Comments on: Being web-cracked: experience and advice

By: konstantin

konstantin — Tue, 08 Sep 2009 06:36:05 +0000

Hi Lunesse,
Nope, I have not done anything to actually close the entry point. That’s because I was not able to find it. I removed the infected code from the web pages and also found a file in my home directory on the provider’s server which was likely used for the exploit. Got no idea on how it appeared there. Removed that one too, and the exploit does not seem to come back. I realize that the hole is most likely still open

By: Lunesse

Lunesse — Tue, 04 Aug 2009 18:49:13 +0000

Mine comes back every day even after I remove the code. I’m starting to suspect the database, as the files do not have modify dates. has it come back for you? did you do anything other than what is listed above in this article you wrote? I’m on DH too.

By: konstantin

konstantin — Thu, 18 Jun 2009 12:29:14 +0000

Talking back to self... this seems to be a problem not specific to WordPress; at least phpBB and MyBBoard users are reporting the same problem.

By: konstantin

konstantin — Thu, 18 Jun 2009 08:00:16 +0000

Exactly. The responsibility division between me and the provider is not absolutely clear, as this is their “automatic install”, but I did a number of customizations to it. Well, backups are made, stay tuned

By: konstantin

konstantin — Thu, 18 Jun 2009 07:42:23 +0000

@Thomas, thank you. I think I’ve cleaned up the malicious code now, and it’s true that during some time period this site was spreading the scam! Digging the logs now…

By: konstantin

konstantin — Wed, 17 Jun 2009 20:26:22 +0000

illness goes first, the cure – later
Or even better: prevention is easier than cure

By: Kirill Evstigneev

Kirill Evstigneev — Wed, 17 Jun 2009 11:48:01 +0000

Strictly speaking NoScript is absolutely The Must for the Web surfing. Some time ago my browser (both IE and Firefox) cache contained at least several pieces of a dangerous junk – trojans, rootkits, etc. Everything is clear after NoScript was installed. Yes, it imposes some inconvenience. But just a little and almost incomparable with a possible harm.
One could say – antivirus is the solution. Well, but remember – illness goes first, the cure – later. And there is a time leap when your infection won’t be known and detected.

By: Thomas J. Raef

Thomas J. Raef — Tue, 16 Jun 2009 20:07:17 +0000

I got new for you!

Your site is still trying to infect visitors.

It’s trying to deliver a malicious Adobe Acrobat file. Luckily I had javascript turned off in Acrobat.

Many of these infections have been the result of a virus/trojan on the PC used to update the website. We’ve had the best luck in finding and eradicating these PC infections with a combination of AVG and Malwarebytes.

According to our scanners, blog/index.html is also infected.

Do you have the log files for your site? Do you seen any FTP activity that is not yours?

In the log files do you see any POSTs with strange query strings?

If you get nowhere with your hosting provider, please contact me off-list and we’ll help you. We help out a lot on http://www.badwarebusters.org

Good luck!

By: vitaly repin

vitaly repin — Tue, 16 Jun 2009 17:08:56 +0000

wget -O infected-script ‘http://www.konstantin.shemyak.com/dnevnik/wp-admin/load-scripts.php?c=0&load=jquery,utils,quicktags&ver=b64ae9a301a545332f1fcd4c6c5351b4‘

Hm. But the key question is how this script was infected? How the attacker was able to add his stuff into the page which is hosted by your server?