Skip to:
Content
Pages
Categories
Search
Top
Bottom

x-victory.ru exploit?

  • When I browse to ourshire.net/forum, the status bar indicates something downloading from x-victory.ru. I’ve tried improved security via .htaccess, changing database password etc, but it goes on. Google lists this as possible “Badware” site.

    Has anyone had this problem, or have any idea what I could try to prevent? No sign of damage (yet).

Viewing 12 replies - 1 through 12 (of 12 total)
  • http://www.blockacountry.com is what some do when they find they have no other options.

    ~ Jared Ritchey

    At the end of your pages, after the closing HTML tag there is an additional script and an iframe.

    This code is not in the download tarballs, so it seems the code has been injected on your site only. You should contact your web host for assistance as your service may have been compromised.

    Thanks – yes, I found this in header.php:

    <script type=”text/javascript” src=”http://onvertigo.com/anarchy_media/anarchy.js”></script&gt;

    I’ll try deleting it and see if it stays deleted. Apparently onvertico.com belongs to Trent Adams, a bbPress enthusiast – hmm.

    No, the script is still being inserted at the bottom. When I replace the eval in the script with document.write and put the script in a html page, it produces a rectangle -strange. Is this really coming from Trent, the moderator? It has wasted a lot of my time.

    I didn’t say anything about the script at the top. I assume that’s from a plugin you’ve installed.

    Remove the script and iFrame from the bottom.

    Look in footer.php

    Where did you download your files from?

    The header.php file is from the bbpress-forum template supplied by Trent at http://trentadams.com/2007/02/10/theme-release-onvertigo/#comment-347

    I reinstalled everything, including the bbpress-forum theme, but with the anarchy.js line deleted. Now everything is fine. I think you might need to have a word with Trent about the purpose of the onvertigo.com/anarchy_media/anarchy.js

    Anthony

    The file you mentioned is harmless.

    Your problem was with an iframe that was inserted at the end of the page.

    Your site still contains some obfuscated javascript at the end of the page.

    I suggest you move to other hosting providers.

    I checked few sites on your hosting server (using http://www.myipneighbors.com/ to find out), they are inserted the same code.

    Hope you can get refund!

    I wrote about this in the wordpress.org forums as well and the only thing was that anarchy-media javascript in there left over after I re-uploaded the file after a server crash from my own modifications to the original theme.

    I have taken that up and reloaded the theme to the server, but I don’t see anything in footer.php that would even cause a problem that you are seeing.

    https://wordpress.org/support/topic/143571?replies=3#post-648853

    Trent

    As well, afdenahy you can always contact me by my about page on my site with the contact form. As well, the “modlook” tag would also draw me in faster even though that is not really the intended purpose of that tag to this thread!

    Trent

    Thanks Trent et al. 3ix have fixed the problem. This is their response:

    We have investigated the root cause of the issue and it is a type of iframe hacking from an Serbian IP which got into one of the customised php scripts of one of the clients and then got FTP access of domains and modified the pages.

    We have removed that script and the banned the IP and process of removing that hacked script . Your account has been cleaned.

    Now I’m changing lots of passwords. Sorry about jumping to conclusions about that script line in your header.php Trent.

    Anthony

    Something like this seems to be rather common problem with cheap/big hosting providers and their shared accounts. People are installing all sorts of unpatched/insecure scripts and it may take just one of those for all hosted on the server neighborhood to become “hackable”.

    I’ve had that experience in the past and found that providers offering DDoS protected hosting are a lot more security cautious than regular ones.

    I happen to come across DDoSwiz.com and am staying there, but there are of course others. Pricy solutions though..

Viewing 12 replies - 1 through 12 (of 12 total)
  • You must be logged in to reply to this topic.
Skip to toolbar