Site generating JS:Agent-BA[Trj]

[guateweb]

Many thanks again for the good lesson, I have done wht it takes to survive another day in the web coded sea and you really have help me, I just hope my hosting guys learn a bit from you guys too. Thay have being told. Sorry about the 2nd I.P. will never happend again. Best regards. Rene

[DavidR]

You're welcome.

Don't worry about the IP it is just so you know should you need to post again.

A belated welcome to the forums.

[ldylion214]

Hi,
I'm glad I found your forum.  I hope this is not considered thread hijacking but I have the exact same problem.  My site (hxxp://www.tribeazure.com) does not do this each time I go to it but it does it regularly.  I have called my hosting company twice only to be told there is nothing they can do.  They want a screenshot but the challenge there is once this particular 116.50.15.25...file is trying to open the computer completely freezes.  I see one characteristic of this parasite is it sucks all of the virtual memory.  It's hard to take a screenshot when I am forced to shut the system off.  I'm frustrated. 
I do not find a long string of script on either of the pages this has happened to me but if I do I won't take it out before taking the shot.  I also referred the tech girl to this page to review this topic here so I tried that too.

Does this happen because the host has been compromised or is it my computer is infected and passes it to them?  GRRR. 

Thank you all in advance for any help you have to offer.  I'm not so lucky guateweb with his host.

Nicci

[DavidR]

For a Hosting company to say there is nothing that they can do about it speaks volumes about there technical ability (or the lack of it that they can't protect their servers and customers) nd I would be looking elsewhere.

That IP you gave is:

Checking IP: 116.50.15.25...
Name:      116-50-15-25.myrdns.com
IP:      116.50.15.25
Domain:   myrdns.com

http://www.robtex.com/dns/myrdns.com.html

dns information about myrdns.com. ... myrdns.com is a domain controlled by two nameservers at hostfresh.com. They are on the same IP network. ...

Is HostFresh.com is your Hosting source ?

I visited your site and no alerts, so nothing there at the home page at this time. If you get it in the future you will have to check the page source code and you will be looking for either a <script> or <iframe> tag that you didn't place there.

[ldylion214]

THank you very much, David.  My host is Godaddy.  I am none to impressed with their tech department if that's what we want to call it.  The worst part of all is they will not send the issue onto the REAL techies.  I did find a way to get rid of it at least until it infects the server at godaddy again.  I republished the clean file again and that seemed to get rid of it.  I have noticed it only affects the index pages of a site. It also seems to be a new problem because when searching this there was very little info and only recent info.

Thanks again!! Nicci

[DavidR]

No problem, glad I could help.

One thing I forgot to mention you should change any passwords that you have to use to edit and upload your pages, to a one that is stronger (a mix of alpha, numeric characters at least 8 characters and preferably longer). This may help, but if there is a vulnerability in the hosting software (old version, etc. that could be how it is hacking pages).

Perhaps time to start looking for a new Host, whilst things are calm and you know the kind of questions you need to ask of a potential Host, based on your experiences in this case.

Since the index.htm/html page is the first that many arrive at that would be the most efficient method to reach the majority of visitors. There is also a sneaky one doing the rounds where if there is a custom error 404 page (displayed when there is a page not found error) that has been hacked in some attacks.

Welcome to the forums.

[ldylion214]

I think you are right about it being time to search for a new host. 

Thank you for the welcome and your help.  It is much appreciated.

   Nicci

[DavidR]

You're welcome, glad I could help.

[polonus]

Also read the information through this link:
http://blog.trendmicro.com/ie-zero-day-follow-up-now-featuring-mass-sql-injections/

polonus

[ldylion214]

Also read the information through this link:
http://blog.trendmicro.com/ie-zero-day-follow-up-now-featuring-mass-sql-injections/

polonus

Great article.  Very informative and very scary.  My problem seems to be resolved since publishing a "clean" page and changing my password at GoDaddy but if anyone would like to check it that would be much appreciated, (hxxp://www.tribeazure.com)
Thanks!  Nicci

[DavidR]

Nothing detected, keeping strong passwords I'm sure will help, but I would use this quiet time to investigate a new host.

Explaining what had happened and if they have any security in place which would combat that. The responses should be able to guide you in a) their responsiveness, b) understanding of the problem, e.g. how pages in sites hosted by them could become infected and c) what measures they have in place to combat that.

[polonus]

Hi ldylion214

This site is clean:
     
Exploit Prevention Lab LinkScanner
GreenCheck    Congratulations! LinkScanner Online did not find any exploits.
Scanned:    
Thursday, February 26, 2009

polonus