

all index files got infected




Posted by assassin85, 06-12-2007, 01:43 PM
Hi, after a week, when my server upgraded cPanel automatically, I got infected in all index files, like index.html, index.php and index.asp, any index with any extension. This is the code in all files, and when I delete this code it comes back again in all index files. I am in real trouble with my clients and I want to know how I can fix this thing so it never comes back again. Thanks. Last edited by gbjbaanb; 06-21-2007 at 06:00 PM. Reason: removed ip

Posted by tanfwc, 06-12-2007, 04:20 PM
Get someone to check your box and make sure that your box is protected against such attack.

Posted by k3oni, 06-12-2007, 04:38 PM
Check that cPanel is updated correctly to the latest stable/release version. There was an issue some time ago regarding this iframe virus "hack".

Posted by Sawa4, 06-12-2007, 04:56 PM
I am in the same issue right now. How to get rid of that villain from the server without it recurring again?

Posted by Patrick, 06-12-2007, 07:01 PM
I know everyone hates to hear this, but hire a server management company that actually knows security. There are just too many variables to walk people through on a forum when it comes to figuring out how you got compromised, how to fix it and then how to prevent it from happening again.

Posted by ISPserver, 06-12-2007, 07:37 PM
The offender usually uploads some perl script. It's a backdoor. After that he can open it in a browser and get access to files. Finding a back door is very difficult. You can try to find all files by modification date, but that's not 100%. If the offender has ftp access, you can look at the log and detect his ip. After that you can see in xferlog what file was edited from this ip. "Pat H" is right. It's not easy. Some people, after a crack, just unpack a backup of a clean system.

Posted by Sawa4, 06-12-2007, 07:43 PM
We need the secure way to delete this **** forever from our servers so it does not come back again. HOW!!!!!! Can someone help?

Posted by Patrick, 06-12-2007, 07:49 PM
I just told you how... hire a server management company.

Posted by Sawa4, 06-12-2007, 07:52 PM
Do you know a server management company that you trust yourself? And how much USD will they ask? Thanks

Posted by pichoscosama, 06-14-2007, 05:26 PM
It comes from your computer. I think your computer has a trojan or virus.

Posted by Patrick, 06-14-2007, 05:41 PM
How did you come to that conclusion?

Posted by tsj5j, 06-14-2007, 10:15 PM
I would assume he uses Windows. I would think that Windows viruses cannot cross platform and infect Linux. He may have been keylogged though. Just change the passwords for all your servers on a different computer that's trusted. There's a forum in here called Managed Hosting, which discusses this.

Posted by brianoz, 06-16-2007, 05:25 AM
Just to back up PatH, if you're a newbie there is just no way we could talk you through this here. There are 100 ways they could get in and you're far better off just hiring someone to do it. Configserver have a great exploit removal and hardening service; they will remove the exploit, fix your index files, and make sure you will never have to worry about it again by security hardening your system. I've been using them for years and they're completely trustworthy; they can get busy and it may take a while for them to get back to you, so I'd get in contact with them quickly.

Posted by pichoscosama, 06-18-2007, 12:02 PM
I didn't say that the virus is affecting Linux. The virus is infecting the windows pc. It does this with your ftp program.

Posted by Patrick, 06-18-2007, 12:15 PM
While that is possible, the most likely scenario is that the "infection" occurred on the server itself.

Posted by pichoscosama, 06-18-2007, 12:35 PM
The Linux server can not be infected. If that happened, all the other sites would have that iframe.

Posted by Patrick, 06-18-2007, 01:04 PM
The OP said that all index files have been infected, it's safe to assume that the whole server was compromised. Even if it was just a single website, there are many ways the files could be changed (such as an exploitable script). Like I said, your suggestion is of course possible, but not very likely in this situation.

Posted by Sawa4, 06-20-2007, 08:23 AM
We still have not got the way to fix it.

Posted by Sawa4, 06-20-2007, 08:32 AM
The server has over 300+ sites. Only 5 - 10 sites got this problem, but every day I get one or 2 more that also have the problem. It is going to get all my sites.

Posted by Ramprage, 06-20-2007, 08:51 AM
I believe it's due to cpanel 11 and rvskin, I've been seeing many boxes get hit with this setup.

Posted by Sawa4, 06-20-2007, 09:48 AM
I've contacted cPanel about this issue. They said I have to let the Data Center take the server down for an HDD SCAN, and they do not know anything about this issue, and cPanel is working 100% fine on my server. I am contacting them again now, or I am going to call the BBB about this issue with cPanel.

Posted by Sawa4, 06-20-2007, 09:58 AM
cPanel SAID ============== Sorry to hear you are having issues. RVSKIN is third party software managed by their own company; we have no access to their code, nor the authority or permission to modify it. If there are any issues with rvskin you should contact their support and developers for the best resolution. If you could pinpoint any issues you are having on the cPanel side I will make sure they get resolved to the best of our abilities. Thank you so much for your business.

Posted by The3bl, 06-20-2007, 09:58 AM
And you have come to this conclusion how? You have logs or traces to show this?

Posted by The3bl, 06-20-2007, 10:05 AM
What is your OS? What kernel?

Posted by Sawa4, 06-20-2007, 10:24 AM
Kernel: 2.6.20.2, OS: FC5

Posted by Sawa4, 06-20-2007, 10:33 AM
OS: FC5, Kernel: 2.6.20.2. I found something else: when I was contacting RVskin support I saw they have the same problem I got. Look at this pic, they have the same problem: http://www.mixxat.com/imag/ypC49863.jpg Please advise.

Posted by Ramprage, 06-20-2007, 10:48 AM
Yep, but cPanel said they couldn't reproduce the issue. Funny how I have logs of this and see it continue to happen. I'm still working with them on it.

Posted by Sawa4, 06-20-2007, 10:54 AM
Did you see? The RVskin company also has the same problem. I contacted them but no reply from them till now. Look at this pic please: http://www.mixxat.com/imag/ypC49863.jpg What do you think?

Posted by Ramprage, 06-20-2007, 11:21 AM
Yeah, it's definitely an issue with Rvskin and cpanel 11. I've found holes in their previous versions before, so I'm not surprised.

Posted by Sawa4, 06-20-2007, 11:25 AM
Don't you think the Rvskins Co. can fix their SYSTEM, or what? I can't imagine how they have a whole problem like that and they won't fix it. If I removed Rvskins, would the problem get fixed? Thanks

Posted by Ramprage, 06-20-2007, 11:31 AM
I would definitely say your system would be more immune to attacks if you took it off. I also bet if you uninstall it you won't get hit again. Try and see for a few days... at least until they can figure out how to properly program with security in mind.

Posted by Sawa4, 06-20-2007, 11:51 AM
I won't remove the rvskins from my clients' sites; they will get back to me to put it back again. I contacted LT about that, they said -------------- Hello, The error is not from RVSkins, but because of a virus on the system. The viruses are not caused by RVSkins, as seen in the image provided. This is not something that RVSkins or cPanel can assist with because of the trojan viruses on the system. ========== Every **** says they can't assist. WHO CAN THEN... How much time will you need to fix that on my server? And how many % are you sure of that? Thanks

Posted by rvskin, 06-20-2007, 01:04 PM
Please be careful posting information like this until you are sure on it. If you have more information on it please contact me privately so we can investigate. Last edited by rvskin; 06-20-2007 at 01:07 PM.

Posted by Sawa4, 06-20-2007, 01:08 PM
lol 1- reply to my support ticket 2- your index is also infected; where is it from? Hope to get a reply

Posted by Sawa4, 06-20-2007, 01:15 PM
Why privately? We also need to see, so you will not say it's not an rvskin issue as you said to me via email. Kaspersky caught the trojan from your site, so you are in the same issue. Why are you in the same? Why not cPanel? Why not LT? Why not many servers? Please check your system very well and get back to me before you reply, or your reply is for nothing. Thanks

Posted by Sawa4, 06-20-2007, 01:36 PM
Also, I closed everything; I am now only working on the WHT page & RVskin support. Look now at these 2 pics: http://www.mixxat.com/imag/5zT60607.jpg http://www.mixxat.com/imag/oMX60935.jpg

Posted by rvskin, 06-20-2007, 01:41 PM
I mean Ramprage.

Posted by Ramprage, 06-20-2007, 01:48 PM
I did contact you. No reply yet. I contacted cpanel before but they're sure it's not an issue with their software but your addon.

Posted by rvskin, 06-20-2007, 01:54 PM
If you contacted me this month, I didn't get it. Please submit a ticket at http://support.rvglobalsoft.com/.

Posted by rvskin, 06-20-2007, 03:24 PM
It turns out that you submitted the iframe that downloads the trojan on the ticket system. But the ticket system doesn't escape the iframe tag properly. The trojan you found is what you submitted. Your problem is not related to us at all.

Posted by Sawa4, 06-20-2007, 04:12 PM
I posted the code on WHT in this thread; does that mean they have the same issue I am facing? lol. Please be sure you are talking to someone who is the biggest company in Egypt; ask about Sawa4 in a Google search. You don't need to say something that means nothing. Fix your problems or I will shut Rvskin down on over 40 servers via Layeredtech. Thanks

Posted by Sawa4, 06-20-2007, 04:22 PM
I will open tickets with the Datacenter to remove this RVskin service from all my servers, and no more use of it at any time on our Sawa4 systems.

Posted by arche, 06-20-2007, 04:52 PM
Have you tried to google the IP address shown? From what I can see there are quite a few php projects out there infected with this IP. To discontinue RVskin is your right, but to blame them I could not agree. I will not mention the other php apps out there infected, but from what I have read this is a trojan on the server infecting anything that is php, it looks like. I would try looking deeper; I can't explain why rvskin's website is showing it, but I would say it is not from their app. If you think about it, the screenshots you are showing are not even from their app, just their site. Do a search for that IP and you will see the other problems out there. JMHO arche

Posted by Sawa4, 06-20-2007, 05:08 PM
Dear, I am not blaming them, but they had the same problem. They fixed it there, and they won't tell us about that. Also, someone here said he fixed it before on other servers and it was a BUG in the Rvskin scripts. They won't be a bad service, but if I am wrong I am going to say that; but they won't. They only have to check the system and change it if they have a problem, as the other guy said; he emailed them about the same problem and they wouldn't reply to him till I came here to WHT. Whatever... Do you know how to fix it? Do you know how I got infected? Do you know why, every time I rebuild the "index" pages and delete the code, it comes back again?? Thanks

Posted by arche, 06-20-2007, 05:23 PM
My point is that you have no proof it was them; you are taking the word of another person whose logs you have not seen and whose server you have not seen. I have not seen your server, security, nor your logs to prove or disprove any of this. But going off another person is not going anywhere. If they fixed it on their server, then that is them managing their server. If they want to tell you how they fixed it, that is their right. I wish I could help you fix the problem, but I have no access to your server and have no way of knowing what it is, as you have given people here very little info as far as your server: no logs, no setup (except your kernel and OS). There is a lot more involved in troubleshooting the problem of a virus, or maybe a security hole, without knowing a lot more info. I have no doubt you have an issue with a trojan, but blaming two companies (that most of the time are very open about issues) is wrong. If this was a program issue from an update, there would be widespread panic and posts everywhere. So far I have seen only 2 members say there was an issue and nobody else can seem to duplicate it. I am not trying to give you a hard time; just dig deeper into the issue and I think you will find it is in fact not RVskin or Cpanel. I can't speak for them on how they respond to problems; that is their business. If you want help you have to explain a lot more about the server than you have on here. As I stated before, there are more than enough people here to help you, but you have to help us help you. More info needed; just showing screenshots of another company's website and saying there is a trojan on your machine does not give enough info... arche

Posted by Sawa4, 06-20-2007, 05:41 PM
Dear sir arche, the one who said he fixed it before and knows how to fix it said it's for $100, not for free; that's why I still haven't done that with him. Also, no one asked for more info; let me know what info you want to know, I am ready to get help for sure. But I only need you to feel how I am feeling, for more than 16 days now: everyone says "not me, go to cPanel"; I go to cPanel, they say go to Rvskin; after 2 days they will tell me go to he-ll, and that would be better. Thanks for your updates arche

Posted by arche, 06-20-2007, 05:58 PM
ok, start off here. Where are you seeing the problems? We still have not seen a screenshot or a link to a page with the error. Let's start there.... arche

Posted by Sawa4, 06-20-2007, 06:06 PM
At this time I have rebuilt all the index pages and the pages that always get the code with the trojan, but it comes back again within time. The code I pasted in the first post of the thread is the one with the IP; whenever I delete or remove it, it comes back, only for index.htm, index.html, index.php; anything called index gets this sh* whenever it comes back. Programs like Norton or Kaspersky catch the trojan whenever you open the site, so the clients won't stop emailing us to fix it. I ran clamav and rootkit, nothing fixed. I emailed the Datacenter; they said I will need to reload the OS. But if I did, I would get 12 hours of downtime, and I would also need to restore 300+ sites which may have the code in the backups too, so the virus is not going to be dead, because it is going to be in the backups also. I called cPanel; they said they can't help, go to RVskin, it's from there. I went, then I found they have the same code and Kaspersky caught it also. I told them about my problem, and also that they have the problem; they said no we don't. I tried it on another laptop and other PCs and even another network and the problem is still there. After I told them, no reply. I told them I am going to paste that on WHT; then they replied they don't have it and some stuff. Then you came and saw everything. Please ADVISE

Posted by Patrick, 06-20-2007, 06:22 PM
Can you give us a website address where this virus / trojan is? ... just to confirm that it is on the server.

Posted by arche, 06-20-2007, 06:25 PM
What does the output after the scans say? arche

Posted by Sawa4, 06-20-2007, 06:28 PM
After I finish the scan it gives nothing yet, just some programs the clients used on the sites, and I deleted them. But no viruses found, because the "code" comes only in the index files; they can't catch it. Note: if you need to log in to my server I don't mind, but only if "PAT H" can agree to it, for security and safety reasons. Last edited by Sawa4; 06-20-2007 at 06:30 PM. Reason: Add some words

Posted by Patrick, 06-20-2007, 06:32 PM
I just need to know the website address. The website address where you are seeing the iframe and the malicious code in the index file.

Posted by Sawa4, 06-20-2007, 06:33 PM
At this time I have rebuilt the pages, as I said before, so you will not see it right now, but it will come back by itself. Once it comes back I'll paste it for you.

Posted by Sawa4, 06-20-2007, 06:36 PM
You can see it on the support link where we do support for our clients http://www.sawa4.com/support ================== and this site for a client http://www.pc4up.com http://www.pc4arb.com BUT NOTE: right now I have recreated the pages, so you will not see it at this time. Thanks

Posted by arche, 06-20-2007, 06:37 PM
Have you tried this http://www.chkrootkit.org/ The problem is that you telling us what it said and letting us actually see the log might be different. It would be a lot easier if you could copy and paste the output of the scan. If you want to give someone access to your server, I would rather you hired someone; I don't want to be responsible for someone else's live server. arche

Posted by Sawa4, 06-20-2007, 06:40 PM
The logs don't show anything for this issue. I tried rootkit and clamav; they didn't find anything.

Posted by arche, 06-20-2007, 06:48 PM
Did you try rkhunter (rootkit) or chkrootkit? I have heard two different outputs can happen with these two, and they could have two different effects. arche

Posted by Sawa4, 06-20-2007, 06:51 PM
Messenger Plus! Session start: Wednesday, June 20, 2007
Participants: S.A.M (support@sawa4.com), Ramprage - ServerProgress.com (ramprage@hotmail.com)
(3:42 PM) Expect service interruption: Hello, how can I help you?
(3:42 PM) S.A.M: !!
(3:42 PM) Ramprage - Serve: hi, I read your post on wht about the iframe injections. I just sent you a PM - this is ramprage
(3:42 PM) Ramprage - Serve: I run serverprogress.com, a server admin and security company
(3:42 PM) S.A.M: Ah, you're welcome
(3:43 PM) Ramprage - Serve: one moment please, brb
(3:43 PM) S.A.M: Do you know how to fix this problem?
(3:43 PM) S.A.M: TYT
(3:46 PM) Ramprage - Serve: what version of cpanel are you using? how many servers is this for?
(3:46 PM) S.A.M: cPanel 11
(3:46 PM) S.A.M: Only one server got this problem; the server has over 300 sites
(3:46 PM) S.A.M: but only 10-15 sites got this problem
(3:48 PM) Ramprage - Serve: only 10-15 sites had their pages changed?
(3:48 PM) S.A.M: yea
(3:48 PM) S.A.M: I am deleting the code daily
(3:49 PM) S.A.M: but it comes back again
(3:49 PM) Ramprage - Serve: does the server have rvskin installed?
(3:49 PM) S.A.M: Yes
(3:50 PM) Ramprage - Serve: that may be why.
(3:50 PM) S.A.M: Why? Rvskin was installed over 8 months ago
(3:50 PM) Ramprage - Serve: new exploit out
(3:51 PM) S.A.M: Umm
(3:51 PM) S.A.M: Do you have a way to fix that?
(3:51 PM) Ramprage - Serve: at this time I have a temporary solution.
(3:52 PM) Ramprage - Serve: it could be something else as well, are you using phpsuexec?
(3:52 PM) S.A.M: Yes, I use phpsuexec
(3:53 PM) S.A.M: I ran clamav and it didn't find these files infected, and I don't know why?
(3:53 PM) Ramprage - Serve: because it's just normal html, there's no virus in the html file on the server. The virus is in an external link outside of the server that loads in.
(3:54 PM) S.A.M: ah yes
(3:54 PM) Ramprage - Serve: I can review your machine, do the temp. fix on rvskin, and apply my security plan for $100. This should get you fixed up.
(3:55 PM) S.A.M: what if it's not fixed?
(3:56 PM) Ramprage - Serve: I cannot provide a guarantee, since there are always new attacks coming up. But if it happens again after my fixes I'll review the machine a second time at no charge.
(3:57 PM) Ramprage - Serve: no one will guarantee anything, you can't in this business.
(3:57 PM) S.A.M: I can accept your deal, but only if you're sure it will get fixed
(3:58 PM) Ramprage - Serve: yep, it should be fine after I'm done.
(3:59 PM) Ramprage - Serve: http://www.serverprogress.com/security_enhancements.php
(3:59 PM) Ramprage - Serve: that's part of what I'll be doing
(3:59 PM) S.A.M: Hold on
(4:08 PM) S.A.M: Do you accept E-gold?
(4:08 PM) Ramprage - Serve: paypal
(4:09 PM) S.A.M: Paypal doesn't support my country, "Egypt"
(4:10 PM) S.A.M: Do you know rack911?
(4:12 PM) Ramprage - Serve: hmm, that's not good
(4:12 PM) S.A.M: I have tried him many times in the last 6 months with some problems; he was cool with me
(4:12 PM) S.A.M: but when I emailed him about this issue I didn't get a reply from him yet
(4:15 PM) Ramprage - Serve: Do you have a regular credit card?
(4:16 PM) S.A.M: I have a Master card, but it needs to be funded first so I can pay
(4:16 PM) S.A.M: it may take up to 24 hrs
(4:16 PM) Ramprage - Serve: well, if you put the order in with me, I will have to wait until the payment clears. Which can take up to 24 hours
(4:17 PM) S.A.M: I know, that's why I asked if you accept e-gold, so we can start fast
(4:17 PM) Ramprage - Serve: no, sorry, I do not
(4:18 PM) S.A.M: It's ok

Session start: Wednesday, June 20, 2007
Participants: S.A.M (support@sawa4.com), Ramprage - ServerProgress.com (ramprage@hotmail.com)
(6:01 PM) S.A.M: look
(6:01 PM) S.A.M: http://www.mixxat.com/imag/ypC49863.jpg
(6:01 PM) S.A.M: The Rvskin system has the same problem
(6:04 PM) Ramprage - Serve: heh
(6:04 PM) S.A.M: how do they wait on this ****?
(6:04 PM) S.A.M: if they can't fix their system, will they fix mine?
(6:04 PM) S.A.M: Don't think so, lol

Posted by Sawa4, 06-20-2007, 06:53 PM
I tried rkhunter and it's the same, I think, because no one said anything different.

Posted by arche, 06-20-2007, 06:56 PM
You're missing what I am asking: which one are you using, rkhunter (rootkit) or chkrootkit? arche

Posted by brianoz, 06-20-2007, 07:05 PM
Why did you post a private discussion message log? I hope you had permission for that; it's considered bad manners to post such logs without asking first. I'm glad you're considering using an expert - I'm confident he will solve your problem for you. There's no magic "once for all" cure, but if your server is hardened there's a good chance you'll never see this problem again.

Posted by Sawa4, 06-20-2007, 07:14 PM
I said I used a rootkit check; in many replies you will find that I said rootkit.

Posted by Sawa4, 06-20-2007, 07:19 PM
I posted it to show that the guy was very sure it was an RVskin problem. The first thing he asked was whether rvskin is installed on this server; I said yes; he said that's why, and he said he will fix the rvskin. So I have proof that the problem is with rvskin. Also, when I was ticketing them I saw they have the same problems, and they keep closing my ticket every time. Thanks

Posted by arche, 06-20-2007, 07:22 PM
ok, let's try this again. Do you use: rkhunter http://www.rootkit.nl/ rkhunter wiki http://en.wikipedia.org/wiki/Rkhunter or chkrootkit http://www.chkrootkit.org chkrootkit wiki http://en.wikipedia.org/wiki/Chkrootkit I am trying to find out which one of these apps you use; I know you use a rootkit scanner, but which one. Both are referred to as rootkit scanners. Hope this helps.... arche

Posted by Sawa4, 06-20-2007, 07:24 PM
This one: rkhunter http://www.rootkit.nl/

Posted by arche, 06-20-2007, 07:25 PM
What proof does he have that he knows it is a hole in RVskin? This is kind of slander of RVskin without the proof. The ticketing system you were using is not their app, so why not blame the company that made the support app? Sounds like a sales pitch to me... arche

Posted by arche, 06-20-2007, 07:26 PM
ok, as I stated before, try the other scanner, as sometimes it has a different outcome.. arche

Posted by Sawa4, 06-20-2007, 07:37 PM
ok, by the way, I am thanking you because you spent a lot of your time on my issue.

Posted by Ramprage, 06-20-2007, 07:37 PM
rkhunter and chkrootkit scan for rootkits. This is not a root trojan, so they will not find anything. ClamAV and other server side virus scanners won't find anything either, since the code is an HTML iframe.... Scan the server all day if you like, it won't find anything. The best way to check would be to scan users' pages, with a custom shell or perl type script, for the exact iframe injection string and remove it from the affected pages. I've used this method before, it works pretty well. I also use a shellkit scanner to go through all user accounts to see if any sneaky files are there, like c99 shells or anything else. I don't mind you posting the chat session; asking first would have been appreciated though. I would have told anyone else the same thing if they came to me with that issue.

Posted by Sawa4, 06-20-2007, 07:58 PM
Dear Friend, I am really so sorry for that, but they won't understand that the SCAN will not help, and I did it before with nothing changed yet. I have tried this command, as I always do: egrep -R "r0nin|m0rtix|void\.ru|phpremoteview|webadmin|r57shell|cgitelnet|c99shell|noexecshell|/etc/passwd|revengans" /home/*/public_html | cut -d: -f1 | uniq > /root/Sawa.txt & I also tried it with the IP, and I deleted the iframe, but it comes back again; I also blocked this IP... nothing helps with this issue. Again, I am so sorry man. Last edited by Sawa4; 06-20-2007 at 08:03 PM. Reason: CODE

Posted by Ramprage, 06-20-2007, 08:04 PM
Contact me, I'll take a look at no charge to try to help you.

Posted by Sawa4, 06-20-2007, 08:06 PM
I am going to contact you now, but I will give you the money, as we said, after I fund my CC within 24 hrs.

Posted by rvskin, 06-20-2007, 08:24 PM
So how is it related to RVSkin? If you can prove it to us, I can pay for that information.

Posted by Sawa4, 06-20-2007, 08:31 PM
Dude, you fixed yours when I talked to you, and you are sure of what I am saying. I am just asking MY GOD for HELP, not asking you any more. By the way, you are going to lose your service on over 40 servers; when I have finished with my problem I won't want your service any more. Besides, you took 7 hrs to reply to my support ticket, and you didn't until I said in the ticket that I am going to paste it on WHT; then you replied to ME. If I hadn't said I am going to paste it on WHT, you might not have replied. "THAT'S HOW TO GIVE 100% SUPPORT". Have a great day

Posted by Ramprage, 06-20-2007, 09:28 PM
This isn't blackmail, just PM me with your email address and I'll gladly share my logs so hopefully it will get resolved.

Posted by Ramprage, 06-20-2007, 10:21 PM
Just an update on this issue: he's using an ancient version of Rvskin. There were also some other security issues found, so it's unclear at this point what the cause is exactly. Your current RVSkin version: 7.19. Your current Cpanel version: 11.4.19-RELEASE-14378 (Cpanel Pro 1.0 (RC1)). Latest version: 7.91 for Cpanel 11.10xxx-1 and above.

Posted by rvskin, 06-21-2007, 12:57 AM
You don't get what I tried to tell you. You submitted the iframe link that downloads the trojan on our support ticket, but the ticket system doesn't properly escape it. Then you came back to the ticket again after my reply and got the trojan from what you had previously submitted. The issue that arose here is not related to RVSkin at all. What I did is remove the iframe you had submitted on the ticket system. Your first request was on Jun 20 '07 - 9:19pm (GMT+7), and I replied to you on Jun 20 '07 - 11:32pm (GMT+7). That is only 3 hours later, not 7 hours. Surely we provide 100% support for our products; there are a lot of users who can be witnesses. 7.19 is also safe from the known exploit. Sorry, I don't mean it; I just want to get the information as fast as possible, if it really is a problem on our side. I got your email; your DC forwarded it to me. Next time please log in to the ticket, as I check it more frequently than my email box. You run cPanel 11. According to your cPanel log, it seems your server got a brute force attack, and someone got access to the 'xxxxx' account and then uploaded the file 'darkworm.php' to his own account. You stated that it is possible to upload a file to another user. I tested it several different ways and cannot upload a file to another user as you claim. And if that were the case, it is definitely a cPanel 11 bug, as the AJAX filemanager run on rvskin is actually the cPanel 11 X3 AJAX filemanager. Once darkworm.php is on the server, the attacker accesses it and does the bad things on your server. The conclusion on this problem is that it is not an RVSkin problem, but that your users run weak passwords and your web server has weak security. My suggestions on this issue: 1. Update cPanel to the latest version. As I mentioned, I cannot upload a file from one user to another user. I run the latest cPanel, so I don't know if it used to have the problem before or not. 2. Go to WHM/Security Center/cPHulk Brute Force Protection and enable it. 3. Increase web server security. I know this is the hard part, but it is the way to go.
Again, if you insist it is an RVSkin bug, please submit a ticket at http://support.rvglobalsoft.com. I also PMed you the email as you wished.
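What rvskin describes here, and in the earlier post at 03:24 PM, is the classic stored-XSS shape: the ticket body is dropped into the support page without output encoding, so a pasted iframe becomes live markup for whoever opens the ticket next, which is why the support staff's antivirus fired on their own ticket page. The following is an added illustration of that flaw beside its fix; it is not code from rvskin's ticket system or from anyone in this thread. The render functions, the sample ticket text and the IP address in it are constructed for the example.

```python
import html
import re

# Constructed sample ticket body: a support request that quotes the injected
# tag verbatim, the way Sawa4 says he did. The IP is a documentation address,
# not the one the moderators removed from this thread.
SAMPLE_TICKET = (
    "Please look, this keeps coming back in index.html:\n"
    '<iframe src="http://198.51.100.23/x.php" width=1 height=1></iframe>'
)

# Tags that would fetch or run something as soon as the page is viewed.
ACTIVE_MARKUP = re.compile(r"<\s*(iframe|script|object|embed|img)\b", re.IGNORECASE)


def render_ticket_unsafe(body: str) -> str:
    """The flaw rvskin describes: the body is concatenated straight into the
    page, so any tag in it is parsed and executed by the viewer's browser."""
    return "<div class='ticket'>" + body + "</div>"


def render_ticket(body: str) -> str:
    """Hardened: HTML-escape on output. Support staff still see the literal
    <iframe ...> text they need to read, but the browser treats it as text."""
    return "<div class='ticket'>" + html.escape(body, quote=True) + "</div>"


def has_active_markup(page: str) -> bool:
    """Cheap regression check a ticket system could keep in its test suite:
    does any user-supplied tag survive rendering as a real tag?"""
    return ACTIVE_MARKUP.search(page) is not None


if __name__ == "__main__":
    print("unsafe render is exploitable:", has_active_markup(render_ticket_unsafe(SAMPLE_TICKET)))
    print("escaped render is inert:     ", not has_active_markup(render_ticket(SAMPLE_TICKET)))
    print(render_ticket(SAMPLE_TICKET))
```

Escaping on output, rather than trying to strip "bad" tags on input, is the right place for this: the ticket keeps the exact string the customer pasted (which the support engineer needs in order to hunt for it on the server), and it is the rendering step that guarantees the string can never be interpreted as markup.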

Posted by Sawa4, 06-21-2007, 01:13 AM
I know what you mean. 1- But if you're right, why didn't the LT support system get the same problem whenever I posted the same iframe link to download the trojan on their support ticket? 2- The time, you may be right... but don't you think 3 hrs is a long time for a problem like that? 3- Why didn't you reply to me till I said I am going to paste it on WHT? 4- Why didn't the WHT forums get the same problem whenever I posted the same iframe link to download the trojan on page number one of the same thread? 5- I did the upgrade for cPanel & rvskin, both auto; it has to be done by itself!! 6- Right now I can't say it's only your issue till I hear from "Ramprage" after he finishes work on my server. 7- If he says the problem is away from you, I am going to say sorry to you in a new thread on WHT and tell everyone I am sorry for Rvskin. If he says the problem was an rvskin issue, what are you going to do? Will you pay for all the problems I am facing because of that? cPanel also replied and said GO TO RVSKIN SUPPORT <<<<< why did they tell me to come to you? Didn't they know it's an Rvskin issue?? Thanks anyway. Last edited by gbjbaanb; 06-21-2007 at 06:11 PM. Reason: fixed quote tags

Posted by k3oni, 06-21-2007, 02:07 PM
Do you still have those iframes in the files? Were you unable to find someone to solve that for you? Anyway, if the answer is yes, send me a PM and I will try to send you a script to remove those...

Posted by brianoz, 06-22-2007, 09:03 AM
Just an important point here. Rvskin has been around for a long time and the author Pairote is well known and has a reputation of being highly competent. I'd be very surprised if it's a problem in Rvskin and I'd want to see some clear proof before I believe that. While sawa4 has a problem, much of that problem is clearly that he is a very inexperienced admin; let's wait till we hear something comprehensive from someone with more experience.

Posted by FULLAMHRD, 06-25-2007, 09:29 PM
Anybody get this issue fixed yet? I really do not believe it is rvskin. I do not have RVSkin on my server and I have been getting that same code inserted into my pages for months now.

Posted by FULLAMHRD, 06-25-2007, 10:40 PM
This is such a strange problem. I had my server admin look over my box and they found no issues at all; this is their suggestion. I have been monitoring my root account every time I log in; I am sure it has not been hacked. The only strange thing I could find is that inside my home directory there is a folder called virtfs. Looks to be a remote admin tool; is this normal to be installed on a centos server? http://www.prongs.org/virtfs/

Posted by Patrick, 06-25-2007, 10:58 PM
Do you have any websites that are compromised right now?

Posted by FULLAMHRD, 06-25-2007, 11:20 PM
Yes I do, some last week, and as a matter of fact one that was hacked today.

Posted by FULLAMHRD, 06-25-2007, 11:26 PM
I have also looked through the apache logs of today, so it doesn't look like they are getting through the webserver. I have had this problem for the last 3 months or so; it started off being the code used in this original thread, the newest one seems to be !-- ~ --> Search for the code above in google for other websites that seem to be affected by this, eg http://www.google.com/search?q=v465a...LJ:en&filter=0 Last edited by FULLAMHRD; 06-25-2007 at 11:31 PM.

    Posted by FULLAMHRD, 06-25-2007, 11:55 PM
    Could somebody please show an SSH command that can locate which files inside the /home/* directory contain this code? "" It looks like I have hundreds of files infected with this crap; it is going to take me a while to delete them all! Thanks

    Posted by xserverx, 06-26-2007, 01:08 AM
    After the scan has finished you can open /root/result.txt to see the infected files.

    Posted by FULLAMHRD, 06-26-2007, 02:30 AM
    Cheers for the command; however, I am getting this error when I run it. Last edited by FULLAMHRD; 06-26-2007 at 02:34 AM.

    Posted by Website Rob, 06-26-2007, 06:25 AM
    This might work better. Adjust the 'home' path as required.
    find /home/*/public_html/ -type f -name '*.*' -exec grep '' {} \; >> iframe_results.txt
    Having read through this thread, I would suspect that no one script is the problem. It seems that no one is sure whether this is an XSS or MySQL injection attack. Once that is known it will help to determine what needs to be done. Out of curiosity, are these hacked accounts using Joomla or Mambo?
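The request above was for a command that finds every file under /home containing the injected code. The thread's one-liner lost its search pattern when the post was sanitized, so here is an added example (not from any poster) that does the same job with an assumed pattern: it lists files containing an `<iframe ... src=` tag, case-insensitively, across the whole account tree rather than only public_html (infected files were also reported outside the web root). The fixture directory and its contents are constructed for the demo; adjust the grep pattern to the snippet you are actually seeing.

```sh
#!/bin/sh
# Added example: locate files under a web root that contain an injected
# <iframe>, and count them. The search pattern is an assumption standing in
# for the exact code the forum stripped out of the posts.

# List every regular web file below $1 whose contents include an
# <iframe ... src= tag. -i: case-insensitive (the tag was seen in upper and
# lower case); -l: print only the file name. The search covers the whole
# account tree, not just public_html.
scan_iframes() {
    root=$1
    find "$root" -type f \( -name '*.htm' -o -name '*.html' -o -name '*.php' -o -name '*.asp' \) \
        -exec grep -liE '<iframe[^>]*src=' {} \; 2>/dev/null | sort
}

# Number of infected files under $1.
count_hits() {
    scan_iframes "$1" | wc -l | tr -d ' '
}

# Constructed fixture: two accounts, one clean index.html, one infected
# index.php inside public_html and one infected file outside it.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/public_html" "$d/bob/public_html"
    printf '<html><body>clean page</body></html>\n' > "$d/alice/public_html/index.html"
    printf '<?php echo "hi"; ?>\n<IFRAME SRC="http://203.0.113.10/x" width=0 height=0></IFRAME>\n' \
        > "$d/alice/public_html/index.php"
    printf '<html>\n<iframe src="http://203.0.113.10/y" style="display:none"></iframe>\n</html>\n' \
        > "$d/bob/index.html"
    echo "$d"
}

# Usage: write the list to a report file, as the thread's one-liner did
# with iframe_results.txt, and print the count. For a real server pass
# /home instead of the fixture and keep the report for the log correlation
# step; ls -l on each hit gives the modification time to line up against
# FTP and Apache logs.
demo=$(make_demo)
scan_iframes "$demo" > "$demo/iframe_results.txt"
echo "infected files: $(count_hits "$demo")"   # 2 for the fixture
rm -rf "$demo"
```

Deleting the tag is the easy part; the thread shows it comes back within hours when the access path (stolen FTP credentials, a web backdoor, or something else) is left open, so record the hits and their mtimes before cleaning and use them to find the matching log entries.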

    Posted by Website Rob, 06-26-2007, 07:20 AM
    That is a dir. specific to WHM for accounts you have given shell access to. Do Not Mess With It!! You can 'look' but don't touch any dir. or files located in /home/virtfs/. You could end up having to do an OS reload if anything within that dir. is manually altered.

    Posted by alanK, 06-26-2007, 08:58 AM
    It sounds like an XSS attack to me. You might wanna have a look at: http://secunia.com/advisories/25722/

    Posted by FULLAMHRD, 06-26-2007, 09:15 AM
    I am not too sure that it has anything to do with an XSS attack. I was hacked today and looked at every single line of the Apache log today. Also, I have an updated version of cPanel which is meant to be fixed according to that advisory. WHM 11.1.0 cPanel 11.4.19-R14379 CENTOS Enterprise 3.8 i686 - WHM X v3.1.0

    Posted by Patrick, 06-26-2007, 01:16 PM
    I said earlier in this thread to another poster that I doubted this issue was related to their computer... but now I'm not sure. Next time you notice a website with the iframe, do not change it back. Post the URL here and have one of us confirm that the iframe is or isn't present.

    Posted by FULLAMHRD, 06-26-2007, 06:10 PM
    I still have an unchanged website; I will post it only to you, Pat, not publicly. I do not believe it has anything to do with my computer or a client's computer. For example, only 6 or so websites are affected. Some are clients whose control panel I do not access. One is another client whose website I designed; they do not have access to their control panel/FTP and I have not logged into their control panel for years.

    Posted by FULLAMHRD, 06-26-2007, 06:31 PM
    Another thing to note is that some of the affected web pages are not even accessible from the web, e.g. files that are in the /home/user directory, not in /home/user/public_html.

    Posted by CoolMike, 06-27-2007, 02:05 AM
    I had a customer with exactly the same problem. All his accounts were infected, but no other customer accounts on the server. The reason was a virus/trojan on the customer's computer. It took the passwords from his FTP client and replaced the files all the time while he was online. Michael
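The mechanism described in the post above has a recognisable footprint in the FTP transfer log: one remote IP uploading index files into several different accounts, because the trojan replays every password it harvested from the victim's FTP client. The following is an added example, not the poster's code, that pulls that pattern out of an xferlog. It assumes the standard wu-ftpd/pure-ftpd xferlog format that cPanel writes (on cPanel boxes typically /usr/local/apache/domlogs/ftpxferlog, an assumption here); the log lines and addresses are constructed for the demo.

```sh
#!/bin/sh
# Added example: find remote IPs that uploaded index.* files into two or
# more hosting accounts, the footprint of FTP credentials stolen from one
# workstation. Log format and sample lines are assumptions for the demo.

# xferlog fields (whitespace separated):
#  1-5 timestamp   6 transfer secs  7 remote host  8 bytes  9 file name
# 10 type  11 special action  12 direction (i=upload, o=download)
# 13 access mode  14 username  15 service  16 auth  17 uid  18 status (c/i)

# Print "ip user file" for every completed upload of an index.* file in $1.
index_uploads() {
    awk '$12 == "i" && $18 == "c" && $9 ~ /\/index\.[A-Za-z0-9]+$/ { print $7, $14, $9 }' "$1"
}

# Print "ip account-count" for IPs that uploaded index files into at least
# two distinct accounts, sorted by IP. One IP touching many accounts is the
# signal; a customer uploading to his own account is not.
cross_account_uploaders() {
    index_uploads "$1" | awk '
        { key = $1 SUBSEP $2; if (!(key in seen)) { seen[key] = 1; n[$1]++ } }
        END { for (ip in n) if (n[ip] >= 2) print ip, n[ip] }' | sort
}

# Constructed xferlog: 203.0.113.5 uploads index files into alice and bob,
# 198.51.100.7 uploads only into its own account (carol) and downloads one
# file, and the final incomplete upload (status i) must be ignored.
make_xferlog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mon Jun 25 22:10:02 2007 1 203.0.113.5 1523 /home/alice/public_html/index.php b _ i r alice ftp 0 * c
Mon Jun 25 22:11:40 2007 1 203.0.113.5 2210 /home/bob/public_html/index.html a _ i r bob ftp 0 * c
Mon Jun 25 22:15:09 2007 2 198.51.100.7 4096 /home/carol/public_html/index.html a _ i r carol ftp 0 * c
Mon Jun 25 22:20:30 2007 1 203.0.113.5 8800 /home/dave/public_html/logo.gif b _ i r dave ftp 0 * c
Mon Jun 25 22:25:00 2007 1 198.51.100.7 1523 /home/carol/public_html/index.php b _ o r carol ftp 0 * c
Mon Jun 25 22:30:00 2007 1 203.0.113.5 1523 /home/alice/public_html/index.php b _ i r alice ftp 0 * i
EOF
    echo "$f"
}

# Usage: on a real server point the functions at the live xferlog instead
# of the fixture.
log=$(make_xferlog)
cross_account_uploaders "$log"      # prints: 203.0.113.5 2
rm -f "$log"
```

Match the upload timestamps against the modification times of the infected files; if they line up, the FTP passwords for those accounts are compromised and changing them from the infected workstation only hands the new ones over again. If an infected file has no matching upload at all, the FTP-trojan theory does not explain that account and another access path still has to be found.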

    Posted by FULLAMHRD, 06-27-2007, 07:59 AM
    But this does not explain why my client who does not have the password to his FTP, and whose account I have not used, has been hacked on 2 separate occasions.

    Posted by Sawa4, 07-15-2007, 05:53 PM
    Hello again. To the RVSKIN company: I am very sorry. You can ask me to say sorry wherever you need; I am ready. Thanks!

    Posted by Sawa4, 07-15-2007, 05:54 PM
    Thank you for trying to help me and fix this problem, but it is not fixed yet. Thank you!

    Posted by Sawa4, 07-15-2007, 05:57 PM
    Pat H, I PMed you the URL 2 days ago but did not get a reply, so I changed it back again about 7 hrs ago. The problem is not from FTP, cPanel, RVSKIN, or even hacking stuff. It's something like a hell coming for the servers.

    Posted by Sawa4, 07-15-2007, 05:59 PM
    Hello. Forget this way; do not lose time for nothing. Look for another way to fix it. I am still looking; I also reported that to the BBC today.

    Posted by rvskin, 07-15-2007, 10:54 PM
    Thank you. You have done so here. There are rumors that the problem is caused by a worm/trojan on the user's PC which remembers the FTP password and also dynamically updates itself whenever the user changes the FTP password. I don't have more information on this, as still no one has been able to identify it.


