phantom.cncguild.net security issues



#1 Starkku

Starkku

    Putting the Pro' in 'Procrastination'

  • Hosted
  • 431 posts
  • Location:Finland
  • Projects:Project Phantom
  •  C&C YR modder & Project Phantom mod leader.

Posted 19 July 2012 - 10:57 PM

Basically found a couple of random HTML files in the root and www directories, deleted them. Also the front page had code for a hidden iframe that had a src attribute with a value of 'androidczad.info' or something like that. It didn't load the iframe for me, however, probably because it was between the xml and doctype declarations (which is how I noticed it in the first place - the validator didn't like that). Unfortunately it didn't really occur to me to check the contents of the index.php file in the www directory before I re-uploaded said file, after which the front page appeared clean.

Either way, I have changed the password for the FTP account by now. However, I am not exactly a security expert so I have no idea if it's some vulnerability or other issue in my website code, a compromised account or something else that let this happen. Any sort of help would be very much appreciated.

Thanks in advance.

Edited by Starkku, 19 July 2012 - 11:11 PM.

ppsign.gif
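An added example, not part of the original thread and not code from the site: a small Python audit for the kind of injection described in the post above, flagging iframes that are hidden, point off-site, or sit before the doctype. The names `IframeAudit`, `scan_html`, `scan_tree` and the host `injected.example` are made up for illustration; it assumes you run it over a local copy of the web root.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeAudit(HTMLParser):  # records each iframe with the reasons it looks injected
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts, self.seen_doctype, self.frames = set(own_hosts), False, []

    def handle_decl(self, decl):
        if decl.lower().startswith("doctype") and not self.seen_doctype:
            self.seen_doctype = True
            for frame in self.frames:  # everything recorded so far precedes the doctype
                frame[2].append("before-doctype")

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style):
            reasons.append("hidden")
        host = urlparse(a.get("src", "")).hostname  # None for relative URLs
        if host and host not in self.own_hosts:
            reasons.append("off-site")
        self.frames.append([self.getpos()[0], a.get("src", ""), reasons])

def scan_html(text, own_hosts=()):
    parser = IframeAudit(own_hosts)
    parser.feed(text)
    parser.close()
    return [tuple(f) for f in parser.frames if f[2]]  # (line, src, reasons)

def scan_tree(root, own_hosts=(), exts=(".php", ".html", ".htm")):
    report = {}  # path -> findings, for a local copy of the web root
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names if n.lower().endswith(exts)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_html(fh.read(), own_hosts)
            if hits:
                report[path] = hits
    return report

SAMPLE = '''<?xml version="1.0" encoding="utf-8"?>
<iframe src="http://injected.example/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><body><iframe src="/news.php" width="600" height="400"></iframe></body></html>'''  # constructed input
```

PHP source is parsed as plain markup here, so an iframe assembled by PHP string operations or decoded at run time will not be seen; comparing the files against a known-good copy covers that case.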

#2 Banshee

Banshee

    One Vision, One Purpose!

  • Network Admins
  • 8,997 posts
  • Location:Rio De Janeiro, RJ, Brazil.
  • Projects:PPM, PPM: Final Dawn, OS SHP Builder, OS Palette Editor, OS W3D Viewer, VXLSE III, etc...
  •  Retired Network Leader
  • Division:Revora
  • Job:Maintenance Admin

Posted 20 July 2012 - 03:50 AM

As far as I could analyse your site, its code is not vulnerable or I couldn't find any vulnerability. That code was probably added because someone's computer was infected with a trojan. I've seen this kind of thing happening with some PPM hostees. Changing the FTP password is a good step to stop it. Another step is cleaning all PCs that your team uses to upload files to the FTP before using the new password on them.
Project Perfect Mod

Command & Conquer Mods, Mods Support, Public Researchs, Map Archives, Tutorials, Tools, A Friendly Community and much more. Check it out now!


#3 Plokite_Wolf

Plokite_Wolf

    File hoarder

  • Members
  • 2,294 posts
  • Location:Split, Croatia
  •  Parce mihi, Domine, quia Dalmata sum.

Posted 20 July 2012 - 04:24 PM

According to Google, this is quite a new occurrence. I'm not sure anyone knows how to deal with it. It affects WordPress sites.

Edited by Plokite_Wolf, 20 July 2012 - 04:24 PM.

Administrator of CNCNZ.com and EVA Database, the C&C Wiki

You are also welcome to make use of my archives of official files:

C&C File Archive | BFME File Archive | Dune File Archive


#4 Banshee


Posted 20 July 2012 - 05:37 PM

This is not a WordPress site and this kind of trojan using zombie hostee PCs to hack their sites has been happening for at least 2 years.

#5 Starkku


Posted 23 July 2012 - 04:14 PM

I am the only one using the FTP account and couldn't find any sort of malware on my system after full scans with a couple of different pieces of software. So far it hasn't occurred again, and I suppose I can just hope that it does not do so either.

#6 Banshee


Posted 23 July 2012 - 08:48 PM

Hmmm... ok. Guess it could have some vulnerability and I couldn't find it.