file on the server and reupload or it wont go away. This is getting annoying.

Thanks

Scott McD · 09-28-2006, 03:49 PM

That's gay...

RobV · 09-28-2006, 03:50 PM

Quote:

Originally Posted by Scott McD

That's gay...

how gay?

madawgz · 09-28-2006, 03:51 PM

yeah, how gay is that....

just playing

RobV · 09-28-2006, 03:52 PM

Serioulsy, how the fuck does this keep happening.

CyberHustler · 09-28-2006, 03:53 PM

gotta switch up your paswwords or something

yahoo-xxx-girls.com · 09-28-2006, 03:56 PM

Perhaps I can help you out... Please ICQ me at: 397994057

Later,

dissipate · 09-28-2006, 04:06 PM

that's very gay, some would say... homosexually gay.

Spunky · 09-28-2006, 04:07 PM

Must be a gay basher

justsexxx · 09-28-2006, 04:08 PM

What's your host? Better ask them no?

RobV · 09-28-2006, 04:09 PM

Quote:

Originally Posted by BuySexProducts

gotta switch up your paswwords or something

I don't think its just a password thing.

HairToStay · 09-28-2006, 04:10 PM

What other scripts are on the server? Does the host have everything updated? Is telnet open?

RobV · 09-28-2006, 04:10 PM

Quote:

Originally Posted by justsexxx

What's your host? Better ask them no?

My host is webair. I have asked them 10 times with the responce of, "Its all your fault, nothing is wrong on our end."

RobV · 09-28-2006, 04:12 PM

Quote:

Originally Posted by HairToStay

What other scripts are on the server? Does the host have everything updated? Is telnet open?

The only other coding in this anywhere is ifram code to my sponsor. Everything else is straight from wordpress.

Dveron · 09-28-2006, 04:15 PM

Using latest Wordpress version?

RobV · 09-28-2006, 04:16 PM

Quote:

Originally Posted by Dveron

Using latest Wordpress version?

Yes sir.

DutchTeenCash · 09-28-2006, 04:23 PM

whats that crap virus again everyone had some months ago

it added some code on top, many sites got hit with it

FelixFlow · 09-28-2006, 04:25 PM

NICE FUCKING TROJAN VIRUS ON THAT PAGE!!

RobV · 09-28-2006, 04:28 PM

Quote:

Originally Posted by FelixFlow

NICE FUCKING TROJAN VIRUS ON THAT PAGE!!

I agree. Any imput on how to keep it off?

johnny o · 09-28-2006, 04:30 PM

Quote:

Originally Posted by RobV

how gay?

VERY ghey

DutchTeenCash · 09-28-2006, 04:31 PM

Quote:

Originally Posted by RobV

I agree. Any imput on how to keep it off?

ok now I know for sure - thats the virus that infects the server

thats OLD at least 4-5 months lemme search

Fucksakes · 09-28-2006, 04:32 PM

glad i did my research on hosts before making my switch.. weblair has alot of bad things said about them here.

DutchTeenCash · 09-28-2006, 04:36 PM

damn what was it - wasnt it a local pc virus that attaches itself to any webpage if you FTP it? someone help

09-28-2006, 04:39 PM

It's not uniqcount.net is it? I keep getting hit by them

DutchTeenCash · 09-28-2006, 04:43 PM

it was some VB virus that attached when uploading pages - ask Webair they should know for sure

DutchTeenCash · 09-28-2006, 04:48 PM

here you go

its Win32:trojano-p also known as Win32/Anserin!generic.

Nookster · 09-28-2006, 04:51 PM

Quote:

Originally Posted by RobV

My host is webair. I have asked them 10 times with the responce of, "Its all your fault, nothing is wrong on our end."

That explains it. Switch hosts and that will solve your problem...I guarantee it.

Vox · 09-28-2006, 04:53 PM

Quote:

Originally Posted by RobV

My host is webair. I have asked them 10 times with the responce of, "Its all your fault, nothing is wrong on our end."

