Comments on: My Sites Are Hacked – Here’s How I Fixed It http://www.abelcheng.com/my-sites-are-hacked-%e2%80%93-heres-how-i-fixed-it/ Online Entrepreneurship. Blogging. Life. Mon, 25 Oct 2010 22:20:36 +0000 hourly 1 http://wordpress.org/?v=3.2 By: Zoranhttp://www.abelcheng.com/my-sites-are-hacked-%e2%80%93-heres-how-i-fixed-it/comment-page-1/#comment-1410 Zoran Mon, 25 Oct 2010 22:20:36 +0000 http://www.abelcheng.com/?p=37#comment-1410 The virus can get into your computer by visiting some bad site and it targets especially the FileZilla directory in the AppData folder where FileZilla keeps username/password pairs from all of your websites in plain text, then the virus connects to ftp and starts writing javascript code to your files, but not all, only index.php in the root, then it searches for index.html (because js will execute in index.html file) and these files are seen as virus from any decent antivirus software. Once the damage is done, first step is to change the access to ftp, access to cpanel if you have one and also check in the CPANEL for unusual FTP user, cause the virus will create new FTP user if it has credentials for it. That's why always keep a backup of all files and websites you have, if you don't then start cleaning your files one by one, usually the infected files will have similar date of last edit. At the end, stop using FileZilla, (i got nothing against it, it's the best ftp software i ever used), cause of the password thing, or just don't keep your passwords saved. The virus can get into your computer by visiting some bad site and it targets especially the FileZilla directory in the AppData folder where FileZilla keeps username/password pairs from all of your websites in plain text, then the virus connects to ftp and starts writing javascript code to your files, but not all, only index.php in the root, then it searches for index.html (because js will execute in index.html file) and these files are seen as virus from any decent antivirus software. Once the damage is done, first step is to change the access to ftp, access to cpanel if you have one and also check in the CPANEL for unusual FTP user, cause the virus will create new FTP user if it has credentials for it. That’s why always keep a backup of all files and websites you have, if you don’t then start cleaning your files one by one, usually the infected files will have similar date of last edit.
At the end, stop using FileZilla, (i got nothing against it, it’s the best ftp software i ever used), cause of the password thing, or just don’t keep your passwords saved.

]]> By: Euraniahttp://www.abelcheng.com/my-sites-are-hacked-%e2%80%93-heres-how-i-fixed-it/comment-page-1/#comment-1372 Eurania Sun, 13 Dec 2009 14:53:20 +0000 http://www.abelcheng.com/?p=37#comment-1372 I think this guy can help with that problem you havehttp://www.eduardobaret.com/2009/12/07/my-site-was-hacked-and-my-files-were-changed-reported-attack-site/ I think this guy can help with that problem you have

http://www.eduardobaret.com/2009/12/07/my-site-was-hacked-and-my-files-were-changed-reported-attack-site/

]]> By: Brianhttp://www.abelcheng.com/my-sites-are-hacked-%e2%80%93-heres-how-i-fixed-it/comment-page-1/#comment-1351 Brian Wed, 08 Jul 2009 16:36:55 +0000 http://www.abelcheng.com/?p=37#comment-1351 hi, i had a keylogger trojan on my home pc they caputured my username and password of ftp, then attack it using the iframe attack i pulled the whole site down, what a nightmare, you need to download keyscrambler straight away, this plugin will scramble letters your typing into the browser. Do not login to your ftp or website from anyones elses computer or internet cafe etc, incase the trojan is present, if it happens change your email passwords too, store username and password on a piece of paper, do a weekly scan of computer with super anti spyware, trust me you will pull you head off if happens. hi, i had a keylogger trojan on my home pc they caputured my username and password of ftp, then attack it using the iframe attack i pulled the whole site down, what a nightmare, you need to download keyscrambler straight away, this plugin will scramble letters your typing into the browser. Do not login to your ftp or website from anyones elses computer or internet cafe etc, incase the trojan is present, if it happens change your email passwords too, store username and password on a piece of paper, do a weekly scan of computer with super anti spyware, trust me you will pull you head off if happens.

]]> By: Mikehttp://www.abelcheng.com/my-sites-are-hacked-%e2%80%93-heres-how-i-fixed-it/comment-page-1/#comment-1350 Mike Mon, 08 Jun 2009 21:20:55 +0000 http://www.abelcheng.com/?p=37#comment-1350 My sites are being hacked.I'm using FileZilla. I've searched and found out that most of the hacked sites were suing FileZilla AND an older version of Adobe Reader 8.Is everybody using Adobe Reader 8 when their sites were hacked?http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/thanks, Mike My sites are being hacked.

I’m using FileZilla. I’ve searched and found out that most of the hacked sites were suing FileZilla AND an older version of Adobe Reader 8.

Is everybody using Adobe Reader 8 when their sites were hacked?

http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/

thanks,
Mike

]]> By: HyperXR | Advanced Hypertext Tool » Blog Archive » Gumblar .cn Exploit - 12 Facts About This Injected Scripthttp://www.abelcheng.com/my-sites-are-hacked-%e2%80%93-heres-how-i-fixed-it/comment-page-1/#comment-1348 HyperXR | Advanced Hypertext Tool » Blog Archive » Gumblar .cn Exploit - 12 Facts About This Injected Script Mon, 01 Jun 2009 02:05:46 +0000 http://www.abelcheng.com/?p=37#comment-1348 [...] by compromised FTP credentials. So start with your own computer. Scan it for spyware. Some people reported good results with [...] [...] by compromised FTP credentials. So start with your own computer. Scan it for spyware. Some people reported good results with [...]

