Server Help

Trash Talk - Maleware on shanky/server?

K' - Wed Apr 04, 2007 2:33 pm
Post subject: Maleware on shanky/server?
Looked at http://www.shanky.com/server/staff.html and was requested to approve an ActiveX element; half a second later ZoneAlarm jumped up with a report of:
Exploit.Win32.IMG-ANI.h and Trojan-Dropper.Win32.Agent.bfd
Allegedly involved are 'file[1].jpg' and some obscure random file string.
Could be a false positive or from some other source in some fashion, but who knows; might want to do a little in-house sweeping.
Bak - Wed Apr 04, 2007 2:50 pm
There is an image: http://86.39.128.144/download/167212/file.jpg on the page

and the IP address is registered to (http://www.ripe.net/whois?form_type=simple&full_query_string=&searchtext=86.39.128.144&do_search=Search)

person: Steven Vandewalle
address: Aardenburgse Heerweg 5
address: 9910 Knesselare
address: Belguim

and yields the webhosting service: http://belgon.be/
Solo Ace - Wed Apr 04, 2007 3:00 pm
Yeah, I got it too, but now I don't anymore. I don't know, did I just infect my windows box?

Nah I didn't.

Why were you reading that page? Trying to bring old, forgotten times back?



I think it's weird how it pops up, and then it doesn't. Maybe someone's messing with Apache's memory or what?
Solo Ace - Wed Apr 04, 2007 3:05 pm
I'll go to Knesselare and beat up whoever's responsible for the host.

I'm still not sure about the sex of this ware, but I guess I don't even want to know if you consider it male.
Mine GO BOOM - Wed Apr 04, 2007 3:13 pm
Solo Ace wrote:
Maybe someone's messing with Apache's memory or what?

It is. I've been complaining to the host of that machine for a while that someone is affecting Apache. It is nothing I can touch from my end there.

Thus the reason why I moved minegoboom/mineplowers over to my own virtual machine where I get full control over it. I have not heard of any type of memory hacking done with Xen 3 yet, and I doubt any would happen anytime soon when there are so many shared hosts people can just fuck up through apache injections.

I have no plans on moving shanky.com over, because there are lots of subdomains that are hosted, and I never got around to making the box secure enough that I'd grant access to everyone that is being hosted. It wouldn't be too difficult to just have shanky.com/server forwarded to minegoboom.com/server or something such as that. Would this be a good enough solution for you guys?
Confess - Wed Apr 04, 2007 5:43 pm
Ya, that's a lot better than having it mess up people's comps.
Cerium - Wed Apr 04, 2007 7:05 pm
Speaking of malware, I noticed something rather odd when checking the Hybrid forums. Every now and then on the main page (hybrid.shanky.com), at the very top there's a link that says "Nothing here" and an image placeholder.

I don't recall adding that and as far as I know, you don't bother editing other people's sites. Moreover, it doesn't appear anywhere in the page source. Any idea what that is?
Mine GO BOOM - Wed Apr 04, 2007 7:27 pm
It is a JavaScript inserted into the output by a virus on the machine that is infesting Apache. Like I said, I've complained to the host numerous times. We even switched machines, which fixed the problem for a bit.

Shanky.com/server is now redirected to Minegoboom.com/server. You don't need to update any links anywhere, because at some point I'll just move shanky.com onto the mineplowers server, in which case it will just be shanky.com/server again.
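A check for the symptom described in this thread (a link, image placeholder or script that shows up in what the server sends but is not in the site's own files), added here as an example and not anything from the original posts or the shanky.com setup. It diffs the served page against the copy in the document root and flags the injected tags; the two HTML samples are constructed and `example.invalid` is a placeholder.

```python
"""Spot content an infected web server adds to a page that is not in the file on disk.

Compares the HTML the server actually returns with the copy in the document root and
reports every line the served copy adds, flagging script/iframe/link/image tags.
All inputs below are constructed samples; hostnames and paths are placeholders.
"""
import difflib
from html.parser import HTMLParser

# Tags that an injected fragment typically uses to load or link to something.
SUSPECT_TAGS = {"script", "iframe", "object", "embed", "a", "img"}


class _TagCollector(HTMLParser):
    """Collects (tag, src-or-href) pairs for the tags worth a second look."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in SUSPECT_TAGS:
            a = dict(attrs)
            self.found.append((tag, a.get("src") or a.get("href") or ""))


def injected_lines(served_html, disk_html):
    """Return lines present in the served page but absent from the on-disk file."""
    diff = difflib.unified_diff(disk_html.splitlines(), served_html.splitlines(),
                                lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def suspicious_injections(served_html, disk_html):
    """Return (tag, target) pairs found only in the injected lines."""
    parser = _TagCollector()
    parser.feed("\n".join(injected_lines(served_html, disk_html)))
    return parser.found


# Constructed sample: the file as it sits in the document root ...
DISK = """<html><head><title>Hybrid</title></head>
<body>
<h1>Hybrid forums</h1>
<p>Welcome.</p>
</body></html>"""
# ... and what the infected server actually hands to the browser.
SERVED = """<html><head><title>Hybrid</title></head>
<body>
<a href="http://example.invalid/x">Nothing here</a><img src="http://example.invalid/file.jpg">
<h1>Hybrid forums</h1>
<p>Welcome.</p>
<script src="http://example.invalid/a.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, target in suspicious_injections(SERVED, DISK):
        print(f"injected <{tag}> pointing at {target}")
```

In practice the served copy comes from fetching the page over HTTP and the on-disk copy from the document root; a clean box yields an empty list.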
Cyan~Fire - Thu Apr 05, 2007 2:20 pm
Can you get your brother to post more girls while you're at it?
All times are -5 GMT
Powered by phpBB 2.0 .0.11 © 2001 phpBB Group