> Exabytes server got compromised or?, webmaster or tech expert pls come in

xDragonZ
post Jul 19 2012, 06:54 PM, updated 9y ago

On my way
****
Senior Member
535 posts

Joined: Jul 2008
From: Just behide you !

These few days I saw my website requesting me to run Java or download a PDF file. It's a drive-by download: when you visit a site your computer will get infected (if you didn't update your computer software, e.g. Java/Adobe).

**Let's cut short the story...**

After some investigation I noticed that the site is infected with "RedKit exploit kit / BlackHole Exploit Kit".

So what I did is get all the domains hosted under the "sphinx" server and do some checks, and even other sites hosted under "sphinx" were infected.

Also I asked my host to remove all my public_html files and I uploaded a simple index.php, and the webpage is still infected. (And I checked: the source code on the server is 100% untouched and it's clean.) But it is reported to contain another iframe. (I also tried loading the page on another computer; it contains a hidden iframe that you need to use tools like "Inspect Element" in Google Chrome to find.)

http://www.webpagetest.org/result/120719_YY_CEZ/1/details/

More information about this malware and a list of other sites:
http://forum.lowyat.net/topic/2434138
I assume more than 100+ sites on this IP are infected.



So did the hackers upload the exploit to my files, or do you guys have any idea about this problem?

NOTE: I DID NOT SAY Exabytes got hacked or whatever. I just can't figure out why some other sites hosted under the same IP got infected as well, and my sites too!

This post has been edited by xDragonZ: Jul 20 2012, 06:45 PM
fridel
post Jul 19 2012, 06:55 PM

kuran ka? ok e oi?
******
Senior Member
1,656 posts

Joined: Nov 2010
From: the tip of borneo
Promoting your site?
xDragonZ
post Jul 19 2012, 06:57 PM

On my way
****
Senior Member
535 posts

Joined: Jul 2008
From: Just behide you !

QUOTE(fridel @ Jul 19 2012, 06:55 PM)
Promoting your site?
*
Do you think I am trying to do that!?

Just refer to http://forum.lowyat.net/topic/2434138 . I opened a topic here because I can't really figure out what the problem is, and at /k more experts are lurking here.
roimekoi
post Jul 19 2012, 07:17 PM

Casual
***
Junior Member
337 posts

Joined: Jul 2007
Got any extra processes running?
gs20
post Jul 19 2012, 07:23 PM

Regular
******
Senior Member
1,683 posts

Joined: Jan 2003
No, I don't get it from what you posted.

One of my client's sites was previously infected with malware as well (as reported by Google Chrome when you try to access the site).

I found out that code was padded at the end of the index file as well as all .js files. I replaced those files, and the malware kept coming back after a while.

I then changed the FTP password and updated those files again. The malware no longer came back.

So I conclude it's an FTP password leak.
akmalhisyam
post Jul 19 2012, 07:27 PM

New Member
*
Junior Member
8 posts

Joined: Dec 2009


Probably jumping..
One of the websites on that server got hacked, and then the attacker 'jumped' to attack other websites on that server..

Indon hackers always do this =_="
edwardstevens
post Jul 19 2012, 07:31 PM

Casual
***
Junior Member
366 posts

Joined: Nov 2007
From: Sin City
DNS poisoning?
wodenus
post Jul 19 2012, 07:37 PM

Tree Octopus
********
All Stars
14,990 posts

Joined: Jan 2003
QUOTE(gs20 @ Jul 19 2012, 07:23 PM)
No, I don't get it from what you posted.

One of my client's sites was previously infected with malware as well (as reported by Google Chrome when you try to access the site).

I found out that code was padded at the end of the index file as well as all .js files. I replaced those files, and the malware kept coming back after a while.

I then changed the FTP password and updated those files again. The malware no longer came back.

So I conclude it's an FTP password leak.
*
I found out how too.. there are some trojaned FTP clients out there. FTP passwords are sent in cleartext; if your PC is compromised it's easy to pick out the password, especially since FTP is not a protocol used for anything else.

If you've ever sat in a wi-fi enabled cafe snooping on traffic, you can easily see how someone can get the FTP password that way.

This post has been edited by wodenus: Jul 19 2012, 07:37 PM
bunnyexpert
post Jul 19 2012, 07:43 PM

Getting Started
**
Junior Member
70 posts

Joined: Jun 2011


Check the log files...

This post has been edited by bunnyexpert: Jul 19 2012, 07:44 PM
xDragonZ
post Jul 19 2012, 07:44 PM

On my way
****
Senior Member
535 posts

Joined: Jul 2008
From: Just behide you !

I also noticed that some sites like jefferson.com.my and thundermatch.com.my also have the malware on their sites.

The malware will show up randomly.


http://jsunpack.jeek.org/?report=edffe0129...5a83da4680332b1

http://www.webpagetest.org/result/120719_RX_D4H/1/details/
matiko95
post Jul 19 2012, 07:47 PM

Enthusiast
*****
Senior Member
895 posts

Joined: Dec 2006
Browser hijacker, I think it hijacked your FTP password since it's broadcast in plain text..

And that exploit is like a sniffing hole to open backdoor communication to a spyware monitoring program... trace the virus, trace the programmer..
wodenus
post Jul 19 2012, 07:58 PM

Tree Octopus
********
All Stars
14,990 posts

Joined: Jan 2003
QUOTE(matiko95 @ Jul 19 2012, 07:47 PM)
Browser hijacker, I think it hijacked your FTP password since it's broadcast in plain text..

And that exploit is like a sniffing hole to open backdoor communication to a spyware monitoring program... trace the virus, trace the programmer..
*
If you use a trojaned FTP client it will likely send the password directly to the hacker lol

gs20
post Jul 19 2012, 08:02 PM

Regular
******
Senior Member
1,683 posts

Joined: Jan 2003
I don't think it's a trojaned FTP client but more like a trojan that reads saved passwords from the popular FTP clients.
xDragonZ
post Jul 19 2012, 08:09 PM

On my way
****
Senior Member
535 posts

Joined: Jul 2008
From: Just behide you !

QUOTE(gs20 @ Jul 19 2012, 08:02 PM)
I don't think it's a trojaned FTP client but more like a trojan that reads saved passwords from the popular FTP clients.
*
I'm using FileZilla. I don't think the FTP account got hacked. I changed my password yesterday and did a full virus scan on my computer too.


http://thehackernews.com/2012/05/redkit-ex...eb-malware.html

This post has been edited by xDragonZ: Jul 19 2012, 08:29 PM
wodenus
post Jul 19 2012, 08:34 PM

Tree Octopus
********
All Stars
14,990 posts

Joined: Jan 2003
QUOTE(gs20 @ Jul 19 2012, 08:02 PM)
I don't think it's a trojaned FTP client but more like a trojan that reads saved passwords from the popular FTP clients.
*
That's possible too. The solution would be to never save your password.

VinluV
post Jul 19 2012, 08:37 PM

Clop Clop
******
Senior Member
1,889 posts

Joined: Nov 2005
I can say they got compromised before. BIG TIME.
So best clean your images and back up your stuff.

PM me to converse. I don't want to blow shit up in public.
xDragonZ
post Jul 20 2012, 05:55 PM

On my way
****
Senior Member
535 posts

Joined: Jul 2008
From: Just behide you !

Update:

Please DON'T purchase from them. Very bad service. Ticket replies are too slow; it takes hours for them to reply to my ticket.

I requested an account recreation on the same hosting; they keep ignoring me and keep saying that the site is clean.

But when I check and load my site it is still infected, even when I did an online check to verify again.

I can prove that all the sites hosted on the same server as me are infected.

Anyone who wants FTP access to my account to verify this, please PM me.
I just put a simple index.php in my FTP and it contains nothing else already; it still contains a hidden iframe when you load the site.

This post has been edited by xDragonZ: Jul 20 2012, 05:57 PM
edwardstevens
post Jul 20 2012, 06:01 PM

Casual
***
Junior Member
366 posts

Joined: Nov 2007
From: Sin City
I think DNS poisoning la brader.

Crackers hijack the DNS server and embed some lines when people load up the site.

If you want to play safe, change to a 3rd party DNS server like cloudflare.com.

That one is free.
xDragonZ
post Jul 20 2012, 06:10 PM

On my way
****
Senior Member
535 posts

Joined: Jul 2008
From: Just behide you !

QUOTE(edwardstevens @ Jul 20 2012, 06:01 PM)
I think DNS poisoning la brader.

Crackers hijack the DNS server and embed some lines when people load up the site.

If you want to play safe, change to a 3rd party DNS server like cloudflare.com.

That one is free.
*
I am a CloudFlare user; before this I contacted CloudFlare about this issue.

Even using CloudFlare the malware still exists. That's why now I'm using my host's DNS, to explain and tell them about this, and they keep saying that the site is clean.

Here's the latest result, scanned a few mins ago:

http://www.webpagetest.org/result/120720_J4_BH5/1/details/

http://wepawet.iseclab.org/view.php?hash=3...2778010&type=js



Also the malware doesn't show up many times to the same user, and it shows to users that are mostly from Europe. But sometimes when I load the site it will still contain the malware.

I assume more than 100+ websites are infected on their server.

This post has been edited by xDragonZ: Jul 20 2012, 06:11 PM
edwardstevens
post Jul 20 2012, 06:13 PM

Casual
***
Junior Member
366 posts

Joined: Nov 2007
From: Sin City
Is that a Windows or Linux server?

Because I've experienced this before on a Windows server.

I was running IIS with the PHP addon and some lines meant for ASP scripts appeared in my PHP script.
Mech Warrior 6
post Jul 20 2012, 06:25 PM

Casual
***
Junior Member
343 posts

Joined: May 2012
no doubt..it is malaria...
xDragonZ
post Jul 20 2012, 06:29 PM

On my way
****
Senior Member
535 posts

Joined: Jul 2008
From: Just behide you !

QUOTE(edwardstevens @ Jul 20 2012, 06:13 PM)
Is that a Windows or Linux server?

Because I've experienced this before on a Windows server.

I was running IIS with the PHP addon and some lines meant for ASP scripts appeared in my PHP script.
*
It's Linux.

Here's another company's website (not under my account but hosted on the same IP): thundermatch.com.my

http://www.webpagetest.org/result/120720_3Q_C3Q/1/details/
The malware link is: http://kunsjiendevie...ien.eu/57254443.htm

http://wepawet.iseclab.org/view.php?hash=d...2779747&type=js
The malware link is: http://epi3d.fr /53534443.html

http://urlquery.net/report.php?id=97533
The malware link is: http://epi3d.fr /48874443.html

I really can't figure out what the problem/root cause is.

I think I'll just switch to another host.

This post has been edited by xDragonZ: Jul 20 2012, 06:31 PM
ray871106
post Aug 15 2012, 03:11 PM

New Member
*
Newbie
3 posts

Joined: May 2012


Thank you for posting this! I found that many websites have been infected by this; even my HTML homepage is infected too!
Do you know how the RedKit Exploit Kit works?
Is it from the server side or caused by the website developer itself?
xDragonZ
post Aug 16 2012, 12:02 AM

On my way
****
Senior Member
535 posts

Joined: Jul 2008
From: Just behide you !

QUOTE(ray871106 @ Aug 15 2012, 03:11 PM)
Thank you for posting this! I found that many websites have been infected by this; even my HTML homepage is infected too!
Do you know how the RedKit Exploit Kit works?
Is it from the server side or caused by the website developer itself?
*
It's from the server side, where Exabytes' Apache module was infected by malware.

FYI: It seems they have fixed this (I'm not sure whether other servers are still infected or not) after 1 week of submitting support tickets with them, and they kept telling me it's from my script (even when I put an empty HTML page it also got infected).
And I have given up on Exabytes already.

Some more info on that http://www.symantec.com/connect/blogs/exte...serve-malware-0

and http://www.stopthehacker.com/2011/05/23/ap...inject-malware/

This post has been edited by xDragonZ: Aug 16 2012, 12:11 AM
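The symptom described in this thread, a clean index.php on disk that is still served with a hidden iframe, is the signature of injection by the web server (here an Apache module) rather than by the site's own files. The following is an added example, not code from the thread or from any of the scanners linked above: it compares the HTML a server actually returns against the file on disk and flags iframes the file never contained. The sample pages and the `injected.invalid` domain are constructed for the demonstration; in practice `served_html` would be fetched from the public URL (repeatedly, with a fresh session, since the thread notes the iframe is only shown once per visitor) and `on_disk_html` read from the hosting account.

```python
import re
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def extract_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def is_hidden(attrs):
    """Heuristic: 0/1-pixel frames or CSS-hidden frames are typical of injection."""
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    return tiny or bool(HIDDEN_CSS.search(attrs.get("style") or ""))


def audit(on_disk_html, served_html):
    """Return (injected, hidden): iframes served but absent from the on-disk
    file, and the subset of those that are visually hidden."""
    expected = {tuple(sorted(f.items())) for f in extract_iframes(on_disk_html)}
    injected = [f for f in extract_iframes(served_html)
                if tuple(sorted(f.items())) not in expected]
    hidden = [f for f in injected if is_hidden(f)]
    return injected, hidden


# Constructed sample: the file as uploaded (one legitimate embed) ...
CLEAN_PAGE = ('<html><body><h1>Hello</h1>'
              '<iframe src="https://example.com/embed" width="300"></iframe>'
              '</body></html>')
# ... and the same page as served, with a 1x1 hidden frame appended by the server.
SERVED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://injected.invalid/57254443.htm" width="1" height="1" '
    'style="visibility:hidden"></iframe></body>')

if __name__ == "__main__":
    injected, hidden = audit(CLEAN_PAGE, SERVED_PAGE)
    for frame in injected:
        print("injected iframe:", frame.get("src"), "(hidden)" if frame in hidden else "")
```

Because the file on disk stays clean, an injected frame found this way is evidence to hand to the host; removing and re-uploading the site, as the thread shows, will not clear it.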
ray871106
post Aug 16 2012, 12:24 AM

New Member
*
Newbie
3 posts

Joined: May 2012


QUOTE(xDragonZ @ Aug 16 2012, 01:02 AM)
It's from the server side, where Exabytes' Apache module was infected by malware.

FYI: It seems they have fixed this (I'm not sure whether other servers are still infected or not) after 1 week of submitting support tickets with them, and they kept telling me it's from my script (even when I put an empty HTML page it also got infected).
And I have given up on Exabytes already.

Some more info on that http://www.symantec.com/connect/blogs/exte...serve-malware-0

and http://www.stopthehacker.com/2011/05/23/ap...inject-malware/
*
Thank you for your information!

No wonder my website was infected too.
I submitted the ticket and they said it was caused by my script. Then they asked me to request a review from Google Webmaster once I have cleaned it.
I restored clean code three times and the website was still infected, even with just a temporary small HTML page.

I got a reply from an unmaskparasites expert who wrote about the malware that infected my website.
http://blog.unmaskparasites.com/2012/08/13...ame-injections/
It seemed to work on a server level.

They should admit that the server was infected!
Haiz, wasted my time monitoring the website the whole day.
Hopefully they can fix it quickly next time!
