05-15-2009, 07:54 PM | #1 |
Two fresh affiliate progs
Industry Role:
Join Date: Nov 2004
Location: Inside teen pussy
Posts: 29,602
|
Gumblar exploit going around...
This somehow got onto one of my sites... anyone else experience this?
http://blog.unmaskparasites.com/2009...jected-script/
__________________
[email protected] Skype: 17026955414 Vacares Web Hosting - Protect Your Ass with Included Daily Backups |
05-15-2009, 08:25 PM | #2 |
Confirmed User
Industry Role:
Join Date: Jan 2004
Location: Wisconsin
Posts: 4,518
|
Had to clean up a customer's site with this a few days ago. Like the article said, it was a compromised ftp password.
I had the customer scan his pc before giving him his new password of course... he said he had Norton and it did NOT find the customer's trojan. I told him to install Avast and rerun the scan - he did and it DID find it. |
05-15-2009, 08:58 PM | #3 | |
Confirmed User
Industry Role:
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
|
Quote:
@Get Naughty: I assume you're using Filezilla, since it attacks only sites that use Filezilla as FTP client AFAIK. If so, I'll try to find how to fix it, but be prepared for some heavy registry editing. Just in case, if you're using Filezilla and you have a lot of sites or sites you don't remember the user/pass because you've Filezilla set to remember it, save your filezilla.xml file in another location and do not change passwords for your servers before cleaning your computer or you'll have to do everything again. My partner Ed has cleaned 2 computers and we had to clean servers as well. This shit is nasty, and Avast catches it, but doesn't clean it, no matter what the Avast results say. Plus, most chances are your server is infected and you'll be infected every time you use Filezilla. I'll send a message to Ed to write me the instructions and post it here later as soon as he sends them. In the meanwhile, backup your sites and try to get a backup of your servers before the date you assume you had your sites infected.
__________________
This post is endorsed by CIA, KGB, MI6, the Mafia, Illuminati, Kim Jong Il, Worldwide Ninjas Association, Klingon Empire and lolcats. Don't mess around with it, just accept it and embrace the truth |
|
05-15-2009, 09:27 PM | #4 |
Two fresh affiliate progs
Industry Role:
Join Date: Nov 2004
Location: Inside teen pussy
Posts: 29,602
|
That's fucked up. Yeah I use Filezilla.
05-15-2009, 09:31 PM | #5 |
Confirmed User
Industry Role:
Join Date: Mar 2007
Location: Arizona
Posts: 8,437
|
Hmm. I use FileZilla as well, should I find a new client?
__________________
Conversion Sharks - 1,000+ adult dating offers, traffic management, and consistently high payouts. We will guarantee and beat your current EPC to win your dating traffic! Skype: ConversionSharks || Email: info /@/ conversionsharks.com |
05-15-2009, 10:57 PM | #6 |
Confirmed User
Industry Role:
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
|
not really. This trojan is installed using an Acrobat Reader vulnerability so you get infected when opening PDF files if you didn't update Acrobat. However, if you have Avast or any real antivirus (ie: NOT NORTON!), it will warn you and kill the worm or move it to the chest if you choose to download it anyway. Another way to get infected is opening infected local scripts in your PC. But if your PC is secured with good antivirus and antispyware (I recommend Super anti spyware, it's free and catches almost everything), you won't have any problem. Another way to be safe is to use your PC as a user, not as admin. Do regular backups, make restoration points just in case and you're covered. This applies to everything, not just this trojan, of course.
Alternatively, for further security don't save Filezilla passwords, and use any password tool or simply copy and paste when needed, but if you follow the steps above you'll be probably safe
05-15-2009, 11:26 PM | #7 | |
Confirmed User
Industry Role:
Join Date: Aug 2006
Location: Nassau, Bahamas
Posts: 3,133
|
Quote:
__________________
|
|
05-16-2009, 12:09 AM | #8 | |
Show Yer Tits!
Industry Role:
Join Date: Feb 2002
Location: Somewhere Out there...
Posts: 25,793
|
Quote:
Nice read. Thank you.
__________________
Scammer Alert: acer19 acer [email protected] [email protected] Money stolen using PayPal
|
|
05-16-2009, 02:32 PM | #9 | ||
Confirmed User
Industry Role:
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
|
np
so here is the way to fix it (thanx muchas ED!!!!!):
1- backup filezilla.xml just in case. Create a clean filezilla.xml file (simply open notepad and save as filezilla.xml without adding anything)
2- backup your registry
3- backup your server.
4- if you don't have Avast, install it, it's free. Download it at http://www.avast.com and scan your PC in thorough mode (NOT FAST MODE!)
5- With Avast installed and running, surf all your sites. If any of them is infected, Avast will warn you.
6- If your server is infected, Avast will tell you which files are compromised. Usually it will be php and js files, but I've seen html files and heard pdf and swf files are infected as well. You may have to edit them or re-upload files. It's faster to reupload, but you may not have the files, so it's your choice. However, wait before doing anything.
7- If you find out either your PC or your server are compromised, do the following:
8- Run Avast again. You'd be fine, but do it to confirm
9- Now clean your server files. If possible (ie Wordpress, Joomla, phpBB, VBulletin and such) replace all but the uploads folders. To play on the safe side, check that folder's php or html files to see if they have the code, if not, you're safe. Since databases aren't compromised, replace the regular files plus your theme or skin's files if you have'em.
10- Also check for strange files that aren't supposed to be there, the most common is image.php
11- Check files up to 2 levels BELOW the infected folder, pay attention to strange php or js files. Check your .htaccess as well
12- Once everything is cleaned, change your FTP passwords
13- Done. Annoying, but that's what you gotta do
On a side note, it isn't supposed to have a keylogger "per se" (regarding eroticsexxx post), but it will try to download a keylogger that scans for financial info at a later time, I don't know if that's for real, but it's supposed to be that way according to several sources.
Another thing: this bitch WAITS before re-infecting. Once you've cleaned everything in your server (or you thought you did), it will wait a few hours or up to a couple of days and reinfect you again, so CLEAN EVERYTHING ON YOUR SIDE BEFORE CLEANING YOUR SERVER
Just lmk if you have any problem, I'm no expert by any means but my partner is quite knowledgeable on the matter
||
05-17-2009, 12:59 PM | #10 |
Giggity
Industry Role:
Join Date: Jul 2003
Location: S.E. Asia
Posts: 31,779
|
Jesus Christ this sounds nasty.
|
05-17-2009, 02:25 PM | #11 | |
Confirmed User
Industry Role:
Join Date: Mar 2007
Location: Arizona
Posts: 8,437
|
Quote:
|
05-21-2009, 07:24 AM | #12 |
Confirmed User
Join Date: Feb 2006
Posts: 169
|
I've been dealing with this since last Friday and it SUCKS! I found it by accident...went to check a member's user/pass using chrome and when I went to my site it popped a warning which IE and FF didn't. I checked my page and sure enough there was a script in the head tag! Mojohost got on it did a restore on the server and the next day it was infected all over again!
I use AVG Premium at home (at least I did til now) and it didn't detect a thing. I installed avast and it found the backdoor.Trojan. Over 35k files infected all the html pages on my entire site! over 500 galleries with auto duplicated page for auto submits in each! it fucking sucks! I've done a re-install of my OS and scan after scan and nothing so hopefully I'm in the clear. the way I could tell I was re-infected was I went to my site in FF and in the status bar it said waiting for maturz.cn that will tell you your home machine is fucked. All good now but what a righteous pain in the tits! We didn't know what it was so we did a restore on the server. oh and btw I have filezilla installed but never used it one time after I set it up!!!!! I use Ipswitch so it got my info from filezilla even though I never connected with it! |
05-21-2009, 12:23 PM | #13 | |
Confirmed User
Industry Role:
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
|
Quote:
As I said, this sucker hides itself in your server, and doing further investigation we found out people getting infected on shared hosting (different accounts), which talks very bad about that server, of course. So probably you had some file waiting for you to clean everything and then reinfecting it. Like I said above, it waits up to 48 hours, maybe it waits more, who knows... however, the re-infections usually take 5-6 hours after cleaning everything. IMHO, they're triggered by infected computers, so any surfer that has the crap I mentioned in their registry will re-activate the trojan in your server by doing a request. Again, that's my opinion, not really sure it's that way. Anyway, just be sure to patch FF with the latest version, since the PDF FF plugin was outdated and that was what caused the massive infection, now it's fixed, but you gotta have the latest patches
|
05-22-2009, 05:02 AM | #14 |
Confirmed User
Join Date: Feb 2006
Posts: 169
|
thank you so much for the help! very much appreciated!
xoxo |
05-24-2009, 02:18 PM | #15 |
Two fresh affiliate progs
Industry Role:
Join Date: Nov 2004
Location: Inside teen pussy
Posts: 29,602
|
Trying to fix this now but I don't see....
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\JQSIEStartDetector.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}
I have no AppID
05-24-2009, 02:21 PM | #16 |
Two fresh affiliate progs
Industry Role:
Join Date: Nov 2004
Location: Inside teen pussy
Posts: 29,602
|
Actually I can't find any of the first part... maybe Avast fixed it.
05-24-2009, 03:02 PM | #17 |
Hmm
Industry Role:
Join Date: Sep 2005
Location: On an endless road around the world for rock and roll.
Posts: 12,642
|
Nasty shit indeed!
Fortunately, I am running avast all the time along with sophos. |
05-24-2009, 08:01 PM | #18 |
Confirmed User
Industry Role:
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
|
Is that the only thing you don't find? If so, then don't worry. If what you mean is that you didn't find anything at all of those values and keys, there are 2 chances: a) you're not infected; or b) you've another virus/trojan (or version of the same virus). This is for the version we had and what we cleaned
05-24-2009, 09:32 PM | #19 |
Two fresh affiliate progs
Industry Role:
Join Date: Nov 2004
Location: Inside teen pussy
Posts: 29,602
|
All Avast found and all I could find was JQSIEStartDetector.DLL
05-29-2009, 10:08 AM | #20 |
Two fresh affiliate progs
Industry Role:
Join Date: Nov 2004
Location: Inside teen pussy
Posts: 29,602
|
Bump, this got taken care of but you guys should all read this. It's bad stuff.
05-29-2009, 12:26 PM | #21 |
Confirmed User
Industry Role:
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
|
nice to hear. If you still have trouble just lmk
05-29-2009, 01:44 PM | #22 |
So Fucking Banned
Industry Role:
Join Date: Jul 2007
Location: Babylon
Posts: 5,889
|
Yup, I've been dealing with all of these lately
reddii.ru brugeni.net gumblar.cn internetcountercheck.com nakulpi.net complete fucking nightmares. You should check your source codes for all of these |
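A local check for steps 9-11 of post #9 and the advice in post #22, as an added example that is not part of any post in this thread: it walks a downloaded copy of a site and flags php/js/html/.htaccess files that mention the domains named in the thread, plus any file named image.php. The function names and the sample tree are constructed for illustration, and a literal string match will not see an injection that hides the domain through obfuscation.

```python
import os
import tempfile

# Domains named in this thread (posts #12 and #22); literal match only.
DOMAINS = ("gumblar.cn", "maturz.cn", "reddii.ru", "brugeni.net",
           "internetcountercheck.com", "nakulpi.net")
# File types post #9 says to check, plus the stray file name it mentions.
EXTENSIONS = (".php", ".js", ".html", ".htm")
STRAY_NAMES = ("image.php",)

def scan_webroot(root):
    """Return sorted (relative_path, reason) findings for a local site copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if lower in STRAY_NAMES:
                findings.append((rel, "unexpected file name"))
            if not (lower.endswith(EXTENSIONS) or lower == ".htaccess"):
                continue
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1").lower()
            for domain in DOMAINS:
                if domain in text:
                    findings.append((rel, "references " + domain))
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample tree: clean files, two flagged files, one stray file."""
    files = {
        "index.html": "<html><head><title>ok</title></head></html>",
        "gallery/page1.html": '<head><script src="http://GUMBLAR.cn/"></script></head>',
        "js/menu.js": "var a = 1; // constructed reference to nakulpi.net",
        "images/image.php": "<?php /* constructed placeholder */ ?>",
        ".htaccess": "Options -Indexes\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, reason in scan_webroot(tmp):
            print(rel, "->", reason)
```

Run it against a copy of the site pulled down to a cleaned machine, and treat an empty result as "nothing matched these strings", not as proof the files are clean.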