We help IT Professionals succeed at work.

adsttnmq1/sdioyslkjs2 attack

682 Views
Last Modified: 2013-11-16
Dear All,

Has anyone ever come across this: http://www.esuli.it/index.php/2009/03/24/adsttnmq1sdioyslkjs2-attack/

We use a third party hosting provider to host our clients Web Sites. They run h-Sphere. They're claiming that the code injected into our sites was done by a Virus on one of our machines which harvested FTP details. There's nothing in their logs that shows any of our IP Addresses uploading the malicious scripts. They have admitted it came from an IP Address in China.

It's a shared hosting server and I was able to check other Web Sites on this server, that aren't on our account and in no way associated with us, and they all had the same malicious code on their page HTML source too.

I'm very interested as to whether this is a vulnerable Web Server or an outbreak like Gumblar.

Many thanks,

EE
Comment
Watch Question

Commented:
Hello,

This happened to my site a few years back, where my FTP credentials where stolen after my provider had been hacked, and my site had code injected that infected viewers

The hosting company, will not admit fault, no matter what

the site you mentioned  has been mentioned elsewhere

http://www.mikhaela.net/2009/04/google-says-ive-been-hacked-and-theyre.html

http://www.phpfreaks.com/forums/index.php?action=profile;area=showposts;u=81834

Weak FTP passwords have affected h-sphere users no doubt, but it remains a scripted attack, not necessarily directed against your site personally

Just improve passwords for your site, and management and continue business as usual, when this kind of attack occurs, you will receive little or no support from the hosting company

Jfer

Commented:
any advancements?
I've had nothing concrete - Everything is pointing towards a flaw in Parellel's hSphere Control Panel, but of course, the hosting company won't accept that! Even the Incident Handler that reported the flaw to one of clients doesn't know any more about it.

Commented:
yes, it seems like when this kind of event occurs, the hosting company takes a hands off approach to taking responsibility for configuration mistakes.

Also, they wouldn't publicly admit mistakes, because it loses confidence with customers

Jfer  
This seems to be happening a lot these months. I just found the same stuff on my server. It doesn't use hSphere, but CPanel. Seems to be related to a variety of outdated software:

http://forums.whirlpool.net.au/forum-replies.cfm?t=1234330

Commented:
Indeed

Is there anything else I can help you with?

Jfer
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.