Weird Download Popup in Security

Re: Weird Download Popup

Tue, 29 Nov 2005 18:38:35 EDT

caffeinator : Ok, using Opera 8.51 tried your website and indeed got that attempt to download the file. On veiwing your sourcecode for the page I quickly found the offending code on the top of your pages's code:

That, in turn goes to a script that does this:

That's why you are getting the popup.

Remove the Javascript code I first posted from all your header files or whatever other pages that have it.
It's been added at the very top, before the normal page starts. Tricky. ;-)

I.E., remove this code:

It's likely in your Header files, or your site template.
I doubt your host would do it...althought some crappy hosts add-in code to benefit themselves. More likely one of your permissions is set so someone has edited it themselves, or they hacked your login.

You might try posting this over on your webhost's forums as well, or email them. MG2 hasa nice forum as well that has posts about that error msg on your admin login screen ;-).

If I were you, I'd remove the semi-obvious login link for Admin on the MG2 pages as well..wouldn't be hard to brute-force attack that at all. Also stick a blank .HTML file named index.html in your /includes directory to keep people from seeing your includes...shouldn't be able to see it's files IMO.

MG2 is a nice gallery script, I've used it for some time, but the script is meant to be EZ, not secure I'm afraid.

BTW, I'd make sure your website files are backed-up..just in case someone has gotten in and decides to delete it for kicks.

Hope that helps.

CaFF

--
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein

Re: Weird Download Popup

Tue, 29 Nov 2005 18:09:01 EDT

Greg_Z : There is this option, which I have had no problems with so far: »pics.livejournal.com/
--
One man's customer loyalty is another man's misguided arrogance.

Re: Weird Download Popup

Tue, 29 Nov 2005 18:04:44 EDT

SandShark : Thanks. Far too much research for a simple site to host my images. I'm in the process of taking the site down. I don't want to cause trouble for myself, the hosting company/servers, or anyone else. I appreciate all of the help, though.
--
BioWillie

Re: Weird Download Popup

Tue, 29 Nov 2005 17:17:33 EDT

Greg_Z : This may help: »phpsec.org/
»search.yahoo.com/search?ei=utf-8···security
»www.hardened-php.net/
--
One man's customer loyalty is another man's misguided arrogance.

Re: Weird Download Popup

Tue, 29 Nov 2005 15:55:39 EDT

SandShark : Thanks again. Is there something that makes you think my password isn't strong. It's a combination of 12 letters and numbers. I found the domainstat.net/stat.php entry in several system directory files, but it keeps coming back after I delete it.

Also, can you tell me, specifically, what might have happened? I'm led to believe that someone, perhaps the person mentioned in Greg_Z 's whois lookup, has access to and can alter files for my sight.

I have no experience or knowledge with PHP or, for that matter, any of the coding that I'm using. Someone in Digital Imaging turned me onto the software, I thought it was simple and easy, and it looked pretty. Other than that, you're "looking" at a dummy when it comes to website security and the vulnerabilities of PHP!
--
BioWillie

Re: Weird Download Popup

Tue, 29 Nov 2005 11:54:23 EDT

sheiny : Well you could start by changing the login password on your admin page. Make it a strong one. You need to remove
src=****://domainstat.net/stat.php
at the top of all your pages because stat.php downloads update2.wmv. Keep an eye on this thread and you will get better, more comprehensive advice.

Re: Weird Download Popup

Tue, 29 Nov 2005 11:39:10 EDT

SandShark : Thanks for the replies. I'm confused, though. Basically, my site is hosted by Surpass Hosting on their servers. Are you saying, by using PHP on my site, that I've opened a hole that would allow someone to change the files? To put up my images, I'm using MG2 that I got from »www.minigal.dk/ which states "that it supports PHP running in safe mode which is unsupported by almost all other dynamic image gallery scripts on the web." Basically, all I did was upload the files to the Surpass servers and used the built-in interface to upload my images.

I'm not sure I understand what I need to do if my site is vulnerable. Can someone please tell me?

