Virus warning from www.puppylinux.com/manuals.htm
- BarryK
- Puppy Master
- Posts: 9392
- Joined: Mon 09 May 2005, 09:23
- Location: Perth, Western Australia
- Contact:
Re: Servage
I got that too. I was getting the top-level index.html files in each of my domains repeatedly compromised. On other occasions it was the index.html or index.php files in each directory, and on other occasions also other html files. In other words, it seems to be different exploits at different times.proxy wrote:i had problems recently with servage with exploit Iframe trojan found on my websites : here i wrote about it on my blog
http://www.proxyutza.com/2008/03/07/exp ... infection/
My trouble started after I installed WordPress, which you also have. I upgraded WordPress to latest version, but perhaps that was too late. I did repeatedly upload my files and I changed my control panel password.
Right now we are watching my site to see if it gets compromised. This last time, as well as re-uploading the files, and removing all scripts as well as WordPress, I also changed both control panel and ftp passwords -- I haven't changed the ftp password before, as I didn't see how anyone could discover it.
Anyway, it's interesting that we have WordPress as a common factor, and maybe Servage is not the culprit.
Anyway, if my site gets hacked this time, I'll know it is Servage's fault. So we are all waiting with bated breath (perhaps the hacker is reading this too, unfortunately -- I'm getting paranoid!).
[url]https://bkhome.org/news/[/url]
Unfortunately I have to break the bad news - puppylinux.com index page is hacked again here at 12:38pm AEDT - which is is only a few hours after Barry's last post. It contains the drugs link again ...
Sample below:
Sample below:
Code: Select all
<small>No part of this page is to be reproduced anywhere else. I have found
that there is a problem where parts of my web pages are being inserted
at other sites, then not updated, whereas I am updating my pages
regularly. This is not a desirable situation, so please just link to my
pages.</small></div>
</td>
</tr>
</tbody>
</table>
<br>
</body></html>
<font style='position: absolute;overflow: hidden;height: 0;width: 0'>
<a href="http://csulb.edu/~jbanuelo/aaa/new/vi/tmp.php?q=buy-standing tall.htm" title="buy standing tall">buy standing tall</a>
<a href="http://csulb.edu/~jbanuelo/aaa/new/vi/tmp.php?q=buy-standing tall-online.htm" title="buy standing tall online">buy standing tall online</a>
<a href="http://csulb.edu/~jbanuelo/aaa/new/vi/tmp.php?q=buy-standing tall-online-standing tall.htm" title="buy standing tall online standing tall">buy standing tall online standing tall</a>
<a href="http://csulb.edu/~jbanuelo/aaa/new/vi/tmp.php?q=standing tall-buy.htm" title="standing tall buy">standing tall buy</a>
<a href="http://csulb.edu/~jbanuelo/aaa/new/vi/tmp.php?q=where-to-buy-standing tall.htm" title="where to buy standing tall">where to buy standing tall</a>
<a href="http://csulb.edu/~jbanuelo/aaa/new/vi/tmp.php?q=buy-standing tall-now-online.htm" title="buy standing tall now online">buy standing tall now online</a>
... and others follow (a very long list)
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]
ttuuxxx.com looks ok from here.
Servage needs to be blocked post haste from all servers that host Puppy Linux.
EDIT: my apologies to all the servage users..but I've spent too much time trying to keep up with servage and it's problems. I have put a temporary block on all of servage until I can see the host move to fix Barry's problem...I am aware most of the servers use servage...maybe time to rethink this and move on...again my apologies.
Eric
Servage needs to be blocked post haste from all servers that host Puppy Linux.
EDIT: my apologies to all the servage users..but I've spent too much time trying to keep up with servage and it's problems. I have put a temporary block on all of servage until I can see the host move to fix Barry's problem...I am aware most of the servers use servage...maybe time to rethink this and move on...again my apologies.
Eric
[color=darkred][i]Be not afraid to grow slowly, only be afraid of standing still.[/i]
Chinese Proverb[/color]
Chinese Proverb[/color]
That was a very wise move, Eric.Caneri wrote:ttuuxxx.com looks ok from here.
Servage needs to be blocked post haste from all servers that host Puppy Linux.
EDIT: my apologies to all the servage users..but I've spent too much time trying to keep up with servage and it's problems. I have put a temporary block on all of servage until I can see the host move to fix Barry's problem...I am aware most of the servers use servage...maybe time to rethink this and move on...again my apologies.
Eric
CYPM soon
Re: Servage
plain ftp is insecure usernames and passwords are sent in plain text.BarryK wrote:I haven't changed the ftp password before, as I didn't see how anyone could discover it.
http://www.raditha.com/php/ftp/security.php
That said I think it is unlikely that you have been compromised in this way.
