jbach Posted June 14, 2009

Hi, when recently trying to view my site I get the message 'Warning, viewing this site may harm your computer', and it suggests my site is infected with malware. Has anyone experienced this? Should I remove my site temporarily until this is resolved and, if so, what is the easiest way to do this? I need my site for portfolio and business so I can't afford to have it compromised for any length of time... any feedback welcome.
TCH-Thomas Posted June 14, 2009

First of all, you should submit a ticket and ask the techs to see if the site has been compromised. Then, change the password to your cPanel. After that I would begin trying to find where the malware is by downloading a home directory backup and backups of the databases, if you use any. When the backups are downloaded to your local computer, run them through your antivirus and see if it finds it.
jbach (Author) Posted June 14, 2009

> First of all, you should submit a ticket and ask the techs to see if the site has been compromised. Then, change the password to your cPanel. After that I would begin trying to find where the malware is by downloading a home directory backup and backups of the databases, if you use any. When the backups are downloaded to your local computer, run them through your antivirus and see if it finds it.

OK, thanks.
jbach (Author) Posted June 14, 2009

> OK, thanks.

OK, when trying to log in to my cPanel at ht*p://www.bitstream.ca/cpanel I seem to be redirected here, ht*p://www.bitstream.ca:2082/unprotected/redirect.html, and still get the same security warning.....
TCH-Bruce Posted June 14, 2009

Please open a ticket with the help desk. Link above or in my signature.
SteveW Posted June 16, 2009

> 'Warning, viewing this site may harm your computer'

Is that the exact warning message? If not, can you post the exact wording and punctuation? And in what form are you seeing the message: in Google (or Yahoo) search results, or on an actual HTML page in your browser window, or as a popup window in your browser?

If it's a warning underneath your site's links in search engine search results, the site has probably been compromised. If it's a page in your browser window (FF3 or IE8 only, not IE7 or lower or FF2 or lower) it's also likely a real compromise.

If it's a popup window, it's most likely the result of a malware infection on your PC, especially if it says you should get "Antivirus XP" or any other antivirus program. That type of malware is called "rogue antivirus". Don't let it scan your computer; don't visit any website it says you should, and don't let it download anything.
jbach (Author) Posted June 17, 2009

See attached.
jbach (Author) Posted June 17, 2009

Apparently some iframes were inserted somehow (comments or???) that contained malicious code. Viewing my site and checking HTTP traffic, I noticed some suspicious calls to domains with a '.cn' domain... Not sure if it was part of the 'hack', but when I check my browser cache after going to my site I also notice a crossdomain.xml file with wide open security settings... doesn't seem right to me!

I believe my site has been submitted to Google for verification but I haven't heard back yet.... frustrating, as I NEED my site for portfolio and business stuff.
SteveW Posted June 17, 2009 (edited)

The bad iframes are definitely there. I tried to download and examine your home page, but my AV quarantines the file immediately, so I can't look at it. The threat is called Mal_Hifrm-3 by Trend Micro.

If you submitted to Google to have the warnings removed, they won't be removing them until the iframes are gone. You'll need to remove the bad code manually, then find out how it got injected so the security hole can be closed.

One of your page listings in Google SERPs mentions MovableType. The reason I tried to view your site was to see if you're actually using it. If so, this might be useful: http://secunia.com/advisories/search/?search=movable+type

Often the way malware gets into a site is through outdated scripts. Another way that's increasingly common lately is by malware on the webmaster's PC stealing FTP passwords, so do a thorough antivirus and antispyware scan, just in case.

Edited June 17, 2009 by SteveW
jbach (Author) Posted June 17, 2009

Yeah, thanks Steve. I signed up for a free malware scan of my site by a new firm started by some ex-Google employees, http://wam.dasient.com/ There is still an iframe and some funky JavaScript code. I will need to rebuild my blog from scratch, but for me the larger issue is being on Google's 'blacklist', and having all my portfolio URLs pointing to my site, thus potentially losing many work opportunities.

Would luv to know what these hackers hope to gain, and more importantly, how they can be stopped...
Head Guru Posted June 17, 2009

This is becoming the most common form of site defacement these days. In the past hackers would love to leave a note on someone's home page saying "Hacked by". Today the attackers are using the exploited sites to further infect Windows-based PCs. We have been doing quite a bit of research into this and will be publishing a report in the next few days with some ways to prevent this and other attacks.

I was told years ago, the safest thing to do to protect your data is to unplug your computer from the internet.
jbach (Author) Posted June 17, 2009

I've totally removed all elements of my MT blog and have uploaded a simple 'under construction' page and image. However, my browser will only go to a now non-existent blog page at http://bitstream.ca/mt/index.html when I simply want to go to http://bitstream.ca/ Is this something I have to clear at the Google diagnostics page?
TCH-Thomas Posted June 17, 2009

While I never used MT, make sure there is no MT folder, nothing in the cgi-bin folder and there are no redirects in the .htaccess file.
SteveW Posted June 17, 2009 (edited)

When you request hxxp://yoursite.ca/ without specifying a page, your server looks to see which page to serve. It looks for index.html, index.htm, index.php... Whichever one it finds first, it serves. Whichever page you want it to serve when no page is specified in the request needs to have one of those names. What is the name of your "under construction" page? The solution is probably to simply rename it to index.html.

This isn't related to the site compromise or Google diagnostics. It's how Apache is configured to work. People can only request files from your server. If they don't specify one, Apache uses its own judgment, based on its configuration, about which one to send.

-----

If you were using an old MT version, and weren't using any other third-party scripts, a security vulnerability in MT would be the likely suspect for how the hack occurred. If you don't plan to use MT anymore, be sure to uninstall it: remove the program itself from the server. This is because even if it's not being used, the security hole exists as long as the program files are there. You can optionally delete its folder, too.

Also, from what Thomas said, ensure that cgi-bin (and all folders) contain no files put there by the hack, and ensure that your .htaccess, if you have one, doesn't contain any code redirecting visitors to sites other than yours.

> Would luv to know what these hackers hope to gain, and more importantly, how they can be stopped...

They make money by installing Windows exploits on visitors' PCs, stealing information, and using it in identity theft schemes and things like that. It's big business. What website owners can do to stop them is:

- Use strong, long, random passwords and never reuse passwords in more than one place.
- Keep all website scripts (MT, WordPress, etc.) up to the latest versions. When a new version comes out, install it within one day, if at all possible.
- Keep your PC free of viruses. This is more important now than ever. A virus on your PC can lead to your remote website getting hacked.

> Has anyone experienced this?

About 10,000 websites a day experience this.

Edited June 17, 2009 by SteveW
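The checks Thomas and Steve describe (look through a downloaded backup for injected iframes and for .htaccess rules redirecting visitors off-site) can be scripted so nothing is missed. The following is an added example, not code from this thread or from TCH; it assumes bitstream.ca is the only legitimate host and uses constructed sample inputs with a placeholder domain, bad-example.test, standing in for the malicious host.

```python
import re
from urllib.parse import urlparse

# Hostnames this site legitimately references (taken from the thread); anything else is external.
OWN_HOSTS = {"bitstream.ca", "www.bitstream.ca"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
# Usual ways an injected iframe is kept out of sight: zero size, hidden, or positioned off-screen.
HIDDEN_RE = re.compile(r"""(?:width|height)\s*=\s*["']?0\b|visibility\s*:\s*hidden"""
                       r"""|display\s*:\s*none|(?:left|top)\s*:\s*-\d+""", re.I)
# Redirect-type directives that should not normally send visitors to another host.
HTACCESS_RE = re.compile(r"^\s*(Redirect(?:Match|Permanent|Temp)?|RewriteRule)\s+(.*)$", re.I | re.M)

def external_host(url):
    # Hostname of url when it is not one of OWN_HOSTS, else None.
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return host if host and host not in OWN_HOSTS else None

def scan_html(text):
    # (reason, tag) for every iframe that points off-site or is hidden.
    findings = []
    for tag in IFRAME_RE.findall(text):
        m = SRC_RE.search(tag)
        host = external_host(m.group(1)) if m else None
        if host:
            findings.append(("external iframe to " + host, tag))
        elif HIDDEN_RE.search(tag):
            findings.append(("hidden iframe", tag))
    return findings

def scan_htaccess(text):
    # (reason, line) for Redirect/RewriteRule lines whose target is an external host.
    findings = []
    for directive, rest in HTACCESS_RE.findall(text):
        for token in rest.split():
            host = external_host(token) if "://" in token else None
            if host:
                findings.append((f"{directive} to external host {host}", f"{directive} {rest}"))
    return findings

# Constructed samples: a page with one injected iframe, and an .htaccess with one injected rewrite.
SAMPLE_HTML = ('<p>Portfolio</p>\n'
               '<iframe src="http://bad-example.test/in.php" width="0" height="0"></iframe>\n'
               '<iframe src="http://www.bitstream.ca/about.html" width="400" height="300"></iframe>')
SAMPLE_HTACCESS = ("DirectoryIndex index.html index.php\nRewriteEngine On\n"
                   "RewriteRule ^(.*)$ http://bad-example.test/$1 [R=302,L]\nRedirect 301 /old /new\n")
```

Run scan_html over every .html/.htm/.php file in the unpacked backup and scan_htaccess over each .htaccess; a clean site produces no findings, and anything reported is what has to be removed before resubmitting to Google.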
bizbot Posted June 18, 2009

> Hi, when recently trying to view my site I get the message 'Warning, viewing this site may harm your computer', and it suggests my site is infected with malware. Has anyone experienced this? Should I remove my site temporarily until this is resolved and, if so, what is the easiest way to do this? I need my site for portfolio and business so I can't afford to have it compromised for any length of time... any feedback welcome.

I have the same problem with my website and received a malware notification from Google. I opened a support ticket and need help!
bizbot Posted June 18, 2009

> I have the same problem with my website and received a malware notification from Google. I opened a support ticket and need help!

Very quick response from TCH support - thanks! It appears there were iframes to jumbobestrate.cn/ and shopmoviefestival.cn/ - malware sites.
jbach (Author) Posted June 22, 2009 (edited)

> While I never used MT, make sure there is no MT folder, nothing in the cgi-bin folder and there are no redirects in the .htaccess file.

Still trying to remove the redirect.... been a while since I've done this.. where do I find the .htaccess file? Is it invisible by default?

Edited June 22, 2009 by jbach
TCH-Thomas Posted June 22, 2009

It's invisible by default, so you need to have either the file manager in cPanel or your FTP program show hidden files.