Mods - If this doesn't belong in Security, please move to the appropriate forum.

Thanks.
--
BioWillie

Re: Weird Download Popup

Tue, 29 Nov 2005 02:18:23 EDT

sheiny : I'm guessing someone added this line to your page:
src=****://domainstat.net/stat.php

update2.wmv wants to install Zango search assistant. Looks like 180Solutions stuff:
»www3.ca.com/securityadvisor/pest···53094136
see:
»pcpitstop.invisionzone.com/index···c=104629

Re: Weird Download Popup

Tue, 29 Nov 2005 01:38:48 EDT

Greg_Z : Looky, a house: »maps.google.com/maps?q=1240+Arkw···=k&hl=en
--
One man's customer loyalty is another man's misguided arrogance.

Re: Weird Download Popup

Tue, 29 Nov 2005 01:28:37 EDT

Greg_Z : I had no problems going to your site www oldbaldandgrumpy com. It is possible that if you are using PHP on your site, and have not taken the proper precautions, it could be that your server with Hostdime may of gotten infected.

When I went to your site, I did not get the pop-up, and went straight to the site. Also server1cuatui.com is a TuCows hosted site.

Result for server1cuatui.com
--> fwhois server1cuatui.com@whois.internic.net
[whois.internic.net]

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered

Domain Name: SERVER1CUATUI.COM
Registrar: TUCOWS INC.
Whois Server: whois.opensrs.net
Referral URL: »domainhelp.tucows.com
Name Server: NS1.HOSTSAVE.COM
Name Server: NS2.HOSTSAVE.COM
Name Server: NS3.HOSTSAVE.COM
Status: REGISTRAR-LOCK
Updated Date: 24-aug-2005
Creation Date: 24-aug-2005
Expiration Date: 24-aug-2006

The Registry database contains ONLY .COM, .NET, .EDU domains and
--> fwhois server1cuatui.com@whois.opensrs.net:whois
[whois.opensrs.net]
Registrant:
Le, huong
1240 Arkwood ave
COLUMBUS, OH 43227
US

Domain name: SERVER1CUATUI.COM

Administrative Contact:
Le, huong nivahle@yahoo.com
1240 Arkwood ave
COLUMBUS, OH 43227
US
+1.6145782634
Technical Contact:
Tech, Domain domaintech@hostsave.com
3250 W. Commercial Blvd.
Suite 200
Ft. Lauderdale, FL 33309
US
+1.9543348000

Registration Service Provider:
Affinity Internet, Inc., domainmanager@affinity.com
954-334-8000
954-334-8001 (fax)
This company may be contacted for domain DNS/Nameserver changes, and
general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 27-Aug-2005.
Record expires on 24-Aug-2006.
Record created on 24-Aug-2005.

Domain servers in listed order:
NS3.HOSTSAVE.COM 207.150.198.114
NS1.HOSTSAVE.COM 207.150.196.199
NS2.HOSTSAVE.COM 207.150.197.103

Domain status: REGISTRAR-LOCK

--
One man's customer loyalty is another man's misguided arrogance.

Weird Download Popup

Tue, 29 Nov 2005 00:19:18 EDT

SandShark : Tonight, I was just going to my site to see if it was up because I've been having issues with my site being down a lot lately. I clicked on the link and about three seconds after my site loaded, a Windows download window opened saying I had chosen to download "Update2.wmv" from »server1cuatui.com. Also, and I don't know if this is related, but when I go to my site, in the progress bar at the bottom of my screen, it says "Waiting for www.oldbaldandgrumpy.com" and then quickly switches to "Waiting for domainstat.net" and eventually my site comes up.

Thinking I might have gotten spyware or a virus on that machine, I tried on three other machines: my PowerBook (OS X 10.4.3), my wife's (Windows XP), and my daughter's (Windows XP). On all three, that same file is wanting to be downloaded. I have Avast! v4.6 Antivirus and Windows Firewall on all three Windows machines, and all are connected to a Linksys router, if that helps.

Any ideas what's going on? Thanks.
--
BioWillie