  1. #1

    My host won't fix their Trojan

    The server hosting shii.org is hacked with a certain Trojan which is inserting malicious Javascript.

    See these threads:
    http://www.webhostingtalk.com/showthread.php?t=387710
    http://www.programmingtalk.com/showthread.php?t=18289

    --

    Hi,

    We are working on your issue and you will be updated shortly regarding this issue.

    --

    Hi,

    We are able to access the domain without any problem in most browsers like IE, Firefox, Mozilla and Opera. I am not getting any virus threat on the page. Further, I have run a trojan and virus scanner on the server and it detected no trojans. Do check and update the status.

    --

    > We are able to access the domain without any problem in most browsers like IE, Firefox, Mozilla and Opera. I am not getting any virus threat on the page. Further, I have run a trojan and virus scanner on the server and it detected no trojans. Do check and update the status.

    The Trojan does not appear every time you visit the site; it inserts
    itself after the tag at random times, maybe 10% of total hits.
    I don't see it most of the time, but once or twice. Other people have
    seen it on my website, too:
    http://forums.animesuki.com/showthread.php?t=26409&page=31

    According to the webhostingtalk thread, the hack is performed by a
    file called "flame.php" or "img.php", which runs an OpenSSL exploit.
    The webhost itself need not be hacked-- just one of its users with a
    weak FTP password. The attacker then runs
    "http://weakly-passworded-website/flame.php" which executes the
    exploit. Some of the admins in the thread tried things like rebooting,
    disabling dl() in PHP, or disabling the execution of .so files.

    --

    Hi,

    We are working on your issue. We are monitoring the server for the trojan and you will be updated shortly regarding this issue.

    --

    Sorry to interrupt, but it's been over a day now...

    --


    Hi,

    We are investigating this issue; regarding this you will be updated shortly.

    --

    Hi,

    Now we are able to access the domain without any problem. So, please do check and get back to us for any further assistance on this issue.

    --



    I have tried accessing the front page of my website through several
    different proxies. Some of them are still showing the trojan (i.e.,
    there is still a script calling "wxpel.js" or similar, which I didn't
    put there). Please look into this, my website is small but I do not
    like the idea of visitors getting hacked or getting virus warnings. If
    this is the same variant I described, there ought to be a file named
    "flame.php" or "flame.so" in one of your clients' directories.

    --

    Hi,

    We are investigating this issue; regarding this you will be updated shortly.

    Cliffsnotes summary: My tech support is basically useless, and my poor visitors are getting Trojaned.

    Does anyone have suggestions to deal with this, or is it time for me to abandon them and start moving over all my files and databases?

  2. #2
    Abandon them and make backups, then move hosts. There is nothing you can do, as they are the only ones that can really stop this.
    || ServaxNet (AS46974)
    || Server Management and Managed Hosting Experts Since 2004

  3. #3
    Tell your host to set:

    enable_dl = On
    to
    enable_dl = Off

    in the php.ini. There's not really any reason to permit that... if you need ioncube or sourceguardian.. just add them globally to the php.ini as well. That should put a stop to the flame.so/flame.php deal...
    ** ByteFortress Technologies ** - Instant Setup Remote Backup Solutions
    ===== Encrypted Remote Backup Solutions with Instant Setup =====
    ** TheByteShack.com - Shared Hosting ** - 'Gimmick-less' High Performance Webhosting Solutions.

  4. #4
    You can just create a phpinfo page and check whether dl is turned on or off. If it is turned on, ask them to turn it off as Aaron has explained.

  5. #5
    The host should know that anyway.

    But yes, tell them to do the above =)
    Thanks,
    NS-Hosting
    http://www.ns-hosting.co.uk

  6. #6
    Find a new host. It doesn't matter if they correct the issue at this point; with responses like that you could definitely find a better host that cares about their clients.
    Webmaster Forum • webmastertalk.net • Webmaster Community Forum
    Website Tools • domainfocus.com • Webmaster Tools | IP Lookup | Domain Whois | PageRank Checker | HTTP Header Info | Link Analysis | Favicon Generator

  7. #7
    What the heck is that? I'd look into a new host since the one you have doesn't seem to prioritize security...

  8. #8
    Indeed, this is unfortunate that they won't take responsibility and fix the problem.

  9. #9
    As others have said, it is a good time to start looking for a new host; this host is being pretty unresponsive, which is not a good quality in a webhost.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  10. #10
    Quote Originally Posted by ByteFortressAaron
    Tell your host to set:

    enable_dl = On
    to
    enable_dl = Off

    in the php.ini. There's not really any reason to permit that....
    There are plenty of uses for all of the php functions, all of them very valid. It's not the function's fault that some designer wrote sloppy code that could be abused easily, that's the designer's fault.

    Personally, if I signed up for a host that had most of what the users "recommend" to be disabled, disabled, I'd leave, after demanding a refund, because this does not provide "hosting", it provides a limited environment in which very little can get done, in return for a false sense of security.

    It's all about the code you use and the security of it, really. Disabling functions isn't an answer or solution; using proper, secured code is.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  11. #11
    They seem to have "fixed" the problem (by rebooting the server, I assume, although they won't tell me what they did), but I will switch to DreamHost as soon as I can justify the $7/month. Thanks for backing me up here.

    By the way, the name of this crappy host is WoolNet.

  12. #12
    Wow, it sounds like listening to a broken record, reading their responses. It is also disappointing that they seem to not be "investigating" this issue when they say they are.
    Andrew Kuriger
    I.T. Specific LLC. !!NOW OFFERING VPS ON ALL SERVERS!!
    BurstNET™ Discount Reseller!
    www.ITSpecific.com

  13. #13
    Quote Originally Posted by Shii
    They seem to have "fixed" the problem (by rebooting the server, I assume, although they won't tell me what they did), but I will switch to DreamHost as soon as I can justify the $7/month. Thanks for backing me up here.

    By the way, the name of this crappy host is WoolNet.
    There are so many better hosts out there who actually deliver what they advertise on their website. I'd be running away very fast from DreamHost. Just my opinion.

  14. #14
    ----edited by self----
    humor got away from me again...apologies.
    Dave

  15. #15
    Pertinent update: I cancelled my hosting with WoolNet and switched to Dreamhost around the time this thread was posted, back in May. It is now December 24 and WoolNet has just now gotten back to me to let me know that they successfully cancelled my hosting. Luckily, I was on the cheapass plan so I wasn't bilked for too much, but this would probably be hell on anyone else who tries to cancel.

    Warning to everyone: AVOID WOOLNET.

  16. #16
    The cancellation was resolved outside of WHMAutopilot long before you received the e-mail. The e-mail you have gotten is from WHMAutopilot, when we clicked 'process' to remove your account from WHMAutopilot (our billing system).

  17. #17
    Quote Originally Posted by linux-tech
    There are plenty of uses for all of the php functions, all of them very valid. It's not the function's fault that some designer wrote sloppy code that could be abused easily, that's the designer's fault.

    Personally, if I signed up for a host that had most of what the users "recommend" to be disabled, disabled, I'd leave, after demanding a refund, because this does not provide "hosting", it provides a limited environment in which very little can get done, in return for a false sense of security.

    It's all about the code you use and the security of it, really. Disabling functions isn't an answer or solution; using proper, secured code is.
    While I appreciate the sentiments of your rant, you are aware of what the flame.so/flame.php 'exploit' is, aren't you? You are aware that it does not (other than perhaps how it is uploaded to the machine...in our case though, it was uploaded via ftp.) exploit any code written by anyone? It merely exploits the fact that the dl() function is enabled.

    I'm not saying that the user in question is actually experiencing the flame.so/flame.php 'exploit' or any of its derivatives, but if he/she is, the only solution is to disable dl(). That may be an inconvenience, but it is not an insurmountable one.

    We were lucky enough to be 0day on the wonderful flame.so thing back in early 2005. For that reason and for the forehead skin that was left on my desk from banging my head on it during the problem, I do take a personal interest in it.

  18. #18
    Quote Originally Posted by macdonaldp View Post
    There are so many better hosts out there who actually deliver what they advertise on their website. I'd be running away very fast from DreamHost. Just my opinion.
    hi
    we have had a problem with trojans on our websites, at dreamhost, who claim that their policy will not allow them to deal with it. they have suggested that we reinstall all our wordpress sites, and our main site of 2500 dynamic pages.
    surely it is easier for a host to scan their servers, find the problem and deal with it, than for us to manually look at every file?
    is it best practice for hosts to deal with trojans, or to insist that clients sort it themselves?

    we are very unhappy with dreamhost's response to this. any suggestions of better (and perhaps renewably powered) hosts?

    thanks

  19. #19
    Quote Originally Posted by abelhas View Post
    hi
    we have had a problem with trojans on our websites, at dreamhost, who claim that their policy will not allow them to deal with it. they have suggested that we reinstall all our wordpress sites, and our main site of 2500 dynamic pages.
    surely it is easier for a host to scan their servers, find the problem and deal with it, than for us to manually look at every file?
    is it best practice for hosts to deal with trojans, or to insist that clients sort it themselves?

    we are very unhappy with dreamhost's response to this. any suggestions of better (and perhaps renewably powered) hosts?

    thanks


    I can understand the host's stance of 'hands off'. In this case, you could download all your site files and run a scan on those locally. You wouldn't have to go through each file individually, and it'll report which files are infected, and where they are. You could then take care of them on the server.

    On the other hand, I'm surprised DreamHost wouldn't be proactive in eliminating any viral threat. That doesn't make sense to me. I mean, you pay for their company to exist. If they treat you (and everyone else) poorly and you go somewhere else, they won't have a company for very long.

    Durak.
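    The "download the files and scan them locally" approach from #19, applied to the kind of injection described in #1 (a script tag calling "wxpel.js" that the site owner never put there), as an added example that is not from any poster in this thread. It assumes the site's own hostnames (shii.org, www.shii.org) as an allowlist of legitimate script origins and runs over a constructed sample tree; attacker.invalid is a placeholder host, not an indicator from the thread.

    ```python
    import os
    import re
    import tempfile
    from urllib.parse import urlparse

    # Matches <script ... src=...> in HTML or PHP templates, any quoting, any case.
    SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


    def foreign_script_sources(text, allowed_hosts):
        """Return [(line_no, src)] for script tags loaded from hosts outside allowed_hosts.

        A src with no host (a relative path such as /js/app.js) is taken to be the
        site's own, so only externally hosted injections are caught here.
        """
        allowed = {h.lower() for h in allowed_hosts}
        hits = []
        for line_no, line in enumerate(text.splitlines(), 1):
            for src in SCRIPT_SRC.findall(line):
                host = urlparse(src).netloc.lower()
                if host and host not in allowed:
                    hits.append((line_no, src))
        return hits


    def scan_tree(root, allowed_hosts, exts=(".html", ".htm", ".php", ".tpl")):
        """Walk a downloaded copy of the site; return {relative_path: hits} for flagged files."""
        report = {}
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(exts):
                    continue
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = foreign_script_sources(fh.read(), allowed_hosts)
                if hits:
                    report[os.path.relpath(path, root)] = hits
        return report


    def demo():
        """Constructed sample tree (not real site data): a clean page and one with a script appended after </body>."""
        clean = '<html><body><script src="/js/app.js"></script></body></html>\n'
        bad = clean.replace("</html>", '<script src="//attacker.invalid/wxpel.js"></script></html>')
        with tempfile.TemporaryDirectory() as root:
            os.makedirs(os.path.join(root, "blog"))
            for rel, text in (("index.html", clean), ("blog/index.php", bad), ("logo.png", "skip")):
                with open(os.path.join(root, *rel.split("/")), "w") as fh:
                    fh.write(text)
            return scan_tree(root, {"shii.org", "www.shii.org"})
    ```

    Because the scan runs on a downloaded copy, nothing on the server is touched until the flagged files have been reviewed; a script tag that points at a relative path needs a diff against a known-clean backup instead.
    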
