  1. #1
    Newbie
    Join Date
    January 18th, 2005
    Posts
    12
    Hijacked?
    I'm not sure if this is the right forum to post this ... but here goes..

    Every time I load the index page of my site [url removed] at the bottom of the browser it says it's loading

    www *xxx* xxx *xxx* xxx/index.php (remove the *dot* for full url)

    and the page freezes and asks me if I want to continue loading script

    Problem is I don't know who the hell tbh.jp is

    when I view the source code of the page that freezes it shows that tbh.jp being called using an iframe

    I did not install this code on my website ..... anybody with any idea what's going on? Your help will be appreciated.
    Last edited by Kellie aka Ms. B; July 16th, 2005 at 11:42 AM.

  2. #2
    Lone Ranger muddyboots's Avatar
    Join Date
    March 11th, 2005
    Location
    Asheville, NC
    Posts
    219
    It may be something on your computer. I can load it on mine. It's laptop AC adapters, right?
    Dennis Duffy
    Slavin' over a hot keyboard for nickels & dimes ... and nobody understands what I do.

  3. #3
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    abantu,

    I've temporarily removed the URL. I am seeing the call tbh js also. It's also associated with an ActiveX prompt. When I said "no" to the prompt, I got a blank web page.

    I will allow the prompt from my test computer and grab the source code. But I want to make sure that nothing malicious is being installed because of ActiveX prompt. Hence the removal of the link for now.

  4. #4
    ABW Veteran Mr. Sal's Avatar
    Join Date
    January 18th, 2005
    Posts
    6,795
    But I want to make sure that nothing malicious is being installed because of ActiveX prompt.
    ActiveX prompt, again?

    I feel good that I always say, NO! to any ActiveX prompt.
    ...

  5. #5
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Thumbs down
    Savvy shoppers will also assume the worst. A drive-by install of malware and exit quicker than when presented with a Flash intro screen.
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  6. #6
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    abantu,

    You may have been hacked if the tbh site is not yours. I'm getting different things happening when I access your site. If it does go through to your site without the tbh stuff coming up (doesn't come up every time) I get the following php error message:

    Warning: main(http://www.xxx/ac_adapters/index1.php): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/xxxx/public_html/index.php on line 1

    With xxx being your domain.

    If *it* does go through then your page contents contains nothing codewise except an iframe to the tbh site. I've not looked through all the sniffer files yet, however what I've looked at so far is a bunch of code to determine what browser version I'm running, if I have SP2 installed, etc. Looks like something either was installed or was a failed install. I'm still trying to figure out what.

    Regardless, I would start by accessing your files on your site (either via FTP or web control if you have that) and checking your actual index page. Line 1 would probably be the best place to start and see if your code has been altered (which it seems it probably has). Replace it with the correct coding for your site.

    You should also contact your hosting company.

  7. #7
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    Oops...I also removed the full URL of the broken link you gave as that seems to be the source of malicious code.

  8. #8
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    Installed fe.exe

  9. #9
    Newbie
    Join Date
    January 18th, 2005
    Posts
    12
    I've double checked the index file via FTP and through cpanel and everything seems as it should be...... it is calling ac_adapters/index1.php via a simple include command.

    ac_adapters/index1.php then queries an mysql database

    I have no activex on any of my files.

    I will contact my host to find out if they can tell me anything.

    Right now I have no clue what to do

  10. #10
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    Look for any files that you don't recognize the names and maybe check your htaccess files also.

    Hopefully your hosting company will be able to track it down for you. It's definitely coming from somewhere on the server and not from the end users computer.
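
Added example, not part of any post in this thread: a Python script that automates the manual checks suggested in posts #6 and #10, walking a site's files for iframes, PHP remote includes and .htaccess redirects that point at hosts other than the site's own. The host names, file contents and the `scan_webroot` and `demo` names are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# What to look for in page files and in .htaccess; group 1 is always the URL.
PAGE_PATTERNS = {
    "iframe": re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I),
    "remote-include": re.compile(
        r'\b(?:include|require)(?:_once)?\b[\s(]*["\'](https?://[^"\']+)', re.I),
}
HTACCESS_PATTERNS = {
    "htaccess-redirect": re.compile(
        r'^\s*(?:RewriteRule|Redirect\w*|ErrorDocument)\b.*?(https?://\S+)', re.I),
}
PAGE_EXTENSIONS = (".php", ".html", ".htm", ".inc")

def scan_webroot(root, own_hosts):
    """Return sorted (relative path, line, kind, host) for URLs on foreign hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name == ".htaccess":
                patterns = HTACCESS_PATTERNS
            elif name.lower().endswith(PAGE_EXTENSIONS):
                patterns = PAGE_PATTERNS
            else:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for kind, rx in patterns.items():
                        for url in rx.findall(line):
                            # Relative URLs have no hostname and stay on the site.
                            host = (urlparse(url).hostname or "").lower()
                            if host and host not in own:
                                findings.append((rel, lineno, kind, host))
    return sorted(findings)

def demo():
    """Scan a constructed web root (all file contents and hosts are made up)."""
    sample = {
        "index.php": '<?php include("http://www.shop.example/ac_adapters/index1.php"); ?>\n'
                     '<iframe src="http://injected.example/index.php" width=0></iframe>\n',
        "about.html": '<iframe src="/map.html"></iframe>\n',
        ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ http://injected.example/$1 [R,L]\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in sample.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root, {"www.shop.example", "shop.example"})
```

A clean result only covers the files in that directory tree; it says nothing about injection happening elsewhere on a shared server.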

  11. #11
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    abantu,

    The malicious code may be higher up than that particular domain. I got the same thing on one of the other domains on that IP. I'm also getting the php errors on some of the other domains as well. I also got a php error calling one of your lib files. Then when I refreshed the page I got the install thing.

    Your hosting company needs to let you know about the security of the servers as well.

  12. #12
    Newbie
    Join Date
    January 18th, 2005
    Posts
    12
    Contacted my host and they say they are working on it. They didn't say much about what the problem is.

    When I posted my problem on their forum other webmasters mentioned they are experiencing the same problem.
    There is speculation that it is some form of "DNS cache poisoning attack"

    Thanks for your help guys

  13. #13
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Are you running PHPBB? There are some serious security holes in that.
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  14. #14
    Crazy like a fox suzigeek's Avatar
    Join Date
    January 18th, 2005
    Posts
    1,096
    abantu,
    Can I ask who your host is? If you'd rather not disclose that's fine
    Suz~~GearGirl~~

  15. #15
    Newbie
    Join Date
    January 18th, 2005
    Posts
    12
    suzigeek, I just emailed you the name of the webhost.

    Dynamoo, No, I'm not running PHPBB. But others on the same server might be

  16. #16
    Newbie
    Join Date
    January 18th, 2005
    Posts
    12
    Forgot to mention that I have been with this webhost for 2yrs and I have not had any problems
