Website hacked by "free20.com"
 

Owen





Old Post  06-09-06 - 12:28 AM  
Yesterday I noticed something very strange on my website.  After the page
had loaded, the IE progress ticker was still going and the status bar was
displaying weird stuff with "www.free20.com" in it.   On doing a 'View
Source', it seemed that a hidden iframe had been added to the source code,
which darted off to some spam/spyware site called "alexafirst.com" and/or
"free20.com"

A lot of Googling later, I discovered many other websites had suffered the
same fate.  (It's odd how this hasn't made the news, actually, as it could
have compromised some serious commercial websites).

So I thought, right, the webhost's server has obviously been hacked.   I
decided to re-upload all my .asp pages to overwrite the hacked versions.
Job done.  Source code restored.

But then this morning I look again at my website and did a 'View Source' to
check again, and lo and behold there is *more* hacked code!

'something' has inserted the following line at the top of each page:

<script language='javascript'
src='http://127.0.0.1:1028/js.cgi?pa&r=4827'></script>


And at the bottom:

<script language='javascript'>postamble();</script>

Where did this code come from?  I sure as f*ck didn't write it.  I'm
appalled that my web pages have been compromised like this.   Obviously I'm
going to contact my webhost about it, but I wondered if anyone here has
experienced anything similar?


--
Owen.
www.binarybaby.co.uk




Re: Website hacked by "free20.com"

Chaddy2222

Old Post  06-09-06 - 12:28 AM  
Owen wrote:
> Yesterday I noticed something very strange on my website.  After the page
> had loaded, the IE progress ticker was still going and the status bar was
> displaying weird stuff with "www.free20.com" in it.   On doing a 'View
> Source', it seemed that a hidden iframe had been added to the source code,
> which darted off to some spam/spyware site called "alexafirst.com" and/or
> "free20.com"
>
> A lot of Googling later, I discovered many other websites had suffered the
> same fate.  (It's odd how this hasn't made the news, actually, as it could
> have compromised some serious commercial websites).
Most websites use Apache so would be less vulnerable.

>
> So I thought, right, the webhost's server has obviously been hacked.   I
> decided to re-upload all my .asp pages to overwrite the hacked versions.
> Job done.  Source code restored.
>
> But then this morning I look again at my website and did a 'View Source' to
> check again, and lo and behold there is *more* hacked code!
>
> 'something' has inserted the following line at the top of each page:
>

>
>
> And at the bottom:
>
<code snipped>.
Did / can you check the permissions on the server. If so you could set
it up so that people can only read files from the server rather than
write to it. I would also suggest that you change your password for web
access. I mean for uploading / downloading.

Also, what method of uploading do you use, if it's FTP, check to make
sure it's using a secure connection.

>
> Where did this code come from?  I sure as f*ck didn't write it.  I'm
> appalled that my web pages have been compromised like this.   Obviously I'm
> going to contact my webhost about it, but I wondered if anyone here has
> experienced anything similar?
I have not personally, but there was a case reported on this NG a few
weeks back of a similar situation.
I believe they may have either, A hacked the entire server, which means
all sites were attacked, or they might have just picked your site at
random and hacked the log-in area, which would be easier than hacking
the entire server, especially if you use a CMS.
I am not quite sure as to the best way of preventing it though, cause
it would depend on how it is being done.
It is only some simple JavaScript, so maybe using a re-write function
through .htaccess may help, though this won't be possible on a Windows
server.
Maybe just get the host to block the relevant IP address?, that
usually will do the job, unless they are using a dynamic one.
--
Regards Chad. http://freewebdesign.cjb.cc/contact.html
>
>
> --
> Owen.
> www.binarybaby.co.uk



Re: Website hacked by "free20.com"

Brian Cryer

Old Post  06-09-06 - 12:28 AM  
"Owen" <spam@spam.com> wrote in message
news:rd2dnU9wgenK4xvZRVnyig@pipex.net...
>
> Yesterday I noticed something very strange on my website.  After the page
> had loaded, the IE progress ticker was still going and the status bar was
> displaying weird stuff with "www.free20.com" in it.   On doing a 'View
> Source', it seemed that a hidden iframe had been added to the source code,
> which darted off to some spam/spyware site called "alexafirst.com" and/or
> "free20.com"
>
> A lot of Googling later, I discovered many other websites had suffered the
> same fate.  (It's odd how this hasn't made the news, actually, as it could
> have compromised some serious commercial websites).
>
> So I thought, right, the webhost's server has obviously been hacked.   I
> decided to re-upload all my .asp pages to overwrite the hacked versions.
> Job done.  Source code restored.
>
> But then this morning I look again at my website and did a 'View Source'
> to check again, and lo and behold there is *more* hacked code!
>
> 'something' has inserted the following line at the top of each page:
>
> <script language='javascript'
> src='http://127.0.0.1:1028/js.cgi?pa&r=4827'></script>
>
>
> And at the bottom:
>
> <script language='javascript'>postamble();</script>
>
> Where did this code come from?  I sure as f*ck didn't write it.  I'm
> appalled that my web pages have been compromised like this.   Obviously
> I'm going to contact my webhost about it, but I wondered if anyone here
> has experienced anything similar?

Sounds horrible - but fortunately I've not experienced this (must make a
note to check ...)

Out of curiosity, when you re-uploaded your pages was it then okay? I ask
because it may be that it is the server which has been compromised and is
adding header and footer code - and not your website.

It may also be worth dropping free20.com an email about it. I get the
impression from their homepage that they are the sort of site where anyone
can sign up, so it's probably an individual who is the culprit who is making
use of free20. Let free20 know and hopefully they will terminate the
offending account.
--
Brian Cryer
www.cryer.co.uk/brian






Re: Website hacked by "free20.com"

Charles Sweeney

Old Post  06-09-06 - 12:28 AM  
Owen wrote

>
> Yesterday I noticed something very strange on my website.  After the
> page had loaded, the IE progress ticker was still going and the status
> bar was displaying weird stuff with "www.free20.com" in it.   On doing
> a 'View Source', it seemed that a hidden iframe had been added to the
> source code, which darted off to some spam/spyware site called
> "alexafirst.com" and/or "free20.com"
>
> A lot of Googling later, I discovered many other websites had suffered
> the same fate.  (It's odd how this hasn't made the news, actually, as
> it could have compromised some serious commercial websites).
>
> So I thought, right, the webhost's server has obviously been hacked.
> I decided to re-upload all my .asp pages to overwrite the hacked
> versions. Job done.  Source code restored.
>
> But then this morning I look again at my website and did a 'View
> Source' to check again, and lo and behold there is *more* hacked code!
>
> 'something' has inserted the following line at the top of each page:
>
> <script language='javascript'
> src='http://127.0.0.1:1028/js.cgi?pa&r=4827'></script>
>
>
> And at the bottom:
>
> <script language='javascript'>postamble();</script>
>
> Where did this code come from?  I sure as f*ck didn't write it.  I'm
> appalled that my web pages have been compromised like this.
> Obviously I'm going to contact my webhost about it, but I wondered if
> anyone here has experienced anything similar?

Before you lay into your webhost, are you sure it's not your browser
that's compromised?  Browser hijacking is very common.

--
Charles Sweeney
http://CharlesSweeney.com


Re: Website hacked by "free20.com"

Terry

Old Post  06-09-06 - 12:28 AM  
Owen wrote:
> Yesterday I noticed something very strange on my website.  After the page
> had loaded, the IE progress ticker was still going and the status bar was
> displaying weird stuff with "www.free20.com" in it.   On doing a 'View
> Source', it seemed that a hidden iframe had been added to the source code,
> which darted off to some spam/spyware site called "alexafirst.com" and/or
> "free20.com"
>
> A lot of Googling later, I discovered many other websites had suffered the
> same fate.  (It's odd how this hasn't made the news, actually, as it could
> have compromised some serious commercial websites).
>
> So I thought, right, the webhost's server has obviously been hacked.   I
> decided to re-upload all my .asp pages to overwrite the hacked versions.
> Job done.  Source code restored.
>
> But then this morning I look again at my website and did a 'View Source' to
> check again, and lo and behold there is *more* hacked code!
>
> 'something' has inserted the following line at the top of each page:
>
> <script language='javascript'
> src='http://127.0.0.1:1028/js.cgi?pa&r=4827'></script>
>
>
> And at the bottom:
>
> <script language='javascript'>postamble();</script>
>
> Where did this code come from?  I sure as f*ck didn't write it.  I'm
> appalled that my web pages have been compromised like this.   Obviously I'm
> going to contact my webhost about it, but I wondered if anyone here has
> experienced anything similar?
>
>
I wonder if there are not two separate things going on here. The
<script></script> (top and bottom) looks very similar to what my
firewall installs in all web pages. It does not direct you to other
sites.  That is another process that is possibly/probably spy ware.

I am just guessing here - no offense intended.


--
TK
http://www.wejuggle2.com/
Still Having a Ball












Re: Website hacked by "free20.com"

CandyIsDandy

Old Post  06-09-06 - 12:28 AM  
>Owen.
>www.binarybaby.co.uk

If it's on the site above, I don't see it now.


Re: Website hacked by "free20.com"

Steve

Old Post  06-09-06 - 12:28 AM  
Owen wrote:

> Yesterday I noticed something very strange on my website.  After the page
> had loaded, the IE progress ticker was still going and the status bar was
> displaying weird stuff with "www.free20.com" in it.   On doing a 'View
> Source', it seemed that a hidden iframe had been added to the source code,
> which darted off to some spam/spyware site called "alexafirst.com" and/or
> "free20.com"

Hmm.

free20.com - contact is:

Fan ShuangPing
Fan ShuangPing
School 26
JiaoZuo Henan
CN
tel:  8603 65988872
fax:  8603 65988872
do168@126.com

IP: 63.246.154.15 which resolves back to unitedcolo.net (no website) which
seems to be owned by Sago Networks (sagonet.com), a hosting company &
registration service in Tampa, Florida.


alexafirst.com - contact is:

Admin Name........... wu jun chang
Admin Address........ nanhai lishui
Admin Address........
Admin Address........ foshang
Admin Address........ 528244
Admin Address........ GD
Admin Address........ CN
Admin Email.......... baijinceo@126.com
Admin Phone.......... +86.75786219443
Admin Fax............ +86.75786219443

Note, both have @126.com addresses. 126.com is also based in China. IPs:
61.177.95.155 (Chinanet) and 202.108.9.77 (China Network Communications
Group Corporation).

Why don't you drop them an email?



Re: Website hacked by "free20.com"

Matt Probert

Old Post  06-09-06 - 12:28 AM  
On Wed, 7 Jun 2006 08:21:00 +0100, "Owen" <spam@spam.com> wrote:


Have you tried.

After uploading immediately view the source on the server using an
editor and a 'Telnet' type connection (of whatever type) to ensure the
code has reached the destination intact.

Can you be sure the code leaving your PC is intact? Has your computer
been attacked?

Matt


--
Veritas Vincti
http://www.probertencyclopaedia.com


Re: Website hacked by "free20.com"

dingbat@codesmiths.com

Old Post  06-09-06 - 12:28 AM  
Owen wrote:
> Yesterday I noticed something very strange on my website.

Not your website, it's your browser or desktop. Local side anyway

> <script language='javascript'
> src='http://127.0.0.1:1028/js.cgi?pa&r=4827'></script>

127.0.0.1 is localhost, ie your desktop machine. This sort of script
sometimes gets added legitimately by some "firewall" (sic) products,
but your problem here might be due to inadvertent installation of some
malware trojan.
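
A check for the 127.0.0.1 point made in the post above, added here as an example and not part of any poster's message: it sorts every script and iframe `src` in a saved 'View Source' into the site's own host, a loopback address (inserted on the viewing machine) or a foreign host. The surrounding page markup, `www.example.org`, `foreign.example` and `/js/menu.js` are constructed; only the two script tags come from the thread.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the two script tags quoted in the thread, wrapped
# around a made-up page that also carries a zero-size iframe.
VIEW_SOURCE = """<script language='javascript'
src='http://127.0.0.1:1028/js.cgi?pa&r=4827'></script>
<html><body><script src="/js/menu.js"></script>
<iframe src="http://foreign.example/" width="0" height="0"></iframe>
</body></html><script language='javascript'>postamble();</script>"""

def is_loopback(host):
    """True for 'localhost' and any loopback IP literal (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name, not an IP literal

class SrcCollector(HTMLParser):
    """Collects the src of every <script> and <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.sources.append((tag, src))

def classify_sources(html, own_hosts):
    """Return (tag, host, verdict) per src; verdict is own/loopback/foreign."""
    collector = SrcCollector()
    collector.feed(html)
    collector.close()
    results = []
    for tag, src in collector.sources:
        host = urlsplit(src).hostname  # None for relative URLs, else lowercased
        if host is None or host in own_hosts:
            verdict = "own"
        elif is_loopback(host):
            verdict = "loopback"  # served by a process on the viewing PC
        else:
            verdict = "foreign"   # third-party host: inspect the file on the server
        results.append((tag, host, verdict))
    return results
```

A `loopback` verdict can only come from software on the machine doing the viewing, so the same page fetched from a second, clean machine should not contain that tag; a `foreign` verdict that shows up from every machine points at the server copy.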



Re: Website hacked by "free20.com"

dp

Old Post  06-09-06 - 12:28 AM  
Chaddy2222 wrote:
> Owen wrote: 
> Most websites use Apache so would be less vulnerable.
> 
> 
> <code snipped>.
> Did / can you check the permissions on the server. If so you could set
> it up so that people can only read files from the server rather than
> write to it. I would also suggest that you change your password for
> web access. I mean for uploading / downloading.
>
> Also, what method of uploading do you use, if it's FTP, check to make
> sure it's using a secure connection.
> 
> I have not personally, but there was a case reported on this NG a few
> weeks back of a similar situation.
> I believe they may have either, A hacked the entire server, which
> means all sites were attacked, or they might have just picked your
> site at random and hacked the log-in area, which would be easier than
> hacking the entire server, especially if you use a CMS.
> I am not quite sure as to the best way of preventing it though, cause
> it would depend on how it is being done.
> It is only some simple JavaScript, so maybe using a re-write function
> through .htaccess may help, though this won't be possible on a Windows
> server.
> Maybe just get the host to block the relevant IP address?, that
> usually will do the job, unless they are using a dynamic one.
> --
> Regards Chad. http://freewebdesign.cjb.cc/contact.html 

They may have been able to place an executable script on your site. Just
re-uploading your files won't get rid of it. An executable could be put in
place by getting a hold of your ftp login/password, but also can occur if
you allow file uploads somewhere on your site and don't restrict the
allowable file extensions.

--
dp



