
Exabytes server got compromised or?, webmasters or tech experts pls come in

xDragonZ
post Jul 19 2012, 06:54 PM, updated 9y ago

On my way
****
Senior Member
539 posts

Joined: Jul 2008
From: Just behide you !

These few days I saw my website requesting me to run Java or download a PDF file. It's a drive-by download: when you visit a site your computer will get infected (if you didn't update your computer software, e.g. Java/Adobe).

**Let's cut short the story...**

After some investigation I noticed that the site is infected with "RedKit exploit kit / BlackHole Exploit Kit".

So what I did is get all the domains that are hosted under the "sphinx" server and did some checks, and even other sites hosted under "sphinx" were infected.

Also I asked my host to remove all my public_html files and I uploaded a simple index.php, and the webpage is still infected (and I checked that the source code on the server is 100% untouched and clean), but it is reported to contain another iframe. (I also tried loading the page on another computer; it contains a hidden iframe that you need tools like "Inspect Element" in Google Chrome to find.)

http://www.webpagetest.org/result/120719_YY_CEZ/1/details/

More Information about this malware and list of others site:
http://forum.lowyat.net/topic/2434138
I assume more than 100 sites on this IP are infected.



So did the hackers upload the exploit to my files, or do you guys have any idea about this problem?

NOTE: I DID NOT SAY Exabytes got hacked or anything. I just can't figure out why some other sites hosted under the same IP got infected as well, and my sites too!

This post has been edited by xDragonZ: Jul 20 2012, 06:45 PM
xDragonZ
post Jul 19 2012, 06:57 PM

QUOTE(fridel @ Jul 19 2012, 06:55 PM)
Promoting ur site?
*
Do you think I am trying to do that!?

Just refer to http://forum.lowyat.net/topic/2434138 , I opened a topic here because I can't really figure out what the problem is, and at /k more experts are lurking.
xDragonZ
post Jul 19 2012, 07:44 PM

I also noticed that some sites like jefferson.com.my and thundermatch.com.my also have the malware on their site.

The malware will show up randomly.


http://jsunpack.jeek.org/?report=edffe0129...5a83da4680332b1

http://www.webpagetest.org/result/120719_RX_D4H/1/details/
xDragonZ
post Jul 19 2012, 08:09 PM

QUOTE(gs20 @ Jul 19 2012, 08:02 PM)
I don't think it's a trojaned FTP client but more like a trojan that reads saved passwords from the popular FTP clients.
*
I'm using FileZilla. I don't think the FTP account got hacked. I changed my password yesterday and did a full scan for viruses on my computer too.


http://thehackernews.com/2012/05/redkit-ex...eb-malware.html

This post has been edited by xDragonZ: Jul 19 2012, 08:29 PM
xDragonZ
post Jul 20 2012, 05:55 PM

Update:

Please DON'T purchase from them. Very bad service. Ticket replies are too slow; it takes hours for them to reply to my ticket.

I requested an account recreation on the same hosting; they keep ignoring me and keep saying that the site is clean.

But when I check and load my site, it is still infected, even when I did an online check to verify again.

I can prove that all the sites hosted under the same server as me are infected.

Anyone who wants FTP access to my account to verify this, please PM me.
I just put a simple index.php in my FTP, containing nothing else already, and the site still contains a hidden iframe when you load it.

This post has been edited by xDragonZ: Jul 20 2012, 05:57 PM
xDragonZ
post Jul 20 2012, 06:10 PM

QUOTE(edwardstevens @ Jul 20 2012, 06:01 PM)
I think it's DNS poisoning la, brader.

Crackers hijack the DNS server and embed some lines when people load up the site.

If you want to play safe, change to a 3rd-party DNS server like cloudflare.com.

That one is free.
*
I am a CloudFlare user; before that I had contacted CloudFlare about this issue.

Even using CloudFlare the malware still exists; that's why I'm now using my host's DNS, to tell them about this, and they keep saying that the site is clean.

Here's the latest result scanned few mins ago:

http://www.webpagetest.org/result/120720_J4_BH5/1/details/

http://wepawet.iseclab.org/view.php?hash=3...2778010&type=js

Also the malware doesn't show up many times to the same user, and it shows to users mostly from Europe. But sometimes when I load the site it will still contain the malware.

I assume more than 100 websites are infected on their server.

This post has been edited by xDragonZ: Jul 20 2012, 06:11 PM
xDragonZ
post Jul 20 2012, 06:29 PM

QUOTE(edwardstevens @ Jul 20 2012, 06:13 PM)
Is that a Windows or Linux server?

Because I've experienced this before on a Windows server.

I'm running IIS with the PHP add-on and some lines meant for an ASP script appeared in my PHP script.
*
It's Linux.

Here's another company's website (not under my account but hosted on the same IP): thundermatch.com.my

http://www.webpagetest.org/result/120720_3Q_C3Q/1/details/
The malware link is: http://kunsjiendevie...ien.eu/57254443.htm

http://wepawet.iseclab.org/view.php?hash=d...2779747&type=js
The malware link is: http://epi3d.fr /53534443.html

http://urlquery.net/report.php?id=97533
The malware link is: http://epi3d.fr /48874443.html

I really can't figure out what the problem/root cause is.

I think I'll just switch to another host.

This post has been edited by xDragonZ: Jul 20 2012, 06:31 PM
xDragonZ
post Aug 16 2012, 12:02 AM

QUOTE(ray871106 @ Aug 15 2012, 03:11 PM)
Thank you for posting this! I found that many websites have been infected by this; even my HTML homepage is infected too!
Do you know how RedKit Exploit kit works?
Is it from the server side or caused by the website developer itself?
*
It's from the server side, where Exabytes' Apache module was infected by malware.

FYI: It seems they have fixed this (I'm not sure whether other servers are still infected or not) after 1 week of submitting support tickets with them, while they kept telling me it's from my script (even when I put an empty HTML page it was also infected).
And I've given up on Exabytes already.

Some more info on that http://www.symantec.com/connect/blogs/exte...serve-malware-0

and http://www.stopthehacker.com/2011/05/23/ap...inject-malware/

This post has been edited by xDragonZ: Aug 16 2012, 12:11 AM
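The test xDragonZ ran, uploading a known-clean index.php and finding that the served page still carried a hidden iframe, is the simplest way to tell a compromised web server layer (an infected Apache module, as the last post concludes) from a compromised account: the file on disk and the response the server delivers should be byte-for-byte identical. The script below, an added example that is not code from this thread or from any of the hosts or scanners mentioned, automates that comparison. The on-disk and served HTML are constructed samples embedded inline, the iframe URL `http://malware.example/12344443.html` is a placeholder rather than a real indicator, and `fetch_served` is a plain urllib helper assumed to be the way a webmaster would pull the live copy.

```python
"""Detect server-side HTML injection by diffing the file on disk against
what the web server actually returns, then flagging hidden iframes that
exist only in the served copy.  Added example; samples are constructed."""
import difflib
import re
import urllib.request
from html.parser import HTMLParser

# Constructed sample: the clean file the webmaster uploaded.
ON_DISK_HTML = """<html><head><title>Hello</title></head>
<body><p>Site under maintenance.</p></body></html>
"""

# Constructed sample: what a visitor received.  The appended iframe mimics
# the visually hidden injection described in the thread; the URL is a
# placeholder, not a real indicator of compromise.
SERVED_HTML = ON_DISK_HTML + (
    '<iframe src="http://malware.example/12344443.html" '
    'style="visibility:hidden;position:absolute" width="1" height="1"></iframe>\n'
)

# CSS fragments that commonly make an injected frame invisible to the visitor.
HIDDEN_MARKERS = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|height\s*:\s*0|width\s*:\s*0", re.I
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def extract_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def is_hidden(attrs):
    """True when the iframe is styled invisible or sized to a pixel or less."""
    style = attrs.get("style") or ""
    if HIDDEN_MARKERS.search(style):
        return True
    try:
        width = int(attrs.get("width") or 100)
        height = int(attrs.get("height") or 100)
    except ValueError:
        return False  # percentage or garbage sizes: not obviously hidden
    return width <= 1 or height <= 1


def injected_iframes(on_disk, served):
    """Iframes present in the served page but absent from the file on disk."""
    known = {(f.get("src"), f.get("style")) for f in extract_iframes(on_disk)}
    return [f for f in extract_iframes(served)
            if (f.get("src"), f.get("style")) not in known]


def added_lines(on_disk, served):
    """Lines the server added relative to the on-disk file ('+' diff lines)."""
    diff = difflib.unified_diff(on_disk.splitlines(), served.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def classify(on_disk, served):
    """'clean' if identical, 'injected-hidden-iframe' if a hidden iframe was
    added, otherwise 'modified' (something else changed in transit)."""
    if on_disk == served:
        return "clean"
    if any(is_hidden(f) for f in injected_iframes(on_disk, served)):
        return "injected-hidden-iframe"
    return "modified"


def fetch_served(url, user_agent="Mozilla/5.0", timeout=15):
    """Fetch the live copy.  Assumed helper: the kit in the thread served the
    payload once per visitor, so run this from a client that has not visited
    the site recently and vary the User-Agent between attempts."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("verdict:", classify(ON_DISK_HTML, SERVED_HTML))
    for frame in injected_iframes(ON_DISK_HTML, SERVED_HTML):
        print("injected iframe ->", frame.get("src"))
    for line in added_lines(ON_DISK_HTML, SERVED_HTML):
        print("added line ->", line)
```

A "modified" or "injected-hidden-iframe" verdict against a file you know is clean on disk points at the web server, a module, or something in front of it rather than at your account, which is exactly the evidence needed when a host insists "the site is clean" after reading the file over FTP.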
