Topic: build 43 / hacked again

[ip0li]

2 Shoplifter: what updater said? I mean all files were updated successfully?

After an update the scan is clear, but I have others saying they are getting safe browsing warnings on my sites. I can't see the warning with Chrome so I am not sure what is up.

Traffic is way down tho so something is wrong that I cannot see.

This is related to google U should contact them to remove it!

[ip0li]

I sent your info to kildoozer it should be fixed.... please be patient it takes time + we have 2 more clients with same issue....hopefully U are last 3

[donedeal]

That would be a no on that. I have 2 boxes with 50 sites infected. All with different log-ins

I was hoping for a new version that would address this. Its great your offering to clean out a server, but without a patched revision to
address the hole, cleaning out the box would only be a band-aid.

I can never get the ads to show myself, which almost gives me the impression the possiblity exists that he put my ip on a whitelist. Although the ads show when i visit my sites from my smartphone.
I also have my traders saying that google crome's advast gives malware warnings.

Has the hole been found? Is there a solution other than "cleaning it out?"

[ip0li]

Hole was never there, hole was our server at xxxhostit got hacked. COuple clients affected by that still have issues because hacker inserted on their system shell exec scripts. So with cleaning entire system and changing usernames/passes U are safe. But U need to clean system, change user passes + update tp to latest files(non infected) simultaneously.

Tricky part in entire story is find ALL shell exec scripts.

[allniche]

If the hacker can had root access then the safest thing to do (although it is time consuming and a pain) is to [on a dedicated server anyway] wipe out the entire drive, reinstall the OS and then restore from the latest known good backup.  It's always dangerous just to try to find all the backdoors and rootkits the crackers might have left because all it takes is one for them to get back in.  Then you'll be continually having to do this.  So sometimes it's easiest just to clean it the right and "old school" way in the first place.

If you can't do this for whatever reason I guess you take your chances and hope for the best.  I hope everything gets fixed.

[ip0li]

He did not have root access, via ftp...but he had chance to do it via shell scripts....either way we are close to eliminating this 500%!!! Whoever has problem info@scriptpulse.com email me with ftp info!!!

[donedeal]

I just want to thank Kildoozer for cleaning out my accounts and fixing me up. Great guy to step up to the plate like he did, thank you

[Shoplifter]

Four of my sites were hacked again, the scanner shows the wrong date and checksum for tp_in.php. Doing an upgrade seems to clear the tp_in.php scan error.

One of the sites is now blocked by Google safe browsing with the following message:

What happened when Google visited this site?
Of the 16 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-02-23, and the last time suspicious content was found on this site was on 2012-02-23.
Malicious software includes 5 scripting exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 3 domain(s), including simplenssentinel.de.gg/, smartjcchecker.de.gg/, simple-dtnetwork.it.cx/.

4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including ringostart.osa.pl/, safesoftcy.com/, simplenssentinel.de.gg/.

This site was hosted on 1 network(s) including AS30266 (A1COLO).

Arrrrgggghhhh....

[ip0li]

Kildoozer sent U email/icq message anyway we ened tp/ftp access - email to info@scriptpulse.com AND kildoozer@scriptpulse.com

Four of my sites were hacked again, the scanner shows the wrong date and checksum for tp_in.php. Doing an upgrade seems to clear the tp_in.php scan error.

One of the sites is now blocked by Google safe browsing with the following message:

What happened when Google visited this site?
Of the 16 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-02-23, and the last time suspicious content was found on this site was on 2012-02-23.
Malicious software includes 5 scripting exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 3 domain(s), including simplenssentinel.de.gg/, smartjcchecker.de.gg/, simple-dtnetwork.it.cx/.

4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including ringostart.osa.pl/, safesoftcy.com/, simplenssentinel.de.gg/.

This site was hosted on 1 network(s) including AS30266 (A1COLO).

Arrrrgggghhhh....

[donedeal]

Yup coming back on my sites as well, i had all my tp passess changed too, didnt seem to do a thing
Not good, not good at all.

[ip0li]

Yup coming back on my sites as well, i had all my tp passess changed too, didnt seem to do a thing
Not good, not good at all.

Hey, kildoozer will contact U soon. I sent him msg already to solve it asap!

[Shoplifter]

Kildoozer sent U email/icq message anyway we ened tp/ftp access - email to info@scriptpulse.com AND kildoozer@scriptpulse.com

Message sent to Killdozer. Thanks for the help!

[donedeal]

Still nothing.......

I would like some tips or some ideas how to rid of this thing and keep it off this time, really looking like i have to get a new server and reinstall from scratch everything now. But will it just come back again? Killdoozer cleaned it up but its back again.

The scanner shows nothing is wrong now but still get the popups etc (that are not my ads)

is this been found to hop out of the tp folder, or out of the public_html folder? is it jumping to the apache kernal or server files? in st? anything like this?

[Shawn]

I found malicious code outside of tp scattered in various domains that didn't even have tp.  So I'd check out everything if you can...

[donedeal]

Thanks for the heads up