WARNING!!!WARNING!!!WARNING!!!

General questions about CMSimple
Connie
Posts: 282
Joined: Thu May 22, 2008 10:11 am
Location: Hamburg

Re: WARNING!!!WARNING!!!WARNING!!!

Post by Connie » Sat Jul 11, 2009 7:53 am

So the infection was possible because of the weak encryption of the TotalCommander-FTP-Feature?

If you google for "TotalCommander security" or "Totalcommander hack" you find a lot of links...

most of them show that OLD versions of that program are vulnerable

so once again the old lesson:

you should take care of security alerts PLUS you should update your software!

I would suggest using another FTP program, but at least update!! update!!!
Connie Müller-Gödecke, http://www.webdeerns.de

gerepeer
Posts: 39
Joined: Fri May 23, 2008 1:21 pm

Re: WARNING!!!WARNING!!!WARNING!!!

Post by gerepeer » Sat Jul 11, 2009 12:03 pm

Hello,

Thank you all for your hints and tips, but I don't have a clue how this could be possible, since I use FireFTP and, as of last night when I detected the hack, FileZilla. I have never used Total Commander, have scanned my computer with different anti-viruses, even online scanners, and no infection found.
I'm totally baffled.

Gerepeer

beate_r
Posts: 174
Joined: Thu May 22, 2008 11:44 pm
Location: Hessen / Germany

Re: WARNING!!!WARNING!!!WARNING!!!

Post by beate_r » Sat Jul 11, 2009 5:37 pm

Maybe this one is a more secure alternative: http://webscripts.softpedia.com/script/ ... 28455.html

It is command line oriented (i.e. runs in a DOS box if in Windows), but it is really powerful. And it does not store passwords which makes it less vulnerable.

Beate

kraken17
Posts: 1
Joined: Sat Jul 11, 2009 6:33 pm

Re: WARNING!!!WARNING!!!WARNING!!!

Post by kraken17 » Sat Jul 11, 2009 6:45 pm

I have worked on this problem for the past 3 days, with only one account hacked on the server.

The problem has expanded to [A5H.ru] as well. Search your servers for anything :8080 inside all files.

Linux command:
find /home/ \( -name "*.cgi" -o -name "*.php" -o -name "*.html" \) -print0 | xargs -0 egrep -l 'ru:8080' >> /root/a5g_report &

will find anything placed into php, cgi and html files with this particular problem, looking for ru:8080. It will then place the filename of any infected files into /root/a5g_report.

Now is the time to keep effective backups of your website, guys. Also do change the FTP password, but do not do it on a machine that may be infected; I changed my user's password and then gave it to the hackers again.

CMSimple-Styles.com
Posts: 342
Joined: Thu Jun 26, 2008 8:19 pm
Location: Germany

Re: WARNING!!!WARNING!!!WARNING!!!

Post by CMSimple-Styles.com » Tue Jul 14, 2009 1:11 pm

Hi Tata, sounds like "Fun", but how did the trojan get into your PC?

Tata
Posts: 3588
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Re: WARNING!!!WARNING!!!WARNING!!!

Post by Tata » Tue Jul 14, 2009 1:19 pm

CMSimple-Styles.com wrote: Hi Tata, sounds like "Fun", but how did the trojan get into your PC?
This was a miracle for me too. But now I know how. My PC crashed entirely when it was connected to the internet. I needed to restart it and then the ESET antivirus stopped working. So I reinstalled it and during its first update the infection went through. In only a couple of minutes the trojans had infected over 5000!!! htm files incl. all Windows help files etc., inserting this crazy IFRAME. Then when looking for some solution (opening the help and searching on the internet) the disaster happened.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

Holger
Site Admin
Posts: 3470
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany

Re: WARNING!!!WARNING!!!WARNING!!!

Post by Holger » Tue Jul 14, 2009 1:38 pm

[OT]
You can use Offline-Update on new installations with outdated setup CDs:
http://www.heise.de/software/download/c ... date/38170
[/OT]

Holger

Tata
Posts: 3588
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Re: WARNING!!!WARNING!!!WARNING!!!

Post by Tata » Wed Jul 15, 2009 8:30 pm

I did everything I had recommended in the previous post. And today I have found the infiltration mentioned by gerepeer.
What's bad now: the first infiltration only inserted the code at the end of the files. This new one inserts the code a couple of lines before the end of almost any index.php (I have not found this code anywhere else) and deletes the rest of the file.
Gert had recommended to me to change permissions for all these files to 444. I should have thought about this before :-(
Take care and BACKUP, BACKUP, BACKUP!!!
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

Tata
Posts: 3588
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Re: WARNING!!!WARNING!!!WARNING!!!

Post by Tata » Sat Aug 01, 2009 8:08 am

Should you also have had an experience with the stupid hacker: I have hopefully found a tool that makes possible what I needed, CHMOD on several identically named files.
http://flashfxp-portable.softonic.com.br/
or
http://www.flashfxp.com/
It really works very nicely. Now (after all files were cleaned) I have (following Gert's suggestion) protected all index.php files with 444.

Should you also have had an experience with the crazy hacker, I have hopefully found the tool which makes it possible to cover my needs: CHMOD multiple files of the same name at once.
http://flashfxp-portable.softonic.com.br/
or
http://www.flashfxp.com/
It works really very nicely. Now (after cleaning all files from the hacker's code), I have (following Gert's hint) secured every index.php file with 444.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

macgawel
Posts: 8
Joined: Mon Jul 27, 2009 10:15 am

Re: WARNING!!!WARNING!!!WARNING!!!

Post by macgawel » Wed Aug 12, 2009 5:19 pm

There seems to be another virus (or a variant, or ?).
This time, you don't see the iFrame, even if you look at the source code. But there's some JS.

I've looked at the website http://www.cowleyclub.org.uk/
In fact, the Decode() function (you should look for this in your files) adds an iFrame...
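An added example (not code from any poster in this thread) that turns the indicators the thread describes into a small Python scanner: it flags lines referring to a .ru host on port 8080 (kraken17's grep), hidden or zero-size iframes (Tata's posts) and a Decode() function in script text (macgawel's post), and it also reports any index.php that is still writable, i.e. not yet set to 444 as Gert suggested. The regexes and the sample files built in demo() are constructed assumptions, not real samples from the thread.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Indicator patterns assumed from the thread's descriptions: a .ru host on port 8080,
# a hidden or zero-size iframe, and an obfuscating Decode() function in script text.
INDICATORS = {
    "ru_8080_ref": re.compile(r"[\w.-]+\.ru:8080", re.I),
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none|"
        r"(?:width|height)\s*=\s*['\"]?0\b)", re.I),
    "decode_js": re.compile(r"\bfunction\s+Decode\s*\(", re.I),
}
WEB_EXTENSIONS = {".php", ".html", ".htm", ".cgi"}
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def scan_text(text):
    """Return (indicator, line_number) pairs for every line matching an indicator."""
    return [(name, n) for n, line in enumerate(text.splitlines(), 1)
            for name, pat in INDICATORS.items() if pat.search(line)]

def scan_tree(root):
    """Walk root; report files with indicator hits and index.php files still writable."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        hits = scan_text(path.read_text(errors="replace"))
        # index.php left writable means the chmod 444 hardening from the thread is missing
        writable = path.name == "index.php" and bool(path.stat().st_mode & WRITE_BITS)
        if hits or writable:
            report[path.relative_to(root).as_posix()] = {"hits": hits, "writable_index": writable}
    return report

def demo():
    """Build a constructed sample tree (not real infected files) and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text(
        "<?php echo 'hi'; ?>\n"
        '<iframe src="http://example.ru:8080/x" width=0 height=0></iframe>\n')
    (root / "clean.html").write_text("<html><body>ok</body></html>\n")
    sub = root / "sub"; sub.mkdir()
    (sub / "index.php").write_text("<?php echo 'clean'; ?>\n")
    os.chmod(sub / "index.php", 0o444)  # hardened as the thread recommends
    (sub / "page.htm").write_text("<script>function Decode(s){return s}</script>\n")
    return scan_tree(root)
```

Run scan_tree() against a copy of the web root taken from backup as well as the live one; a file that is flagged only in the live copy is the one to restore.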
