Old 10-09-2006, 07:54 PM   #1
SinSational
Recent uniqcontent / megacount trojan exploits summary

The past couple of weeks I've been seeing this exploit happen to more and more people.
It's either a javascript trojan insertion connecting to uniqcontent.com
or an iframe trojan insertion connecting to megacount.com
or both....

We have had this happen to a couple of customers. Unfortunately each fix has been slightly different. Some of the fixes have been:

Getting rid of a counter
Getting rid of a 3rd party WordPress template
Fixing WordPress file permissions

Below are some of the recent threads started:

http://www.gfy.com/showthread.php?t=660506

http://www.gofuckyourself.com/showthread.php?t=661811

http://www.gofuckyourself.com/showthread.php?t=662380

http://www.gofuckyourself.com/showthread.php?t=661965

http://www.gofuckyourself.com/showthread.php?t=662468

http://www.gofuckyourself.com/showthread.php?t=664196

Originally people thought this was directly related to WordPress, but it appears to be happening to non WP sites as well.
There are 4 or 5 hosts mentioned, so this is not host specific.
Then it was thought to be a cPanel issue, but not everyone is running cPanel.

dissipate posted these links:
http://www.securiteam.com/unixfocus/6R0030UH5W.html
http://www.securiteam.com/unixfocus/6M00315H5S.html

other suggestions:
http://www.securityfocus.com/bid/14088/info
http://www.securityfocus.com/bid/18372


No one has really followed up with how the issue has been resolved.
I'm basically trying to get all the info into one thread for any others that may come across this exploit.
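The first post describes the two forms the injection takes: a script tag loading from uniqcontent.com and an iframe loading from megacount.com. As an added example (not from the thread or any poster), here is a Python scanner that walks a web root and reports every script or iframe whose src loads from one of the domains named in this thread, flagging iframes sized or styled to be invisible; the watch-list, helper names and sample page are constructed.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the thread names as destinations of the injected tags (constructed
# watch-list; extend it with whatever your own altered pages point at).
SUSPECT_DOMAINS = ("uniqcontent.com", "megacount.com", "megacount.net", "clvcnt.com")

def suspect_host(url):
    """Hostname of `url` if it is on or under a watched domain, else ''."""
    host = (urlparse(url.strip()).hostname or "").lower()
    for d in SUSPECT_DOMAINS:
        if host == d or host.endswith("." + d):
            return host
    return ""

def is_hidden(attrs):
    """True for the 0/1-pixel or display:none iframes used to hide a load."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style

class InjectionFinder(HTMLParser):
    """Collects <script>/<iframe> tags whose src points at a watched domain."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attrs = {k: (v or "") for k, v in attrs}  # valueless attrs -> ""
        host = suspect_host(attrs.get("src", ""))
        if host:
            self.findings.append({"tag": tag, "host": host, "line": self.getpos()[0],
                                  "hidden": tag == "iframe" and is_hidden(attrs)})

def scan_html(text):
    """Scan one document; returns the suspect tags found, in document order."""
    p = InjectionFinder()
    p.feed(text)
    p.close()
    return p.findings

def scan_tree(root):
    """Walk a web root; map each .htm/.html/.php file with findings to them."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".htm", ".html", ".php")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: a normal page with both injection styles appended.
SAMPLE = """<html><body>
<p>Welcome</p>
<script src="/js/menu.js"></script>
<script src="http://www.uniqcontent.com/c.js"></script>
<iframe src="http://megacount.com/s.html" width="1" height="1" style="display: none"></iframe>
</body></html>"""
```

Run `scan_tree("/path/to/htdocs")` on a copy of the site taken before cleanup, so the report doubles as the list of files to restore from a known-good backup.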
Old 10-09-2006, 10:14 PM   #2
boneprone
I'm VERY much in this with you.........
Old 10-09-2006, 10:18 PM   #3
boneprone
Two of my sites were hacked yesterday with this megacount.net exploit hidden and put onto my HTML pages.

I want to know how they got in...

According to Jupiter Hosting, whom I host with, it appears they simply logged in with a password... Maybe a harvester or something, or a keystroke logger.

But with the epidemic of sites that got hacked in the past few days, I'm thinking there must be some security hole somewhere that we don't know about.

I'm aware of the assumptions about cPanel and WordPress and the others. None of that applies to me...

Again, I don't know how they got in.
Old 10-09-2006, 10:23 PM   #4
boneprone
I'm thinking, and have had it suggested to me, to upgrade versions of Apache and PHP....

There are known security holes in older versions of them, but we have not concluded that this hack is due to any of this...
Old 10-09-2006, 10:28 PM   #5
boneprone
As I mentioned, my host didn't notice any security breaches.. They noted that someone just logged right in and did this..

Which brings to mind, I think our local PCs have some trojan on them that is recording our logins, or corrupting files as we upload via FTP.....

I think this may be more of a local issue rather than a server one??

What do you think?
Old 10-09-2006, 10:30 PM   #6
bl4h
List what WordPress plugins you have installed

It's not a vanilla WordPress problem, as the exploit isn't *THAT* common
Old 10-09-2006, 10:43 PM   #7
SinSational
boneprone isn't running WordPress at all.
Old 10-09-2006, 10:46 PM   #8
Calvinguy
Anyone without third-party software/scripts who got infected?
Old 10-09-2006, 10:53 PM   #9
Dirty Dane
Quote:
Originally Posted by Calvinguy
Anyone without third-party software/scripts who got infected?
Got it on one static site. Shared server though.
Old 10-09-2006, 10:57 PM   #10
SinSational
Quote:
Originally Posted by Dirty Dane
Got it on one static site. Shared server though.
I'm thinking all it takes is one customer with an old/unpatched install of some script to be able to exploit any site on a shared server.
Old 10-09-2006, 11:00 PM   #11
SinSational
But on the other hand....
I was chatting with boneprone and he mentioned that he scanned his computer and found a trojan, and the pages being exploited were ones that he had been working on and had uploaded to his server. So possibly his FTP info was grabbed, or the virus/trojan on his computer was automatically infecting the pages as he uploaded.
Old 10-09-2006, 11:03 PM   #12
boneprone
Quote:
Originally Posted by SinSational
But on the other hand....
I was chatting with boneprone and he mentioned that he scanned his computer and found a trojan, and the pages being exploited were ones that he had been working on and had uploaded to his server. So possibly his FTP info was grabbed, or the virus/trojan on his computer was automatically infecting the pages as he uploaded.
My assumption was wrong.. I thought I had it pinned down.. But it appears a file on nudedorms.com, another domain on the server, was also infected..

I had not uploaded anything to that domain.....

So my theory is shot..

Back to step 1.
Old 10-09-2006, 11:09 PM   #13
Dirty Dane
Quote:
Originally Posted by boneprone
My assumption was wrong.. I thought I had it pinned down.. But it appears a file on nudedorms.com, another domain on the server, was also infected..

I had not uploaded anything to that domain.....

So my theory is shot..

Back to step 1.
Neither had I. In fact 4 months without uploading anything.
Old 10-09-2006, 11:10 PM   #14
boneprone
My server support guy:

"Found nudedorms.com/htdocs/aff/geoip.php - r57shell exploit. dated Oct 8, 8:56am
I renamed it from geoip.php to geoip.php.txt so it can't be executed, but we can read it. I already made a copy for myself, so delete it if you want.
http://nudedorms.com/aff/geoip.php.txt

It was owned by webmaster, and not the apache user, so it wasn't a PHP exploit.

A corresponding login during that time was from as the user MuratAT3, Gavin suspected that was one of the hackers' IPs,

So if it was a weak password, and they guessed it, that's one way they could have done this. Or maybe they somehow got the password via some other way, but one thing is for sure, they just straight up logged in and knew the password, then uploaded their junk."

They are convinced the server wasn't compromised... But that indeed the hacker got his login and pass by some other means and simply walked on in with the info on hand..

And it couldn't have been a corrupt file that I uploaded, because I never used the username MuratAT3.. It's an old user name on the box.

Naturally it's been removed by now.. But that's what these guys used, so it seems.
Old 10-09-2006, 11:12 PM   #15
Makingcoin
Hope you get this resolved guys
Old 10-09-2006, 11:31 PM   #16
sandman!
I just had an account on a shared server running HSphere hacked and megacount added

Tech is working on finding the hole they got in through.

Only one account was hacked though, not the whole server.
Old 10-10-2006, 01:41 AM   #17
Calvinguy
Quote:
Originally Posted by boneprone
My server support guy:

"Found nudedorms.com/htdocs/aff/geoip.php - r57shell exploit. dated Oct 8, 8:56am

http://nudedorms.com/aff/geoip.php.txt
That script is evil
Old 10-10-2006, 01:52 AM   #18
RobV
I am still a bit confused by it all.

My hosting company (webair) stated that someone had just logged in with my info.

This was my first initial thought and I had changed the password, but my account was still hacked after this.

My password was changed again and now nothing has happened.

At all times I had anti-virus/trojan/spyware programs running and had scanned my system at least 1 time per week and nothing was found.

Also - at some times that my site was hacked I did nothing to the site, shut my computers off and took a vacation. But most of the time it was hacked I never even uploaded anything, I would just write posts in the blog.
Old 10-10-2006, 06:35 AM   #19
SinSational
OK, so 2 times it has been said that someone had logged in to the account and uploaded the infected files.
Old 10-10-2006, 07:37 AM   #20
SinSational
I just read on one of the other boards about someone having the same issue. This is what they said:

"ok here is what my hosting company says:
I checked your login history and I see logins from several different
addresses, in addition, in the index.html on domain.com it
looks like it contains malicious javascript.

What I'm guessing happened was someone got your password somehow, then
modified your index pages to include this. You can go in and delete it
from the index pages."
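Two of the hosting companies quoted in this thread (boneprone's in post #14 and the one quoted just above in post #20) pinned the intrusion down from login history: an upload session under a username and from an address the customer never used, timed to match the dropped geoip.php. As an added example (not from the thread or any poster), this Python script applies those two checks to FTP transfer records in xferlog format; the log lines, usernames and RFC 5737 test addresses are constructed, and the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed xferlog-format records (the wu-ftpd/proftpd transfer log):
# date, seconds, remote-host, bytes, path, type, flag, direction (i=upload,
# o=download), mode, user, service, auth, uid, status. The upload path, user
# and time follow post #14; the addresses are RFC 5737 test addresses.
SAMPLE_XFERLOG = """\
Sat Oct  7 22:10:03 2006 1 192.0.2.10 4821 /htdocs/index.html a _ o r webmaster ftp 0 * c
Sun Oct  8 08:55:41 2006 2 198.51.100.77 61233 /htdocs/aff/geoip.php b _ i r muratat3 ftp 0 * c
Sun Oct  8 08:56:02 2006 1 198.51.100.77 3310 /htdocs/index.html a _ i r muratat3 ftp 0 * c
Sun Oct  8 09:40:19 2006 1 203.0.113.5 3310 /htdocs/index.html a _ i r muratat3 ftp 0 * c
Mon Oct  9 14:02:55 2006 3 192.0.2.10 9001 /htdocs/tour/index.html a _ i r webmaster ftp 0 * c
"""

XFER_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \d+ (?P<host>\S+) \d+ "
    r"(?P<path>\S+) \S \S (?P<dir>[io]) \S (?P<user>\S+) ")

def parse_xferlog(text):
    """Parse xferlog lines into dicts; lines that do not match are skipped."""
    recs = []
    for line in text.splitlines():
        m = XFER_RE.match(line)
        if m:
            recs.append({"when": datetime.strptime(m["when"], "%a %b %d %H:%M:%S %Y"),
                         "host": m["host"], "path": m["path"],
                         "user": m["user"], "upload": m["dir"] == "i"})
    return recs

def upload_sources(recs):
    """Map each user to the set of remote addresses it uploaded from."""
    src = defaultdict(set)
    for r in recs:
        if r["upload"]:
            src[r["user"]].add(r["host"])
    return dict(src)

def suspicious_users(recs, expected):
    """Users who uploaded from more than one address, or from one not in
    `expected` (user -> addresses the owner actually works from)."""
    flagged = {}
    for user, hosts in upload_sources(recs).items():
        if len(hosts) > 1 or hosts - expected.get(user, set()):
            flagged[user] = sorted(hosts)
    return flagged

def uploads_around(recs, mtime, minutes=30):
    """Uploads within +/- `minutes` of a dropped file's mtime: the check that
    ties a file like geoip.php back to the session that put it there."""
    lo, hi = mtime - timedelta(minutes=minutes), mtime + timedelta(minutes=minutes)
    return [r for r in recs if r["upload"] and lo <= r["when"] <= hi]

def triage(text, expected, mtime):
    """Run both checks over a log; returns (flagged users, nearby uploads)."""
    recs = parse_xferlog(text)
    return suspicious_users(recs, expected), [(r["user"], r["host"], r["path"])
                                              for r in uploads_around(recs, mtime)]
```

Feed `triage()` the real xferlog, the addresses each account legitimately uses, and the mtime of the planted file; any account it flags needs its password reset and its recent uploads restored from backup, whether or not the local PC turns out to be clean.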
Old 10-10-2006, 03:38 PM   #21
SinSational
I'm seeing some new domains now:

clvcnt.com/nmd/trf/ (DON'T load this, it tries to download a trojan)
clvcnt.com/nmd/trf/gc2/
Old 10-10-2006, 03:46 PM   #22
Solid Bob
xmlrpc no?
Old 10-10-2006, 03:54 PM   #23
SinSational
I believe the trojan downloads:

sploit.anr and xpl.wmf

But the issue is how people's pages are being altered with the code
Old 10-10-2006, 04:14 PM   #24
Machete_
My webair accounts are still clean after the update. Imagine how many computers are infected now.

I'm sure we will see a drop in sales, because it's likely that the Trojan is replacing the affiliate codes.

I think these attacks are quite targeted. ONLY my adult sites have been touched. It's like they scanned for sites that link to selected affiliate programs.
Old 10-10-2006, 04:21 PM   #25
SinSational
Quote:
Originally Posted by ebus_dk
My webair accounts are still clean after the update. Imagine how many computers are infected now.

I'm sure we will see a drop in sales, because it's likely that the Trojan is replacing the affiliate codes.

I think these attacks are quite targeted. ONLY my adult sites have been touched. It's like they scanned for sites that link to selected affiliate programs.
what did you have updated?
Old 10-10-2006, 04:23 PM   #26
Machete_
Quote:
Originally Posted by SinSational
what did you have updated?
PHP and cPanel were patched
Old 10-10-2006, 04:50 PM   #27
spasmo
It appears to be another spin on an old php exploit with phpSecurePages.

I'd be interested in knowing if there were any machines hit that did *not* have a copy of the file secure.php anywhere on their server.

Here is another version of the one that hit boneprone...from Iranian hackers.

http://www.milw0rm.com/exploits/2452

Though the above link is safe, I do not recommend going to any links found in that code (or any other exploit code for that matter).
Old 10-10-2006, 05:20 PM   #28
tranza
Damn, I'm sorry to hear that...

I hope you can fix everything...
Old 10-15-2006, 11:24 AM   #29
SinSational
added info/suggestions...

http://www.gofuckyourself.com/showthread.php?t=666473
Old 11-20-2006, 10:37 AM   #30
JD
buuuuump just got hit AGAIN today