#1
Confirmed User
Join Date: Oct 2004
Location: Boston, MA
Posts: 1,723
Recent uniqcontent / megacount trojan exploits summary
The past couple of weeks I've been seeing this exploit happen to more and more people.
It's either a JavaScript trojan insertion connecting to uniqcontent.com or an iframe trojan insertion connecting to megacount.com, or both. We have had this happen to a couple of customers. Unfortunately each fix has been slightly different. Some of the fixes have been:

- Getting rid of a counter
- Getting rid of a 3rd party WordPress template
- Fixing WordPress file permissions

Below are some of the recent threads started:

http://www.gfy.com/showthread.php?t=660506
http://www.gofuckyourself.com/showthread.php?t=661811
http://www.gofuckyourself.com/showthread.php?t=662380
http://www.gofuckyourself.com/showthread.php?t=661965
http://www.gofuckyourself.com/showthread.php?t=662468
http://www.gofuckyourself.com/showthread.php?t=664196

Originally people thought this was directly related to WordPress, but it appears to be happening to non-WP sites as well. There are 4 or 5 hosts mentioned, so this is not host specific. Then it was thought to be a cPanel issue, but not everyone is running cPanel.

dissipate posted these links:

http://www.securiteam.com/unixfocus/6R0030UH5W.html
http://www.securiteam.com/unixfocus/6M00315H5S.html

Other suggestions:

http://www.securityfocus.com/bid/14088/info
http://www.securityfocus.com/bid/18372

No one has really followed up with how the issue has been resolved. I'm basically trying to get all the info into one thread for any others that may come across this exploit.
__________________
ICQ# 273099174 - monthly specials - 2 Month Free Credit on All Plans - 100% Referrals - chris@ for details Virtual from $14.95/month, Dedicated from $149.95/month Dual-Core Xeon > 1000GB @ $149.95 | 1500GB @ $169.95 | 10Mbps @ $269.95
#2
Hall Of Fame
Join Date: Jan 2001
Location: Portland Oregon USA
Posts: 34,415
I'm VERY much in this with you...
__________________
Industry Hall Of Fame Legend Mike Jones Bow to the Power - Still BP4L http://gfyawards.com/hall-of-fame Learn about it kids.
#3
Hall Of Fame
Join Date: Jan 2001
Location: Portland Oregon USA
Posts: 34,415
Two of my sites were hacked yesterday with this megacount.net exploit hidden and put onto my HTML pages.
I want to know how they got in... According to Jupiter Hosting, whom I host with, it appears they simply logged in with a password... Maybe a harvester or something, or a keystroke logger. But with the epidemic of sites that got hacked in the past few days, I'm thinking there must be some security hole somewhere that we don't know about. I'm aware of the assumptions about cPanel and WordPress and the others. None of that applies to me... Again, I don't know how they got in.
#4
Hall Of Fame
Join Date: Jan 2001
Location: Portland Oregon USA
Posts: 34,415
I'm thinking, and have had it suggested to me, to upgrade versions of Apache and PHP...
There are known security holes in older versions of them, but we have not concluded that this hack is due to any of this...
#5
Hall Of Fame
Join Date: Jan 2001
Location: Portland Oregon USA
Posts: 34,415
As I mentioned, my host didn't notice any security breaches. They noted that someone just logged right in and did this.
Which brings to mind: I think our local PCs have some trojan on them that is recording our logins, or corrupting files as we upload via FTP. I think this may be more of a local issue rather than a server one? What do you think?
#6
Confirmed User
Join Date: Jul 2006
Location: Philadelphia
Posts: 1,282
List what WordPress plugins you have installed.
It's not a vanilla WordPress problem, as the exploit isn't *THAT* common.
#7
Confirmed User
Join Date: Oct 2004
Location: Boston, MA
Posts: 1,723
boneprone isn't running wordpress at all.
#8
Confirmed User
Join Date: Oct 2002
Location: European Union
Posts: 1,752
Anyone without third-party software/scripts who got infected?
#9
Sick Fuck
Join Date: Feb 2004
Location: www
Posts: 9,491
#10
Confirmed User
Join Date: Oct 2004
Location: Boston, MA
Posts: 1,723
I'm thinking all it takes is one customer with an old/unpatched install of some script to be able to exploit any site on a shared server.
#11
Confirmed User
Join Date: Oct 2004
Location: Boston, MA
Posts: 1,723
But on the other hand...
I was chatting with boneprone and he mentioned that he scanned his computer and found a trojan, and the pages being exploited were ones that he had been working on and had uploaded to his server. So possibly his FTP info was grabbed, or the virus/trojan on his computer was automatically infecting the pages as he uploaded.
#12
Hall Of Fame
Join Date: Jan 2001
Location: Portland Oregon USA
Posts: 34,415
I had not uploaded anything to that domain..... So my theory is shot.. Back to step 1.
#13
Sick Fuck
Join Date: Feb 2004
Location: www
Posts: 9,491
Neither had I. In fact 4 months without uploading anything.
#14
Hall Of Fame
Join Date: Jan 2001
Location: Portland Oregon USA
Posts: 34,415
My server support guy:
"Found nudedorms.com/htdocs/aff/geoip.php - r57shell exploit, dated Oct 8, 8:56am. I renamed it from geoip.php to geoip.php.txt so it can't be executed, but we can read it. I already made a copy for myself, so delete it if you want. http://nudedorms.com/aff/geoip.php.txt It was owned by webmaster, and not the apache user, so it wasn't a PHP exploit. A corresponding login during that time was from as the user MuratAT3; Gavin suspected that was one of the hackers' IPs. So if it was a weak password and they guessed it, that's one way they could have done this. Or maybe they somehow got the password some other way, but one thing is for sure: they just straight up logged in and knew the password, then uploaded their junk." They are convinced the server wasn't compromised, but that indeed the hacker got his login and pass by some other means and simply walked on in with info on hand. And it couldn't have been a corrupt file that I uploaded, because I never used the username MuratAT3. It's an old user name on the box. Naturally it's been removed by now. But that's what these guys used, so it seems.
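A triage script for the pattern described in post #1 (script/iframe tags injected into HTML pages that point at uniqcontent.com, megacount.com and the like) and the reasoning the host gave in post #14 (a file owned by the account user rather than the web server user was placed through the account's own login, not through a PHP exploit). This is an added example, not code from any poster or their hosting company. It scans a web root for external `<script src>` / `<iframe src>` references, flags those pointing at the hosts named in this thread or at any host outside an allowlist you supply, and reports the owning user of each flagged file. The `apache` user name, the allowlist, the `cdn.example.net` host and the sample page are assumed or constructed values.

```python
import os
import pwd
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the thread names as destinations of the injected script/iframe tags.
INDICATOR_HOSTS = {"uniqcontent.com", "megacount.com", "megacount.net", "clvcnt.com"}


class _SrcCollector(HTMLParser):
    """Record every <script src> and <iframe src> together with its line number."""

    def __init__(self):
        super().__init__()
        self.found = []  # (tag, src, line)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.found.append((tag, src, self.getpos()[0]))


def _matches(host, hosts):
    # Exact match or subdomain of a listed host.
    return any(host == h or host.endswith("." + h) for h in hosts)


def find_injected_tags(html_text, allowed_hosts=(), indicator_hosts=INDICATOR_HOSTS):
    """Return [(tag, src, line, reason)] for external script/iframe tags that hit
    a known indicator host or point at a host outside the site's allowlist."""
    parser = _SrcCollector()
    parser.feed(html_text)
    hits = []
    for tag, src, line in parser.found:
        # Relative references have no host; only external references matter here.
        host = (urlparse(src.strip()).hostname or "").lower()
        if not host:
            continue
        if _matches(host, indicator_hosts):
            hits.append((tag, src, line, "known indicator host"))
        elif not _matches(host, allowed_hosts):
            hits.append((tag, src, line, "external host not on allowlist"))
    return hits


def classify_by_owner(owner, web_server_user):
    """Post #14's reasoning: a PHP-level compromise writes files as the web server
    user, so a file owned by the account user points at a credential login instead."""
    if owner == web_server_user:
        return "written by web server process (web-app exploit likely)"
    return "written as account user (stolen or guessed account credentials likely)"


def scan_tree(root, allowed_hosts=(), web_server_user="apache"):
    """Scan .html/.htm/.php files under root; return {path: {hits, owner, vector}}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm", ".php")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injected_tags(fh.read(), allowed_hosts)
            if hits:
                uid = os.stat(path).st_uid
                try:
                    owner = pwd.getpwuid(uid).pw_name
                except KeyError:  # uid without a passwd entry (e.g. a container)
                    owner = str(uid)
                report[path] = {"hits": hits, "owner": owner,
                                "vector": classify_by_owner(owner, web_server_user)}
    return report


# Constructed sample page (not a real capture): one legitimate external script
# plus two injected tags of the kind reported in the thread.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<iframe src="http://megacount.net/count.php" width="1" height="1"></iframe>
<script src="http://uniqcontent.com/js.php"></script>
</body></html>
"""


def demo():
    """Write the sample page into a temp dir, scan it, print and return the report."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PAGE)
        report = scan_tree(root, allowed_hosts={"cdn.example.net"})
        for path, info in report.items():
            print(path, "owner:", info["owner"], "->", info["vector"], info["hits"])
        return report
```

Run `demo()` to see the sample page flagged twice (the iframe and the script that point at indicator hosts) while the allowlisted CDN script passes; point `scan_tree` at a real document root with the site's own CDN hosts in `allowed_hosts` and the web server's user name to get the same report for every page, then compare file owners and modification times against the account's login history the way the hosts in this thread did.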
#15
Confirmed User
Join Date: Aug 2002
Location: The Ditch
Posts: 8,919
Hope you get this resolved guys
__________________
www.MAKINGCOIN.com icq. 166-662-831 "Start making large coin!" Daddy I Get Paid To Be A Whore - Coming Soon
#16
Icq: 14420613
Join Date: Mar 2001
Location: chicago
Posts: 15,432
I just had an account on a shared server running hsphere hacked and megacount added.
Tech is working on finding the hole they got in through. Only one account was hacked though, not the whole server.
__________________
Need WebHosting ? Email me for some great deals [email protected]
#17
Confirmed User
Join Date: Oct 2002
Location: European Union
Posts: 1,752
#18
Confirmed User
Join Date: Oct 2005
Posts: 111
I am still a bit confused by it all.
My hosting company (webair) stated that someone had just logged in with my info. This was my first initial thought and I had changed the password; my account was still hacked after this. My password was changed again and now nothing has happened. At all times I had anti-virus/trojan/spyware programs running and had scanned my system at least 1 time per week, and nothing was found. Also, at some of the times that my site was hacked I did nothing to the site, shut my computers off and took a vacation. But most of the time it was hacked I never even uploaded anything; I would just write posts in the blog.
__________________
ICQ: 619221
#19
Confirmed User
Join Date: Oct 2004
Location: Boston, MA
Posts: 1,723
OK, so 2 times it has been said that someone had logged in to the account and uploaded the infected files.
#20
Confirmed User
Join Date: Oct 2004
Location: Boston, MA
Posts: 1,723
I just read on one of the other boards about someone having the same issue. This is what they said:
"ok here is what my hosting company says: I checked your login history and I see logins from several different addresses, in addition, in the index.html on domain.com it looks like it contains malicious javascript. What I'm guessing happened was someone got your password somehow, then modified your index pages to include this. You can go in and delete it from the index pages."
#21
Confirmed User
Join Date: Oct 2004
Location: Boston, MA
Posts: 1,723
I'm seeing some new domains now:
clvcnt.com/nmd/trf/ (DON'T load this, it tries to download a trojan)
clvcnt.com/nmd/trf/gc2/
#22
Confirmed User
Join Date: Apr 2006
Location: Easy Webcam Pro
Posts: 1,213
xmlrpc no?
__________________
[email protected]
#23
Confirmed User
Join Date: Oct 2004
Location: Boston, MA
Posts: 1,723
I believe the trojan downloads:
sploit.anr and xpl.wmf, but the issue is how people's pages are being altered with the code.
#24
WINNING!
Join Date: Oct 2002
Posts: 14,579
My webair accounts are still clean after the update. Imagine how many computers are infected now.
I'm sure we will see a drop in sales, because it's likely that the Trojan is replacing the affiliate codes. I think these attacks are quite targeted. ONLY my adult sites have been touched. It's like they scanned for sites that link to selected affiliate programs.
#25
Confirmed User
Join Date: Oct 2004
Location: Boston, MA
Posts: 1,723
#26
WINNING!
Join Date: Oct 2002
Posts: 14,579
#27
Confirmed User
Join Date: Dec 2005
Location: Couch
Posts: 2,678
It appears to be another spin on an old PHP exploit with phpSecurePages.
I'd be interested in knowing if there were any machines hit that did *not* have a copy of the file secure.php anywhere on their server. Here is another version of the one that hit boneprone... from Iranian hackers. http://www.milw0rm.com/exploits/2452 Though the above link is safe, I do not recommend going to any links found in that code (or any other exploit code, for that matter).
#28
ICQ: 197-556-237
Join Date: Jun 2003
Location: BRASIL !!!
Posts: 57,559
Damn, I'm sorry to hear that...
I hope you can fix everything...
__________________
I'm just a newbie.
#29
Confirmed User
Join Date: Oct 2004
Location: Boston, MA
Posts: 1,723
#30
Too lazy to set a custom title
Join Date: Sep 2003
Posts: 22,651
Bump, just got hit AGAIN today.