Author Topic: website blocked - mkis  (Read 7958 times)

0 Members and 1 Guest are viewing this topic.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
website blocked - mkis
« on: April 19, 2010, 03:00:58 AM »
well my netsol host domain hxxp://mkis.us is now blocked by avast (see screenshot)

I have notified netsol (network solutions) to block the site wholesale for public view but dont know how quick they will act.
Its not wholesale but obviously I want to check whole thing out.
 
I'm going in now to try take it down myself, although I'm tied a bit to what they will let me do.
I noticed just now that they have made some changes last day or so.

-------------------------------------------------------------------------------------------------------

okay I've got a reading that site is benign - but there are css errors - metatags that are part of netsol search engine optimisation

I've blocked google spider bots from the pages but obviously not enough as yet
when I first set up the domain I co-opted the use of other search engine optimisation and this is where the vulnerability lies.
I don't use their services but I still get emails which I don't open, but as yet I haven't blocked - will do now
but I better get off to do something about this - will reply post 
« Last Edit: April 19, 2010, 03:15:28 AM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: website blocked - mkis
« Reply #1 on: April 19, 2010, 03:25:58 AM »
Network solutions are under attack at present having been hacked on a number of occasions. I believe there are a couple of posts in the forums. I think the Security info topic.

So you may be hung up in that mess.

I have just visited your site and had a quick rummage about the various links and no alerts by avast, so it looks like network solutions have cleaned up this current hacking attack.

Some nice images on the American Dreams page.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: website blocked - mkis
« Reply #2 on: April 19, 2010, 03:59:32 AM »
Yes David I managed to fix the problem
- but with all the stuff going on at netsol at the moment I'm not totally convinced
- I'm using their builder and most of the stuff was done a long time ago as kind of practice exercises to learn stuff

because I use their builder tool, my actual control becomes limited
- so I have pretty much turned off all site tools
- that is, optimisation tools - but I'm about to let google spider bots back in

You probably got there a bit late - I wonder if I might be able to PM you a jscript unpack link and you could have a look
- i have a ticket in with netsol so I imagine I will be handshaking with a machine for a while

- spider bots back in and all seems okay
- they had added a new tool called Team Tools and it was turned ON - I have no idea why, perhaps I had been a bit absent-minded
- I have been reducing my commitments to netsol bit by bit over the last year but I still have paid contracts that will run for a while yet
« Last Edit: April 19, 2010, 04:15:37 AM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: website blocked - mkis
« Reply #3 on: April 19, 2010, 04:12:15 AM »
I'm not to familiar with javascript, whilst I can get an idea of what it is trying to do, but I already use jsunpack (sub domain) at a geeky site (jeek), I think you know what one I mean ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: website blocked - mkis
« Reply #4 on: April 19, 2010, 04:20:04 AM »
yup you got it - actual Im okay here - I was just busy for a little while there thinking the worst
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: website blocked - mkis
« Reply #5 on: April 19, 2010, 01:47:18 PM »
Hi mkis,

Have sent you a PM with the various analysis links and all seems non-malicious & non-suspicious now,
what you could check additionally is:
hxtp:/www.networksolutions.com/web-hosting/index.jsp?siteid=100&channelid=P61C100S1N0B142A1D255E0000V100
     status: (referer=www.google.com/trends/hottrends)failure: nonnumeric port: ''
which could be due to a proxy issue...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: website blocked - mkis
« Reply #6 on: April 19, 2010, 02:54:20 PM »
yes thank you very much, just back on internet now.

I hadn't thought to run another analysis so far, so you have put well ahead of the play now. Much appreciated.
I was still sitting on the original anaylsis report, which draws the original block from avast.
so I found out when I compared the two reports.

This tells me that netsol or their associate have corrected the code - I put in a ticket with a link to the original analysis.
The actual metatag code itself I cannot access even though its part of my page - it is externally hooked into my header
I have actually been trying to rid myself of it - only a few lines of script, but engineered by their tool
and there have been a few other buggy bits and pieces that i have to tolerate because no other choice

That said, it appears they have moved much quicker than usual and I can bring up a few issues when they reply to my ticket
and as long as it is a safe site, then that is good enough for me. your input will help me to ensure that it stays that way

Will PM you and very much appreciated
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: website blocked - mkis
« Reply #7 on: April 19, 2010, 03:42:36 PM »
or else was simply my f ix that done it - deactivating their tool
my original analysis report was generated before the deactivation
I better not expect too much
I take it up tomorrow. Its 1.30am here in New Zealand.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: website blocked - mkis
« Reply #8 on: April 19, 2010, 10:33:56 PM »
wake up this morning. check website - block is back  ???
I'm going to have to do root and branch through all the pages obviously in case something slipped by yesterday.
perhaps through team Tools - there may be a genuine infection
no reply to ticket from netsol

I write this before going into netsol to have a look.
will reply post through edit of this post unless I receive a reply from a forum member.

