My host won't fix their Trojan

  #1  
Old
Newbie
 
Join Date: May 2006
Posts: 9

My host won't fix their Trojan


Quote:
The server hosting shii.org is hacked with a certain Trojan which is inserting malicious Javascript.

See these threads:
http://www.webhostingtalk.com/showthread.php?t=387710
http://www.programmingtalk.com/showthread.php?t=18289

--

Hi,

We are working on your issue and you will be updated shortly regarding this issue.

--

Hi,

We are able to access the domain without any problem in most browsers like IE, firefox, mozilla and opera. I am getting any virus threat on the page. Further I have run trojan and virus scanner in the server and it detected no trojans. Do check and update the status.

--

> We are able to access the domain without any problem in most browsers like IE, firefox, mozilla and opera. I am getting any virus threat on the page. Further I have run trojan and virus scanner in the server and it detected no trojans. Do check and update the status.

The Trojan does not appear every time you visit the site; it inserts
itself after the tag at random times, maybe 10% of total hits.
I don't see it most of the time, but once or twice. Other people have
seen it on my website, too:
http://forums.animesuki.com/showthread.php?t=26409&page=31

According to the webhostingtalk thread, the hack is performed by a
file called "flame.php" or "img.php", which runs an OpenSSL exploit.
The webhost itself need not be hacked-- just one of its users with a
weak FTP password. The attacker then runs
"http://weakly-passworded-website/flame.php" which executes the
exploit. Some of the admins in the thread tried things like rebooting,
disabling dl() in PHP, or disabling the execution of .so files.

--

Hi,

We are working on your issue. We are monitoring the server for trojan and you will be updated shortly regarding this issue.

--

Sorry to interrupt, but it's been over a day now...

--


Hi,

We are investigating on this issue, Regarding this you will be updated shortly.

--

Hi,

Now we are able to access the domain without any problem. So, please do check and get back to us for any further assistance on this issue.

--



I have tried accessing the front page of my website through several
different proxies. Some of them are still showing the trojan (i.e.,
there is still a script calling "wxpel.js" or similar, which I didn't
put there). Please look into this, my website is small but I do not
like the idea of visitors getting hacked or getting virus warnings. If
this is the same variant I described, there ought to be a file named
"flame.php" or "flame.so" in one of your clients' directories.

--

Hi,

We are investigating on this issue, Regarding this you will be updated shortly.

Cliffsnotes summary: My tech support is basically useless, and my poor visitors are getting Trojaned.

Does anyone have suggestions to deal with this, or is it time for me to abandon them and start moving over all my files and databases?
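An added example, not part of the original post: the ticket exchange above turns on the host loading the page once and seeing nothing, while the injection shows up on only about 10% of hits. The sketch below compares the script tags in repeated responses against the set the owner published and computes how many fetches a check needs before a clean result means anything. The allow-list, the sample HTML and the `injected.example` host are constructed for illustration; only the `wxpel.js` file name comes from the post.

```python
import math
from collections import Counter
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Record the src of each <script> tag; inline scripts are recorded as '<inline>'."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sources.append(dict(attrs).get("src") or "<inline>")

def script_sources(html):
    collector = ScriptCollector()
    collector.feed(html)
    return collector.sources

def audit_samples(samples, allowed):
    """Return (fraction of responses with an unexpected script, Counter of those scripts)."""
    unexpected, bad = Counter(), 0
    for body in samples:
        extra = [s for s in script_sources(body) if s not in allowed]
        if extra:
            bad += 1
            unexpected.update(extra)
    return (bad / len(samples) if samples else 0.0), unexpected

def fetches_needed(hit_rate, confidence):
    """Fetches required to see the injection at least once with the given probability."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - hit_rate))

# Constructed sample data: what the owner published vs. one tampered response.
ALLOWED = {"/js/site.js"}
CLEAN = '<html><head><script src="/js/site.js"></script></head><body>hi</body></html>'
INFECTED = CLEAN.replace("<body>", '<body><script src="http://injected.example/wxpel.js"></script>')
SAMPLES = [CLEAN] * 9 + [INFECTED]

if __name__ == "__main__":
    rate, found = audit_samples(SAMPLES, ALLOWED)
    print(f"{rate:.0%} of responses carried unexpected scripts: {dict(found)}")
    print("fetches for 95% detection at a 10% hit rate:", fetches_needed(0.10, 0.95))
```

At a 10% hit rate a single page load misses the injection nine times out of ten, which is why one clean view in a browser does not show the server is clean.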



  #2  
Old
Aspiring Evangelist
 
Join Date: Mar 2005
Posts: 399
Abandon them and make backups, then move hosts. There is nothing you can do, as they are the only ones that can really stop this.

__________________
|| Dennis Liang,
|| ServaxNet LLC

  #3  
Old
Junior Guru
 
Join Date: Apr 2006
Location: Dallas, Texas USA
Posts: 192
Tell your host to set:

enable_dl = On
to
enable_dl = Off

in the php.ini. There's not really any reason to permit that... if you need ioncube or sourceguardian.. just add them globally to the php.ini as well. That should put a stop to the flame.so/flame.php deal...

__________________
** ByteFortress Technologies ** - Instant Setup Remote Backup Solutions
===== Encrypted Remote Backup Solutions with Instant Setup =====
** TheByteShack.com - Shared Hosting ** - 'Gimmick-less' High Performance Webhosting Solutions.

  #4  
Old
Web Hosting Master
 
Join Date: Oct 2004
Location: Kerala, India
Posts: 4,740
You can just create a phpinfo and check whether dl is turned on or off. If it is turned on, ask them to turn it off as Aaron has explained.
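An added example, not from any poster in this thread: a host-side check of the `enable_dl` setting discussed in the two posts above, run over the text of a php.ini. It assumes a single php.ini with no per-directory sections or extra scanned .ini files, and a simplified parser that treats every `;` as a comment start; the function names and sample files are constructed for illustration.

```python
TRUE_WORDS = {"1", "on", "yes", "true"}

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # simplified: ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue                             # skip blanks and [section] headers
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def dl_exposure(ini_text):
    """Report whether this php.ini leaves dl() permitted."""
    settings = parse_ini(ini_text)
    # PHP's built-in default for enable_dl is On when the directive is absent.
    enable_dl = settings.get("enable_dl", "1").lower() in TRUE_WORDS
    listed = settings.get("disable_functions", "")
    disabled = {name.strip() for name in listed.split(",") if name.strip()}
    return {
        "enable_dl": enable_dl,
        "dl_disabled": "dl" in disabled,
        "dl_permitted_by_ini": enable_dl and "dl" not in disabled,
    }

# Constructed sample configurations.
INI_ON = "[PHP]\n; constructed sample\nenable_dl = On\ndisable_functions =\n"
INI_OFF = INI_ON.replace("enable_dl = On", "enable_dl = Off")
INI_ABSENT = "[PHP]\nmemory_limit = 64M\n"
INI_LISTED = "enable_dl = On\ndisable_functions = exec, dl ,system\n"
INI_DUP = "enable_dl = Off\nenable_dl = On ; re-enabled further down\n"

if __name__ == "__main__":
    for name, text in [("on", INI_ON), ("off", INI_OFF), ("absent", INI_ABSENT),
                       ("listed", INI_LISTED), ("duplicate", INI_DUP)]:
        print(name, dl_exposure(text))
```

The absent and duplicate cases are the ones a quick look at the file tends to miss: a php.ini with no `enable_dl` line at all, or one where a later line turns it back on.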

  #5  
Old
Newbie
 
Join Date: May 2006
Posts: 10
The host should know that anyway.

But yes, tell them to do the above =)

__________________
Thanks,
NS-Hosting
http://www.ns-hosting.co.uk

  #6  
Old
Superhero
 
Join Date: May 2003
Location: Ottawa
Posts: 2,478
Find a new host. It doesn't matter if they correct the issue at this point, with responses like that you could definitely find a better host that cares about their clients.

__________________
Webmaster Forum • webmastertalk.net • Webmaster Community Forum
Website Tools • domainfocus.com • Webmaster Tools | IP Lookup | Domain Whois | PageRank Checker | HTTP Header Info | Link Analysis | Favicon Generator


  #7  
Old
Newbie
 
Join Date: May 2006
Posts: 6
What the heck is that? I'd look into a new host since the one you have doesn't seem to prioritize security...

  #8  
Old
Web Hosting Evangelist
 
Join Date: Apr 2006
Location: Jacksonville, FL
Posts: 498
Indeed, this is unfortunate that they won't take responsibility and fix the problem.

  #9  
Old
Web Hosting Master
 
Join Date: Apr 2003
Location: NC
Posts: 2,970
As others have said it is a good time to start looking for a new host, this host is being pretty unresponsive which is not a good quality in a webhost.

__________________
John W, CISSP
MS Information Security and Assurance
www.yawig.com - Managed VPS and Dedicated Servers with VIP Service
www.eth0.us - Server Admin Info

  #10  
Old
Just me
 
Join Date: Sep 2002
Location: Among the corn
Posts: 10,504
Quote:
Originally Posted by ByteFortressAaron
Tell your host to set:

enable_dl = On
to
enable_dl = Off

in the php.ini. There's not really any reason to permit that....
There are plenty of uses for all of the php functions, all of them very valid. It's not the function's fault that some designer wrote sloppy code that could be abused easily, that's the designer's fault.

Personally, if I signed up for a host that had most of what the users "recommend" to be disabled, disabled, I'd leave, after demanding a refund, because this does not provide "hosting", it provides a limited environment in which very little can get done, in return for a false sense of security.

It's all about the code you use and the security of it, really. Disabling functions isn't an answer or solution, using proper, secured code is.

  #11  
Old
Newbie
 
Join Date: May 2006
Posts: 9
They seem to have "fixed" the problem (by rebooting the server, I assume, although they won't tell me what they did), but I will switch to DreamHost as soon as I can justify the $7/month. Thanks for backing me up here.

By the way, the name of this crappy host is WoolNet.

  #12  
Old
WHT Addict
 
Join Date: May 2006
Location: Saint Paul, MN
Posts: 105
Wow, it sounds like listening to a broken record, reading their responses. It is also disappointing that they seem to not be "investigating" this issue when they say they are.

__________________
Andrew Kuriger
I.T. Specific LLC. !!NOW OFFERING VPS ON ALL SERVERS!!
BurstNET™ Discount Reseller!
www.ITSpecific.com

  #13  
Old
Web Hosting Master
 
Join Date: Sep 2003
Location: Saskatchewan, Canada
Posts: 946
Quote:
Originally Posted by Shii
They seem to have "fixed" the problem (by rebooting the server, I assume, although they won't tell me what they did), but I will switch to DreamHost as soon as I can justify the $7/month. Thanks for backing me up here.

By the way, the name of this crappy host is WoolNet.
There are so many better hosts out there who actually deliver what they advertise on their website. I'd be running away very fast from DreamHost. Just my opinion.

  #14  
Old
Web Hosting Master
 
Join Date: Aug 2002
Location: here
Posts: 1,538
----edited by self----
humor got away from me again...apologies.

__________________
-Dave

  #15  
Old
Newbie
 
Join Date: May 2006
Posts: 9
Pertinent update: I cancelled my hosting with WoolNet and switched to Dreamhost around the time this thread was posted, back in May. It is now December 24 and WoolNet has just now gotten back to me to let me know that they successfully cancelled my hosting. Luckily, I was on the cheapass plan so I wasn't bilked for too much, but this would probably be hell on anyone else who tries to cancel.

Warning to everyone: AVOID WOOLNET.
