Reseller Hosting, Shared Hosting, Dedicated Hosting by Vortech Inc.

#1
07-02-2008, 06:07 PM
Ablaze
Vortech Inc. Customer
 
I wanna fry me a damn Turkey! Hacker that is!

I have a client on a Unix server that keeps getting hacked over and over again.

It has happened to more than one of his domains on his account.

It has happened to one site in particular three times in the last 6 months.

I searched the forum and only found information about the mentality of the hackers but not a way to stop them.

Some of the sites were created with Sitestudio...
OsCommerce is one of the sites as well...
Any known vulnerabilities on either of them that you know of?

Any suggestions on what script I should look for that is allowing this Turkish fellow to hack his site and delete all his files?

Anybody else had this problem recently?

Any help would be very much appreciated!

Thanks,

B-
#2
07-02-2008, 08:36 PM
Brangwyn
T3CHN0 STUD
Vortech Inc. Customer
 
Location: New Zealand (Wellington)
Is it being injected with the old b.js script or similar? I'm having a few of them crop up recently myself too, but then there is a pretty big wave of hacks going on currently too.

Out of interest what server is this client on? (mine I think is on NT5)
#3
07-02-2008, 11:01 PM
Ablaze
Vortech Inc. Customer
 
Quote:
Originally Posted by Brangwyn
Is it being injected with the old b.js script or similar? I'm having a few of them crop up recently myself too, but then there is a pretty big wave of hacks going on currently too.

Out of interest what server is this client on? (mine I think is on NT5)

Unix16...

So is b.js or a similar script something that is used by Site Studio and/or osCommerce?

Is there any hope of removing the vulnerability so that it does not continue to happen? Luckily this particular client uses Site Studio quite a bit, so he is able to just log in and re-publish.

I appreciate your quick response time Brangwyn...

Last edited by Ablaze : 07-02-2008 at 11:06 PM.
#4
07-03-2008, 12:03 AM
Brangwyn
T3CHN0 STUD
Vortech Inc. Customer
 
Location: New Zealand (Wellington)
Do a Google search for ASPROX, which is probably the most prolific Trojan at the moment that's doing botnetted attacks like this.

I'm not really sure at this stage how it would be affecting sites that aren't using SQL somewhere, but I've one customer that I mentioned above who's had similar, and he seems to have just a few HTML pages with Flash embedded.

http://www.secureworks.com/research/...t=danmecasprox
#5
07-03-2008, 08:49 AM
dpyers
Vortech Inc. Customer
 
If all files have been removed from multiple web sites running different software a couple of times and you've changed the account password, there's a good chance that a Trojan on the client's machine is the bad guy.
#6
07-03-2008, 10:26 AM
Ablaze
Vortech Inc. Customer
 
I appreciate your help, gentlemen!

Here is a copy of an email that I sent to my client...

Quote:
Jeremy - check and see if these values are in the registry of all the computers that you use:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft

Also

Check in your services and see if you have a service called: msscntr32.exe

I have been told that there is a good chance that the attacks on your site are coming from your computer. The reason they told me that is because you have changed your FTP passwords multiple times on your sites and they keep getting hacked.

Read this: http://www.secureworks.com/research/...t=danmecasprox
Do a search for ASPROX in Google for additional info.

Let me know if any of the above keys and/or files are running on your systems so that I may start looking for directions on how to remove them.

Any additional suggestions would be appreciated. I will report back to you all if he finds any of the above suggested registry keys and/or services.

Thanks!

Last edited by Ablaze : 07-03-2008 at 10:31 AM.
#7
07-03-2008, 04:56 PM
dpyers
Vortech Inc. Customer
 
Let us know how it turns out.
#8
07-03-2008, 05:08 PM
Ablaze
Vortech Inc. Customer
 
Will do...
#9
07-03-2008, 05:35 PM
Silverbug
Custom Built Solutions
Vortech Inc. Customer
 
Location: AK, New Zealand
I have a site where I'm getting a lot of attempted SQL injections.

Hehe, just for fun we decoded the attack, re-wrote it and re-encoded it to create a SQL injection fix.

Paul Foley
Sniper Systems Ltd

#10
07-03-2008, 11:25 PM
Danl
Administrator
 
Haha, glad to hear we finally have some people that are combating these idiots who think it's okay to ruin other people's hard work. Silverbug, if you have any suggestions please let us know so we can tell some of our clients that aren't using the forums.
#11
07-04-2008, 07:07 AM
Brangwyn
T3CHN0 STUD
Vortech Inc. Customer
 
Location: New Zealand (Wellington)
I would like to make one simple suggestion to Vortech actually: please consider installing the latest URLScan 3 beta and put a couple of simple deny rules in there to stop the attacks from even hitting our sites.
#12
07-04-2008, 08:31 AM
Danl
Administrator
 
I'll bring that up on Monday after the 4th of July weekend. Thanks as always, Brangwyn.
#13
07-04-2008, 09:19 AM
Brangwyn
T3CHN0 STUD
Vortech Inc. Customer
 
Location: New Zealand (Wellington)
I have a ruleset which seems to block the current wave of SQL injection attacks quite nicely too, if you're interested.
#14
09-03-2008, 03:33 PM
Ablaze
Vortech Inc. Customer
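Brangwyn's URLScan ruleset is not posted in the thread. As an added illustration (not Brangwyn's rules or anything from Vortech), the script below shows the kind of request-level indicators such deny rules match: it parses constructed access-log lines, percent-decodes the query string repeatedly (so the "re-encoded" variants Silverbug mentions are still caught), and flags the DECLARE/CAST(0x...)/EXEC string-building pattern typical of the 2008 mass SQL injection wave. The log lines, the hex body and the indicator names are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not from the thread).
# The second request mimics the URL-encoded DECLARE/CAST(0x...)/EXEC shape of the
# 2008 mass SQL injection wave; the hex body is a short placeholder, not a payload.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jul/2008:05:35:01 -0500] "GET /products.asp?id=12 HTTP/1.1" 200 5120
192.0.2.77 - - [03/Jul/2008:05:36:14 -0500] "GET /products.asp?id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4142%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 5120
192.0.2.10 - - [03/Jul/2008:05:37:02 -0500] "GET /catalog/default.php?cPath=22 HTTP/1.1" 200 8000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Indicators of T-SQL string-building injection, checked after decoding; a
# URLScan-style deny rule would carry the same substrings. Names are assumed labels.
SQLI_PATTERNS = [
    ("declare-var", re.compile(r"declare\s+@\w+", re.I)),
    ("hex-cast", re.compile(r"cast\s*\(\s*0x[0-9a-f]+", re.I)),
    ("exec-string", re.compile(r"exec\s*\(", re.I)),
    ("union-select", re.compile(r"union\s+(all\s+)?select", re.I)),
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so a double-encoded query cannot slip past."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_query(query):
    """Return the name of the first matching indicator in a query string, or None."""
    text = fully_decode(query).replace("+", " ")
    for name, pattern in SQLI_PATTERNS:
        if pattern.search(text):
            return name
    return None

def scan_log(text):
    """Return (client_ip, path, indicator) for every line whose query looks like SQLi."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        path, _, query = match.group("target").partition("?")
        indicator = classify_query(query)
        if indicator:
            hits.append((match.group("ip"), path, indicator))
    return hits
```

Running `scan_log(SAMPLE_LOG)` reports only the second line; the same decoded-substring checks are what a web-server deny rule needs, which is why single-pass matching on the raw URL is not enough.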
 
Danl,

What were the results of your Monday morning meeting in regards to Brangwyn's suggestion?

Thanks,

B-
#15
09-03-2008, 03:42 PM
Danl
Administrator
 
Wow, I completely forgot about that apparently. I'll bring this up to everybody whenever they let me come back to work (been sick and outta work for a week). Thanks for bringing it back up to me, Ablaze.