Yeah webair won't really help you out if your box has been comprimised.
Here's a little suggestion to see what is running in the background:
I'm pressuming this malicious script is being called by a cron job so log in by ssh with your root password and type in crontab -l
See what is running in the background, if there is nothing then it's time to call in a security expert and have the whole box scanned.

Lycanthrope · 09-28-2006, 04:55 PM

Are you running an older version of AW Stats?

DutchTeenCash · 09-28-2006, 04:56 PM

Quote:

Originally Posted by Vox

Yeah webair won't really help you out if your box has been comprimised.
Here's a little suggestion to see what is running in the background:
I'm pressuming this malicious script is being called by a cron job so log in by ssh with your root password and type in crontab -l
See what is running in the background, if there is nothing then it's time to call in a security expert and have the whole box scanned.

If I still remember ok, it was a local PC virus that attached a VB line on top. Lotsa sites had that, google for the names I gave, the virus is like 6 months old at least, maybe older. As long as its on your local PC, itll infect your files everytime you FTP.

Vox · 09-28-2006, 05:01 PM

Quote:

Originally Posted by thinkx

If I still remember ok, it was a local PC virus that attached a VB line on top. Lotsa sites had that, google for the names I gave, the virus is like 6 months old at least, maybe older. As long as its on your local PC, itll infect your files everytime you FTP.

That's as nasty as a rootkit on the server.

HairToStay · 09-28-2006, 05:03 PM

If you don't know how, ask your host to read Apache logs to see what was compromised and how.

Then, change hosts to someone who will actually help you.

RobV · 09-28-2006, 05:13 PM

Quote:

Originally Posted by thinkx

If I still remember ok, it was a local PC virus that attached a VB line on top. Lotsa sites had that, google for the names I gave, the virus is like 6 months old at least, maybe older. As long as its on your local PC, itll infect your files everytime you FTP.

Yeah I am reading about that, the only thing that gets me is I have Norton Internet Security (and virus scanner) and I have the most up to date definitions and its not pulling anything on the sytem (yet I do still think its on my comp) Any ideas?

Secondly I have asked webair for help, honestly about 5 times with the same reply of "nothing we can do, its all on you, make sure your wordpress is uptodate."

RobV · 09-28-2006, 08:16 PM

Quote:

Originally Posted by shermsshack

It's not uniqcount.net is it? I keep getting hit by them

Thats exactly who it is.

marketsmart · 09-28-2006, 08:18 PM

Quote:

Originally Posted by Scott McD

That's gay...

haha

escorpio · 09-28-2006, 08:41 PM

Quote:

Originally Posted by RobV

Thats exactly who it is.

They got me the other day. I also host at Webair.

09-28-2006, 09:14 PM

Quote:

Originally Posted by escorpio

They got me the other day. I also host at Webair.

I'm on Phatservers... They have been looking over it for me today.... Seems to be something with sites running form submits.

Superterrorizer · 09-28-2006, 09:16 PM

To be fair, it's not really the hosts fault you got hacked unless it was done through a hole in the OS/Kernel.

I would argue it's the customers responsibility to ensure any scripts on their sites are up to date, as would many hosting companies both adult and mainstream. Certainly there are hosts who will take care of things like that but for the price point many adult webmasters are looking for it's simply not realistic to expect your host to keep your scripts up to date for you unless you are paying a premium.

Having said that, once something has been exploited it's my opinion that it's the host's responsibility to find the cause of the problem and correct it if you are unable to do so on your own. There's a plethora of tools and methods out there to combat these exploits as well as remove them from your server.

Any host who values their clients, as well as the integrity of their client's sites should do whatever they can to assist you in getting the issue resolved. If they refuse, there are hosting companies out there who would be happy to take care of you.

There are many things the average webmaster can do to make sure things like this are unlikely to happen. Scripts are not Ronco Rotisseries. You can't just "set it and forget it" with a script. Many popular scripts have older versions with giant-gaping-goatse-like holes in them that do not exist in current versions. You should check weekly (At the very least monthly) for updates to your scripts, and if there are updates update them immediately

FelixFlow · 09-28-2006, 09:52 PM

YOUR PAGE IS INFECTING EVERYONE WHO VISITS IT WITH THE VIRUS!!

