Q: Warning, Viewing This Site May Harm Your Computer?


17 replies to this topic

#1 jbach

jbach

    Family Friend

  • Members
  • PipPip
  • 46 posts

Posted 14 June 2009 - 04:29 PM

Hi,
When recently trying to view my site I get the message 'Warning, viewing this site may harm your computer'

And it suggests my site is infected with malware.

Has anyone experienced this?

Should I remove my site temporarily until this is resolved and, if so, what is the easiest way to do this?

I need my site for portfolio and business so I can't afford to have it compromised for any length of time...any feedback welcome.

#2 TCH-Thomas

TCH-Thomas

    Volunteer Moderator

  • Members
  • PipPipPipPip
  • 14,907 posts

Posted 14 June 2009 - 04:38 PM

First of all, you should submit a ticket and ask the techs to see if the site has been compromised.
Then, change the password to your cPanel.

After that I would begin trying to find where the malware is by downloading a home directory backup and backups of the databases if you use any. When the backups are downloaded to your local computer, run them through your antivirus and see if it finds it.

Thomas Jikrantz
Forum Moderator
TotalChoice Hosting, Inc.

Any links or suggestions for third party software/sites should be used at your own risk. My opinions and recommendations are not necessarily those of TCH and TCH is not responsible.

As a Forum Moderator I can assist in answering many of your hosting related questions. However, I am unable to answer questions about specifics relating to your account such as billing and server related issues. Should you need assistance in these areas, please contact our Help Desk or our many other options. Another good place to find answers is with our help pages, tutorials and movie tutorials.
Web Hosting by Total Choice Web Hosting - 24/7 Help Desk


#3 jbach

Posted 14 June 2009 - 04:46 PM

ok thanks

#4 jbach

Posted 14 June 2009 - 04:54 PM

Ok, when trying to login to my cpanel
ht*p://www.bitstream.ca/cpanel
I seem to be redirected here
ht*p://www.bitstream.ca:2082/unprotected/redirect.html

and still get the same security warning.....

#5 TCH-Bruce

TCH-Bruce

    Volunteer Moderator

  • Members
  • PipPipPipPip
  • 19,960 posts

Posted 14 June 2009 - 06:20 PM

Please open a ticket with the help desk. Link above or in my signature.

Bruce Richards
Forum Moderator
TotalChoice Hosting, Inc.
Webhosting by Total Choice Web Hosting - General Support Forum

I am a Forum Moderator. While I can assist in answering most of your hosting related questions, I am unable to answer questions about specifics relating to your account such as billing and server related issues. Should you need assistance in these areas, please contact our Help Desk or our many other options. Another good place to find answers is with our help pages, tutorials and movie tutorials.


#6 SteveW

SteveW

    Distant Family

  • Members
  • PipPipPip
  • 129 posts

Posted 16 June 2009 - 05:12 PM

'Warning, viewing this site may harm your computer'

Is that the exact warning message? If not, can you post the exact wording and punctuation?

And in what form are you seeing the message: in Google (or Yahoo) search results, or on an actual HTML page in your browser window, or as a popup window in your browser?

If it's a warning underneath your site's links in search engine search results, the site has probably been compromised. If it's a page in your browser window (FF3 or IE8 only, not IE7 or lower or FF2 or lower) it's also likely a real compromise. If it's a popup window, it's most likely the result of a malware infection on your PC, especially if it says you should get "Antivirus XP" or any other antivirus program. That type of malware is called "rogue antivirus". Don't let it scan your computer; don't visit any website it says you should, and don't let it download anything.

#7 jbach

Posted 16 June 2009 - 07:11 PM

see attached


#8 jbach

Posted 16 June 2009 - 07:16 PM

apparently some iframes were inserted somehow (comments or???) that contained malicious code.

Viewing my site and checking http traffic I noticed some suspicious calls to domains with a '.cn' domain ...

Not sure if it was part of the 'hack' but when I check my browser cache after going to my site I also notice a crossdomain.xml file with wide open security settings...doesn't seem right to me!

I believe my site has been submitted to Google for verification but haven't heard back yet....frustrating as I NEED my site for portfolio and business stuff.

#9 SteveW

Posted 16 June 2009 - 08:14 PM

The bad iframes are definitely there. I tried to download and examine your home page, but my AV quarantines the file immediately, so I can't look at it. The threat is called Mal_Hifrm-3 by Trend Micro.

If you submitted to Google to have the warnings removed, they won't be removing them until the iframes are gone.

You'll need to remove the bad code manually, then find out how it got injected so the security hole can be closed. One of your page listings in Google SERPs mentions MovableType. The reason I tried to view your site was to see if you're actually using it. If so, this might be useful: http://secunia.com/a...ch=movable type

Often the way malware gets into a site is through outdated scripts.

Another way that's increasingly common lately is by malware on the webmaster's PC stealing FTP passwords, so do a thorough antivirus and antispyware scan, just in case.

Edited by SteveW, 16 June 2009 - 08:15 PM.
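
One way to locate injected frames in a downloaded backup before removing them by hand, as an added example that is not part of the thread: it lists every iframe whose src host differs from the site's own and flags the hidden ones. The host names mysite.example and injected.example, the function names and the sample markup are constructed for illustration.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeAudit(HTMLParser):
    """Record every <iframe> whose src points at a host other than our own."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "").strip()).hostname or "").lower()
        if not host or host == self.own_host or host.endswith("." + self.own_host):
            return  # relative path or same-site frame: expected content
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))
        self.findings.append({"line": self.getpos()[0], "host": host, "hidden": hidden})

def audit_html(text, own_host):
    """Return the off-site iframes found in one document."""
    parser = IframeAudit(own_host)
    parser.feed(text)
    parser.close()
    return parser.findings

def audit_tree(root, own_host, exts=(".html", ".htm", ".php", ".tmpl")):
    """Walk an unpacked backup and map each affected file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = audit_html(fh.read(), own_host)
                if hits:
                    report[path] = hits
    return report

# Constructed sample: one legitimate same-site frame, one injected hidden frame.
SAMPLE = """<html><body>
<iframe src="/gallery/embed.html" width="600" height="400"></iframe>
<iframe src="http://injected.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""
```

A parser of this kind only sees literal iframe tags; frames that a script writes into the page at load time need a separate review of the JavaScript files.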


#10 jbach

Posted 17 June 2009 - 07:27 AM

Yeah thanks Steve
I signed up for a free malware scan of my site by a new firm started by some ex google employees, http://wam.dasient.com/

There is still an iframe and some funky javascript code.

I will need to rebuild my blog from scratch but for me the larger issue is being on Google's 'blacklist', and having all my portfolio urls pointing to my site, thus potentially losing many work opportunities.


Would luv to know what these hackers hope to gain, and more importantly, how they can be stopped...

#11 Head Guru

Head Guru

    Bill Kish Head Guru

  • Admins
  • PipPipPipPip
  • 6,797 posts

Posted 17 June 2009 - 09:56 AM

This is becoming the most common form of site defacement these days. In the past hackers would love to leave a note on someone's home page saying "Hacked by". Today the attackers are using the exploited sites to further infect Windows-based PCs.

We have been doing quite a bit of research into this and will be publishing a report in the next few days with some ways to prevent this and other attacks. I was told years ago, the safest thing to do to protect your data is to unplug your computer from the internet.

Bill Kish

Head Cook and Bottle Washer

If you need help with your account or have any questions, please feel free to contact me using any of the contact methods below.  I can be reached 24 hours a day seven days per week.

Office :: 800-930-0485 x211
Mobile :: 248-632-3243

email: bill(at)totalchoicehosting.com

Instant Messenger -
AOL Instant Messenger: tchgurubill
Yahoo Messenger : tchgurubill
MSN Messenger : tchgurubill@hotmail.com

Thank you for your support and continued business


#12 jbach

Posted 17 June 2009 - 03:34 PM

I've totally removed all elements of my MT blog and have uploaded a simple 'underconstruction' page and image.

However, my browser will only go to a now non-existent blog page at
http://bitstream.ca/mt/index.html

when I simply want to go to
http://bitstream.ca/

Is this something I have to clear at the Google diagnostics page?

#13 TCH-Thomas

Posted 17 June 2009 - 03:40 PM

While I never used MT, make sure there is no MT folder, nothing in the cgi-bin folder and there are no redirects in the htaccess file.



#14 SteveW

Posted 17 June 2009 - 03:42 PM

When you request hxxp://yoursite.ca/ without specifying a page, your server looks to see which page to serve. It looks for index.html, index.htm, index.php... Whichever one it finds first, it serves.

Whichever page you want it to serve when no page is specified in the request needs to have one of those names.

What is the name of your "under construction" page? The solution is probably to simply rename it to index.html.

This isn't related to the site compromise or Google diagnostics. It's how Apache is configured to work. People can only request files from your server. If they don't specify one, Apache uses its own judgment, based on its configuration, about which one to send.

-----

If you were using an old MT version, and weren't using any other third-party scripts, a security vulnerability in MT would be the likely suspect for how the hack occurred. If you don't plan to use MT anymore, be sure to uninstall it: remove the program itself from the server. This is because even if it's not being used, the security hole exists as long as the program files are there. You can optionally delete its folder, too.

Also from what Thomas said, ensure that cgi-bin (and all folders) contain no files put there by the hack, and ensure that your .htaccess, if you have one, doesn't contain any code redirecting visitors to sites other than yours.

"Would luv to know what these hackers hope to gain, and more importantly, how they can be stopped..."

They make money by installing Windows exploits on visitors' PCs, stealing information, and using it in identity theft schemes and things like that. It's big business.

What website owners can do to stop them is:
Use strong, long, random passwords and never reuse passwords in more than one place.
Keep all website scripts (MT, WordPress, etc.) up to the latest versions. When a new version comes out, install it within one day, if at all possible.
Keep your PC free of viruses. This is more important now than ever. A virus on your PC can lead to your remote website getting hacked.

"Has anyone experienced this?"

About 10,000 websites a day experience this.

Edited by SteveW, 17 June 2009 - 04:03 PM.
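
The .htaccess check described in the post above, as an added example that is not part of the thread: it reports which index files Apache is told to serve (`DirectoryIndex`) and every redirect or rewrite target, separating those that stay on the site from those that leave it. The host names, function name and sample file are constructed for illustration.

```python
from urllib.parse import urlparse

# mod_alias and mod_rewrite directives that can send a visitor elsewhere.
REDIRECTS = {"redirect", "redirectmatch", "redirectpermanent",
             "redirecttemp", "rewriterule"}

def audit_htaccess(text, own_host):
    """Return (line, kind, detail) tuples for index and redirect directives."""
    own = own_host.lower()
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        directive, args = parts[0].lower(), parts[1:]
        if directive == "directoryindex":
            findings.append((lineno, "directory-index", " ".join(args)))
        elif directive in REDIRECTS:
            # Drop RewriteRule flags such as [R=302,L]; the target is the
            # last remaining argument for every directive in REDIRECTS.
            args = [a for a in args if not a.startswith("[")]
            if not args or args[-1] == "-":
                continue  # "-" means the rule does not change the URL
            target = args[-1].strip('"')
            host = (urlparse(target).hostname or "").lower()
            same = not host or host == own or host.endswith("." + own)
            kind = "local-redirect" if same else "external-redirect"
            findings.append((lineno, kind, target))
    return findings

# Constructed sample .htaccess, not taken from any real site.
SAMPLE_HTACCESS = r"""# constructed sample
DirectoryIndex index.html index.php
Redirect 302 /index.html /mt/index.html
RewriteEngine On
RewriteRule ^(.*)$ http://injected.example/in.php?u=$1 [R=302,L]
RewriteRule ^old/(.*)$ http://www.mysite.example/new/$1 [R=301,L]
"""
```

An `external-redirect` entry is the kind of rule to remove after a compromise; a `local-redirect` to a page that no longer exists would explain a browser landing on an old path.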


#15 bizbot

bizbot

    New To The Neighborhood

  • Members
  • Pip
  • 7 posts

Posted 18 June 2009 - 09:13 AM

I have the same problem with my website and received a Malware notification from Google. I opened a support ticket and need help!

#16 bizbot

Posted 18 June 2009 - 10:12 AM

Very quick response from tch support - thanks!

It appears there were iframes to jumbobestrate.cn/ and shopmoviefestival.cn/ - malware sites.

#17 jbach

Posted 22 June 2009 - 07:53 AM

"While I never used MT, make sure there is no MT folder, nothing in the cgi-bin folder and there are no redirects in the htaccess file."


Still trying to remove the redirect....been a while since I've done this..where do I find the .htaccess file? Is it invisible by default?

Edited by jbach, 22 June 2009 - 07:54 AM.


#18 TCH-Thomas

Posted 22 June 2009 - 08:18 AM

It's invisible by default, so you need to have either the file manager in cpanel or your ftp program to show hidden files.