]]> By: Jimihttp://www.abelcheng.com/my-sites-are-hacked-%e2%80%93-heres-how-i-fixed-it/comment-page-1/#comment-1345 Jimi Tue, 19 May 2009 02:26:43 +0000 http://www.abelcheng.com/?p=37#comment-1345 I suppose to reason he was asking question 2 was: if the passwords were saved then the script could have just been able to locate them once it was on your computer, thus identifying how the script works. I suppose to reason he was asking question 2 was: if the passwords were saved then the script could have just been able to locate them once it was on your computer, thus identifying how the script works.

]]> By: Adminhttp://www.abelcheng.com/my-sites-are-hacked-%e2%80%93-heres-how-i-fixed-it/comment-page-1/#comment-1344 Admin Mon, 11 May 2009 05:27:25 +0000 http://www.abelcheng.com/?p=37#comment-1344 @ Dennis: Answers to your questions:1. I used FTP mode only but I changed to SFTP after this incident.2. It doesn't matter, I think. Either way is vulnerable as the login details are leaked via FTP connection.3. No, I don't. But later I noticed Malwarebytes overlooked this spyware. I manually removed this culprit from the registry after I found out the exact spyware. I shoud have updated this post with the latest findings but didn't get the time to do it. @ Dennis: Answers to your questions:

1. I used FTP mode only but I changed to SFTP after this incident.

2. It doesn’t matter, I think. Either way is vulnerable as the login details are leaked via FTP connection.

3. No, I don’t. But later I noticed Malwarebytes overlooked this spyware. I manually removed this culprit from the registry after I found out the exact spyware. I shoud have updated this post with the latest findings but didn’t get the time to do it.

]]> By: Namehttp://www.abelcheng.com/my-sites-are-hacked-%e2%80%93-heres-how-i-fixed-it/comment-page-1/#comment-1343 Name Sun, 10 May 2009 07:57:33 +0000 http://www.abelcheng.com/?p=37#comment-1343 Never mind, they work if I enter email and website.. Here is original comment I was trying to post:First I didn't use my F-Secure anti-virus at all as it did slowdown my PC too much and I got wpv[NUMBERS].exe virus from my very own website, I immidently deleted it and 20 minutes later my computer crashed and didn't boot anymore. I fully reinstalled Windows and noticed 2 of my website had been infected by the virus. I removed the code from PHP and HTML files, it got hacked again and again! Its not keylogger as I fixed the website with FULLY clean Windows installion. (though I visited the website and noticed F-Secure block a virus) Im not using any CMS/Forum system, I just have infosniper IP query script and PJIRC, nothing else. I tried setting permissions to all my files to 555 but after it got hacked the permission were 755 again..I also contacted my host, NO ONE has logged into cPanel or FTP with my logins! According to them its done remotetly via internet browser using glitch in PHP scripting, blaims my PHP scripts. Since no one logged in using my logins I though there were no use to change my passwords but now after getting hacked 3th time I finally changed myself and will see if it helps at all..There is "solution" on cPanel forums which is similar to yours. http://forums.cpanel.net/showthread.php?t=78595This post of yours or the one on cPanel didn't help me.. :( Never mind, they work if I enter email and website.. Here is original comment I was trying to post:

First I didn’t use my F-Secure anti-virus at all as it did slowdown my PC too much and I got wpv[NUMBERS].exe virus from my very own website, I immidently deleted it and 20 minutes later my computer crashed and didn’t boot anymore.
I fully reinstalled Windows and noticed 2 of my website had been infected by the virus. I removed the code from PHP and HTML files, it got hacked again and again!
Its not keylogger as I fixed the website with FULLY clean Windows installion. (though I visited the website and noticed F-Secure block a virus)
Im not using any CMS/Forum system, I just have infosniper IP query script and PJIRC, nothing else.
I tried setting permissions to all my files to 555 but after it got hacked the permission were 755 again..

I also contacted my host, NO ONE has logged into cPanel or FTP with my logins!
According to them its done remotetly via internet browser using glitch in PHP scripting, blaims my PHP scripts.
Since no one logged in using my logins I though there were no use to change my passwords but now after getting hacked 3th time I finally changed myself and will see if it helps at all..

There is “solution” on cPanel forums which is similar to yours.
http://forums.cpanel.net/showthread.php?t=78595

This post of yours or the one on cPanel didn’t help me.. :(

]]> By: Namehttp://www.abelcheng.com/my-sites-are-hacked-%e2%80%93-heres-how-i-fixed-it/comment-page-1/#comment-1342 Name Sun, 10 May 2009 07:57:01 +0000 http://www.abelcheng.com/?p=37#comment-1342 Comments not working! Comments not working!

]]> By: UnderForge of Lack » Blog Archive » JUNIK.LV host malicious site instead of gumblar.cnhttp://www.abelcheng.com/my-sites-are-hacked-%e2%80%93-heres-how-i-fixed-it/comment-page-1/#comment-1341 UnderForge of Lack » Blog Archive » JUNIK.LV host malicious site instead of gumblar.cn Fri, 08 May 2009 08:20:47 +0000 http://www.abelcheng.com/?p=37#comment-1341 [...] 04.30.2009) * dotcomnameshop .cn (added: 05.02.2009) orz... ??????????? My Sites Are Hacked – Here’s How I Fixed It ????MalwareByte ??????? [...] [...] 04.30.2009) * dotcomnameshop .cn (added: 05.02.2009) orz… ??????????? My Sites Are Hacked – Here’s How I Fixed It ????MalwareByte ??????? [...]

]]>