  1. #1
    Weird line in customer website

    Today a customer sent me an email stating that this line
    appeared in the HTML code of his website.

    http://u0r.in:8080/ts/in.cgi?pepsi106

    What is it? Is it a virus? a Trojan?

  2. #2
    I don't see the line you're referring to. When the URL is accessed it's redirecting to http://u7x.in:8080/index.php

    Can you paste the contents of the script so that everyone can check it ?

  3. #3
    The website was corrected and the line removed....

    BTW, I found several references to that line on Google:

    http://tinyurl.com/npn2rl

  4. #4
    I just see a white page. Can you paste the code here?

  5. #5
    Just for clarification, the URL http://u0r.in:8080/ts/in.cgi?pepsi106 was included in the code?

    Can you post the file ownership and permissions of the affected file?

  6. #6
    Sounds like Gumblar. Change all passwords and virus/malware-scan any machine that has accessed that account. Sounds like your customer's machine is infected.

  7. #7
    It seems to be an issue with an attack on the customer's account due to insecure permissions.

    Similar to iframe attacks.

  8. #8
    Quote Originally Posted by linux-engineer View Post
    It seems to be an issue with an attack on the customer's account due to insecure permissions.

    Similar to iframe attacks.

    Far more likely it's a Gumblar or a virus attacking the same vulnerabilities. They've become very popular as of late.

  9. #9
    Mostly it happens over FTP.

    Check the FTP logs to find the source of the injection. If you are using active FTP, change to passive.

    Active is more vulnerable to data sniffing since it uses a standard port for communication. Don't store FTP passwords in FTP clients.

    P.S.: Also set complex passwords for the accounts.
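The post above says to check the FTP logs for the source of the injection. The following is an added example, not code from the thread or from any poster: it parses transfer logs in the xferlog(5) format written by wu-ftpd/proftpd and reports which remote host uploaded the affected file and what else that host pushed in the same session. The log lines, the site path, the IP addresses and the `known_hosts` allow-list are all constructed for illustration.

```python
"""Added example: locate the FTP session that uploaded an injected file by
parsing xferlog-format transfer logs (not code from the original thread).
Every log line, path and address below is constructed."""
from collections import defaultdict

# Constructed sample in xferlog(5) format. Field order per the man page:
# timestamp (5 tokens), transfer-time, remote-host, file-size, filename,
# transfer-type, special-action-flag, direction (o = download, i = upload),
# access-mode, username, service, auth-method, auth-user-id, status.
# The hypothetical customer normally works from 203.0.113.7; the burst of
# uploads from 198.51.100.23 at 03:14 is the scenario under investigation.
SAMPLE_XFERLOG = """\
Sun Jul 26 22:10:03 2009 2 203.0.113.7 18321 /home/site/public_html/index.html b _ o r siteuser ftp 0 * c
Mon Jul 27 03:14:07 2009 1 198.51.100.23 18402 /home/site/public_html/index.html b _ i r siteuser ftp 0 * c
Mon Jul 27 03:14:09 2009 1 198.51.100.23 9120 /home/site/public_html/about.html b _ i r siteuser ftp 0 * c
Mon Jul 27 03:14:11 2009 1 198.51.100.23 7744 /home/site/public_html/contact.php b _ i r siteuser ftp 0 * c
Mon Jul 27 09:02:55 2009 3 203.0.113.7 18402 /home/site/public_html/index.html b _ o r siteuser ftp 0 * c
"""

XFERLOG_FIELDS = ("transfer_time", "remote_host", "file_size", "filename",
                  "transfer_type", "special_action", "direction", "access_mode",
                  "username", "service", "auth_method", "auth_user", "status")


def parse_xferlog_line(line):
    """Parse one xferlog record into a dict; return None for malformed lines.
    xferlog replaces spaces in filenames with underscores, so a plain
    whitespace split is safe."""
    tokens = line.split()
    if len(tokens) != 5 + len(XFERLOG_FIELDS):
        return None
    rec = {"timestamp": " ".join(tokens[:5])}
    rec.update(zip(XFERLOG_FIELDS, tokens[5:]))
    return rec


def parse_xferlog(text):
    """Parse a whole log, silently skipping lines that do not fit the format."""
    return [r for r in (parse_xferlog_line(ln) for ln in text.splitlines()) if r]


def uploads_of(records, filename):
    """All incoming transfers (direction 'i') that wrote `filename`."""
    return [r for r in records
            if r["direction"] == "i" and r["filename"] == filename]


def upload_sources(records):
    """Map remote host -> sorted list of files it uploaded. A single host
    rewriting many pages within seconds is the pattern to look for."""
    by_host = defaultdict(list)
    for r in records:
        if r["direction"] == "i":
            by_host[r["remote_host"]].append(r["filename"])
    return {host: sorted(files) for host, files in by_host.items()}


def suspicious_hosts(records, known_hosts):
    """Uploading hosts that are not in the operator-supplied allow-list of the
    customer's own addresses (the allow-list is an assumption of this example)."""
    return {host: files for host, files in upload_sources(records).items()
            if host not in known_hosts}


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    for r in uploads_of(recs, "/home/site/public_html/index.html"):
        print(f"{r['timestamp']}  upload from {r['remote_host']} as {r['username']}")
    for host, files in suspicious_hosts(recs, {"203.0.113.7"}).items():
        print(f"unexpected uploader {host}: {len(files)} files")
```

Run it against the real log with the customer's usual addresses in the allow-list; the timestamp of the first upload from an unexpected host is also the point from which any backup must predate.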

  10. #10
    It's not gumblar but it does happen the same way as gumblar and martuz - compromised FTP credentials.

    One of the PCs that has FTP access to that site is infected. I know, everyone has an anti-virus program, but many AV companies were getting hit with so many new variants that they started using generic signatures. (Check out Commtouch's new report)

    This opened the door to new viruses that were clever enough to evade detection.

    These new virus strains work in one of three ways: they know where the usernames and passwords are stored in files for popular FTP programs, they use keyboard loggers, and they also sniff FTP traffic. Since FTP transmits all data, including usernames and passwords, in plain text, sniffing for login credentials in an FTP stream is quite easy.

    The "pepsi" and "cocacola" iframes are the new gumblar and martuz infections.

    All PCs with FTP access to that site have to be scanned and cleaned with a new anti-virus program - one different from what's installed now because obviously the virus knows how to evade detection of the current AV.

    Then, and only then, can the FTP passwords be changed, and then all the site's files scanned or just replaced with a known good backup.

    Does anyone have any doubt that it can be a virus or anything else?

  12. #12
    Quote Originally Posted by Networking Florida View Post
    Does anyone have any doubt that it can be a virus or anything else?
    You can download and scan it with antivirus... All files are text...

  13. #13

    Quote Originally Posted by albatroz View Post
    Today a customer sent me an email stating that this line
    appeared in the HTML code of his website.

    http://u0r.in:8080/ts/in.cgi?pepsi106

    What is it? Is it a virus? a Trojan?
    Scan/clean all files ASAP, otherwise Google will mark it as malware, so don't be late.
    Thanks,
    Noman

  14. #14
    You should probably start a new thread for this. Your customer's website has been infected.

    These types of infections (a 3-character domain, then a TLD of ru, hk, in or tw, followed by :8080 and some string) have usually been the result of compromised FTP credentials.

    Your customer should have everyone with FTP access to their site (including you, if you have FTP access to it) install a new anti-virus program and scan and clean every PC with FTP access to that site.

    The reason is that the virus that steals the FTP credentials already knows how to evade detection by the currently installed anti-virus program, so you need to use something different. If you don't do this, your customer's site will just get hacked again and again.

    After cleaning all PCs with FTP access, you must change all FTP passwords.

    Then you can either restore the site with a known, clean version, or download the entire site to a newly cleaned PC, scan all the files for the above line (it will appear in iframe tags) and remove the malscript.

    These steps must be followed in the order listed. Otherwise your customer will just get hacked again.
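Posts #10 and #14 describe the injected line as sitting inside iframe tags whose src points at a 3-character domain under ru/hk/in/tw on port 8080, and recommend downloading the whole site to a clean machine and scanning every file for it. The following is an added example, not code from the thread or from any poster, that does exactly that scan and strips only the matching iframes, leaving legitimate ones untouched. The sample page, the legitimate example.com iframe and the `style` attribute on the injected one are constructed; the injected URL is the one quoted in the thread.

```python
"""Added example: find and strip iframes pointing at hosts of the form
xxx.(ru|hk|in|tw):8080 in a downloaded copy of a site (not code from the
original thread). The sample page below is constructed."""
import os
import re

# Host shape from the thread: a three-character label, one of four TLDs, port 8080.
INJECTED_HOST = re.compile(r"^https?://[a-z0-9]{3}\.(?:ru|hk|in|tw):8080(?:/|$)", re.I)

# An <iframe ...> with a quoted src attribute, optionally with its closing tag.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?\bsrc\s*=\s*(['\"])(?P<src>.*?)\1[^>]*>(?:.*?</iframe\s*>)?",
    re.I | re.S)


def find_injected_iframes(html):
    """Return the src URLs of every iframe whose host matches INJECTED_HOST."""
    return [m.group("src") for m in IFRAME_RE.finditer(html)
            if INJECTED_HOST.match(m.group("src"))]


def strip_injected_iframes(html):
    """Remove only the matching iframes; other iframes are returned unchanged."""
    def repl(m):
        return "" if INJECTED_HOST.match(m.group("src")) else m.group(0)
    return IFRAME_RE.sub(repl, html)


def scan_files(pages):
    """pages: mapping of file name -> content. Returns only the files that
    carry an injected iframe, with the URLs found in each."""
    hits = {}
    for name, content in pages.items():
        urls = find_injected_iframes(content)
        if urls:
            hits[name] = urls
    return hits


def scan_tree(root, suffixes=(".html", ".htm", ".php", ".js", ".tpl")):
    """Walk a downloaded site and apply scan_files to the text files in it.
    The suffix list is an assumption; extend it to whatever the site serves."""
    pages = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    pages[path] = fh.read()
    return scan_files(pages)


# Constructed sample: the URL quoted in the thread injected before </body>,
# next to a legitimate iframe that must survive the cleanup. The width/height
# and style attributes on the injected tag are assumptions for illustration.
SAMPLE_PAGE = """<html><body>
<p>Welcome</p>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://u0r.in:8080/ts/in.cgi?pepsi106" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for url in find_injected_iframes(SAMPLE_PAGE):
        print("injected:", url)
    print(strip_injected_iframes(SAMPLE_PAGE))
```

Run `scan_tree` over the downloaded copy first and review the hit list before stripping anything: the regex is deliberately narrow to the host shape described in the thread, so an injection that uses a different domain shape will not be caught by it and still has to be found by diffing against a known-good backup.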
