Comments on: http://a3l.ru:8080/ts/in.cgi?pepsi85

By: admin

admin — Wed, 05 Aug 2009 12:57:08 +0000

I found a Trojan on my work laptop which I believe was responsible as well. You need to clean the machine(s) you have the FTP passwords saved on before changing the passwords.

By: Les

Les — Sat, 01 Aug 2009 09:08:16 +0000

Hi,

We just had 20 sites Edit with http://x9y.ru:8080/ts/in.cgi?pepsi120 within 5 mintues, and on 8 diffrent servers. We tracked it down to a infected laptop in the office and it used cute FTP. We removed the laptop and fixed all the sites and changes the password on 19 sites left one test site with the same password, plug the laptop back in and within 2 mins of opening cute ftp the site was edited with the code.

The good news was we found the problem the bad news was it spread to to other computers on the network.

By: admin

admin — Thu, 30 Jul 2009 06:19:26 +0000

Also, it is NOT a brute force attack as FTP logs show they got the password right first time. Probably a good idea to scan for trojan horses on your own machine.

By: admin

admin — Thu, 30 Jul 2009 06:13:54 +0000

I was told that it was probably the FTP which had been compromised and that all passwords should be changed. This fits as the sites with different FTP passwords were not affected.

By: Gsp

Gsp — Mon, 27 Jul 2009 12:34:50 +0000

I had the same problem yesterday with some sites, The easy solution is to delete the iframe lines, but the pages can be infected again, someone know how to close the backdoor?

thanks

By: Ayolt Talen

Ayolt Talen — Mon, 13 Jul 2009 11:59:12 +0000

Dear Vincent, we’re having the same at this moment. Since friday, 4 of our servers have been attacked. The content of the page that is called in the iframe appears to contain a virus, so be carefull!

In our case, I could just search in windows for all files named ‘index.’ and ‘default.’ that had been changed in the past few days. In there, I found that they append the iframe-code right after the BODY-tag or at the end of the file if there is no bodytag.

I have been trying to find what is the vulnerability that let’s them in. Do you have any idea? We had the problem on a windows2000 machine with IIS and ColdFusion 5.0, MS SQL server 7. But we also had it on a newer machine with windows2003×64 with IIS and Coldfusion 7MX and SQL server 2005.

Did you find anything so far? Please let me know what type of machine you’re using.

Best regards and thanks,
Ayolt

By: admin

admin — Fri, 10 Jul 2009 09:42:32 +0000

I believe it is all ‘index’ and ‘default’ pages affected. Look for ALL of these pages on your site. So if any files are called index and default re-upload them.

By: Vincent Huybrechts

Vincent Huybrechts — Thu, 02 Jul 2009 22:13:55 +0000

Hi,

Today I noticed the same code is appearing at the bottom of my wordpress powered site too. I re-uploaded all the wordpress files, including my theme. But the iframe is still there. And I really can’t find anything wrong in a file.

My site: http://www.startgrid.be (there’s a space between the bottom of the content and the bottom of the browserwindow wich isn’t supposed to be there.)

You say you deleted the affected files, can you tell me which files that were in your case ?

Thanks,
Vincent