Author Topic: Html: Iframe-inf (Read 4284 times)

Lapinska · « **on:** December 02, 2009, 09:03:41 PM »

I got it when i went to hxxp://www.twoweekwait.com/ i have been going to this website for a year and it just set off my avast for the first time today. i have tried to report it to the person who runs the site but i cannot get ahold of their contact info due to not being able to access the website. is there any way you can tell me if it's really infected?

DavidR · « **Reply #1 on:** December 02, 2009, 09:17:36 PM »

Looks like the site has been hacked, a very common issue now.

There is a hidden iframe tag in the page code, redirecting to hXXp://reycross.com, why that would be there is strange, given that the iframe tag is inside a META tag.

There are also some other strange iframe tags later and I don't know if they are legit, but possibly are.

The first hidden iframe tag is also repeated near the bottom of the page source code and yet again after the closing HTML tag, a standards no, no, and very suspect.

####
Every 3.6 seconds a website is infected http://forum.avast.com/index.php?topic=47096.msg396648#msg396648.

spg SCOTT · « **Reply #2 on:** December 02, 2009, 09:22:25 PM »

Hi Lapinska, welcome to the forum

Unfortunately the site does seem to have been infected:

http://www.UnmaskParasites.com/security-report/?page=www.twoweekwait.com

There is an iframe that has been inserted into the page after the closing html and body tags, which is wrong. (image)

The domain it points to is known to be malicious, and is listed in a few malware lists, shown on page three here:

http://www.mywot.com/en/scorecard/reycross.com#page-3

This kind of detection is very common these days, with many 'legitimate sites' becoming hacked to distribute malware:

Every 3.6 seconds a website is infected

EDIT: Ahh...the preview never showed the post...hate when that happens...
I didn't catch the fact that it repeats either...

EDIT2: Just a side note...it is a godaddy domain...which seems to be popular with the malware people...
http://www.malwarebytes.org/forums/index.php?act=Search&CODE=simpleresults&sid=2c0ada8d49bccbdecd657751401928e2&highlite=godaddy

polonus · « **Reply #3 on:** December 02, 2009, 09:27:38 PM »

Hi Lapinska,

Here is an infection report for this redirect to a page hosted on a Dutch site:

Hidden external link

reycross.com suspicious ↗ - displaying 1 of 1
<IFrame> hidden link - htXp://reycross.com/lib/index.php

From 13 pages visited on this site during the last 90 days, 4 pages without user's consent
have been downloading and installing malicious software. Suspicious content was found on 2009-12-02.
The malicious software is being hosted on 1 domain, e.g. reycross.com/.

This site was hosted on 1 network including AS32244 (LIQUID).

Malicious software includes 4039 trojans, 2079 scripting exploits, 55 exploits.

This site was hosted on 3 network(s) including AS20495 (WEDARE), AS49544 (INTERACTIVE3D), AS18106 (VIEWQWEST).

Site has been used as a re-directing site for spreading malcode.
It seems reycross.com has been functioning as a re-direct to infect 394 sites,
e.g. nuevoslideres.com/, provobreastsurgeon.com/, medicaltourinfo.com/.

Has this site been hosting malware?
Yes and malicious software has been infecting 1859 domains,
e.g. stkc.go.th/, dieta.sk/, mosaicodelivrosfsm.org/,

polonus

DavidR · « **Reply #4 on:** December 02, 2009, 09:33:41 PM »

Well that will have Lapinska in a spin, 3 comprehensive confirmations in short order, the site has been hacked

spg SCOTT · « **Reply #5 on:** December 02, 2009, 09:44:29 PM »

Don't know why it didn't show your post though...had that happen a couple of times (just now in another thread)...

at least they are all slightly different...

Lapinska · « **Reply #6 on:** December 02, 2009, 10:09:33 PM »

haha, thanks guys. i just wanted to make sure it wasn't just my computer or something. good grief, the internet isn't safe to do anything anymore! I am sure the 'hacker' is targeting this particular site because it's users are female and most women are computer illiterate ( no offense ) so they make an easy target. i'm a women but fortunately i'm a bit smarter than most; thanks again i will continue to try and contact the owner.

polonus · « **Reply #7 on:** December 02, 2009, 10:17:49 PM »

Hi Lapinska,

Security on the Internet is with the bright girls, always, and you now have all the info you need to convince the female? webmaster to do some cleansing of the website in question. This adding of malcode to trusted reputable sites comes with vulnerabilities in older website software(s) or in this case a PHP hack.

polonus

DavidR · « **Reply #8 on:** December 03, 2009, 12:13:10 AM »

Quote from: Lapinska on December 02, 2009, 10:09:33 PM

haha, thanks guys. i just wanted to make sure it wasn't just my computer or something. good grief, the internet isn't safe to do anything anymore! I am sure the 'hacker' is targeting this particular site because it's users are female and most women are computer illiterate ( no offense ) so they make an easy target. i'm a women but fortunately i'm a bit smarter than most; thanks again i will continue to try and contact the owner.

You're welcome.

I somehow doubt this is a targeted attack just because it appeals to women or might be administered by women; for the most part there are bots (automated tools) that trawl the internet seeking out sites with vulnerable software that they can exploit.

If it were targeted then I would say the targets would be those sites that have huge audiences, when we see on these forums small websites as well as the mega sites.

Author Topic: Html: Iframe-inf (Read 4284 times)

Lapinska

Html: Iframe-inf

DavidR

Re: Html: Iframe-inf

spg SCOTT

Re: Html: Iframe-inf

polonus

Re: Html: Iframe-inf

DavidR

Re: Html: Iframe-inf

spg SCOTT

Re: Html: Iframe-inf

Lapinska

Re: Html: Iframe-inf

polonus

Re: Html: Iframe-inf

DavidR

Re: Html: Iframe-inf