Author Topic: Bizarre malware warning on Chris' site for one user only  (Read 4892 times)

Offline Paddy

Bizarre malware warning on Chris' site for one user only
« on: January 28, 2009, 12:06:03 PM »
I'm posting this here in hopes that someone has an idea (Googling hasn't really helped so far).

The situation is this - everyone but Chris' wife can get to his site, http://www.chriskleeman.com with no problems whatsoever. When she attempts to get there, she gets a Google malware warning. But the malware warning references an IP number that is NOT Chris' (an ASO hosted site, like this one) but an IP owned by notorious spam/phisher/cybercriminal hosts hostfresh.com from Hong Kong.

When either Chris or I use Google's webmaster tools to check out Chris' site, there is no problem whatsoever. When she does it - again, all sorts of problems reported and again, the IP number is one that belongs to hostfresh.com, not ASmallOrange.

Needless to say, Chris' site is clean. The only thing I can think of is that Chris' wife's Macbook is infected with the DNS Changer trojan, although as far as I know this is the only problem she's had. She has flushed the cache etc.; and the problem happens at both school and at home, so it's not the router. We're a bit stumped at this point.

See both images to see what Google reports for the IP that ISN'T Chris'. (Chris' IP is 207.210.105.84)
« Last Edit: January 28, 2009, 12:07:09 PM by Paddy »
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13

Offline RNKIII

« Reply #1 on: January 28, 2009, 12:26:00 PM »
Paddy & Chris,

I get the same warning message when I click on the link provided in the post above.
Did NOT go any farther than that and cancelled out!!!

Bob K.   rnkiii
Give a man a fish and you feed him for a day; teach him to
use the Net and he won't bother you for weeks.

Offline Paddy

« Reply #2 on: January 28, 2009, 12:34:27 PM »
OK...I guess I'll contact ASO about this too. The plot thickens.

What IP address did you see in the malware warning? (Yes, please click on it again.)

Note - it's highly unlikely that there is anything there that would be a problem on a Mac. I just get a blank page when I go to either of the IPs and there is nothing in the source code for either page.

Offline RNKIII

« Reply #3 on: January 28, 2009, 12:49:15 PM »
Same IP as in the warning above... 116.50.15.25



Offline Paddy

« Reply #4 on: January 28, 2009, 02:03:07 PM »
Well...I found the problem. A malicious Javascript had been inserted at the very bottom of the front page.

It has now been removed. I still don't know HOW it got there - along with the pureftpd file that was stuck in the public_html folder. I'm hoping ASO can tell me how this happened and how to prevent it, but no word from them so far.

I'm going to look through the rest of the pages to make sure there is nothing else lurking.

BTW - when I went to the site on my MBP instead of the MacPro, I got the warning too.

Offline jcarter

« Reply #5 on: January 28, 2009, 02:09:02 PM »
I saw one of these about 2 weeks ago when I went to a regular ordinary site, but I clicked it off and never thought of it again.
Jane

Offline RNKIII

« Reply #6 on: January 28, 2009, 02:09:21 PM »
Works for me now!!!



Offline Paddy

« Reply #7 on: January 28, 2009, 02:15:34 PM »
Yeah - I've gotten rid of the *&^^% javascript that was the cause of all this. But the question remains...how did it get there to begin with? A server security hole? I'm awaiting ASO's response.



Offline chriskleeman

« Reply #8 on: January 28, 2009, 02:22:27 PM »
QUOTE(Paddy @ Jan 28 2009, 03:15 PM)
Yeah - I've gotten rid of the *&^^% javascript that was the cause of all this. But the question remains...how did it get there to begin with? A server security hole? I'm awaiting ASO's response.


Gone now from my wife's MacBook, Paddy; that did the trick! We're both home today hunkered down for this snowstorm, so the computers have been humming along off and on all day.

Yes, the question is, indeed, how did it get there? And why Bob and Michelle's computers?

Thanks Paddy!

Chris K
Just a dumb guitar player...
My Website

Offline tacit

« Reply #9 on: January 28, 2009, 02:33:17 PM »
Some more information:

The problem isn't actually with "chriskleeman.com". The problem originated with "sciencepunk.com".

The IP address 116.50.15.25 is being used for "shared hosting," meaning that more than one Web site lives on that IP address. This is actually very common; most low-cost Web hosting services use shared hosting. It's a system where many Web sites--from several hundred to, in some cases, a thousand or more--are all stored on the same server and all live on the same IP address. When you get a shared hosting account, your Web site is stored on a Web server along with other sites.

The advantage of shared hosting is that it's cheap, because the hosting company does not need to buy one server computer for each site they host. (Dedicated server hosting, where your Web site is the only site stored on a server, is far more expensive; typically starting at twelve times the cost per month of shared hosting, and with high-bandwidth Web sites can easily be a hundred times the cost per month or more.)

The disadvantage of shared hosting is that if one Web site has a security problem, it can affect other Web sites on the same server.

chriskleeman.com and sciencepunk.com (and many other sites) all live on the same server. On January 20, sciencepunk.com was hacked by Russian organized crime. The hack allowed them root access to the server, which allowed them to then place malicious code on every Web site on that server, including chriskleeman.com. Since the Google malware warning blacklist lists sites by IP address, and since the hackers had breached every site living on that address, chriskleeman.com was blacklisted.

sciencepunk.com was running an outdated, insecure version of WordPress, which is how the hack occurred.

There is a lesson in here for everyone running any kind of software on a Web server: it is absolutely vital that anyone running software such as WordPress, UBBthreads, phpNuke, phpBB, Forumer, or any other server-side program be absolutely religious about keeping track of updates and installing them as soon as they come out. A person who fails to do so is at high risk of being hacked. The hackers don't even have to know about your site; they use automated tools that scan the internet automatically to search for outdated versions of popular server-side software.
« Last Edit: January 31, 2009, 05:18:16 PM by kbeartx »
A whole lot about me: www.xeromag.com/franklin.html

Offline jcarter

« Reply #10 on: January 28, 2009, 02:37:33 PM »
Wonderful explanation, thank you!
I was curious about this too.

It's turned to rain here, pouring, and it's one holy mess, because it's all ice under it.
Jane

Offline Xairbusdriver

« Reply #11 on: January 28, 2009, 03:11:49 PM »
Thanks for the explanation, tacit. As I understand it, this problem depends on the user having javascript enabled because the script actually sent the browsers to the blacklisted site? The other sites on the server were probably never on any blacklist, correct?

Anyway...
The site seems to be working fine now except for the pictures of Chris. Is he supposed to be that ugly?!
« Last Edit: January 28, 2009, 03:20:16 PM by Xairbusdriver »
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline Paddy

« Reply #12 on: January 28, 2009, 03:16:15 PM »
Tacit, I'm not sure whether your explanation actually applies.

As I noted - 116.50.15.25 IS NOT Chris' IP address. That IP belongs to hostfresh.com - a notorious Hong Kong spam/criminal host. chriskleeman.com and sciencepunk.com are NOT hosted by the same host. chriskleeman.com is hosted by A Small Orange - the same host that this site uses.

There was some sort of redirect going on as far as I can tell; I did find a javascript that had been injected into the index page for the site. It has now been removed. I still don't know how it got there, and that is worrying. Chris' IP is not on any blacklists that I checked.

I also found a pureftpd. file (with a bunch of numbers after it) that I KNOW I didn't put on the site. It was in the public_html folder and I've removed that too. PureFTPD is an ftp server - I don't know what this file actually was since it had no extension and opening it in TextEdit just yielded a lot of gibberish, though the word "iTunes" showed a couple of times in the first block of text at the top. It was 880Kb or so.

I just got a response from ASO, which really wasn't all that helpful. He didn't provide any info on the how or why and simply suggested updating any software we were running. We're NOT running any software, other than PHP, which is the very latest version. No blogs, no forums, no MySQL... He also suggested we change the password(s) - no problem, but is that all we can do?

GRRRR....

Offline Paddy

« Reply #13 on: January 28, 2009, 05:52:36 PM »
More conversations with ASO - they don't really know how we ended up with the injected javascript. They've seen a few of these, but none lately and none on Chris' server. Password has now been changed and all offending javascript is now removed.

And the pureftpd file was nothing to worry about - ASO use pureftpd and that was in fact some sort of temporary file that gets put there while FTPing is going on. I'm not sure why it was so persistent, but not going to expend any more mental energy on it.
« Last Edit: January 28, 2009, 09:49:22 PM by Paddy »

Offline tacit

« Reply #14 on: January 31, 2009, 02:55:47 PM »
QUOTE(Paddy @ Jan 28 2009, 09:16 PM)
Tacit, I'm not sure whether your explanation actually applies.

As I noted - 116.50.15.25 IS NOT Chris' IP address. That IP belongs to hostfresh.com - a notorious Hong Kong spam/criminal host. chriskleeman.com and sciencepunk.com are NOT hosted by the same host. chriskleeman.com is hosted by A Small Orange - the same host that this site uses.

There was some sort of redirect going on as far as I can tell; I did find a javascript that had been injected into the index page for the site. It has now been removed. I still don't know how it got there, and that is worrying. Chris' IP is not on any blacklists that I checked.


Right you are. Mea culpa; the redirect was happening so fast I was seeing 116.50.15.25 as the Web site's address. Oops!

QUOTE(Paddy @ Jan 28 2009, 09:16 PM)
I also found a pureftpd. file (with a bunch of numbers after it) that I KNOW I didn't put on the site. It was in the public_html folder and I've removed that too. PureFTPD is an ftp server - I don't know what this file actually was since it had no extension and opening it in TextEdit just yielded a lot of gibberish, though the word "iTunes" showed a couple of times in the first block of text at the top. It was 880Kb or so.


PureFTP is the FTP server used by the ISP. When you upload a file, PureFTP uploads it to a temporary file, then at the end of the upload renames the temporary file to the correct name. You will see those PureFTP files any time you do an upload that gets interrupted.

QUOTE(Paddy @ Jan 28 2009, 09:16 PM)
I just got a response from ASO, which really wasn't all that helpful. He didn't provide any info on the how or why and simply suggested updating any software we were running. We're NOT running any software, other than PHP, which is the very latest version. No blogs, no forums, no MySQL... He also suggested we change the password(s) - no problem, but is that all we can do?

GRRRR....


Hackers are using brute-force dictionary attacks against Web sites, looking for FTP passwords, so that's a good place to start. My FTP passwords use a combination of upper and lowercase letters and numbers.
« Last Edit: January 31, 2009, 05:25:23 PM by kbeartx »
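As an added example (not code from this thread, from Paddy, or from ASO), here is a small Python check a site owner could run over a downloaded copy of public_html to catch the two things the thread turned up: a script tag appended after the closing html tag or loading from a bare IP address (as with the 116.50.15.25 redirect in Reply #4 and Reply #12), and leftover PureFTPd partial-upload files (Reply #14). The sample page is constructed, and the assumption that PureFTPd temp file names contain "pureftpd" is mine, so adjust the pattern to what your host actually leaves behind.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample: a front page with a script tag appended after </html>,
# loading from a bare IP host (the 116.50.15.25 address seen in the thread).
SAMPLE_INDEX = """<html><head><title>Chris Kleeman</title></head>
<body><p>Welcome</p></body></html>
<script src="http://116.50.15.25/x.js"></script>
"""

SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>", re.I)
IP_SRC_RE = re.compile(r'src=["\']https?://(\d{1,3}(?:\.\d{1,3}){3})', re.I)
PUREFTPD_TMP_RE = re.compile(r"pureftpd", re.I)  # assumption: temp names contain this

def find_trailing_scripts(html):
    """Return <script> opening tags that sit after the last </html> tag."""
    ends = [m.end() for m in re.finditer(r"</html\s*>", html, re.I)]
    return SCRIPT_TAG_RE.findall(html[ends[-1]:]) if ends else []

def find_ip_script_sources(html):
    """Return bare-IP hosts referenced by any <script src=...> attribute."""
    hosts = []
    for tag in SCRIPT_TAG_RE.finditer(html):
        m = IP_SRC_RE.search(tag.group(0))
        if m:
            hosts.append(m.group(1))
    return hosts

def scan_webroot(root):
    """Walk a web root and return (path, finding) pairs worth a manual look."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        if PUREFTPD_TMP_RE.search(path.name):
            findings.append((str(path), "pureftpd-temp-file"))
        elif path.suffix.lower() in {".html", ".htm", ".php"}:
            html = path.read_text(errors="replace")
            if find_trailing_scripts(html):
                findings.append((str(path), "script-after-</html>"))
            for host in find_ip_script_sources(html):
                findings.append((str(path), f"script-src-ip:{host}"))
    return findings

def demo():
    """Build a constructed web root in a temp dir, scan it, return the finding kinds."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.html").write_text(SAMPLE_INDEX)
        Path(root, "clean.html").write_text("<html><body>ok</body></html>\n")
        Path(root, ".pureftpd-upload.4b1e0a7c.1").write_bytes(b"\x00junk")  # constructed
        return sorted(kind for _, kind in scan_webroot(root))
```

Point scan_webroot at a local copy of the site rather than the live server so a second scan can confirm that nothing comes back after cleanup.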