xisto Community
frozen.fish

All My Sites Here Got Virus! My Hosting got hacked?


I'm using FluxBB. I don't think SQL injection is possible; there are no known exploits, nor in the plugin installed. What can be causing this one?! This is twice already.. Are the hosts here secure?


Well, you can't be sure if the problem lies with the forum, but I have to ask, does your site encounter any problems visually rather than on the cPanel and host? I had tremendous trouble with some kind of viruses on my computer, and so you have to be careful with this, as it is not easy to remove some spyware.


What do you mean by my site encountering visual problems? Kindly elaborate..

Thanks, webishqiptar, for looking into this..


A very highly improbable possibility there. There are only a few known possibilities that your site has a virus.

 

1. Bad scripting/coding mistakes or .js/iframe scripts

2. You have been uploading .exe's to your account.

3. Your scripts/.php files or anything else has been infected by a virus ON your PC.

4. You are not running Up-To-Date scripts.

 

I don't see how you have a "virus" as you say in your account anyway. Run your Anti-Virus Scanner in your cPanel.


I pulled it down before it gets seen by Google..

 

1. No, I don't have JS scripts nor coding mistakes. It's a one-page site with one image and no text at all.

2. No exes.

3. Possible, but it was loading well before the past few days.

4. The forum software I'm running is up to date and has no known exploits.

 

I saw the problem when the sites with PHP wouldn't load and gave an error, then checked the other ones; the HTML-only sites are loading, but my antivirus pops up notifying of a script virus.. I downloaded the indexes and inside them is this:

 

Posted Image

 

Also, in times like this, especially when you put critical on the support ticket, I think they should reply quicker.. :lol:

 

*Edit: on the second attack the code or script wasn't completely written; it's like half my site, and the malicious script was not done.

Edited by frozen.fish


Frozen, link us to your site, please, so we can see what is on there. I am running Linux, so please give me a link that has the 'virus' script on it. I can handle it. Thanks.


Instead of having a ton of quoted posts I will just number them based on the order of the post count.

Post #1

First, your index files cannot get a virus, impossible, but your website could have been hacked to have a virus or malware get installed. Of course, it would have been nice to have screenshots of all this and of course a link to the website to get a better idea of what's going on.

As for breaking in, SQL injection, insecure scripts either from bad programming or improper CHMODing of them. XSS attacks could be another possibility or the fact your passwords were easy to guess.

Post #2

Xisto wouldn't do anything of the sort, and so odds are your site got hacked and was used as a portal for someone to upload malware, trojans and virus files. Then when a person visits that site or clicks on a link in that site, the attack will commence. As for the origin, odds are your site got hacked somehow from one of the various methods, and I doubt a keylogger would have been necessary if the website used a common enough script or coding that can be easily cracked.

Post #3
No, you cannot transmit a virus from your computer to your hosting account as the coding to infect PCs and hosting accounts is quite different in terms of setting it up. Even if you are infected with a virus/trojan/spyware, your security software should have picked it up if it is current or you actually use such security software.

Besides, reinstalling your computer because of a virus would be a last resort if your security software can get rid of it, and even then it would have to be a brand new virus to get that far.

Password managers wouldn't matter with a keylogger, as a keylogger is used to record your keystrokes and so it wouldn't even matter that you have that password manager encrypted with a password.

Since you detected a trojan on your computer I can reassure you that it wouldn't transmit to your site; it would be kind of pointless to do so.

Post #4

The first thing you want to do is clean up your computer of any viruses, but the best removal method is to go into safe mode and have your System Restore points turned off before cleaning, as some like to hide in there and even though you cleaned it out it could show up again.

As for the website itself, usually a backup is a good idea; however, depending on when you made that backup you're not really solving the problem. However, since I don't know what your website looks like it is hard to say what would be best to properly secure your website.

Post #5

If you did have the Conficker virus, it would be next to impossible to clean your computer because of what Conficker does. You wouldn't be able to patch your system because Windows Update would be disabled and your security software wouldn't work. So I highly doubt you have the Conficker worm on your computer and even then it wouldn't get uploaded to your website because that is not how the worm works.

As for your hosting, that would be tricky to say; of course the first thing I would suggest is not to use password generators. They may be useful; however, it is best to make your own password from scratch for better security. Also, if you're using databases, you want to use a very strong and separate password as well and that will add another level of security. The reason for that is you don't want to use the same password over and over again, because if they find out that is the only password you use, your hosting is screwed.

Post #7

Well, odds are it was an XSS, SQL injection or a script kiddie who knows those specific scripts well. Again, a computer virus will not affect your hosting account; it would be the other way around.

Post #8

Heck, you should have reported the problem to Xisto - Support right away and hopefully you did that during this 21 post bonanza, as they need to know this to help better protect their servers and of course block that IP and even report it as well.

Post #11
Odds are they used that site to cover their tracks as they hack your site and booby trap with malware/spyware/trojans and stuff like that.

Post #12
You need to change your passwords ASAP and also remove the scripts that you're using. My suggestion would be to start your website over, and not use whatever scripts you're using or find better scripts that are better secured. Of course, the best thing to do is to keep on changing your passwords until the attacks stop, and by changing passwords I mean not using generators as odds are they might know what generator you're using.

Post #14

It all depends on the scripts that you're using, and if you're using databases along with those scripts as well, and the only sure way to prevent SQL injections is strong passwords and making your scripts unreadable to outside sources, and Chmodding everything properly.

Post #16

Of course they wouldn't be known, but odds are the designers of fluxbb have created a lot of places to get into the software and mess everything up. SQL injections are possible just because of the lack of security the designers put into their software or that there are too many security holes in the coding itself. Now that I know what is causing all the problems, my suggestion would be to drop that forum and go with something more secure like PHPBB or SMF or AEF and a lot of your problems will go away.

Post #20

#1 correct
#2 unlikely but even then running exe through a hosting account is quite tricky
#3 impossible, they would have to hack the fluxbb website, then upload their own version of the infected forum for that to be possible. Most computer viruses do not work like that and it would be kind of stupid to do so if they wanted to infect the computer with their goodies.
#4 a possibility

Post #21
#3 the point of running an infected website is for the owner not to detect that anything is wrong, and so while the site could have been running normally for you, odds are your computer was compromised with a silent download through the website, i.e. that trojan you have. As for Google, it would take more than a day to have them block your website; however, depending on what browser you're using it could be difficult to tell if your site was compromised, as not all browsers use the same lists to block potential bad sites.

#4
the designers are ignorant because regardless if it's current, most of the time they won't spot their own programmers' errors until someone tells them. So odds are they have not found either the SQL injection leak or not making sure to properly CHMOD the forum software.

As for the image you posted, instead of typing it out for you, here is a link to the reference all the key strokes and stuff. However, since I am not a big security expert I can't really tell you what it is doing; for all I know it picks those to be logged and stuff.

Post #22-23

Yeah it would have been good to have a link to this site and that way we could have had a better time trying to figure out what is/was wrong with your website and offer a better solution.


Got your PM, downloaded the source file and found the JavaScript entry in the file.

It was a series of digits, comma-separated, inside an eval function which translated into an iframe injection onto your page. The iframe was only 1 px wide by 3 px high, so impossible to find with the eye.

Anyway, the iframe contained a link to a site which will remain un-named. The purpose of this script is still unknown, too, but rest assured that it was a script-kiddie who did this. The Security sites have this code available on them and anyone with any degree of Googleese would be able to find it.

How it got onto your site is anybody's guess, but the very next thing you need to do, before taking another breath, is to delete any unused FTP accounts, change the passwords to the remaining FTP accounts, change the password of your Hosting Account, and then delete all occurrences of the script snippets in your files. You need to check all of them on your account. Each and every one. There might be a script out there to do that for you, but I could not find it.

 

And quit hanging around script-kiddies... :lol:

 

reference this link: http://linuxsysadminblog.com/2009/03/heurtrojanscriptiframe/

 

Postings around #35 are the ones you need to review. Clearly, it is an FTP issue on your local machine according to the 'experts' on there.

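The file check described in the post above can be scripted. The following is an added example, not part of the original thread: it walks a downloaded copy of the site, decodes any long run of comma-separated numbers as character codes, and reports runs that decode to an `<iframe>` tag, plus plain iframes only a few pixels in size. The `String.fromCharCode` wrapper in the sample, the thresholds, the file extensions and the `example.invalid` address are assumptions made for the illustration.

```python
import re
from pathlib import Path

NUM_RUN = re.compile(r"\d{1,3}(?:\s*,\s*\d{1,3}){9,}")   # 10+ numbers: 60,105,102,...
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
DIM = re.compile(r"\b(width|height)\s*=\s*[\"']?(\d+)", re.I)
WEB_EXT = {".html", ".htm", ".php", ".js", ".tpl"}        # assumed set of web files

def decode_run(run):
    """Turn '60,105,...' into text; codes outside printable ASCII become '?'."""
    codes = [int(n) for n in re.split(r"\s*,\s*", run)]
    return "".join(chr(c) if 9 <= c < 127 else "?" for c in codes)

def is_tiny(tag, limit=5):
    """True when the iframe tag declares a width or height of a few pixels."""
    return any(int(v) <= limit for _, v in DIM.findall(tag))

def scan_text(text):
    """Return findings as (kind, line_number, iframe_tag) tuples."""
    findings = []
    for m in NUM_RUN.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        for tag in IFRAME.findall(decode_run(m.group())):
            findings.append(("encoded-iframe", line, tag))
    for m in IFRAME.finditer(text):
        if is_tiny(m.group()):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(("tiny-iframe", line, m.group()))
    return findings

def scan_tree(root):
    """Scan every web file under root; returns {path: findings}."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in WEB_EXT:
            found = scan_text(p.read_text(errors="replace"))
            if found:
                hits[str(p)] = found
    return hits

# Constructed sample: a one-image page with an encoded iframe appended.
PAYLOAD = '<iframe src="http://example.invalid/" width=1 height=3></iframe>'
SAMPLE = ("<html><body><img src='a.png'></body></html>\n<script>eval(String.fromCharCode("
          + ",".join(str(ord(c)) for c in PAYLOAD) + "))</script>\n")

if __name__ == "__main__":
    for kind, line, tag in scan_text(SAMPLE):
        print(kind, "line", line, tag)
```

Run `scan_tree()` against a local download of the account rather than the live site, and compare flagged files with a known-good backup before deleting anything.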

Thank you for clearing this up.. At least now I know what is happening.. I've just rescanned with a different scanner since reformatting is not an option for now.. :lol: and changed FTP passwords as well.. Now the question is, how do I use sFTP? I've accidentally blocked myself now with numerous failed attempts and support is taking a while.. :XD: And I hope we could see some guide on how to CHMOD files and folders properly.. Lastly, you said it was getting FTP credentials, so I've checked my other hosting and only two hosting accounts got hit.. The free ones on other servers are pretty fine, very odd.. I really really hope that was the last..


Wow, this sure is scary to beginners! This just goes to show how a simple tool like a keylogger/trojan can cause so much devastation. I hope your problems end really soon and your site stays safe as before. If you find out the problem and the solution please tell it here as it might be useful to someone else who might be having the same problem...
