Solution to <IFRAME> and JAVA SCRIPT HACK

Discussion in 'Security' started by Irfi0009, Jun 24, 2008.

  1. #1
    How does this hacking take place:

    This hacking does not take place through any PHP application vulnerability, nor any kernel bug, nor Apache bug, nor cPanel or Plesk bug. The account files affected are those whose FTP logins are leaked.

    ONLY THOSE ACCOUNTS ARE HACKED WHOSE FTP LOGIN DETAILS ARE LEAKED AND ARE WITH HACKER !!!!

    How it's done

    This is a sophisticated operation, and the infection cycle is involved, but basically, the hacker(s) are setting up innocent-looking sites (or using previously hacked sites where the owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, Firefox and Opera). The visitor is unaware that they may have a keylogger that sends the person's passwords etc. to the hacker(s) and moves on. If the innocent visitor has an FTP or root password for any internet sites, the hackers use a program that goes to the person's site(s) and instantly adds the hidden iframe to every index type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the FTP or root passwords to log in. And since they have at least your account FTP pass, whatever permissions your folders and files are set to make no difference.

    After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers' infection site, where the person's computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked so that the number of hacked sites will grow (as they have starting in Italy) into the tens of thousands... Please don't think you can depend solely on your antivirus software to protect your computer. It more than likely won't help you. For $1000, the Russian hacking bulletin boards are offering Mpack with 1 year support and a GUARANTEE that virus programs will not catch the keyloggers. SO, keep your virus program updated, but don't depend on it completely!


    This way this hack is spreading fast from one computer to another, broadcasting the passwords to hackers. During my research into this, I even found some of the password files collected by the hack on some of the hacked servers, where they pass this password file to their tool to add the code. In some cases Google bots pick up these files and you can even find the login details of FTP accounts and server root login details in Google.

    ===============================================
    Solution:
    ===============================================


    For Server Administrators:

    If you are having this problem server-wide then the only possibility is that your root password is used for this. Just change the password and this HACK WILL STOP.

    For an individual person owning just a domain and not a server:

    If you are facing this problem and your administrator says it's only your account, just change the FTP password and it will stop.

    You must have removed the code many times and it comes again, why???
    Because you don't change the FTP password. So change that first.

    Just changing the password is not the complete solution but is the first step.
    What's next? Your password is leaked, which means your computer is sending out the passwords, so I would suggest you do a clean format first and then install any antivirus or anti-spyware which you think could block it. But the best solution is to clean format the computer.

    Just do the two things:

    1) Change the FTP or root password of server
    2) Clean format the PC

    and take care in future that you don't visit any of the virus links made by this hack.
    Also, to keep your password secure I would suggest you use any password manager software.


    Please try it and also when you are confirmed, please spread this message in as many forums as you can so that others also come to know how to stop it.
     
    Irfi0009, Jun 24, 2008 IP
    nowares, invisible and jasonsc like this.
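
A check for the symptom described in the post above, a hidden iframe added to index-type pages, as an added example that is not part of the thread. The file-name patterns, the definition of "hidden" (1-pixel or zero size, or a hiding style) and the host names are assumptions; the sample page is constructed.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions, not from the thread: what counts as an index page and as "hidden".
INDEX_NAME = re.compile(r"^(index|default|home)\.(html?|php|asp|aspx)$", re.I)
HIDING_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = re.compile(r"^\s*[01](px)?\s*$", re.I)

# Constructed sample: a legitimate local iframe plus one appended after </html>.
SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="/widgets/news.html" width="300" height="200"></iframe>
</body></html>
<iframe src="http://injected.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>"""

class _IframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        hidden = (TINY.match(a.get("width", "")) or TINY.match(a.get("height", ""))
                  or HIDING_STYLE.search(a.get("style", "")))
        # Relative src values have no host and are treated as local content.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if hidden and host and host != self.site_host:
            self.hits.append(a["src"])

def find_hidden_iframes(html, site_host):  # src URLs of hidden off-site iframes
    finder = _IframeFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.hits

def scan_tree(root, site_host):  # {index file path: [suspicious iframe src, ...]}
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(INDEX_NAME.match, files):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_hidden_iframes(fh.read(), site_host)
            if hits:
                findings[path] = hits
    return findings
```

Run `scan_tree` against a copy of the web root with the site's own host name; a clean result after a cleanup only covers this one pattern, not other changes made with the same login.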
  2. roxite

    #2
    thank you for the heads up
     
    roxite, Jun 24, 2008 IP
  3. ceweqsakti

    #3
    Wow. Thanks.
    I will do this.
     
    ceweqsakti, Aug 3, 2008 IP
  4. invisible

    #4
    Thanks for that. Rep added.
     
    invisible, Aug 3, 2008 IP
  5. Leena21

    #5
    Great solution, this really worked for me. Rep added.

    Thanks,
     
    Leena21, Aug 15, 2008 IP
  6. confusion

    #6
    A couple of additional notes...

    1. The scenario you describe is far and away the minority of cases. The majority of compromises occur due to exploiting vulnerable web applications - WordPress, SMF, phpBB, etc, etc. Most of those apps parade their version number around, which makes it easy to search for vulnerable sites. Mpack is a scary thing to be sure. Don't visit your porn sites from the same PC you use to manage your sites.

    2. Once an attacker has had access to your server, you must consider all of the contents of the server suspect, and it's strongly recommended to reload the server and restore from backup. Once I have had access, I can drop many backdoors that will give me continued control of your server after you change the password.
     
    confusion, Aug 30, 2008 IP
  7. MikeDVB

    #7
    Wouldn't it make more sense to clean format the PC *THEN* change the password so your infected PC doesn't send out the changed password before you format?

    That is, if clean formatting is required. Clean formatting may be best for the average user but for a power user they should be able to find/remove the keylogger/malicious software with the appropriate research.

    Just a thought.
     
    MikeDVB, Sep 9, 2008 IP
  8. Irfi0009

    #8
    Yes, it's the right way ;)
     
    Irfi0009, Sep 18, 2008 IP
  9. Irfi0009

    #9
    But if you do not clean format your PC then chances are high that the virus will again corrupt your site through the FTP you are using with the new password.
     
    Irfi0009, Oct 8, 2008 IP
  10. killer2021

    #10
    I have been looking for this, thank you!
     
    killer2021, Nov 9, 2008 IP
  11. muhabbatain

    #11
    Nice tips man. Great
     
    muhabbatain, Nov 14, 2008 IP
  12. RectangleMan

    #12
    One of the first things you need to do is unplug the system from the internet. UNPLUG IT.

    Next you reinstall your OS.

    This assumes you have backups somewhere.

    If you believe your email passwords were compromised you need to immediately work on getting those changed but do it from a clean system.

    fyi...one way to defeat keyloggers...

    copy and paste..yup...

    You can create a text file in Notepad...start typing pure gibberish...now copy and paste a new password into your email.

    You just defeated a keylogger. It's that easy.
     
    RectangleMan, Nov 16, 2008 IP
  13. Irfi0009

    #13
    Thanks for nice tips ;)
     
    Irfi0009, Nov 16, 2008 IP
  14. WeWatch

    #14
    I will have to agree with confusion on this. The cybercriminals have many, many ways of getting into your website.

    Honestly, you can't tell without some good forensics if they got in via a keylogged FTP account, PHP vuln, SQL injection, file inclusion, etc. Many successful attacks are based on software vulnerabilities (as stated earlier by confusion).

    The point is, you need to be aware of security for your website. Assume anything you download is vulnerable until you prove it otherwise. We've worked on cases where people were infected by downloading what they thought was the free version of AVG. Cyber gangs know how you think. They know how to get high SE rankings either by using blackhat techniques or by using traffic from some well known site to redirect to them.

    There are so many people out there looking to make money on the Internet. Some are legitimate some aren't. The ones that aren't don't care if they use your site or any other site to make money. They just want to make money. To many of them there's something "cool" about making money hacking. That's their mindset.

    You need to adopt the mindset that everything is suspect. One of the postings on this site said that his site was hacked because of an ad server he was using on his site. Here he was trying to make money with an ad and turns out some of his visitors were getting infected by this. You can't trust just everyone.

    Recently an infected update to WordPress was offered. It was a version 2.6.4. Anyone who downloaded it and upgraded was serving up infectious code to their visitors. How rude!

    I read that a lot of forums were getting spammed recently. People were stating that they're even using captcha. Many hackers/crackers... have tools to help them get past captchas. Their tools aren't 100% effective, but they don't need 100%.

    As I read about and hear about all this level of forum spamming increasing, I immediately think, "What is the real motivation behind this?"

    One possible answer is that the hackers/crackers have modified some anti-spam module and they have posted it online. Now to drive people who aren't using it already, to Google it, they start spamming every forum they can find. You as a forum website owner, seek out solutions - maybe on Google. You find someone offering a free download for anti-spam module for your forum software. You download it and install it.

    Unknowingly to you, you just gave hackers a way into your website.

    This kind of strategy goes on all the time. Be suspicious of everything online. You'll be better off.

    That's just my 2 cents worth. In the current economic slump, maybe it's worth even less...
     
    WeWatch, Nov 16, 2008 IP
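
One piece of the forensics mentioned in the post above, as an added example that is not part of the thread: list FTP uploads that overwrote index-type pages, grouped by source address, to see whether the FTP account was the way in. It assumes the server writes a transfer log in the standard xferlog format; the log lines, the account name and the addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: which file names count as index-type pages.
INDEX_FILE = re.compile(r"/(index|default|home)\.[A-Za-z0-9]+$", re.I)

# Constructed log lines (documentation IP ranges, made-up account "alice").
SAMPLE_LOG = [
    "Thu Jun 19 03:12:45 2008 1 203.0.113.7 5120 /home/alice/public_html/index.php a _ i r alice ftp 0 * c",
    "Thu Jun 19 03:12:46 2008 1 203.0.113.7 2210 /home/alice/public_html/blog/index.html a _ i r alice ftp 0 * c",
    "Thu Jun 19 09:30:02 2008 2 198.51.100.20 8042 /home/alice/public_html/img/logo.png b _ i r alice ftp 0 * c",
    "Fri Jun 20 10:01:10 2008 1 198.51.100.20 5100 /home/alice/public_html/index.php a _ o r alice ftp 0 * c",
]

def parse_xferlog_line(line):
    """Parse one xferlog line into a dict, or return None if it does not fit."""
    tok = line.split()
    if len(tok) < 18:  # 5 date tokens + 3 fields + file name + 9 trailing fields
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    tail = tok[-9:]  # type, action flag, direction, mode, user, service, auth, id, status
    # The file name is whatever sits between the size and the 9 trailing fields.
    return {"time": when, "host": tok[6], "path": " ".join(tok[8:-9]),
            "direction": tail[2], "user": tail[4], "status": tail[8]}

def index_uploads_by_host(lines, known_hosts=()):
    """Completed uploads ('i') of index pages from hosts not in known_hosts."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_xferlog_line(line)
        if (rec and rec["direction"] == "i" and rec["status"] == "c"
                and INDEX_FILE.search(rec["path"]) and rec["host"] not in known_hosts):
            by_host[rec["host"]].append((rec["time"], rec["user"], rec["path"]))
    return dict(by_host)
```

Pass the addresses you normally upload from as `known_hosts`; index-page uploads from anywhere else, at times you were not working, point to a stolen FTP login, while an empty result suggests looking at the web application instead.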
  15. nowares

    #15
    Very useful post, thanks!

    Great solution, but a little time consuming.... Guess it's a must tho.

    +Repped
     
    nowares, Nov 17, 2008 IP
  16. and_y

    #16
    Thanks for the post
     
    and_y, Nov 18, 2008 IP
  17. yuskurn

    #17
    Yes... just be careful out there... there are too many hackers who want to hack to get benefit from yours.
     
    yuskurn, Nov 22, 2008 IP
  18. yajur

    #18
    Install mod_security, it will help you.
     
    yajur, Nov 26, 2008 IP
  19. bread102

    #19
    Great post! Very informative, it will help a great deal!

    Thanks again!
     
    bread102, Dec 6, 2008 IP
  20. hostindya

    #20
    Update all your source to the latest version.
     
    hostindya, Dec 7, 2008 IP