Will
contribute: [url=http://www.puppylinux.org]community website[/url], [url=http://tinyurl.com/6c3nm6]screenshots[/url], [url=http://tinyurl.com/6j2gbz]puplets[/url], [url=http://tinyurl.com/57gykn]wiki[/url], [url=http://tinyurl.com/5dgr83]rss[/url]
contribute: [url=http://www.puppylinux.org]community website[/url], [url=http://tinyurl.com/6c3nm6]screenshots[/url], [url=http://tinyurl.com/6j2gbz]puplets[/url], [url=http://tinyurl.com/57gykn]wiki[/url], [url=http://tinyurl.com/5dgr83]rss[/url]
i dont think its a wordpress issue, because all my index.php files were only writable by the owner, so it couldnt been done via script, only from the server, and also not wordpress websites got it too... on my account
my websites are clean, i didnt got the code again, it must be cause by the cluster your in, everyone on the cluster that gets hacked gets their pages modified
my websites are clean, i didnt got the code again, it must be cause by the cluster your in, everyone on the cluster that gets hacked gets their pages modified
I'm thinking it's an Apache Buffer Overrun Error or Directory Transversal (probably the first one).
If Frontpage extensions were present, they are notorious for being poorly configured on Apache Systems. Although I think I once recall Barry saying he specifically didn't get them with his account (or else I just dreamed that up).
Perhaps even a problem with some type of control panel or other cgi they have with sites. The first would run with enough privilege to modify pages for sure, and one never knows about the others. It all depends on how much they understand about setting up users and isolating processes. Just because someone runs a hosting business doesn't mean they know.
If Frontpage extensions were present, they are notorious for being poorly configured on Apache Systems. Although I think I once recall Barry saying he specifically didn't get them with his account (or else I just dreamed that up).
Perhaps even a problem with some type of control panel or other cgi they have with sites. The first would run with enough privilege to modify pages for sure, and one never knows about the others. It all depends on how much they understand about setting up users and isolating processes. Just because someone runs a hosting business doesn't mean they know.
- BarryK
- Puppy Master
- Posts: 9392
- Joined: Mon 09 May 2005, 09:23
- Location: Perth, Western Australia
- Contact:
I don't have Frontpage extensions.
Well, I have told Servage, so let's see how they respond this time. I've backed them into a corner, eliminated every way in which they can blame me, so let us see if they actually do a proper investigation this time.
I had a quick look, and it seems that only the one file is compromised so far. I left it there and immediately notified Servage, but I'll login again soon and clean up.
I know, it's not good to leave the corrupted file there, but I want to give Servage time to see it. Not long though, I'll go through my site soon and clean up.
Well, I have told Servage, so let's see how they respond this time. I've backed them into a corner, eliminated every way in which they can blame me, so let us see if they actually do a proper investigation this time.
I had a quick look, and it seems that only the one file is compromised so far. I left it there and immediately notified Servage, but I'll login again soon and clean up.
I know, it's not good to leave the corrupted file there, but I want to give Servage time to see it. Not long though, I'll go through my site soon and clean up.
[url]https://bkhome.org/news/[/url]
understood. don't worry at all if it's just those stupid pharmaceutical links.BarryK wrote:I know, it's not good to leave the corrupted file there, but I want to give Servage time to see it.
my global compass isn't always the best, but i think it's mostly stupid US citizens that fall for those. due mainly to the relative price of them here.
'Quote' doesn't seem to be working this morning, John? So I'll use the old fashioned method:
"it's mostly stupid US citizens that fall for those. due mainly to the relative price of them here."
If the US instituted a proper healthcare system to care for their citizens they would do the world a favour as well as themselves. These crooks would have to engage brains for a new scam. Hungary voted for healthcare, yesterday. People should be happy to pay more tax to help those who are less fortunate than themselves. Apart from which, runaway trucks can be unpredictable, so it's just a case of enlightened self-interest. Why isn't it like that in the US? The Pilgrims, Founding Fathers - all those Quakers, caring sharing Communists by any other name, must be turning in their graves.
"it's mostly stupid US citizens that fall for those. due mainly to the relative price of them here."
If the US instituted a proper healthcare system to care for their citizens they would do the world a favour as well as themselves. These crooks would have to engage brains for a new scam. Hungary voted for healthcare, yesterday. People should be happy to pay more tax to help those who are less fortunate than themselves. Apart from which, runaway trucks can be unpredictable, so it's just a case of enlightened self-interest. Why isn't it like that in the US? The Pilgrims, Founding Fathers - all those Quakers, caring sharing Communists by any other name, must be turning in their graves.