BE RESPONSIBLE AND STOP DIRECTING PEOPLE TO YOUR PAGE!@!

RevSand · 09-28-2006, 09:53 PM

THis shit is going around.. I have been hit by this bullshit also every few days now it seems. I took a look at sherms site and mine and we are not running ANY similar scripts...

FelixFlow · 09-28-2006, 09:55 PM

NAME: Exploit.HTML.Mht
ALIAS: MS04-025, CAN-2004-0549, HTML/MHT@EXPL, Mht

Summary

An exploit is a short code or script that uses a vulnerability to perform malicious actions.

The HTML.Mht exploit is embedded to HTML web pages. It attempts to download and install a malicious program on your computer by using a security vulnerability in Internet Explorer.

More information about this security vulnerability, including a fix, is available from Microsoft: http://www.microsoft.com/technet/sec.../MS04-025.mspx

================================================== ===

Dagwolf · 09-28-2006, 09:57 PM

Quote:

Originally Posted by FelixFlow

YOUR PAGE IS INFECTING EVERYONE WHO VISITS IT WITH THE VIRUS!!

BE RESPONSIBLE AND STOP DIRECTING PEOPLE TO YOUR PAGE!@!

Remember who else did something like this? ...

SmokeyTheBear · 09-28-2006, 10:03 PM

Quote:

Originally Posted by Superterrorizer

To be fair, it's not really the hosts fault you got hacked unless it was done through a hole in the OS/Kernel.

I would argue it's the customers responsibility to ensure any scripts on their sites are up to date, as would many hosting companies both adult and mainstream. Certainly there are hosts who will take care of things like that but for the price point many adult webmasters are looking for it's simply not realistic to expect your host to keep your scripts up to date for you unless you are paying a premium.

Having said that, once something has been exploited it's my opinion that it's the host's responsibility to find the cause of the problem and correct it if you are unable to do so on your own. There's a plethora of tools and methods out there to combat these exploits as well as remove them from your server.

Any host who values their clients, as well as the integrity of their client's sites should do whatever they can to assist you in getting the issue resolved. If they refuse, there are hosting companies out there who would be happy to take care of you.

There are many things the average webmaster can do to make sure things like this are unlikely to happen. Scripts are not Ronco Rotisseries. You can't just "set it and forget it" with a script. Many popular scripts have older versions with giant-gaping-goatse-like holes in them that do not exist in current versions. You should check weekly (At the very least monthly) for updates to your scripts, and if there are updates update them immediately

this is true but its not your mechanics job to tell you not to stick orange juice in your gas tank but if you do and your car fucks it it would be nice to at least let him know the problem ( easily accomplished in this case with a quick peek at the server )

Hosts that wont help in this situation really piss me off, its obvious the guy doesnt know what the problem is , and he will just leave if he cant get it fixed so its hardly not worth it to the host to quicly tell them what the problem is , if the customer INSISTS on running something unsecure , thats a diff story but if they are just clueless it seems a no-brainer to help them out for the 10 minutes it might take to fix the problem for a tech

pornpf69 · 09-28-2006, 10:18 PM

do you have any counter on your page?

FelixFlow · 09-28-2006, 10:24 PM

Quote:

Originally Posted by Dagwolf

Remember who else did something like this? ...

no i dont?

who the fuck is this guy? my fucking computer has this shit now!

DateDoc · 09-28-2006, 10:31 PM

Quote:

Originally Posted by FelixFlow

YOUR PAGE IS INFECTING EVERYONE WHO VISITS IT WITH THE VIRUS!!

BE RESPONSIBLE AND STOP DIRECTING PEOPLE TO YOUR PAGE!@!

He said he had issues on his page and you clicked the link. He is trying to get it sorted out. If your pc is not protected why click a link when it is typed out that it has issues he is seeking help to fix?

RobV · 09-28-2006, 10:37 PM

Quote:

Originally Posted by Superterrorizer

To be fair, it's not really the hosts fault you got hacked unless it was done through a hole in the OS/Kernel.

