  1. #1

    My host won't fix their Trojan

    The server hosting shii.org is hacked with a certain Trojan which is inserting malicious Javascript.

    See these threads:
    http://www.webhostingtalk.com/showthread.php?t=387710
    http://www.programmingtalk.com/showthread.php?t=18289

    --

    Hi,

    We are working on your issue and you will be updated shortly regarding this issue.

    --

    Hi,

    We are able to access the domain without any problem in most browsers like IE, Firefox, Mozilla and Opera. I am getting any virus threat on the page. Further, I have run trojan and virus scanner in the server and it detected no trojans. Do check and update the status.

    --

    > We are able to access the domain without any problem in most browsers like IE, Firefox, Mozilla and Opera. I am getting any virus threat on the page. Further, I have run trojan and virus scanner in the server and it detected no trojans. Do check and update the status.

    The Trojan does not appear every time you visit the site; it inserts
    itself after the tag at random times, maybe 10% of total hits.
    I don't see it most of the time, but once or twice. Other people have
    seen it on my website, too:
    http://forums.animesuki.com/showthread.php?t=26409&page=31

    According to the webhostingtalk thread, the hack is performed by a
    file called "flame.php" or "img.php", which runs an OpenSSL exploit.
    The webhost itself need not be hacked-- just one of its users with a
    weak FTP password. The attacker then runs
    "http://weakly-passworded-website/flame.php" which executes the
    exploit. Some of the admins in the thread tried things like rebooting,
    disabling dl() in PHP, or disabling the execution of .so files.

    --

    Hi,

    We are working on your issue. We are monitoring the server for trojans and you will be updated shortly regarding this issue.

    --

    Sorry to interrupt, but it's been over a day now...

    --


    Hi,

    We are investigating this issue. Regarding this, you will be updated shortly.

    --

    Hi,

    Now we are able to access the domain without any problem. So, please do check and get back to us for any further assistance on this issue.

    --



    I have tried accessing the front page of my website through several
    different proxies. Some of them are still showing the trojan (i.e.,
    there is still a script calling "wxpel.js" or similar, which I didn't
    put there). Please look into this, my website is small but I do not
    like the idea of visitors getting hacked or getting virus warnings. If
    this is the same variant I described, there ought to be a file named
    "flame.php" or "flame.so" in one of your clients' directories.

    --

    Hi,

    We are investigating this issue. Regarding this, you will be updated shortly.

    Cliffsnotes summary: My tech support is basically useless, and my poor visitors are getting Trojaned.

    Does anyone have suggestions to deal with this, or is it time for me to abandon them and start moving over all my files and databases?
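
The post above describes an injection that shows up on only about 10% of hits, which is why a single page load by support proves nothing. The following is an added example, not part of the original thread: it audits many saved responses of the same page and counts `<script>` sources that are not on an allowlist. The sample HTML, the allowlisted `/js/site.js` and the host `injected.example` are constructed; only the file name `wxpel.js` comes from the post.

```python
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects external script sources and counts inline scripts."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src.strip())
        else:
            self.inline += 1


def audit_samples(samples, allowed_srcs, allowed_inline=0):
    """Report how many responses carry scripts the site owner did not add."""
    unexpected, tainted = {}, 0
    for body in samples:
        parser = ScriptCollector()
        parser.feed(body)
        bad = {s for s in parser.sources if s not in allowed_srcs}
        if parser.inline > allowed_inline:
            bad.add("<inline script>")
        for item in bad:
            unexpected[item] = unexpected.get(item, 0) + 1
        tainted += bool(bad)
    return {"total": len(samples), "tainted": tainted, "unexpected": unexpected}


# Constructed sample data: nine clean responses and one with an injected tag.
CLEAN = ('<html><head><script src="/js/site.js"></script></head>'
         "<body><p>front page</p></body></html>")
INJECTED = CLEAN.replace(
    "<body>", '<body><script src="http://injected.example/wxpel.js"></script>')
SAMPLES = [CLEAN] * 6 + [INJECTED] + [CLEAN] * 3

if __name__ == "__main__":
    report = audit_samples(SAMPLES, allowed_srcs={"/js/site.js"})
    print(f"{report['tainted']}/{report['total']} responses carried unexpected scripts")
    for src, hits in report["unexpected"].items():
        print(f"  {hits}x {src}")
```

In practice the samples would be dozens of fetches of the same URL saved over time and from different networks; a report with the tainted count and the offending source gives the host something concrete to act on.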

  2. #2
    Abandon them and make backups, then move hosts. There is nothing you can do, as they are the only ones that can really stop this.
    || Dennis Liang,
    || ServaxNet LLC

  3. #3
    Tell your host to set:

    enable_dl = On
    to
    enable_dl = Off

    in the php.ini. There's not really any reason to permit that... if you need ioncube or sourceguardian.. just add them globally to the php.ini as well. That should put a stop to the flame.so/flame.php deal...
    ** ByteFortress Technologies ** - Instant Setup Remote Backup Solutions
    ===== Encrypted Remote Backup Solutions with Instant Setup =====
    ** TheByteShack.com - Shared Hosting ** - 'Gimmick-less' High Performance Webhosting Solutions.

  4. #4
    You can just create a phpinfo and check whether dl is turned on or off. If it is turned on, ask them to turn it off as Aaron has explained.

  5. #5
    The host should know that anyway.

    But yes, tell them to do the above =)
    Thanks,
    NS-Hosting
    http://www.ns-hosting.co.uk

  6. #6
    Find a new host. It doesn't matter if they correct the issue at this point, with responses like that you could definitely find a better host that cares about their clients.
    Webmaster Forum • webmastertalk.net • Webmaster Community Forum
    Website Tools • domainfocus.com • Webmaster Tools | IP Lookup | Domain Whois | PageRank Checker | HTTP Header Info | Link Analysis | Favicon Generator

  7. #7
    What the heck is that? I'd look into a new host since the one you have doesn't seem to prioritize security...

  8. #8
    Indeed, this is unfortunate that they won't take responsibility and fix the problem.

  9. #9
    As others have said it is a good time to start looking for a new host, this host is being pretty unresponsive which is not a good quality in a webhost.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  10. #10
    Quote: Originally Posted by ByteFortressAaron

    > Tell your host to set:
    >
    > enable_dl = On
    > to
    > enable_dl = Off
    >
    > in the php.ini. There's not really any reason to permit that....

    There are plenty of uses for all of the php functions, all of them very valid. It's not the function's fault that some designer wrote sloppy code that could be abused easily, that's the designer's fault.

    Personally, if I signed up for a host that had most of what the users "recommend" to be disabled, disabled, I'd leave, after demanding a refund, because this does not provide "hosting", it provides a limited environment in which very little can get done, in return for a false sense of security.

    It's all about the code you use and the security of it, really. Disabling functions isn't an answer or solution, using proper, secured code is.

  11. #11
    They seem to have "fixed" the problem (by rebooting the server, I assume, although they won't tell me what they did), but I will switch to DreamHost as soon as I can justify the $7/month. Thanks for backing me up here.

    By the way, the name of this crappy host is WoolNet.

  12. #12
    Wow, it sounds like listening to a broken record, reading their responses. It is also disappointing that they seem to not be "investigating" this issue when they say they are.
    Andrew Kuriger
    I.T. Specific LLC. !!NOW OFFERING VPS ON ALL SERVERS!!
    BurstNET™ Discount Reseller!
    www.ITSpecific.com

  13. #13
    Quote: Originally Posted by Shii

    > They seem to have "fixed" the problem (by rebooting the server, I assume, although they won't tell me what they did), but I will switch to DreamHost as soon as I can justify the $7/month. Thanks for backing me up here.
    >
    > By the way, the name of this crappy host is WoolNet.

    There are so many better hosts out there who actually deliver what they advertise on their website. I'd be running away very fast from DreamHost. Just my opinion.

  14. #14
    ----edited by self----
    humor got away from me again...apologies.
    -Dave

  15. #15
    Pertinent update: I cancelled my hosting with WoolNet and switched to Dreamhost around the time this thread was posted, back in May. It is now December 24 and WoolNet has just now gotten back to me to let me know that they successfully cancelled my hosting. Luckily, I was on the cheapass plan so I wasn't bilked for too much, but this would probably be hell on anyone else who tries to cancel.

    Warning to everyone: AVOID WOOLNET.
