This few days I saw my website requesting me to run Java or download a PDF file. Its a drive by download, when you visit a site you computer will get infected (If you did't update your computer software eg:Java/Adobe).

**Let's cut short the story...**

After some investigation I notice that the site is infected with "RedKit exploit kit / BlackHole Exploit Kit"

So what I did is get all the domain that hosted under "sphinx" server and did some check and even others site that hosted under "sphinx" was infected.

Also I asked my host to remove all my public_html files and I upload a simple index.php and the webpage is still infected. (and I checked the source code on the server is 100% untouched and its clean) but it is reported it contain another iframe. (I also try load the page on another computer, it contain hidden iframe that you need to use the tools like "Inspect Element" in Google Chrome to find that.)

http://www.webpagetest.org/result/120719_YY_CEZ/1/details/

More Information about this malware and list of others site:
http://forum.lowyat.net/topic/2434138
I assume more than 100+ sites on this IP is infected.




So is the hackers upload the exploit to my files or do you guys have any idea for this problem?

NOTE: I DID NOT SAY Exabytes got hacked or what. I just cant figure out why some others site that hosted under the same IP got infected as well, and my sites too!

This post has been edited by xDragonZ: Jul 20 2012, 06:45 PM

Promoting ur site?

Do you think I am trying to do that!?

Just refer to http://forum.lowyat.net/topic/2434138 , I open a topic at here because I cant really figure out what is the problem and at /k more expert lurking at here.

got extra process running?

No I don't get it from what you posted.

One of my client site previously was infected with malware as well (as reported by Google Chrome when you try to access the site).

I found out a code was padded at the end of the index file as well as all .js file. I replaced those files & the malware keep coming back after awhile.

I then change the ftp password & update those files again. The malware no longer come back.

So I conclude it's a FTP password leak.

probably jumping..
one of the website on that server got hacked, and then the attacker 'jump' to attack another website on that server..

indon hackers always do this =_="

dns poisoning?

I found out how too.. there are some trojaned FTP clients out there. FTP passwords are sent in cleartext, if your PC is compromised it's easy to pick out the password, especially since FTP is not a protocol used for anything else.

If you've ever sat in a wi-fi enabled cafe snooping on traffic, you can easily see how someone can get the FTP password that way

This post has been edited by wodenus: Jul 19 2012, 07:37 PM

check log files...

This post has been edited by bunnyexpert: Jul 19 2012, 07:44 PM

I also notice that some site like jefferson.com.my and thundermatch.com.my also have the malware in their site.

The malware will show up randomly.


http://jsunpack.jeek.org/?report=edffe0129...5a83da4680332b1

http://www.webpagetest.org/result/120719_RX_D4H/1/details/

browser hijacker, i think it hijack ur ftp password since it broadcast in plain text..

and that exploit are like sniffing hole to open backdoor communication to spyware monitoring program... trace the virus trace the programmer..

If you use a trojaned FTP client it will likely send the password directly to the hacker lol

I don't think it's a trojaned FTP client but more like a trojan that read saved password from the popular FTP client.

I'm using filezilla. I dont think so FTP account got hacked. Changed my password yesterday and did s full scan for virus on my computer too.


http://thehackernews.com/2012/05/redkit-ex...eb-malware.html

This post has been edited by xDragonZ: Jul 19 2012, 08:29 PM

That's possible too. The solution would be to never save your password

i can say they got compromised before. BIG TIME.
so best clean your images and back up your stuff.

pm me to converse. I don't want to blow shit up in public

Update :

Please DONT purchase from them. Very bad service. Reply tickets too slow and it takes hours for them to reply my ticket.

I request account recreate on the same hosting they keep ignoring me and keep saying that the site is clean.

But when I check and load my site is still infected even I did online check to verify again.

I can prove that all the site hosted under the same server with me is infected.

anyone who wanted to have FTP access to my account to verify this, please PM me.
I just put a simple index.php in my FTP and contain nothing else ready, it still contain hidden iframe when you load the site.

This post has been edited by xDragonZ: Jul 20 2012, 05:57 PM

i think dns poisoning la brader

crackers hijack the dns server and embed some line when people loading up the site

if you want to play safe, change to 3rd party dns server like cloudflare.com

thats one is free

I am CloudFlare user, before that I have contacted CloudFlare about this issue.

Even using CloudFlare the malware still exists that's why now I using my host DNS to explain tell them about this and they keep say that the site is clean.

Here's the latest result scanned few mins ago:

http://www.webpagetest.org/result/120720_J4_BH5/1/details/

http://wepawet.iseclab.org/view.php?hash=3...2778010&type=js



also the malware don't show up many times to a same user, and it show to user that mostly from Europe, But sometime when I load the site it will still contain the malware.

I assume more than 100+ website is infected on their server.

This post has been edited by xDragonZ: Jul 20 2012, 06:11 PM

is that a windows or linux server?

because i've experience this before on windows server

i'm running IIS with PHP addon and some line meant for ASP script appear on my php script

no doubt..it is malaria...

its linux.

Here's another company website (Not under my account but hosted on the same IP) : thundermatch.com.my

http://www.webpagetest.org/result/120720_3Q_C3Q/1/details/
The malware link is : http://kunsjiendevie...ien.eu/57254443.htm'

http://wepawet.iseclab.org/view.php?hash=d...2779747&type=js
The malware link is : http://epi3d.fr /53534443.html

http://urlquery.net/report.php?id=97533
The malware link is : http://epi3d.fr /48874443.html

I really can't figure out what's the problem/root cause.

I think I'll just switch to another host.

This post has been edited by xDragonZ: Jul 20 2012, 06:31 PM

Thank you for posting this! I found that many websites has been infected by this even my html homepage is infected too!
Do you know how RedKit Exploit kit works?
Is it from Server side or caused by the website developer itself?

Its from server side where Exabytes apache module was infected by malware.

FYI : It seems they have fixed this (I not sure about others server is still infected or not) after 1 week of submitting support tickets with them and they keep telling me is from my script (even i put empty html page it also infected) .
and I give up on exabytes ready.

Some more info on that http://www.symantec.com/connect/blogs/exte...serve-malware-0

and http://www.stopthehacker.com/2011/05/23/ap...inject-malware/

This post has been edited by xDragonZ: Aug 16 2012, 12:11 AM

Thank you for your information!

No wonder, my website was infected too.
Submitted the ticket and they said it was caused my script. Then request me to Request a Review from Google Webmaster if I have clean.
I restored clean code three times and the website was still infected, and even just a temporary small HTML page.

I got a reply from an unmaskparasites' expert who wrote about the malware that infected my website.
http://blog.unmaskparasites.com/2012/08/13...ame-injections/
It seemed to work on a server level.

They should admit it that the server was infected!
Haiz, wasted my time to monitor the website whole day.
Hopefully they can fix it quickly next time!