I would argue it's the customers responsibility to ensure any scripts on their sites are up to date, as would many hosting companies both adult and mainstream. Certainly there are hosts who will take care of things like that but for the price point many adult webmasters are looking for it's simply not realistic to expect your host to keep your scripts up to date for you unless you are paying a premium.

Having said that, once something has been exploited it's my opinion that it's the host's responsibility to find the cause of the problem and correct it if you are unable to do so on your own. There's a plethora of tools and methods out there to combat these exploits as well as remove them from your server.

Any host who values their clients, as well as the integrity of their client's sites should do whatever they can to assist you in getting the issue resolved. If they refuse, there are hosting companies out there who would be happy to take care of you.

There are many things the average webmaster can do to make sure things like this are unlikely to happen. Scripts are not Ronco Rotisseries. You can't just "set it and forget it" with a script. Many popular scripts have older versions with giant-gaping-goatse-like holes in them that do not exist in current versions. You should check weekly (At the very least monthly) for updates to your scripts, and if there are updates update them immediately

I agree that it is not the hosting companies responsibility to monitor everything that is installed and ran on the server. I agree that the client (me) should have everything up to date and attempt to keep it that way.

Again I would like to share that there is NOTHING ELSE aside from the most up to date verison of wordpress running. Thats it.

My system has been scanned, re scanned, cleaned, anything to make sure nothing was on my end, I am clean.

So where do I go now? Or.... Who takes the next step?

MarkMan · 09-28-2006, 10:38 PM

well , a good idea is to have a new password setup .. huge one .. about 12+

with numbers and Letters + have your host put in a firewall for you.. so only your ip can ssh or ftp to your server

and if this dosn't work .. have someone check all your scripts

also .. have your own system at home or the office checkes for spyware.. just incase

good luck

RobV · 09-28-2006, 10:38 PM

Quote:

Originally Posted by pornpf69

do you have any counter on your page?

No counter. Just wordpress.

RobV · 09-28-2006, 10:40 PM

Quote:

Originally Posted by BusterPorn

He said he had issues on his page and you clicked the link. He is trying to get it sorted out. If your pc is not protected why click a link when it is typed out that it has issues he is seeking help to fix?

FelixFlow, I really am sorry. I left it up for the purpose stated, so people could view it in the "hacked" form, instead of me trying to visually and verbally discribe the situation.

09-28-2006, 03:45 PM	#1
RobV Confirmed User Join Date: Oct 2005 Posts: 111	I keep getting hacked... Every 3 days or so my website [possible virus link removed] will have some new encrypted code embeded to the top of the page causing lots of shit to go down. Anyone have any info on any wordpress flaws? Or what this could be? To remove it I have to litteraly delete every file on the server and reupload or it wont go away. This is getting annoying. Thanks __________________ ICQ: 619221 Last edited by TexasDreams; 09-28-2006 at 10:06 PM..

09-28-2006, 03:49 PM	#2
Scott McD Too lazy to set a custom title Join Date: Nov 2002 Location: Glasgow, Scotland Posts: 67,795	That's gay... __________________ I Buy My High Quality Traffic Here, You Should Too!

09-28-2006, 03:51 PM	#4
madawgz 8.8.8.8 Industry Role: Join Date: Mar 2006 Location: Noordermarkt Posts: 30,509	yeah, how gay is that.... just playing __________________ TAEMDLRMSKRJIXMRLSMRJ.

09-28-2006, 03:52 PM	#5
RobV Confirmed User Join Date: Oct 2005 Posts: 111	Serioulsy, how the fuck does this keep happening. __________________ ICQ: 619221

09-28-2006, 03:56 PM	#7
yahoo-xxx-girls.com Confirmed User Join Date: Jul 2006 Location: Canada Posts: 3,143	Hey RobV, I think I can help ! Perhaps I can help you out... Please ICQ me at: 397994057 Later, __________________ sig too big

09-28-2006, 03:53 PM	#6
CyberHustler So Fucking Banned Industry Role: Join Date: Feb 2006 Posts: 25,214	gotta switch up your paswwords or something

09-28-2006, 04:06 PM	#8
dissipate The Dirty Frenchman Industry Role: Join Date: Nov 2005 Location: Lost Angeles Posts: 8,904	that's very gay, some would say... homosexually gay.

