The "zbind exploit"

super70s

8:20 pm on Mar 11, 2010 (gmt 0)

My website was hacked on Mar. 7 or 8 by some culprit who used what's known as the "zbind exploit." I found a file named "za.tgz" on my server, and inside its folder were two executable files named "zbind" and "zero." When you used "www.(mydomain).com" you'd be taken to some crap with only three URLs, but when you didn't use the "www" in the URL, the site would work normally. My site is hosted by Yahoo Small Business and they were great in helping to get the site working properly again; they deleted the command that was causing this.

I was just wondering if anyone is familiar with this "zbind" thing, and what steps I could take to prevent this from happening in the future.

JS_Harris

4:43 am on Mar 14, 2010 (gmt 0)

zbind exploits the xml/rpc functions of the infected site. Look over your log files for attempts to POST something to xmlrpc.php (in WordPress; it might be a different file for other software).

One fix, if you don't post articles remotely, is to disable the xml/rpc ability completely. The WordPress site gives instructions on this, as do the sites of other similar software applications.
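An added example of the log review JS_Harris describes (not code from this thread or from any of the software mentioned): it parses combined-format access log lines, counts POSTs to xmlrpc.php per client address, and lists addresses at or above an assumed review threshold. The log lines are constructed; the path xmlrpc.php is the WordPress one named above, and other software may use a different file.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2010:02:14:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"
198.51.100.23 - - [07/Mar/2010:02:14:03 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Mar/2010:02:14:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "Mozilla/4.0"
203.0.113.7 - - [07/Mar/2010:02:14:09 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 500 0 "-" "Mozilla/4.0"
192.0.2.44 - - [08/Mar/2010:11:00:12 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0 "-" "curl/7.19"
192.0.2.44 - - [08/Mar/2010:11:00:40 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 1020 "-" "curl/7.19"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the fields we care about as a dict, or None if the line is not combined-format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_xmlrpc_post(rec):
    """True for a POST whose path (query string ignored) ends in xmlrpc.php, in any directory."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.lower().endswith("/xmlrpc.php")

def xmlrpc_posts_by_ip(log_text):
    """Count POSTs to xmlrpc.php per client address across the whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_xmlrpc_post(rec):
            counts[rec["ip"]] += 1
    return counts

def suspicious_ips(log_text, threshold=2):
    """Addresses with at least `threshold` xmlrpc.php POSTs (the cutoff is an assumed, tunable value)."""
    return sorted(ip for ip, n in xmlrpc_posts_by_ip(log_text).items() if n >= threshold)

if __name__ == "__main__":
    for ip, n in xmlrpc_posts_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} POST(s) to xmlrpc.php")
    print("review:", suspicious_ips(SAMPLE_LOG))
```

Point the script at a real access log with `open(path).read()` in place of `SAMPLE_LOG`; a site that never publishes remotely should see no xmlrpc.php POSTs at all, so any hit is worth a look.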

super70s

11:23 pm on Mar 17, 2010 (gmt 0)

Thanks for the info, JS. I will look into disabling XML.

One huge side effect was that my Google Adsense impressions were cut in half after this malicious act. I wrote to Adsense support and they suggested I request a reconsideration of my site, which I have done.

Here's the URL for that in case this should happen to any of you:

[google.com...]

(BTW, never seen so many broken URLs on the help pages at Google's Webmaster Central, get your act together guys!)