[Coco] CoCo3.com hijacked? -- WAS remtube demos - scaling, 3-D, SID player...
William Schaub
wschaub at steubentech.com
Fri May 21 15:10:16 EDT 2010
Roger Taylor wrote:
> At 12:04 PM 5/21/2010, you wrote:
>> I'm not sure whether Roger is done with the repairs, but, today it
>> appears a
>> different re-direct is happening. I'm getting a www1.cosmosave7.com
>> redirect
>> today. This is on a machine that's never been to coco3.com. It tries
>> to load
>> a fake scanning page showing your system is badly infected. I stopped it
>> before I got to the sales pitch that usually follows.
>>
>> If you disable JS on your browser for coco3.com, this does not happen.
>> WordPress are obviously the target this time around as several I
>> frequent
>> have been attacked.
>
>
>
> The site is not redirecting any more, and another backup has been made.
>
> BlueHost should be ashamed, as should every other hosting company that
> let these backdoor intruders waltz right into their servers and alter
> thousands of blog sites.
>
> It's the cleanest but most persistent hacker job I've seen because the
> rats didn't go trash the place and damage databases, but trying to fix
> all the .php files by hand is impossible. WordPress and all the
> plug-ins is a massive file structure.
>
>
I could write a simple shell script to remove the matching code using
nothing but cat and sed and perhaps a temporary file.
Won't do much good at all if they still have access to modify the php
files again though.
More information about the Coco
mailing list