09-28-2006, 04:07 PM	#9
Spunky I need a beer Industry Role: Join Date: Jun 2002 Location: ♠ Toiletville ♠ Posts: 133,928	Must be a gay basher __________________ CONTACT FOR YOUR INFORMATION HERE

09-28-2006, 04:08 PM	#10
justsexxx Too lazy to set a custom title Join Date: Aug 2001 Location: The Netherlands Posts: 13,723	What's your host? Better ask them no? __________________ Questions? ICQ: 125184542

09-28-2006, 04:10 PM	#12
HairToStay Confirmed User Join Date: Oct 2002 Location: Southcoast, Mass. Posts: 1,521	What other scripts are on the server? Does the host have everything updated? Is telnet open? __________________ Make bank by giving your surfers free pics every day and it costs you NOTHING! Use POTD Sponsors to find adult sponsors in more than 75 niches who offer a POTD feature!

09-28-2006, 04:15 PM	#15
Dveron Confirmed User Join Date: Dec 2002 Location: Vancouver Posts: 2,794	Using latest Wordpress version?

09-28-2006, 04:23 PM	#17
DutchTeenCash I like Dutch Girls Join Date: Feb 2003 Location: dutchteencash.com Posts: 21,684	whats that crap virus again everyone had some months ago it added some code on top, many sites got hit with it __________________ ICQ 16 91 547 - SKYPE dutchteencash bob AT dutchteencash DOT com ... did you see our newest Sweet Natural Girl Priscilla (18)?

09-28-2006, 04:25 PM	#18
FelixFlow Confirmed User Industry Role: Join Date: Nov 2004 Posts: 2,779	NICE FUCKING TROJAN VIRUS ON THAT PAGE!! __________________ ICQ: 643 339 687

09-28-2006, 04:32 PM	#22
Fucksakes Shit... Fuck! What the Hell? Industry Role: Join Date: Dec 2003 Posts: 7,567	glad i did my research on hosts before making my switch.. weblair has alot of bad things said about them here.

09-28-2006, 04:36 PM	#23
DutchTeenCash I like Dutch Girls Join Date: Feb 2003 Location: dutchteencash.com Posts: 21,684	damn what was it - wasnt it a local pc virus that attaches itself to any webpage if you FTP it? someone help __________________ ICQ 16 91 547 - SKYPE dutchteencash bob AT dutchteencash DOT com ... did you see our newest Sweet Natural Girl Priscilla (18)?

09-28-2006, 04:39 PM	#24
shermo Guest Posts: n/a	It's not uniqcount.net is it? I keep getting hit by them

09-28-2006, 04:43 PM	#25
DutchTeenCash I like Dutch Girls Join Date: Feb 2003 Location: dutchteencash.com Posts: 21,684	it was some VB virus that attached when uploading pages - ask Webair they should know for sure __________________ ICQ 16 91 547 - SKYPE dutchteencash bob AT dutchteencash DOT com ... did you see our newest Sweet Natural Girl Priscilla (18)?

09-28-2006, 04:48 PM	#26
DutchTeenCash I like Dutch Girls Join Date: Feb 2003 Location: dutchteencash.com Posts: 21,684	here you go its Win32:trojano-p also known as Win32/Anserin!generic. __________________ ICQ 16 91 547 - SKYPE dutchteencash bob AT dutchteencash DOT com ... did you see our newest Sweet Natural Girl Priscilla (18)?

09-28-2006, 04:55 PM	#29
Lycanthrope Confirmed User Industry Role: Join Date: Jan 2004 Location: Wisconsin Posts: 4,517	Are you running an older version of AW Stats? __________________

09-28-2006, 05:03 PM	#32
HairToStay Confirmed User Join Date: Oct 2002 Location: Southcoast, Mass. Posts: 1,521	If you don't know how, ask your host to read Apache logs to see what was compromised and how. Then, change hosts to someone who will actually help you. __________________ Make bank by giving your surfers free pics every day and it costs you NOTHING! Use POTD Sponsors to find adult sponsors in more than 75 niches who offer a POTD feature!

