intermittent 404 and index replaced with tbh.jp site & virus.

TerroX

Registered: Aug 2, 2005

I've seen a few of these happening on (apparently) CPanel10 hosts.

All sites get DNS problems and all files 404, as the whole site is redirected to tbh.jp/index.php, which is a site with a 0x0 iframe that tries to load an ActiveX virus onto you (only if you have Internet Explorer; I use the Firefox browser, so I never got the virus).

On that tbh.jp site is this text:
PUT SOMETHING HERE IF YOU'D LIKE TO EHEH !!!

Also refer to this post http://forums.cpanel.net/showthread.php?t=42129 (no info and off topic I guess).

A site with users seeing the problem: http://forums.ecphosting.net/printthread.php?t=641 (not the host I am with, but all of us are getting it too).

Defacement alert
http://www.zone-h.org/en/defacements/view/id=996147

flame.so file information. Via a GET request; gotta restart Apache or something.
http://www.webhostingtalk.com/showthread.php?s=&threadid=429922&highlight=tbh

http://www.buzzgrinder.com/?p=2554

TerroX

Okay, I found the site with the actual file; it is just some script kiddie exploit. Easy to fix.

April 14, 2005
Neat little tool: Flame.so

Another script found on a shared server... this one actually had me stumped for about a day or so. It's pretty neat: it actually exploits PHP's ability to load dynamic extensions. Almost every webserver has this feature enabled, so it'll probably work...

Basically, whenever the flame.php script is invoked (through a browser access, etc.), it serves every request received by the webserver (regardless of what virtualhost it's coming from or where the script is being accessed) the iframe URLs that are in the index.html file.

This was uploaded to a server with over 1000 virtual hosts/users, and all the websites were sending the visitors to the URLs contained in the index.html... which contained tons of Win32 viruses.

What's worse is that this script exploits one of the great legitimate features of PHP. As far as I know, the only way to prevent/stop this is disabling the dl() function in your php.ini.
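A small defensive check, added here and not from the thread or the buzzgrinder post it quotes: it audits a php.ini for the two settings that neutralise dl() (enable_dl = Off, or dl listed in disable_functions), which is the mitigation the post describes. The ini fragments and temp paths in it are constructed samples, not files from the affected hosts.

```shell
#!/bin/sh
# Added example, not from the thread: audit a php.ini for the setting the
# post recommends (disabling dl()), which is what stops a script like
# flame.php from loading an arbitrary .so into the web server process.
# dl_disabled returns 0 when dl() is neutralised, 1 when it is still usable.

ini_value() {   # $1 = php.ini path, $2 = key; prints the last uncommented value
    sed -e 's/;.*$//' "$1" \
      | grep -i -E "^[[:space:]]*$2[[:space:]]*=" \
      | tail -n 1 \
      | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/"//g'
}

dl_disabled() {
    ini="$1"
    # enable_dl: Off/0/false/no/none (or an empty value) all mean off.
    # A missing key keeps PHP's built-in default, which is On.
    if grep -i -q -E '^[[:space:]]*enable_dl[[:space:]]*=' "$ini"; then
        case "$(ini_value "$ini" enable_dl | tr 'A-Z' 'a-z')" in
            ''|off|0|false|no|none) return 0 ;;
        esac
    fi
    # disable_functions is a comma-separated list; match dl as a whole item.
    if printf ',%s,' "$(ini_value "$ini" disable_functions)" \
         | tr -d ' \t' | grep -q -i ',dl,'; then
        return 0
    fi
    return 1
}

# Demonstration on two constructed php.ini fragments: the weak setting
# beside the hardened one.
demo_dir=$(mktemp -d)
printf 'enable_dl = On\ndisable_functions =\n' > "$demo_dir/weak.ini"
printf '; hardened\nenable_dl = Off\ndisable_functions = "exec,dl,system"\n' \
    > "$demo_dir/hardened.ini"
for f in weak hardened; do
    if dl_disabled "$demo_dir/$f.ini"; then
        echo "$f.ini: dl() disabled"
    else
        echo "$f.ini: dl() still available"
    fi
done
rm -rf "$demo_dir"
```

Both settings are PHP_INI_SYSTEM, so they can only be changed in php.ini or the server config, not from a script. On PHP 5.3 and later dl() is only available in the CLI, CGI and embed SAPIs anyway, so for a current Apache module install this check is belt and braces.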