Sage,
Sorry you talked about the 'great health care systems' in the world. My sister is married to a Canadian and lives up there. She has the same back problems our mother had when she was alive. My sister was on a 6 to 8 year waiting list to have the operation she needed. The drugs they were giving her did not help. My father, sister, and her husband put together the money to have my sister come back down to the states to have the operation. She is now on a four to six year wait for the second operation. Since she is now almost 60 years old, who do you think is going to get the operation, her or some one younger? Several people younger then her have only waited one to two years.
Better health care? No thanks.
Sorry you talked about the 'great health care systems' in the world. My sister is married to a Canadian and lives up there. She has the same back problems our mother had when she was alive. My sister was on a 6 to 8 year waiting list to have the operation she needed. The drugs they were giving her did not help. My father, sister, and her husband put together the money to have my sister come back down to the states to have the operation. She is now on a four to six year wait for the second operation. Since she is now almost 60 years old, who do you think is going to get the operation, her or some one younger? Several people younger then her have only waited one to two years.
Better health care? No thanks.
Excuse me, I had no intention of hijacking this thread, just that the arrogance of some is overwhelming.
Concerning the substantive issue,
Quote from Barry
"I don't have any scripts left. Well, not exactly, WordPress is still there, I just renamed the directory to something no one will guess. Anyway, I shall reply to their reply.
Oh yeah, I've cleaned up my site, yet again."
Can't say I've ever encountered such a tolerant guy. The time to file suit would seem to have long past. Beating one's head against the proverbial doesn't help ( bit like MU with linuxcbon, who won't even disclose this affiliation!). I'd sue without further warning. Nothing to lose. Adverse publicity will help close them down in the long term.
Concerning the substantive issue,
Quote from Barry
"I don't have any scripts left. Well, not exactly, WordPress is still there, I just renamed the directory to something no one will guess. Anyway, I shall reply to their reply.
Oh yeah, I've cleaned up my site, yet again."
Can't say I've ever encountered such a tolerant guy. The time to file suit would seem to have long past. Beating one's head against the proverbial doesn't help ( bit like MU with linuxcbon, who won't even disclose this affiliation!). I'd sue without further warning. Nothing to lose. Adverse publicity will help close them down in the long term.
well ,here is the latest I will update this same postjamesbond wrote: Sample below:
with a time stamp
************************************************************
Last-Modified: Mon, 10 Mar 2008 12:53:00 GMT
Etag: "6ab0130-326b-af092300"
Content-Length: 12907
************************************************************
still clean from Mon, 10 Mar 2008 12:53:00 GMT
until -----> Wed, 12 Mar 2008 14:50:12 GMT
I know many others are monitoring also
big_bass
Last edited by big_bass on Wed 12 Mar 2008, 15:09, edited 6 times in total.
whilst we're sticking the boot in, I just received this email
Oooohhh I feel all inclined to give them some more money. So I can use ssl to ensure that all traffic to the site is encrypted. I wonder how safe the data is once it gets there?Dear Will,
SSL Certificates from only GBP 14.95
Before and After Upgrade
In addition to our focus on your account security, you can actually protect you and your visitors data even further by using a SSL certificate. This enables very strong and absolute protection from any third party gaining access to the sent data during transmission.
The use of secure communication between your website and its visitors is strongly recommended. Therefore we have reduced our prices for SSL certificates by amazingly 50% in order to enable as many people as possible to stay safe!
» Order your SSL certificate from only GBP 14.95
Why should you use SSL?
Before and After Upgrade
Did you know that any data without the use of SSL is sent in plain text? That means any personal data, credit card numbers, passwords etc. are sent to your site (for instance if you use a login form, webshop etc. on your hosting account) can be viewed (and abused) by anyone gaining access to your data transmission!
The best case scenario is your visitor submitting his confidential data via a secure line to your site using an SSL certificate. No one can read the data.
Thank you...
...very much for being with Servage Hosting. We are proud to host your site!
Best Regards,
Jakob, Servage Hosting
Will
contribute: [url=http://www.puppylinux.org]community website[/url], [url=http://tinyurl.com/6c3nm6]screenshots[/url], [url=http://tinyurl.com/6j2gbz]puplets[/url], [url=http://tinyurl.com/57gykn]wiki[/url], [url=http://tinyurl.com/5dgr83]rss[/url]
contribute: [url=http://www.puppylinux.org]community website[/url], [url=http://tinyurl.com/6c3nm6]screenshots[/url], [url=http://tinyurl.com/6j2gbz]puplets[/url], [url=http://tinyurl.com/57gykn]wiki[/url], [url=http://tinyurl.com/5dgr83]rss[/url]