09-28-2006, 09:16 PM	#38
Superterrorizer Confirmed User Join Date: Sep 2003 Posts: 509	To be fair, it's not really the hosts fault you got hacked unless it was done through a hole in the OS/Kernel. I would argue it's the customers responsibility to ensure any scripts on their sites are up to date, as would many hosting companies both adult and mainstream. Certainly there are hosts who will take care of things like that but for the price point many adult webmasters are looking for it's simply not realistic to expect your host to keep your scripts up to date for you unless you are paying a premium. Having said that, once something has been exploited it's my opinion that it's the host's responsibility to find the cause of the problem and correct it if you are unable to do so on your own. There's a plethora of tools and methods out there to combat these exploits as well as remove them from your server. Any host who values their clients, as well as the integrity of their client's sites should do whatever they can to assist you in getting the issue resolved. If they refuse, there are hosting companies out there who would be happy to take care of you. There are many things the average webmaster can do to make sure things like this are unlikely to happen. Scripts are not Ronco Rotisseries. You can't just "set it and forget it" with a script. Many popular scripts have older versions with giant-gaping-goatse-like holes in them that do not exist in current versions. You should check weekly (At the very least monthly) for updates to your scripts, and if there are updates update them immediately

09-28-2006, 09:52 PM	#39
FelixFlow Confirmed User Industry Role: Join Date: Nov 2004 Posts: 2,779	YOUR PAGE IS INFECTING EVERYONE WHO VISITS IT WITH THE VIRUS!! BE RESPONSIBLE AND STOP DIRECTING PEOPLE TO YOUR PAGE!@! __________________ ICQ: 643 339 687

09-28-2006, 09:53 PM	#40
RevSand Confirmed User Industry Role: Join Date: Oct 2003 Location: Porn Valley Posts: 8,151	THis shit is going around.. I have been hit by this bullshit also every few days now it seems. I took a look at sherms site and mine and we are not running ANY similar scripts... __________________ BadBitchesGoodWeed Hire me for all your video shooting needs!! Skype = RevSandx

09-28-2006, 09:55 PM	#41
FelixFlow Confirmed User Industry Role: Join Date: Nov 2004 Posts: 2,779	NAME: Exploit.HTML.Mht ALIAS: MS04-025, CAN-2004-0549, HTML/MHT@EXPL, Mht Summary An exploit is a short code or script that uses a vulnerability to perform malicious actions. The HTML.Mht exploit is embedded to HTML web pages. It attempts to download and install a malicious program on your computer by using a security vulnerability in Internet Explorer. More information about this security vulnerability, including a fix, is available from Microsoft: http://www.microsoft.com/technet/sec.../MS04-025.mspx ================================================== === __________________ ICQ: 643 339 687

09-28-2006, 10:18 PM	#44
pornpf69 Too lazy to set a custom title Join Date: Jun 2004 Location: Brasil Posts: 15,778	do you have any counter on your page? __________________ Do you need cheap, fast and reliable porn website hosting? Host Head is the way to go!! Asian Gay Special \| Live on MSN - Live Webcam Chat \| Live Adult Webcam Performances \| MY SWEET BLACKS LIVE ON CAM Cash X \| OK Pay \| Pukka Ropes \| Pukka Fetish \| STRAPED BLOG \| Male Bound and Fucked Pukka Tranny \| Tattooed Shemales \| She's A He \| Menu Porno \| Porn Performances \| All Chubby MY ICQ# 169833797

09-28-2006, 10:38 PM	#48
MarkMan Confirmed User Join Date: Feb 2005 Location: Money Land Posts: 1,370	well , a good idea is to have a new password setup .. huge one .. about 12+ with numbers and Letters + have your host put in a firewall for you.. so only your ip can ssh or ftp to your server and if this dosn't work .. have someone check all your scripts also .. have your own system at home or the office checkes for spyware.. just incase good luck