A website I've recently been entrusted with was cracked into via brute-force FTP earlier this week. Apparently the bad guys ran a script that added iframe links to every page named index.html. The iframe linked to 3 sites that prompted malware downloads.
I think I've found and removed all the affected code; however, I'm looking for an online website scanner that will drill down through all the links on a given site and search the code for similar problems.
I've only found a couple of these so far and they don't seem to fit the bill; I was wondering if anyone here had recommendations or experience with similar tools...
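An offline check for the symptom described above, added here as an example (it is not the poster's code or any of the tools they tried): it walks a downloaded copy of the site's document root and flags iframes that load from hosts outside an allow-list or that are sized or styled to be invisible. The sample page and the `bad.invalid` host are constructed.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []          # one attribute dict per <iframe> seen
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):
    """Injected frames are typically sized 0x0/1x1 or styled invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_suspicious_iframes(html, trusted_hosts):
    """Return [(src, reason)] for iframes that load off-site or are hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()   # "" for relative URLs
        if host and host not in trusted_hosts:
            findings.append((src, "external host " + host))
        elif is_hidden(attrs):
            findings.append((src, "hidden iframe"))
    return findings

def scan_tree(root, trusted_hosts, suffixes=(".html", ".htm")):
    """Walk a document root and report findings per page file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_suspicious_iframes(fh.read(), trusted_hosts)
            if hits:
                report[path] = hits
    return report

# Constructed sample: one legitimate embed plus an injected hidden frame.
SAMPLE_HTML = """<html><body><iframe src="https://example.com/player" width="400" height="300"></iframe>
<iframe src="http://bad.invalid/x.php" width="0" height="0" style="display:none"></iframe></body></html>"""
```

Run `scan_tree("/path/to/mirror", {"example.com"})` over a local copy of the site; trusted hosts are the domains you deliberately embed from.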
Can this be interpreted as malware? (Proceed with the following steps with caution.)
After visiting miniclip.com/games/super-gerball/en/ without me clicking on anything and confirming that I want to install a game, a new folder is created in my Windows Start Menu and in a Documents and Settings folder.
Although I believe no harm is actually done with this installation, can an attacker use this method to install malware? How can I prevent this, and what options should I change in my Firefox browser?
A WordPress install on one of my domains was compromised a few months ago, and there was a 4-hour window in which the site contained an iframe injection that led to a malware site.
The problem was corrected, and Google stopped flagging the site as malicious within a few hours after the fix. However, every once in a while I still hear of people having problems accessing the site, all of them, I think, from within large corporate networks.
Are there a few common list providers that these corporate networks are likely to be subscribing to? Is there a way I can submit the domain for reevaluation? If not, how long would you think a domain would have to be clean in order to repair its reputation on these lists?
I found several requests in my error log which look like someone was scanning my site for phpMyAdmin. This was a newly created subdomain, so I checked my main site and another subdomain and they also contained similar entries. Should I do something?
[Fri Jul 03 03:23:16 2009] [error] [client 18.104.22.168] File does not exist: /var/www/vhosts/mydomain.com/subdomains/mysubdomain/httpdocs/phpMyAdmin
[Fri Jul 03 03:23:16 2009] [error] [client 22.214.171.124] File does not exist: /var/www/vhosts/mydomain.com/subdomains/mysubdomain/httpdocs/phpmyadmin
[Fri Jul 03 03:23:16 2009] [error] [client 126.96.36.199] File does not exist: /var/www/vhosts/mydomain.com/subdomains/mysubdomain/httpdocs/pma
...
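One way to triage entries like these, added here as an example rather than anything from the post: parse the Apache error-log lines, keep only the "File does not exist" probes for phpMyAdmin-style directory names, and group them by client so a single scanner trying several names stands out. The log lines below are constructed with RFC 5737 documentation addresses, and the directory-name list is an assumption to extend from real logs.

```python
import re
from collections import Counter, defaultdict

# Apache error_log line shape as shown in the post (2.4 appends :port to the IP).
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)"
)

# Directory names scanners commonly try when hunting for phpMyAdmin.
# Assumption: an illustrative list; extend it from your own logs.
PMA_NAMES = {"phpmyadmin", "pma", "myadmin", "mysqladmin", "phpmyadmin2"}

def parse_line(line):
    """Return (client, requested basename) for a 'File does not exist' line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    basename = m.group("path").rstrip("/").rsplit("/", 1)[-1].lower()
    return m.group("ip"), basename

def find_pma_probers(lines, threshold=2):
    """Count phpMyAdmin-style 404 probes per client and return the clients at or
    over the threshold, mapped to the sorted set of names they tried."""
    probes = Counter()
    names = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] in PMA_NAMES:
            client, name = parsed
            probes[client] += 1
            names[client].add(name)
    return {c: sorted(names[c]) for c, n in probes.items() if n >= threshold}

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
[Fri Jul 03 03:23:16 2009] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/mydomain.com/httpdocs/phpMyAdmin
[Fri Jul 03 03:23:16 2009] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/mydomain.com/httpdocs/phpmyadmin
[Fri Jul 03 03:23:16 2009] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/mydomain.com/httpdocs/pma
[Fri Jul 03 03:24:01 2009] [error] [client 192.0.2.20] File does not exist: /var/www/vhosts/mydomain.com/httpdocs/favicon.ico
[Fri Jul 03 03:25:44 2009] [error] [client 192.0.2.30] File does not exist: /var/www/vhosts/mydomain.com/httpdocs/pma
"""

if __name__ == "__main__":
    for client, tried in find_pma_probers(SAMPLE_LOG.splitlines()).items():
        print(f"{client} probed: {', '.join(tried)}")
```

Because the probes are all 404s against paths that do not exist, the useful response is confirming that no phpMyAdmin is exposed and, if desired, feeding the grouped clients to a rate limiter or firewall rule.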
Does anyone have experience of PCI DSS scanning on a shared server? Our current hosting company have told us that it's unlikely to pass on a shared server, and that we should move to a Virtual Managed Server for them to make the necessary changes to pass a PCI scan.
In particular, we're talking PCI compliance to use PayPal Website Payments Pro UK.
From Googling there seems to be a lot of debate on this issue, varying from 'all you need for PCI compliance is an SSL certificate' (this seems to be PayPal's attitude), to 'PCI scans can be passed on a shared server if your host is willing to help', to 'you need separate dedicated servers for the database and site, etc.'.
Does anyone use Website Payments Pro UK, have a shared server, and regularly pass quarterly PCI scans? Also, we would much prefer a host based in the UK; we seem to get much better performance from our UK host than we did when the site was hosted in the US (our customers are almost completely UK-based).
I get a lot of messages from CSF about port scanning and brute-force detection. Is there a way to avoid all of these attacks? Because it tries to figure out my clients' FTP or POP3 users with several usernames, i.e. administrator, postgres, mysql, httpd, and many more.
I know a little about Internet security. Is it possible to make the public IP of my shared hosting untraceable? Like this one...
Just ping ebay.com or paypal.com and you will receive an RTO message or "Destination host unreachable", but actually the site is running fine.
My main goal was stopping incoming spam, and MailScanner is doing a great job of that, but it is taking too much time extracting and scanning attachments. Does anyone know how to disable scanning of attachments?
I was trying to install MailScanner on a cPanel box using chirpy's script [url], and followed every step, until this:
Code:
[firstname.lastname@example.org:~]perl mscpanel.pl -i
Unable to open spam.scanning.rules for reading: file or directory doesnt exist at mscpanel.pl line 115.
On line 115 I found this:
Code:
open (IN, "</usr/mailscanner/etc/rules/spam.scanning.rules") or die "Unable to open spam.scanning.rules for reading: $!";
The file /usr/mailscanner/etc/rules/spam.scanning.rules just doesn't exist... maybe chirpy's script is not working well at installing everything it needs.
I'm running CentOS with Parallels Plesk bundled with Parallels Premium Antivirus (Dr.Web). After the latest yum updates DrWeb continuously seems to crash and be restarted by the Parallels watchdog. By default there were no logs for DrWeb, but when I enable logging to a file it gets spammed continuously with the following error:
Cannot create pipe for communication with scanning childs (Too many open files)
and the DrWeb process runs at 99% CPU for long periods. This totally fills the disk with logs, so I've now disabled logging again and DrWeb is back to continuously being restarted by the watchdog.
Avast started giving out warnings when people viewed my site saying a trojan horse was detected called "JS:Bulered".
I looked through the page and noticed a chunk of code added at the end of the page:
I cleared it, then noticed it was also added to random files on my Invision Power Board forum and Coppermine gallery, so I cleared it from there as well (I just replaced the files from a backup I had).
I'm currently on a dedicated server with SoftLayer and I have a few other sites, and when checking them I noticed the code was added to pages on those sites as well!
Right now I'm just concentrating on my main site. I've cleared all the code and changed the password, the FTP password and the root password for the server. But after several hours the code was added again..
I read somewhere that it could be an infection on my computer that is using the FTP connection I make to inject the code into my site, so I've changed the FTP password again and I've stopped using FTP. It's been a couple of hours and the code hasn't been added back yet, but there's a good chance it'll be back soon.
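Since the code keeps coming back, a baseline comparison tells you exactly which files changed between checks, which is more reliable than re-reading pages by hand. This is an added example, not the poster's setup: it hashes every file under a document root, then diffs a later snapshot against the baseline; `demo()` builds a constructed site in a temporary directory and simulates a re-appended script tag and a dropped file (`bad.invalid` is a placeholder host).

```python
import hashlib
import json
import os
import tempfile

def hash_bytes(data):
    return hashlib.sha256(data).hexdigest()

def hash_tree(root, skip_dirs=("cache", "tmp")):
    """Map every file under root (path relative to root, '/'-separated) to its
    SHA-256 digest. Run it right after a cleanup to capture the known-good state."""
    snapshot = {}
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in skip_dirs]   # skip churny dirs
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                snapshot[rel] = hash_bytes(fh.read())
    return snapshot

def diff_baseline(old, new):
    """Classify files as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo():
    """Constructed scenario: a clean site is baselined, then a script tag is
    re-appended to one page and a new file appears, as in the post."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "forum"))
        pages = {"index.html": b"<html><body>hello</body></html>",
                 "forum/index.php": b"<?php echo 'ok'; ?>"}
        for rel, body in pages.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = hash_tree(root)
        # Simulated re-injection; bad.invalid is a placeholder host.
        with open(os.path.join(root, "index.html"), "ab") as fh:
            fh.write(b"<script src='http://bad.invalid/x.js'></script>")
        with open(os.path.join(root, "forum/new.php"), "wb") as fh:
            fh.write(b"<?php /* dropped file */ ?>")
        return diff_baseline(baseline, hash_tree(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline dict off the server (the attacker can rewrite anything on it) and compare the modification timestamps of flagged files against your FTP and web server logs to see which channel is writing them.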
If I type google.com in my address bar, it forwards me to www.google.com. This is not happening for my website right now. I think it's a good idea to do this, since then search engines will have only one main URL for the website to index.
My question is:
How do I implement this? I think this may involve mucking with CNAME settings...
I use Ian Lloyd's book and that's where I found out about this forum. Looks like a great forum.
I downloaded FileZilla FTP and I'm trying to transfer files from my computer onto an Angelfire web site.
FileZilla asks for a server address and I put in the URL address that I registered with Angelfire. It then asks me for an administration password, and I put in my password to the Angelfire site. I keep getting: Error: Connection to server lost...
Does anyone know what I'm doing wrong here? I would like to use FileZilla to upload my files (web pages) to the Angelfire site.
I have a website which is currently hosted with streamline.net on their shared msql 11 server.
We have had several issues with them over the last few weeks where someone is using most of the server and slowing everyone else's sites down so much that they crash. This week and weekend are my busiest time of the year (I sell fancy dress) and my site is totally unusable.
We have phoned them and they have done nothing except ask us for a log which we have provided for short periods of time.
The downtime has now got so bad that I have had only 2 sales today. I estimate I am losing approx. 400 per day at the moment due to this problem.
Is there anything that I can do urgently to prevent my business from being killed by someone else?
So I'm interviewing with a company and when I typed in the URL to their website, I was met with a nasty surprise: a "hacked by so and so" message! However, after looking closer, I see that I had accidentally appended a period (".") to the end of the domain name, for example: http://www.example.com./
When I removed the period, the site appeared as normal. I don't know anything about the server other than it's IIS. Is there anything I can suggest to them when I go in to interview? I'd like to point this out to them; it may even help my chances at landing the job! (It's not related to networking, though.)
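A small model of why the dotted name can show a different site, added here as an illustration rather than anything from the post (and not a reproduction of IIS internals): with name-based virtual hosting, a Host header of `www.example.com.` is not the string `www.example.com`, so the request falls through to whatever the server's default site serves. The site names are constructed; `normalize_host` shows the canonicalisation and `audit_trailing_dot` the check an admin can run over their own host-name bindings.

```python
# Minimal model of name-based virtual hosting: the server compares the Host
# header with each site's configured name and falls back to a default site when
# nothing matches. Assumption: a generic model with constructed site names.
SITES = {"www.example.com": "company-site", "intranet.example.com": "intranet"}
DEFAULT_SITE = "default-site"

def naive_select(host_header, sites=SITES, default=DEFAULT_SITE):
    """Raw comparison: 'www.example.com.' is not the string 'www.example.com',
    so the absolute (dotted) form lands on whatever the default site serves."""
    return sites.get(host_header.split(":", 1)[0].lower(), default)

def normalize_host(host_header):
    """Canonicalise a Host header: lowercase, strip the port, and drop the
    trailing dot that marks an absolute DNS name."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # IPv6 literal: keep brackets
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0].rstrip(".")

def hardened_select(host_header, sites=SITES, default=None):
    """Match on the canonical form and serve nothing for unknown hosts."""
    return sites.get(normalize_host(host_header), default)

def audit_trailing_dot(select=naive_select, sites=SITES):
    """Admin check: configured names whose dotted form is routed to a
    different site than the plain name under the given selector."""
    return sorted(n for n in sites if select(n + ".") != select(n))
```

The practical fix on the real server is the same as `hardened_select`: bind the canonical names, make the catch-all default site serve nothing, and clean whatever is currently sitting in it.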