
Virus on my server

Discussion in 'BlackHat Lounge' started by carsonrathi, Jul 14, 2009.

  1. carsonrathi

    carsonrathi Senior Member

    Joined:
    Mar 12, 2008
    Messages:
    1,106
    Likes Received:
    759
    Hi,

    I have seen that my site is down and I highly suspect that someone from BHW did it.

    I see an iframe virus on my homepage from http://a5j.ru:8080

    That was some iframe virus, I have deleted it but how to make sure that this is not in any other file?

    Please help. :(
     
  2. carsonrathi

    carsonrathi Senior Member

    Joined:
    Mar 12, 2008
    Messages:
    1,106
    Likes Received:
    759
    Here's the reverse IP lookup:

    -> domain: A5J.RU
    type: CORPORATE
    nserver: ns1.freedomainhostingisp.com.
    nserver: ns2.freedomainhostingisp.com.
    nserver: ns3.freedomainhostingisp.com.
    nserver: ns4.freedomainhostingisp.com.
    state: REGISTERED, DELEGATED
    person: Ekaterina A Kiseleva
    phone: +7 831 2200036
    e-mail: [email protected]
    registrar: REGRU-REG-RIPN
    created: 2009.06.04
    paid-till: 2010.06.04
    source: TC-RIPN


    Last updated on 2009.07.14 16:53:24 MSK/MSD


    I have only shared my launch date and other stuff in BHW, so it's someone from BHW.
     
  3. matsta

    matsta Power Member

    Joined:
    Oct 12, 2008
    Messages:
    555
    Likes Received:
    622
    Location:
    New Zealand
    No offense, but I doubt it was anyone from BHW.

    Even though you may never share your websites with anyone, your server is still vulnerable.

    Basically what the hacker does is scan port :20 to :22 (ssh and ftp) from 1.1.1.1 to 255.255.255.255 and they will usually do some basic checks and then once they find an easy target they will either brute force your server or something else nasty.

    I'm guessing you haven't locked the root user out and/or don't have a secure root password. Your root password should be so long and secure that even you can't remember it :p

    But really, you can't blame BHW. I had a server which I didn't even have a site on and it got hacked a week after I got it because the smtp server had some big security holes in it.

    No matter how hackers get into servers, they're still gonna get root access one way or another and do the damage.

    So yea hopefully this enlightens the issue :)
     
  4. carsonrathi

    carsonrathi Senior Member

    Joined:
    Mar 12, 2008
    Messages:
    1,106
    Likes Received:
    759
    Hi,

    I am not blaming BHW; my worry is about the virus, so what should I do now?
     
  5. Mr.Whitehat

    Mr.Whitehat Senior Member

    Joined:
    Apr 23, 2009
    Messages:
    857
    Likes Received:
    221
    Occupation:
    Wandering Around !
    Location:
    Dating Moolah Babe^
    Install Kaspersky Server Edition if it's a Windows one. And do a scan.
     
  6. matsta

    matsta Power Member

    Joined:
    Oct 12, 2008
    Messages:
    555
    Likes Received:
    622
    Location:
    New Zealand
    Well what OS/Control panel are you using?

    I would suggest first you try to remove the html code from your server.

    If your server is Linux, ask your Data Center to disable network access to your server. There's not really much you can do unless you're Linux savvy. Does your data center have KVM over IP? If so you can access your server even if it's offline. So what I would do is type
    Code:
    ps -A
    from ssh and you should see the running processes (for Debian at least) or you can try
    Code:
    top
    as well.

    If you can identify the process best thing to do is to remove it which you would either do:
    Debian/Ubuntu
    Code:
    apt-get remove process
    For Redhat/CentOS/Fedora etc.
    Code:
    yum remove process
    Where process is the 'zombie' application.

    You can also try this guide if you want to install a virus checker on linux.
    Code:
    http://www.webhostgear.com/149.html
    If you're using Windows, I'm not too sure what you can do. I guess you can install a desktop virus app like Hijackthis to see where the virus is.

    Hope this helps
     
    Thanks x 1
    Last edited: Jul 14, 2009
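carsonrathi's first post asks how to be sure the iframe is not sitting in any other file, and matsta's first step above is to remove the HTML code from the server. The following shell script is an added example written for this thread, not code from any poster; it assumes a Linux/Unix host with POSIX find and grep, takes the web root path from the caller, and uses the a5j.ru host from the first post as its default indicator. The sample web root it builds is constructed for the demonstration only.

```shell
#!/bin/sh
# Added example for this thread (not any poster's code): locate injected
# iframe markup in a web root and list recently changed files.
# Assumes a Linux/Unix host with POSIX find and grep; the web root path is
# passed by the caller. The a5j.ru host comes from the first post.

# scan_iframes ROOT [HOST]
# Prints every web file under ROOT that contains an iframe tag, a URL- or
# hex-encoded "<iframe", a document.write(unescape(...)) wrapper, or HOST.
scan_iframes() {
    root="$1"
    host="${2:-a5j.ru}"
    # Escape dots so the host is matched literally inside the regex.
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
    pattern='<iframe|%3Ciframe|[\]x3ciframe|unescape\('
    pattern="$pattern|$host_re"
    # grep exits 1 when nothing matches; a clean tree is not an error here.
    find "$root" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \
        -o -name '*.js' -o -name '*.inc' -o -name '*.tpl' -o -name '.htaccess' \) \
        -exec grep -l -i -E "$pattern" {} + 2>/dev/null || true
    return 0
}

# recently_modified ROOT [DAYS]
# Lists files under ROOT modified in the last DAYS days (default 7); injected
# code usually arrives with a fresh mtime, so compare against your deploy dates.
recently_modified() {
    root="$1"
    days="${2:-7}"
    find "$root" -type f -mtime "-$days" 2>/dev/null || true
    return 0
}

# make_sample_webroot
# Builds a constructed demo tree (two clean files, two carrying the injection
# patterns discussed in this thread) and prints its path.
make_sample_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/inc"
    printf '<html><body>clean page</body></html>\n' > "$dir/index.html"
    printf 'function clean() { return 1; }\n' > "$dir/inc/clean.js"
    printf '<?php include "header.php"; ?>\n<iframe src="http://a5j.ru:8080/" width="0" height="0"></iframe>\n' \
        > "$dir/inc/footer.php"
    printf 'document.write(unescape("%%3Ciframe src=%%22http://a5j.ru:8080/%%22%%3E%%3C/iframe%%3E"));\n' \
        > "$dir/inc/ad.js"
    printf '%s' "$dir"
}

# Run with --demo to scan the constructed tree; otherwise source the file and
# call scan_iframes /path/to/webroot yourself.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_sample_webroot)
    echo "== files carrying injection patterns =="
    scan_iframes "$demo_root"
    echo "== files modified in the last day =="
    recently_modified "$demo_root" 1
    rm -rf "$demo_root"
fi
```

Running `sh scan.sh --demo` lists inc/footer.php and inc/ad.js and leaves the two clean files out. A hit only tells you where the markup lives, not how it got there, so pair the scan with `recently_modified` against your last known-good deploy and, where a clean backup exists, prefer restoring the whole web root over editing files in place.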
  7. buck

    buck Regular Member

    Joined:
    Apr 8, 2007
    Messages:
    218
    Likes Received:
    66
  8. cliffdropper

    cliffdropper Registered Member Premium Member

    Joined:
    Feb 4, 2009
    Messages:
    77
    Likes Received:
    600
    carsonrathi- I am sorry for your server getting hacked although this is a great thread for the community because so many here use nulled scripts and plugins that can be the reason for a hack.
    I got hacked about six months ago and it was because I was using a nulled social network script. Lucky for me I do daily backups and we were able to keep the database.