Bob`s Tech Blog

Link: http://kansaslife.net

Well i switched again. I really love the asp content management system
Garb hooked me up with. Its pretty sweet. The only downfall is that i need to keep a windows based server running with IIS from my home, bypassing the huge web hosting plan that i have. But i found PHP Fusion which is a similar CMS but php based, and though i can not really say its more customizable per say, it does a few things that the other one doesn't do like IP and host logging. At any rate, im still in the testing phase but i like what i see so far.

Well i have finally completed the first phase of my changer over of our indoor cams to cms. Why did I move the indoor cams to a cms? Here`s the deal. With a popular family web cam site comes lots of attention from both great people, and people who are sick. The sicks ones have shown themselves over the last 10 years or so and iv done my best to get rid of them by banning at the server level with .htaccess. However, some of these blocked people come back using googles cached pages which basically gives them access to the frames where my video streams are located. Then i have to ban them at the video server level. So you would think that would be enough right? Nope. They then come back using one of the many free proxy servers located around the world, then they have full access to my web site and cam streams once again.

So, iv been toying around with the idea of using a cms platform over the last few months, trying several different cms packages (8 to be exact) until i found this one. Its far from perfect but what it does is allow access to our indoor cams by user account. This has several advantages. Now all our cam stream pages are protected from anonymous viewers plus Google cant cache their direct URL`s or pages, and if it did it wouldn't matter because you have to be logged in to the system to access them.

I don't like the look (at all) but hopefully ill learn how to customize it more in the future.

Bottom line, knowing that pedophiles and people that want to follow my wife around the house all day are stopped in their tracks (or i can stop someone if they become a problem) is worth the switch to, and look of the cms platform.

I want to be sure to add that everyone is still welcome to view our cams. Just register for a free account which the activation is instant much of the time, but at the most the system could take a couple hours to get your activation email sent (depending how clogged opentransfer is at that time). We wont spam you, or even email you for that matter nor can anyone even access your email address or other info.

-Bob

Link: http://vbadvice.blogspot.com/2008/12/yahoo-counter-starts-trojan.html

I found this excellent advice for the removal of the Yahoo! Counter starts' trojan from your database. This was a VBulletin user.

I found a relatively simple fix for the 'Yahoo! Counter starts' trojan that affects VBulletin and other forum software. Here's what I did:

I did a backup of the SQL database in VBulletin:
I went into the Admin Panel; clicked Maintenance, database backup.
At the bottom of that page, I went to the section that says
Backup database to a file on the server. Then I did the following:

1. made new directory within the /forum/ folder called /backup
2. made new directory worldwritable
chmod 777 backup
3. entered location for backupfile in Admin panel:
./backup/forumbackup-year-month-day.sql
4. Clicked save

Then I went into site by FTP and downloaded the SQL backup file,
and deleted the file from the site, and deleted the folder.

Then I searched the backed up SQL file for 'Yahoo! Counter' and found
two sections of code that had been inserted into the database by the trojan.

I found the code by doing a backup of the entire database with vBulletin,
then searching the SQL file generated by that back up.
Both sections of code have 'Yahoo! Counter' in them.

Then I logged into my website hosting company's control panel, and used
PHPmyadmin to go into the mySQL database (I have IXwebhosting), and
I edited the affected tables (the names of the tables were found from the
previous search of the backed up SQL file).

datastore options
[datastore is the name of a table in the database,
and options is a section within that table]

and likewise with:

setting description

The section of bad code in datastore begins with:

1108:\"\" />

and then continues on to include:

Yahoo! Counter starts

and then continues on to end with:

name=\"yahoo\" content=\"count\"

and the repaired code in 'datastore options' should include:

;s:11:\"description\";s:0:\"\";s:12:\"useforumjump\";i:1

The bad code had changed
;s:0:
to
;s:1108:
and then added the malicious code after the 1108. So after deleting the bad section of code, I made sure the repaired code had the zero and not the 1108

The section of bad code in 'setting description' was easier to fix.
This good code:

INSERT INTO setting VALUES('description', 'general', '',
'This is a discussion forum powered by vBulletin. To find out about vBulletin, go to http://www.vbulletin.com/ .',
'', '20', '0', '1', 'free', 'vbulletin', '', '0');

had been replaced by a long section of code that included the text:
Yahoo! Counter starts

I replaced that long section of code with the text:

This is a discussion forum powered by vBulletin. To find out about vBulletin, go to http://www.vbulletin.com/ .

This worked for me. I don't know if it will work for anyone else.
Proceed similarly at your own risk.
Good luck!
Posted by JT at 6:08 PM

Well first.. happy new year people. I just did a check up of my web sites, and all are still clean. Again, they have been clean since i started over with a new mysql database, a new set of files (all files, php and HTML)and changed my FTP passwords. If your reading this for the first time, check my earlier posts for info on how to clean up existing databases, and some other useful info. If i find out for sure how this junk got on our web servers in the first place ill pass that info on to you.

I did something very interesting the other day and forgot to mention it. I did a google search for key words "yahoo counter starts" and found about a bazillion results of web sites that actually had the code injected in their pages still.

I did a WHOIS on 50 of them, and 47 were hosted by Ecommerce Corporation which is IX Webhosting. Am i wrong but does it seem like there is indeed something up with IX webhosting? Why would so many of their customers have this problem? I'm not the brightest bulb in the chandelier but i cant figure out how to pick a particular web host company and target their customers. Further evidence to suggest that IX has / had some sort of security issue on the back end?