Comments on: The "onload if this" website infection http://wewatchyourwebsite.com/wordpress/2009/11/the-onload-if-this-website-infection/ Website Security Mon, 23 Jan 2012 22:26:33 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: visitor http://wewatchyourwebsite.com/wordpress/2009/11/the-onload-if-this-website-infection/#comment-53 visitor Fri, 19 Mar 2010 06:41:04 +0000 http://www.wewatchyourwebsite.com/wordpress/?p=278#comment-53 Thanks for sharing this usefull information. One site I detected also as a virus: xg1.es/images/gifimg. php (DON"t follow this link!! but I post it here so that others can find it - so, be aware !!!!) Thanks for sharing this usefull information.
One site I detected also as a virus:
xg1.es/images/gifimg. php (DON”t follow this link!! but I post it here so that others can find it – so, be aware !!!!)

]]> By: admin http://wewatchyourwebsite.com/wordpress/2009/11/the-onload-if-this-website-infection/#comment-52 admin Mon, 01 Mar 2010 20:15:17 +0000 http://www.wewatchyourwebsite.com/wordpress/?p=278#comment-52 Tachyon, What do you mean by "a secure editor"? The infected won't infect your PC unless you open them up in a browser. If you open them up with Dreamweaver or whatever your editor is, you won't get infected. Tachyon,

What do you mean by “a secure editor”?

The infected won’t infect your PC unless you open them up in a browser. If you open them up with Dreamweaver or whatever your editor is, you won’t get infected.

]]> By: Tachyon http://wewatchyourwebsite.com/wordpress/2009/11/the-onload-if-this-website-infection/#comment-51 Tachyon Thu, 11 Feb 2010 04:22:59 +0000 http://www.wewatchyourwebsite.com/wordpress/?p=278#comment-51 Nice read. Thanks for tips. Domains I recently found where: - fujikvl.ge/ - adsolutionindia.com/ - cumportal.com/ Does anyone know a secure editor who scan files on FTP-site (with regular expressions) so I don't have to download any possible infected files??? Thanks, Tachyon Nice read. Thanks for tips.
Domains I recently found where:
- fujikvl.ge/
- adsolutionindia.com/
- cumportal.com/

Does anyone know a secure editor who scan files on FTP-site (with regular expressions) so I don’t have to download any possible infected files???

Thanks,
Tachyon

]]> By: peyman http://wewatchyourwebsite.com/wordpress/2009/11/the-onload-if-this-website-infection/#comment-50 peyman Mon, 07 Dec 2009 09:55:36 +0000 http://www.wewatchyourwebsite.com/wordpress/?p=278#comment-50 I found Line 72: Line 73: Line 74: our website designed by asp.net 2 (aspx and vbx) could i couldn't find any eval(base64_decode i need your help to solve this problem I found

Line 72:
Line 73:
Line 74:

our website designed by asp.net 2 (aspx and vbx)

could i couldn’t find any eval(base64_decode
i need your help to solve this problem

]]> By: admin http://wewatchyourwebsite.com/wordpress/2009/11/the-onload-if-this-website-infection/#comment-49 admin Mon, 23 Nov 2009 18:03:48 +0000 http://www.wewatchyourwebsite.com/wordpress/?p=278#comment-49 @Luc, The hackers have been leaving all sorts of malicious remote control code on websites. But the common thread is the virus/trojan on a PC with FTP access to the site. Please, please have your PC checked and any other PC with FTP access to your sites. When analyzing these infections you have to look for common denominators. In this case you have 5 sites, 4 on one server and 1 on another server. So I would look deeper for a common denominator - like the PCs being used for FTPing files to the 5 different sites. Keep looking for the .php files with various base64_decoding strings. Also look for php files with "echo (insert obfuscated javascript here)" Let me know if you need further help. Are you comfortable with grep? There's an awesome program: grepWin that works great at cleaning websites. Let me know... @Luc,

The hackers have been leaving all sorts of malicious remote control code on websites. But the common thread is the virus/trojan on a PC with FTP access to the site. Please, please have your PC checked and any other PC with FTP access to your sites.

When analyzing these infections you have to look for common denominators. In this case you have 5 sites, 4 on one server and 1 on another server. So I would look deeper for a common denominator – like the PCs being used for FTPing files to the 5 different sites.

Keep looking for the .php files with various base64_decoding strings. Also look for php files with “echo (insert obfuscated javascript here)”

Let me know if you need further help.

Are you comfortable with grep? There’s an awesome program: grepWin that works great at cleaning websites.

Let me know…

]]> By: Luc http://wewatchyourwebsite.com/wordpress/2009/11/the-onload-if-this-website-infection/#comment-48 Luc Mon, 23 Nov 2009 16:36:33 +0000 http://www.wewatchyourwebsite.com/wordpress/?p=278#comment-48 I've found this on 5 of my sites today, along with a few new commonalities (although not between every site, just 1 or 2 on each); 1) A file called "mailtest.php" was created on the root a some base64_decode string 2) Where timthumb.php (a popular image resizing script) was being used, new, randomly named directories had been created (presumably to test the attack) 3) 14 lines of document write script tags at the bottom of pages, linking to starktourism.com and ssmgulf.com 4) A file called chat.pl in a cgi-bin 4 of the 5 sites were all on the same server (and the 5th externally hosted with a completely different host), so I'm hoping that it's a server vulnerability, rather than my PC (which is part of a larger, protected nextwork) that's been compromised. The newest one I found was only attacked yesterday (22nd Nov), so there might be a new wave of attacks gearing up... I’ve found this on 5 of my sites today, along with a few new commonalities (although not between every site, just 1 or 2 on each);

1) A file called “mailtest.php” was created on the root a some base64_decode string
2) Where timthumb.php (a popular image resizing script) was being used, new, randomly named directories had been created (presumably to test the attack)
3) 14 lines of document write script tags at the bottom of pages, linking to starktourism.com and ssmgulf.com
4) A file called chat.pl in a cgi-bin

4 of the 5 sites were all on the same server (and the 5th externally hosted with a completely different host), so I’m hoping that it’s a server vulnerability, rather than my PC (which is part of a larger, protected nextwork) that’s been compromised.

The newest one I found was only attacked yesterday (22nd Nov), so there might be a new wave of attacks gearing up…

]]> By: miramis http://wewatchyourwebsite.com/wordpress/2009/11/the-onload-if-this-website-infection/#comment-47 miramis Fri, 20 Nov 2009 17:28:30 +0000 http://www.wewatchyourwebsite.com/wordpress/?p=278#comment-47 Thank you for all information. I found http://biocasa-inmobiliaria.com/images/start-ES.php classicholidays.co.in/ freddyboy1.se/ thepascoedifference.com/ leuchtmittel-welt.com/ Thank you for all information.
I found
http://biocasa-inmobiliaria.com/images/start-ES.php
classicholidays.co.in/
freddyboy1.se/
thepascoedifference.com/
leuchtmittel-welt.com/

]]> By: b h http://wewatchyourwebsite.com/wordpress/2009/11/the-onload-if-this-website-infection/#comment-46 b h Sat, 14 Nov 2009 08:49:06 +0000 http://www.wewatchyourwebsite.com/wordpress/?p=278#comment-46 I found http://starktourism.com/flash/mt_global.php as a script that was injected into the HTML using eval I found http://starktourism.com/flash/mt_global.php as a script that was injected into the HTML using eval

]]>