Enclave Technologies
adsttnmq1/sdioyslkjs2 attack
Dear All,
Has anyone ever come across this: http://www.esuli.it/index.php/2009/03/24/adsttnmq1sdioyslkjs2-attack/
We use a third party hosting provider to host our clients' Web Sites. They run h-Sphere. They're claiming that the code injected into our sites was done by a Virus on one of our machines which harvested FTP details. There's nothing in their logs that shows any of our IP Addresses uploading the malicious scripts. They have admitted it came from an IP Address in China.
It's a shared hosting server and I was able to check other Web Sites on this server, that aren't on our account and in no way associated with us, and they all had the same malicious code on their page HTML source too.
I'm very interested as to whether this is a vulnerable Web Server or an outbreak like Gumblar.
Many thanks,
EE
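A quick way to do the check described in the question over a whole site's files, so every page on the server can be compared rather than eyeballed one by one. This is an added example, not code from the thread; the allowed-host list and the sample HTML are constructed for illustration, and the two watch strings are the names given in the thread title.

```python
"""Flag injected <script>/<iframe> references in static HTML."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Strings named in the thread title; any hit is worth a look regardless of host.
WATCH_STRINGS = ("adsttnmq1", "sdioyslkjs2")


class _SrcCollector(HTMLParser):
    """Collect the src attribute of every script and iframe tag."""

    def __init__(self):
        super().__init__()
        self.sources = []  # (tag, src) pairs in document order

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append((tag, value))


def find_injections(html, allowed_hosts):
    """Return (reason, detail) findings for one HTML document.

    allowed_hosts: set of hostnames the site legitimately loads code from.
    Relative src values have no host and are not reported.
    """
    findings = []
    collector = _SrcCollector()
    collector.feed(html)
    for tag, src in collector.sources:
        host = urlparse(src).netloc.lower()  # also handles //host/path
        if host and host not in allowed_hosts:
            findings.append((f"external {tag}", src))
    lowered = html.lower()
    for needle in WATCH_STRINGS:
        if needle in lowered:
            findings.append(("watch string", needle))
    return findings


# Constructed sample: one legitimate CDN script, one injected reference.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.com/site.js"></script>
</head><body><h1>Welcome</h1>
<script src="http://injected.example.net/adsttnmq1/sdioyslkjs2.js"></script>
</body></html>"""

if __name__ == "__main__":
    for reason, detail in find_injections(SAMPLE_HTML, {"cdn.example.com"}):
        print(f"{reason}: {detail}")
```

Run it over every .html/.php template in the FTP tree and diff the output against the last known-good copy; a finding that repeats identically across unrelated accounts on the same box is the point the question is making.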
any advancements?
ASKER
I've had nothing concrete - Everything is pointing towards a flaw in Parallels' hSphere Control Panel, but of course, the hosting company won't accept that! Even the Incident Handler that reported the flaw to one of our clients doesn't know any more about it.
yes, it seems like when this kind of event occurs, the hosting company takes a hands off approach to taking responsibility for configuration mistakes.
Also, they wouldn't publicly admit mistakes, because it loses confidence with customers.
Jfer
This seems to be happening a lot these months. I just found the same stuff on my server. It doesn't use hSphere, but CPanel. Seems to be related to a variety of outdated software:
http://forums.whirlpool.net.au/forum-replies.cfm?t=1234330
Indeed
Is there anything else I can help you with?
Jfer
ASKER CERTIFIED SOLUTION
This happened to my site a few years back, where my FTP credentials were stolen after my provider had been hacked, and my site had code injected that infected viewers.
The hosting company will not admit fault, no matter what.
The site you mentioned has been mentioned elsewhere:
http://www.mikhaela.net/2009/04/google-says-ive-been-hacked-and-theyre.html
http://www.phpfreaks.com/forums/index.php?action=profile;area=showposts;u=81834
Weak FTP passwords have affected h-Sphere users no doubt, but it remains a scripted attack, not necessarily directed against your site personally.
Just improve passwords for your site and management, and continue business as usual. When this kind of attack occurs, you will receive little or no support from the hosting company.
Jfer