[Coco] CoCo3.com hijacked? -- WAS remtube demos - scaling, 3-D, SID player...

William Schaub wschaub at steubentech.com
Fri May 21 15:10:16 EDT 2010


Roger Taylor wrote:
> At 12:04 PM 5/21/2010, you wrote:
>> I'm not sure whether Roger is done with the repairs, but, today it 
>> appears a
>> different re-direct is happening. I'm getting a www1.cosmosave7.com 
>> redirect
>> today. This is on a machine that's never been to coco3.com. It tries 
>> to load
>> a fake scanning page showing your system is badly infected. I stopped it
>> before I got to the sales pitch that usually follows.
>>
>> If you disable JS on your browser for coco3.com, this does not happen.
>> WordPress are obviously the target this time around as several I 
>> frequent
>> have been attacked.
>
>
>
> The site is not redirecting any more, and another backup has been made.
>
> BlueHost should be ashamed, as should every other hosting company that 
> let these backdoor intruders waltz right into their servers and alter 
> thousands of blog sites.
>
> It's the cleanest but most persistent hacker job I've seen because the 
> rats didn't go trash the place and damage databases, but trying to fix 
> all the .php files by hand is impossible.  WordPress and all the 
> plug-ins is a massive file structure.
>
>
I could write a simple shell script to remove the matching code using 
nothing but cat and sed and perhaps a temporary file.

Won't do much good at all if they still have access to modify the php 
files again though.



More information about the Coco mailing list