
Urgent! Your website has been hacked


21 replies to this topic

#1 shaunw (Member; Full Member, 15 posts)

Posted 29 June 2004 - 08:53 AM

SpywareInfo.com will drop the StartPage-DU onto the computer of anyone visiting
the site using IE with default security. This is a version of the aboutblank hijack.
It will only download it once a day, so obviously it is cookie driven. I have tested
this several times.
1. Open IE with no hijack
2. Visit your site
3. Now I have the hijack
4. Remove it using HijackThis or McAfee
5. Visit your site again several times, no hijack
6. Advance the date on my machine by one day and visit your site.
7. Hijack is back.
You need to do something about this a.s.a.p.


#2 Gwyrox732 (Gwy|is|here; Helper, 514 posts)

Posted 29 June 2004 - 01:45 PM

Seems like you're the only one with the problem. I tested it, and plenty of other people concur. Did you just get infected somewhere else? SWI has NOT been hacked.
Quote from Original CWS Article at SWI: "There could be other domains involved in the future." ... We've come a long way since then

Malware esan mala, ji mi disaman. SWI ji kikan ekster!

PM me if you know what that says. Whoever gets it right gets put here!
Bagman wins, good job!

#3 sin (RIP; Emeritus, 33 posts)

Posted 29 June 2004 - 02:00 PM

SpywareInfo.com will drop the StartPage-DU onto the computer of anyone visiting
the site using IE with default security. This is a version of the aboutblank hijack.
It will only download it once a day, so obviously it is cookie driven. I have tested
this several times.

I tried it too. I did not get hijacked. I even turned off my firewall and all of my antivirus software and enabled all cookies through IE. I agree with Gwy.

nic
graceful insanity is beautiful when accomplished -- come into the closet
feel free to visit my other home, 247fixes

#4 SilverOne (Spyware's Bane; Full Member, 9 posts)

Posted 29 June 2004 - 02:08 PM

SpywareInfo.com will drop the StartPage-DU onto the computer of anyone visiting
the site using IE with default security. This is a version of the aboutblank hijack.
It will only download it once a day, so obviously it is cookie driven. I have tested
this several times.

My HijackThis log is telling me otherwise, and I visit this site AT LEAST once a day.

#5 shaunw (Member; Full Member, 15 posts)

Posted 29 June 2004 - 02:50 PM

Despite what other people have found, I have just repeated the test by
moving the date forward on my PC and opening IE and going straight to
this site. Now I have the infection again just by visiting this site. I am
using Windows XP Home Edition with SP1 and some other patches.
I am behind a hardware firewall but with on-demand virus scanning
disabled. I am only using this browser to visit this site, i.e. there is no
possibility that some other site is involved. Could the other people who
have replied to this post tell me what the specs of their machines are,
i.e. browser and OS etc.?

#6 Gwyrox732 (Gwy|is|here; Helper, 514 posts)

Posted 29 June 2004 - 02:54 PM

XP Pro SP1. I tried what you said (lowered all my IE security settings to the lowest and allowed everything, disabled anti-virus, took down the firewall, disabled immunizations, everything). Nothing happened; I have SWI set as my homepage. You have become infected some other way. SWI has not been hacked.

#7 cnm (Mother Lion of SWI; Administrators, 25,317 posts)

Posted 29 June 2004 - 03:01 PM

Spywareinfo.com is in my Trusted Zone and nothing like this has ever happened. (Admittedly I do have SpywareBlaster installed, to block any bad ActiveX.)

It's quite puzzling to imagine how you could be experiencing this. One possibility is that you're being redirected to a counterfeit look-alike page. We haven't heard of a counterfeit for this site - counterfeit Google and MSN are known, though.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#8 shaunw (Member; Full Member, 15 posts)

Posted 29 June 2004 - 03:32 PM

Well, if I were going to a counterfeit site it would have to take me there first and
then, after infecting my machine, switch me to the real site so that I can reply to
your posting. And why will this only happen once in every 24 hours? I assume a
cookie has to expire or something. I will try the test again using a different
computer.

#9 mr bones (Member; Emeritus, 66 posts)

Posted 29 June 2004 - 04:06 PM

You have this infection simply because you are already infected. Period. SWI is not the cause of your infection; rather, your own security, or lack of it, is causing it. I am suggesting a downloaded ActiveX control from some other site is making a random connection to its own updater to re-infect you and not, as you insinuate, coming from SWI.

Please feel free to post a log for help to clear this infection up. Once it is clear, you may want to re-evaluate this colossal slur you have tried to brand us with.

#10 shaunw (Member; Full Member, 15 posts)

Posted 29 June 2004 - 04:35 PM

Mr bones, I am just reporting what I have found. I am not blaming anyone or
assuming that I know why this is happening. I don't need any help to get rid
of this. I have been a computer programmer for the past 25 years, so I can sort
out minor problems like this easily. Nor is it due to my lack of security. Perhaps
you blame all the people who ask for help in the malware removal forum for
causing their own problems. Not a very helpful attitude, I think.
There is nothing random about this, and a visit to this site and only this site +
advancing the clock by 1 day is necessary to reinfect my machine. If I don't visit
the site it doesn't happen. Sites do get hacked, and no one should assume that it
can never happen to them. At the very least you should keep an open mind. I
will try to pin the problem down further.

#11 cnm (Mother Lion of SWI; Administrators, 25,317 posts)

Posted 29 June 2004 - 08:05 PM

It seems clear that your connection to SWI is intercepted and the hijack done before (or after) you get here. A BHO could do that, and recently there have been a lot of hidden BHOs found on hijacked PCs.


#12 shaunw (Member; Full Member, 15 posts)

Posted 29 June 2004 - 08:10 PM

For the moment I have failed to pin down the problem.
I would like to thank gwyrox732 and cnm for their help. I now have two
hypotheses about the problem, but first I would like to repeat the info
about the setup I am using.

1. Hardware firewall
2. Windows XP Home with SP1 and some later security patches installed.
3. Internet Explorer with SP1 and the latest security patches installed.
4. On-demand virus scanning disabled.
5. Default security, i.e. medium in the 'Internet Zone'.
6. If I set the security to high in the 'Internet Zone' then I can't recreate the
problem. But this means that many sites will not be displayed properly and
would probably not be acceptable for most users.

Here are the two ideas I have about the problem.

a) spywareinfo.com really has been hacked and will download the aboutblank
hijack to some PCs. But only once per day.

b) There is something on my PC (call it X) which will wait until I visit the
spywareinfo.com site and will then install the aboutblank trojan on my PC. Believe me,
I have repeatedly tested this and the visit to spywareinfo.com really is necessary.

What is there in favour of a)? Well, setting security to high in the IE Internet Zone
prevents the installation of the hijack.

What is there in favour of b)? No one else has been able to reproduce the problem,
even when they set security to low and turn off on-demand virus scanning.

But in the end both a) and b) are equally disturbing. Suppose a) is true; then it
means the site has been hacked.
Suppose b) is true; then it means that there are versions of the aboutblank hijack
which cannot be removed by HijackThis or McAfee VirusScan or by the advice you
give in your forums. If X really exists then you don't know how to remove it, and
it might explain why so many people in the malware forum complain that their
browser hijack keeps returning.

Finally, I would like to repeat that I have no interest in proving that either a) or
b) is true. I appreciate the help that the volunteers on this site are trying to
provide. I know that if I never visit this site again I won't get re-infected.

#13 cnm (Mother Lion of SWI; Administrators, 25,317 posts)

Posted 29 June 2004 - 09:02 PM

...there are versions of the aboutblank hijack
which cannot be removed by HijackThis or McAfee VirusScan

This is true. There are special tools for seeing the app_init DLLs, for instance. Post your log in the Malware Removal forum, and if Shadowwar or freeatlast or some other knowledgeable Expert comes to your aid it will be removed. :)


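A read-only check of the two persistence spots cnm points at above (hidden BHOs in post #11, AppInit DLLs in post #13), as an added example that is not code from the thread or from SpywareInfo. It assumes a current Windows host with PowerShell, which did not exist in 2004, and treats the WOW6432Node keys as optional so it also runs on 32-bit installs.

```powershell
# Added example, not from the thread: list Browser Helper Objects and AppInit_DLLs
# entries so a defender can compare them with what a HijackThis-style log shows.
# Read-only. Assumes Windows with PowerShell 5+; WOW6432Node keys exist only on
# 64-bit installs and are skipped when absent.

function Get-SignStatus {
    # Authenticode status of a file, or 'n/a' when the path does not resolve.
    param([string]$Path)
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        return (Get-AuthenticodeSignature -FilePath $Path).Status
    }
    return 'n/a'
}

function Get-BhoEntry {
    # IE loads every CLSID listed here; the CLSID maps to a DLL via InprocServer32.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            if (-not (Test-Path $server)) {
                $server = "Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\$clsid\InprocServer32"
            }
            $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '' }
            [pscustomobject]@{
                Source = 'BHO'
                Id     = $clsid
                Path   = $expanded
                OnDisk = ($expanded -ne '') -and (Test-Path -LiteralPath $expanded)
                Signed = Get-SignStatus $expanded
            }
        }
    }
}

function Get-AppInitEntry {
    # AppInit_DLLs are loaded into every process that maps user32.dll, which is why
    # a DLL listed here can re-plant a hijack after the visible parts are removed.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.AppInit_DLLs) { continue }
        # Multiple entries are separated by spaces or commas.
        foreach ($entry in ($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
            $expanded = [Environment]::ExpandEnvironmentVariables($entry)
            [pscustomobject]@{
                Source = 'AppInit_DLLs'
                Id     = $key
                Path   = $expanded
                OnDisk = Test-Path -LiteralPath $expanded
                Signed = Get-SignStatus $expanded
            }
        }
    }
}

# Entries that are unsigned, or that point at a file no longer on disk, are the
# ones to compare against the HijackThis log before cleaning.
@(Get-BhoEntry) + @(Get-AppInitEntry) | Format-Table -AutoSize
```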

#14 shaunw (Member; Full Member, 15 posts)

Posted 03 July 2004 - 10:28 PM

OK, I finally managed to pin it down, and there are various ways to defeat it which
may be useful for other variations. But it's not related to this site, so I eat humble
pie, crow etc. etc.
1. I noticed that the reinfection only happened every 24 hours. Other people seem
to have infections which re-occur after 2 or 4 hours etc. So try the following.
I set my system clock to the year 2020. Ran IE, got the infection again. Cleaned
it using HijackThis and retested. The tests show that I will be free of the reinfection
until 01/01/2021, and by that time either this computer will have died or the
server to which I am hijacked will have died. So if you have an infection which
you can clear but which reloads after a few hours or a day or a week, try the above
solution. However, it's not ideal because it doesn't clear out the file which is trying to
reload the trojan, and it won't help with hijacks which don't use a system timer.
2. Ran Pandasoft anti-virus software and it identified a DLL and an exploit and
claimed to have deleted it, but the fact that it kept finding it again seemed to show
that it couldn't do the job. Obviously the DLL is locked in some way.
3. Downloaded Find&Fix and used it to move and delete the DLL. Retested, all clear,
at least until 2030 etc. etc.

Finally, some final thoughts for the pious people who think that you can only get
infected if you visit porn websites etc. and therefore you deserve to die. You know
who you are, don't you?
Yesterday Microsoft put out a security fix to IE which removed some of its functions.
This will break some computer programs which depend on these published
functions and was an admission by Microsoft that there are holes in IE and Outlook
and Media Player which it cannot fix. These holes will allow trojans to attack your
machine even if you have a firewall and on-demand virus scanning. Most users
don't even know what a firewall or on-demand virus scanning is. So what chance
do they have?

Finally, much of the advice on this site is unrealistic. I know that saying this will
irritate many of the people who try to help, but I'm going to offer alternative advice.
If your browser is hijacked do this.
1. Go to Mozilla.org
2. Download the Mozilla browser and install it. (13 Mb download). It is free.
3. Use this until your hijack is resolved or until you decide that you can't be
bothered with IE anymore. Many of the hijack problems with IE could be simply
resolved if you could uninstall IE and reinstall it. But you can't. It's part of the
operating system. You can make it invisible but you can't uninstall it. This stupid
decision by Bill Gates is responsible for many of the problems that IE users are
having today. Browser hijacks are rampant and people spend hours on sites such
as this trying to resolve them and failing. Life is too short.

#15 Gwyrox732 (Gwy|is|here; Helper, 514 posts)

Posted 03 July 2004 - 10:35 PM

Yes, shaunw, we do recommend Firefox/Mozilla/etc. to victims after their problems are resolved. Most of us use them ourselves all the time. But it is advised that you clear the problems on your computer before you make the switch, for the following reasons:

1) Some infections can cause major slow-downs
2) Many infections clutter up the system
3) Leaving dangerous files on your computer isn't good
4) Perhaps one of your problems is a dialer? Just a simple browser switch doesn't fix that.

#16 shaunw (Member; Full Member, 15 posts)

Posted 07 July 2004 - 10:47 PM

Well, I accept what you say about rogue diallers and extreme slowdowns having to be
removed first, but most of the people with problems on this site do not seem to have
either of these, and most of their distress comes from the fact that they cannot use the
internet and the clear-up process is slow. Sometimes I feel that for most of the people
posting problems on this site it would be quicker for them to back up the data files they
really need and reformat and start again. But I suppose that might be beyond the skills
of the average user.
What concerns me most is the present state of Internet Explorer and the fact that the
truth about this is not getting through to people. Having a good firewall and an up-to-date
anti-virus package and applying all the Microsoft fixes will not save you.
There is a hole in IE that Microsoft tried to fix last weekend, but the fix doesn't work.
A simple script on a website could delete the contents of your hard disk or download
a key logger that records your passwords, credit card details etc. and sends them
back to a hacker. The scripts for this exploit are freely available. Many of the hijacks
reported on this site may have used this exploit. The only safe way to use IE is with
scripting disabled.

#17 cnm (Mother Lion of SWI; Administrators, 25,317 posts)

Posted 07 July 2004 - 11:02 PM

Firefox is recommended over and over here.
Mike feels that no one in their right mind will browse with IE.



#18 StUiTeRdWeRg (Member; New Member, 3 posts)

Posted 08 July 2004 - 09:48 AM

Hmm.. I should do that switch also then, I guess.. Never tried any other browser, and now my home computer seems not to be mine anymore... I'll post a HijackThis log later this week; first I want to make sure not to add problems to the big pile needlessly.

#19 ChaoGuy (Member; Full Member, 18 posts)

Posted 08 July 2004 - 04:39 PM

Well, I accept what you say about rogue diallers and extreme slowdowns having to be
removed first, but most of the people with problems on this site do not seem to have
either of these, and most of their distress comes from the fact that they cannot use the
internet and the clear-up process is slow. Sometimes I feel that for most of the people
posting problems on this site it would be quicker for them to back up the data files they
really need and reformat and start again. But I suppose that might be beyond the skills
of the average user.
What concerns me most is the present state of Internet Explorer and the fact that the
truth about this is not getting through to people. Having a good firewall and an up-to-date
anti-virus package and applying all the Microsoft fixes will not save you.
There is a hole in IE that Microsoft tried to fix last weekend, but the fix doesn't work.
A simple script on a website could delete the contents of your hard disk or download
a key logger that records your passwords, credit card details etc. and sends them
back to a hacker. The scripts for this exploit are freely available. Many of the hijacks
reported on this site may have used this exploit. The only safe way to use IE is with
scripting disabled.

Well, the only problem that I have switching between browsers is that IE is a connected program to many Windows features, and there are quite a few of them that need to use it, such as Desktop Properties, Outlook Express, Microsoft Outlook, and Microsoft FrontPage, which need to use IE as an add-on for their features. From what you are saying, if everyone needs to switch to Firefox, it would mean a full uninstallation of IE from Windows, which in bad terms sets Explorer back to its early coding where, if you click on a folder, it opens a new window, the so-called 3.X version of Explorer. That is the reason for my slight complaint about this, and plus it would leave many programs and services disabled, so that it would be unable to use file-sharing programs and chat rooms because of the missing IE component. But that is my point about this: some of you need to think about it before fully uninstalling IE and deleting the files for it. It won't be the same anymore, plus Firefox is still a bit buggy and it would probably crash Windows if I were to run it, plus Windows Update will no longer work either.

So please read and think about it.

#20 Tuxedo Jack (Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more; Expert, 1,757 posts)

Posted 08 July 2004 - 06:20 PM

Hardly.

Have you tried Firefox?

The shell, explorer.exe, would _not_ revert to a progman.exe-ish Windows 3.11-ish state. While it uses IE for Web content, it is a more than capable file navigator on its own. It does not rely on IE for that.

Active Desktop relies on IE because the Windows developers didn't think ahead and make Windows like Linux - native JPG/GIF and transparent text support is in Linux because KDE and Gnome were coded well, unlike Explorer.

IE cannot be uninstalled from a system without specialized tools. Firefox is not one of them. Even if you removed IE, it would not disable filesharing programs, chat rooms, or other programs in general unless they were coded to depend only on IE instead of their own interfaces, which would alienate Linux and Mac users.

Outlook works without IE; I know because I use that at my office and I browse with nothing but Firefox.

Frontpage works without IE; in fact, it works excellently with Firefox, but I still prefer Dreamweaver.

Windows Update doesn't cease functioning; the Windows Update shortcut in the Start Menu forces IE to open to Windows Update and Windows Update only.

In short, IE stays resident on your system even if you choose another browser as your primary and use that only - why else would you still have to download all those IE patches from Windows Update?

I ask you to name one system-critical service that would be stopped were IE to be removed. I give you an answer now: none.

Firefox only has two major bugs, and one was patched this afternoon involving a shell: extension handler, which it passes off to the Windows shell. The other one is a slight lag issue with Adobe Acrobat Reader 6 and PDF files.
Signature file is under revision. This will be back shortly.

#21 Sasquatch (Member; Full Member, 15 posts)

Posted 21 July 2004 - 12:24 PM

After reading this thread, I would like to add my .02 (FWIW, being a brand new member and all).

shaun, it sounds like your system is lacking critical updates at the very least.

Programmer or not, you are not invincible nor are you immune to having a vulnerable system.
Get away from Internet Explorer and Outlook / Outlook Express... http://www.mozilla.org

#22 Outrigger (Member; New Member, 1 post)

Posted 05 September 2004 - 05:47 AM

I was referred to this thread by Screwfix.co.uk (a UK supplier of building materials) after I queried the fact that I had received the c2.lop cookie after accessing their home page. They deny any responsibility. A couple of friends have tried accessing their page - one got the cookie, the other didn't. We can't spot any difference in our security setup.

I have been surfing various sites over the last 2 days and not got any cookies as a result. But as soon as I go to the Screwfix home page, I get it again.

Given their assurance that they do not employ any form of tracking cookie (which I accept - it is a very reputable company) why am I getting C2.lop and why only when I access Screwfix's home page?

Incidentally, it doesn't make any difference whether I browse it with IE or Firefox.



