  • Help! Weird code embeds itself into index.html

    http://3b7.ru:8080/index.php

    I do not know what this is or where it comes from but it showed up in my index.html! It didn't corrupt anything and all I had to do was edit my file and delete it or re-upload the source file.

    I've been searching anti-virus forums but I can't find it anywhere. I don't know if this is something I should even worry about but it's just too weird!

  • #2
    So what you are saying is that line of code MAGICALLY appeared in your document when you put it on your server?

    O_o
    Professional Pixel Pusher — Designing the world around you. | Working daily to reach 10,000 hours of practice.

    Comment


    • #3
      Originally posted by CkretAjint View Post
      So what you are saying is that line of code MAGICALLY appeared in your document when you put it on your server?

      O_o
      Yup. I'm 29 yrs. old with a degree in graphic design just so everyone knows I'm not some kid posting nonsense.

      You're exactly right though. I don't purposely type iframes into my <body> for fun. It wouldn't make sense to screw up my own web site and place of business and it's even illogical to input a mindless code. Like I said, I have no clue if it's a trojan worm but it's definitely programmed to attach itself to index files and hide itself there (I'm guessing through ftp software). I tried to find a place like an online antivirus community to post about this possible "threat". Maybe it's just dormant and waiting for instructions to do something.. like possibly hijack a site or steal personal info.. who knows.

      Comment


      • #4
        I couldn't see any code at all in the link you provided—view source just showed a blank page. Because 1.) you mentioned you didn't put the code there, and 2.) it's a bit unusual to see port 8080 in a regular URL, and 3.) the domain is Russian but the server is in France. Individually these things wouldn't necessarily alarm me, but taken together they raise a big red flag.

        When a server is compromised, it's not uncommon for hackers to create some sort of script that will modify all index pages on a server, like writing javascript to them. The javascript could then redirect visitors to a site that will execute malicious code. IOW, what's happening is highly suspicious and you should contact your hosting company ASAP.

        If you're running any scripts (like PHP), make sure they're secure. In a shared hosting environment a poorly coded script on one site can endanger every site that's hosted on the same machine. IOW, I'm not saying it's YOU, I'm saying it could be you or anyone with an insecure script. Or it could be some other security hole.

        P.S. If your site has more than one index page, be sure to check all of them.

        Digi
        Last edited by digizan; 08-14-2009, 04:34 PM.
        The world is divided into people who think they are right.
        —Anonymous

        Comment


        • #5
          Originally posted by digizan View Post
          I couldn't see any code at all in the link you provided—view source just showed a blank page. Because 1.) you mentioned you didn't put the code there, and 2.) it's a bit unusual to see port 8080 in a regular URL, and 3.) the domain is Russian but the server is in France. Individually these things wouldn't necessarily alarm me, but taken together they raise a big red flag.

          When a server is compromised, it's not uncommon for hackers to create some sort of script that will modify all index pages on a server, like writing javascript to them. The javascript could then redirect visitors to a site that will execute malicious code. IOW, what's happening is highly suspicious and you should contact your hosting company ASAP.

          If you're running any scripts (like PHP), make sure they're secure. In a shared hosting environment a poorly coded script on one site can endanger every site that's hosted on the same machine. IOW, I'm not saying it's YOU, I'm saying it could be you or anyone with an insecure script. Or it could be some other security hole.

          P.S. If your site has more than one index page, be sure to check all of them.

          Digi
          That is not a link to anything. That is the code that attaches itself to my index.html. I think that's exactly what I said in the first place. I know there are hundreds, even thousands, of viruses out there that nobody has any clue about and what they're programmed to do. I just thought I'd mention it to the community for future's sake. You're right about a security hole and I'm determined to find it. I spend countless hours troubleshooting systems for security problems and I've been doing it for almost a decade now. If I can't pinpoint the source, I usually do a fresh install of my OS.
          Last edited by sudodesign; 08-14-2009, 05:19 PM.

          Comment


          • #6
            Originally posted by sudodesign View Post
            I think that's exactly what I said in the first place.
            My intent was to confirm that your suspicions are probably correct and to point out that if there's something malicious going on, then it would probably be due to the server being hacked, not something happening "through ftp software" (i.e. visiting antivirus communities will likely be useless as it would be something that would need to be addressed by the hosting company).

            Sorry if I annoyed you by trying to help—I won't make the same mistake twice.

            Digi
            The world is divided into people who think they are right.
            —Anonymous

            Comment


            • #7
              Originally posted by digizan View Post
              My intent was to confirm that your suspicions are probably correct and to point out that if there's something malicious going on, then it would probably be due to the server being hacked, not something happening "through ftp software" (i.e. visiting antivirus communities will likely be useless as it would be something that would need to be addressed by the hosting company).

              Sorry if I annoyed you by trying to help—I won't make the same mistake twice.

              Digi
              I'm not at all annoyed. You were really helpful except for the whole not reading the initial post part lol. I just hate having to type the exact same thing.

              Anyway, I'm pretty sure it's not GoDaddy's fault which is my host server. I have to disagree with it not happening through ftp software because that's the only other way to access a live mark-up file. To be more specific, I'm not saying it's the ftp software itself but the "worm" is worming its way through the software somehow. Example: worm is programmed to execute on open ftp software and its target is index.html.
              Last edited by sudodesign; 08-14-2009, 06:56 PM.

              Comment


              • #8
                HTML:IFrame-inf

                Originally posted by sudodesign View Post
                http://3b7.ru:8080/index.php

                I do not know what this is or where it comes from but it showed up in my index.html! It didn't corrupt anything and all I had to do was edit my file and delete it or re-upload the source file.

                I've been searching anti-virus forums but I can't find it anywhere. I don't know if this is something I should even worry about but it's just too weird!
                It sounds strange, but I had the same link included in an iframe which automatically was put inside the body tag.

                It is a kind of virus named HTML:IFrame-inf

                What it does (in my case) is corrupt the index.html file by truncating it, let's say it deletes the last 10 textlines inside the sourcecode.

                At first I noticed that something looked and went wrong with the homepage, but I couldn't understand since it was at my server so who or what had access to my server?

                Then it turned out (after a loooooong search) that one of my webpage designing tools was infected by that virus and included this line inside the index.html file.

                The first couple of days nothing happened, but then the truncation began...

                Looks like the http://3b7.ru:8080/index.php creates some kind of doorway to your site which lets 'capture' your server in a certain way.

                Meanwhile I got rid of the virus and uploaded a fresh copy of the index.html file. So far it looks okay, but don't know what will happen in the future. Maybe my server was hijacked, so don't know if it can happen again (also after changing the password for my server).

                So it really is a virus!

                Regards,
                Nick
                Last edited by Virgo Nightingale; 08-14-2009, 07:57 PM. Reason: Remove url tags

                Comment


                • #9
                  Originally posted by UserNick View Post
                  It sounds strange, but I had the same link included in an iframe which automatically was put inside the body tag.

                  It is a kind of virus named HTML:IFrame-inf

                  What it does (in my case) is corrupt the index.html file by truncating it, let's say it deletes the last 10 textlines inside the sourcecode.

                  At first I noticed that something looked and went wrong with the homepage, but I couldn't understand since it was at my server so who or what had access to my server?

                  Then it turned out (after a loooooong search) that one of my webpage designing tools was infected by that virus and included this line inside the index.html file.

                  The first couple of days nothing happened, but then the truncation began...

                  Looks like the http://3b7.ru:8080/index.php creates some kind of doorway to your site which lets 'capture' your server in a certain way.

                  Meanwhile I got rid of the virus and uploaded a fresh copy of the index.html file. So far it looks okay, but don't know what will happen in the future. Maybe my server was hijacked, so don't know if it can happen again (also after changing the password for my server).

                  So it really is a virus!

                  Regards,
                  Nick
                  Thanks for the confirmation.. I'm glad this is out in the open now and more web designers will start checking their index files. Maybe there are a lot of infected web sites out there but nobody paid any attention to it because it's in a hidden iframe.

                  This is an effort to find out the source of this problem and hopefully in the future to prevent it.

                  I also cleaned up my index file and ran a few antivirus scans but I'll have to wait to see if the same problem occurs.

                  Comment


                  • #10
                    Originally posted by sudodesign View Post
                    Thanks for the confirmation.. I'm glad this is out in the open now and more web designers will start checking their index files. Maybe there are a lot of infected web sites out there but nobody paid any attention to it because it's in a hidden iframe.

                    This is an effort to find out the source of this problem and hopefully in the future to prevent it.

                    I also cleaned up my index file and ran a few antivirus scans but I'll have to wait to see if the same problem occurs.
                    What concerns me the most is why some virus scanners notice and others don't notice the virus... (well in fact it is malware which causes this 'error'). Even the best virus scanners don't seem to notice it and that is just strange since it is a harmful virus which is able to connect to your webspace...

                    Comment


                    • #11
                      Originally posted by sudodesign View Post
                      I'm not at all annoyed. You were really helpful except for the whole not reading the initial post part lol. I just hate having to type the exact same thing.
                      sudodesign, I don't appreciate your tone as directed toward Digizan. She is a super helpful member of this community, particularly as regards issues relating to web design and programming. In my opinion, your snarky tone in response to her post is uncalled for, and frankly, I can see someone misinterpreting that the link in your initial post was the page in question.
                      "Lucy, you got some 'splainin' to do!" - Ricky Ricardo

                      Comment


                      • #12
                        Originally posted by urstwile View Post
                        sudodesign, I don't appreciate your tone as directed toward Digizan. She is a super helpful member of this community, particularly as regards issues relating to web design and programming. In my opinion, your snarky tone in response to her post is uncalled for, and frankly, I can see someone misinterpreting that the link in your initial post was the page in question.
                        Hi Urstwile,

                        I agree upon the fact that Sudodesign was a little bit 'rough' in his expression(s) towards Digizan, he could have expressed himself in a somewhat milder form and have more patience, but...

                        I also understand WHY he reacted this way. Since I have had the same problem (corrupted index files) and told people, hardly anyone did believe me! Because the whole story sounds so weird and unbelievable! After telling it for the 1000th time, it really becomes annoying when people are questioning your proposition. Even when they repeat your question to better understand if they read it in the good manner (like Digizan did in her first reply). I know this because I had similar responses from webdesigners

                        But still Digizan was really helpful and Sudodesign could have been a little more patient in the way he expressed himself. And after all he apologized with a sorry...

                        So I'm not defending anyone or provoking anyone either, it's just my point of view as an observer who has been there too (in 'a world of disbelief' )

                        Regards,
                        Nick

                        Comment


                        • #13
                          Originally posted by urstwile View Post
                          sudodesign, I don't appreciate your tone as directed toward Digizan. She is a super helpful member of this community, particularly as regards issues relating to web design and programming. In my opinion, your snarky tone in response to her post is uncalled for, and frankly, I can see someone misinterpreting that the link in your initial post was the page in question.
                          You don't have to appreciate my tone. You're entitled to that but I've always found it a little funny how "tones" are misinterpreted from reading text. You obviously can't hear me, no facial expressions or hand gestures are present but yet you're the first to cast judgement on a person's "tone" which is immature. I'm glad you find ways to exhibit your dramatic opinions solely for attention but it doesn't faze me and it shouldn't. I really don't take anything personal in a forum.

                          I gave credit when credit was due and told her she was helpful. There's no need to brown-nose and make it some personal affair. Address the issue or don't bother at all. As you can see, your post has nothing to offer in this topic. You're just stirring things up, for what? Your amusement? Well, it's a waste of your time and mine and everyone reading this thread because it turns into some circus show of a civil court case that leads nowhere but to "he said, she said". If one can't take a little sarcasm and of all places in a forum, then you better watch out because the real world is full of it up close and personal. This is just a forum for information. This isn't eHarmony so I won't dramatize this out of context. I'm not here to judge anyone's personality or psychoanalyze why anyone is a "meanie". I have better things to do such as solving security problems and hopefully helping others with the same problems. I'm just a business man getting straight to the point. I'm not here to build a relationship with anyone or ask some random person for forgiveness. It's irrational because nobody knows anyone on a personal level. You, me, anyone on this forum could be 10 years old so having to filter out hundreds or maybe even thousands of users to advocate a sorry just sounds a little too illogical. I'm just here to gain knowledge or give knowledge and nothing short of that. Anyway, shedding light on a virus like this supersedes any petty misunderstanding between professionals. Can you imagine having a business meeting at your workplace and someone always jumping out of their chair to address why someone sounds mean in that meeting? Nothing would ever get done. This is business period.



                          UserNick - Out of curiosity and comparison, what text editor and ftp software do you use?

                          Comment


                          • #14
                            I found a virus with AntiVir. I hope that did the trick.
                            Last edited by sudodesign; 08-15-2009, 08:04 PM. Reason: Keep it general.

                            Comment


                            • #15
                              Virus

                              Originally posted by sudodesign View Post
                              I caught found a virus with AntiVir. I hope that did the trick.
                              I used ESET Smart Security (http://www.eset.com) but it didn't notice the HTML:IFrame-inf virus/malware. Someone alerted me that at one of my sites a virus-alert popped-up. He was using Avast! (www.avast.nl/english)

                              So I switched to Avast! and indeed lots of virus-alerts came up and so I became aware of the fact that it has something to do with a virus. After checking my sites and servers, it seemed that almost any index.html among some other pages were infected. So I deleted them and replaced them with clean copies. Also I changed the server's password from a different PC (to be sure).

                              The programs which were infected were: WS-FTP Pro (http://www.ipswitch.com) and Studio Webdesign 4 Pro (http://www.easycomputing.com) the Dutch equivalent of Serif Webplus X2 (http://www.serif.com/webplus).

                              So I got rid of the virus and installed fresh copies of those programs too.

                              Maybe if you have some links I can check for you how Avast! responds to them. But I assume when you don't have the hidden iframe in your index.html then it should be okay.

                              Never heard about this kind of virus and always was in the assumption that my PC was safe since I had the best antivirus software available and up2date (ESET won lots of prizes). So it's not it seems...

                              Regards,
                              Nick

                              Comment
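
The checks raised in this thread (an iframe nobody added, an unusual port such as 8080, looking at every index page, and files that end up truncated) can be run over a local copy of a site. This is an added example, not code from any poster; the index file names, the heuristics for "hidden", the `own_hosts` parameter and the placeholder host `injected.example` are assumptions.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of index file names; extend it for your own site.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.html", "default.htm"}
USUAL_PORTS = {None, 80, 443}
# Constructed sample pages; injected.example is a placeholder host.
CLEAN = "<html><body><h1>Studio</h1></body></html>"
INJECTED = ('<html><body><h1>Studio</h1><iframe src="http://injected.example:8080/'
            'index.php" width="1" height="1" style="visibility:hidden"></iframe>')

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def is_hidden(attrs):
    # Heuristic: a 0/1-pixel frame or CSS that hides it from the visitor.
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def check_page(html, own_hosts):
    """Return a list of findings for one page's markup."""
    findings = []
    parser = IframeCollector()
    parser.feed(html)
    for attrs in parser.iframes:
        url = urlparse(attrs.get("src", ""))
        if not url.hostname or url.hostname in own_hosts:
            continue  # relative or same-site frame: nothing to report
        reasons = ["external host"]
        if url.port not in USUAL_PORTS:
            reasons.append("unusual port %d" % url.port)
        if is_hidden(attrs):
            reasons.append("hidden")
        findings.append("iframe %s (%s)" % (attrs["src"], ", ".join(reasons)))
    if "</html>" not in html.lower():
        findings.append("no closing </html>: file may be truncated")
    return findings

def scan_webroot(root, own_hosts):
    """Check every index page under root; returns {path: findings}."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDEX_NAMES:
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = check_page(fh.read(), own_hosts)
                if found:
                    report[path] = found
    return report
```

Run `scan_webroot` on a downloaded copy of the site with `own_hosts` set to the site's own lowercase host names. Any hit means the server copy differs from what you published, so compare it against your source files before re-uploading.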