Edit - original post - 8.33am   /   problem fixed - 8.45am  *grrrrrrr                   *

Took redirection to google docs page off the home page to see if that makes any difference
- but I dont think that is the problem


« Last Edit: April 19, 2010, 11:26:36 PM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: website blocked - mkis
« Reply #9 on: April 20, 2010, 11:46:21 PM »
Hi mkis,

Read this: http://ddanchev.blogspot.com/2010/04/dissecting-wordpress-blogs-compromise.html
It is not you as an end user that is responsible for security, it is sloppiness of Network Solutions and Wordpress. They let them back in, and their comment is "We feel your pain", and I think that is a lame excuse. Their first priority as they are offering services is to keep malcreant hackers out and protect and educate their blogger/users,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: website blocked - mkis
« Reply #10 on: April 21, 2010, 09:40:55 PM »
sorry Polonus, I had said I would PM but have been in the foulest of moods over last few days

my issue is a bit different than the spectrum of problems that have hit netsol but ddanchev is bang on when he says '(netsol) should realize that for the sake of its reputation it should always use the following mentality - "protect the end user from himself" when offering any of its services.'

my issue concerns the error recorded in my original unpack analysis posted in my OP (see screenshot)

line:3: SyntaxError: unterminated string literal:
          error: line:3: document.title = String("mkis"); idzzz.push('printwrap');valzzz.push('null');txtzzz.push('
          error: line:3: .........................................................................................^

(exploit?) which I seem to have circumvented by reducing the extent of external involvement in the jscript environment, in particular appear to have written out qualifiers that follow String("mkis") for they are no longer manifest in later analyses

likewise, related to environment status you direct to - which analysis came after my fix - but does direct to my original analysis
hxtp:/www.networksolutions.com/web-hosting/index.jsp?siteid=100&channelid=P61C100S1N0B142A1D255E0000V100
     status: (referer=www.google.com/trends/hottrends)failure: nonnumeric port: '

and then block occurs again the next morning, before I tighten up even further external involvement in script on page

The external involvement in script in this case is a metatags script attached to header mkis -
<meta name="robots" content="index, follow"><meta name="description" content="mkis is market information systems for indigene in NZ and US for today and tomorrow"><meta name="keywords" content="mkis,media,market,web,New Zealand,United States,Aupouri,development,Indigene"><META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE"><META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<script language="javascript">

as you see equivalent control carries no cache, which I actual prescribed ages ago, but was still unable to rid myself of meta script itself, so pretty much stuck with it - still the case, though previously had implicated more third parties than is case now
and script is still active in so much as contents are submitted to following search engines - cipinet, Excite (Jp.), FyberSearch, Google, Internet Times, WalHello - and I imagine are communicated first instance but not only by google spider bots

at one stage equiv control had carried content written into the header string, and this now draws a failure - now minus additional third  parties but relating still to an environment - (which may be a dangerous vulnerability still unfixed)

Obvious there are still vulnerabilities as script draws errors - but these are not so dangerous
for example, a near exact similar externally involved script in another of my websites has drawn no block at all
same presciption except in this case the equivalent control had never cached content and so has never carried the especially dangerous vulnerability (I am speculating a bit here, because I say, I have only limited control through Site Tools)

The point I am trying to make is that while there are still relatively benign vulnerabilities in both these sites, manifest in errors that are returned in the analyses, and while these are still an issue, there was also previously a potentially dangerous vulnerability in mkis hosting service site that may now have enabled the incidence of a malicious exploit (I'm certainly not ruling it out)

the unterminated string literal is particularly worrying, unless someone can explain this to me
          error: line:3: document.title = String("mkis"); idzzz.push('printwrap');valzzz.push('null');txtzzz.push('
          error: line:3: .........................................................................................^

the download zip | explanation relating to this string literal still draws a block
however is now fixed at surface level anyway (that is, internal visible level)
worry is whether it is merely playing dead, and given conducive environment could reinstate exploit

netsol has been cleaning out the scripts and doing other work to tidy up site tools like ftp
I'm not convinced that this cleaning out has any effect on my issues even they have marked these issues as resolved
I'm not going to be totally satisfied until the metatag scripts have been totally removed from my pages
I don't think I need the externally involved search engine optimisation, and I doubt if I ever did need it

I think google took issue with it at one stage, but now seems to have accepted it
- I've mentioned before about this change in google and the loosening up of their search algorithm

anyways, here's the security postings from netsol

ftp password  -  http://docs.google.com/View?id=ah85g3kzb4tn_272t37x2fgj

run a script  -  http://docs.google.com/View?id=ah85g3kzb4tn_273dzfsnmc4

I've posted them through redirection links to google docs
I moved one of these redirection links off my mkis home page because I thought that the makeup of the link address may have  approximated obfuscated text to the point that it was confusing the avast scanner - but no, this is not the problem

The problem is the continued persistence of the metatag script
« Last Edit: April 21, 2010, 09:46:37 PM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: website blocked - mkis
« Reply #11 on: April 21, 2010, 10:16:51 PM »
Hi mkis,

Overview from FETCHER with user agent Googlebot 2.1:
Status: 200 OK
General info
content-length: 8405 ? accept-ranges: bytes ? server: Apache/2.2.8 (Unix) FrontPage/5.0.2.2635 ? last-modified: Mon, 19 Apr 2010 21:44:46 GMT ? connection: close ? etag: "f987af-20d5-4849ddea18bb9" ? date: Wed, 21 Apr 2010 20:13:05 GMT ? content-type: text/html ?
Linkshrefs (external links <h3>Home</h3> <h3>Te Aupouri</h3> <h3>Indigene</h3> <h3>Web Media</h3> <h3>Learning</h3> <h3>Market</h3> <h3>United States</h3> <h3>Workshop</h3> <h3>Scrapbook</h3> <h3>American Dreams</h3> Web Hosting referenced content (<link>) (i.e. css, rss) link type rel scripts/template.css stylesheet scripts/website.css stylesheet scripts/1.css stylesheet scripts/print.css stylesheet scripts/1custom.css stylesheet scripts/icwebsiteelement.css stylesheet
Encoding:
Reported encoding (content-type): (not defined), decoding failed
No meta content-type/encoding
Guessed encoding: ascii 1.0, decoding success
scriptreferenced scripts link type htxp://mkis.us/../scripts/ic_globals_published.js htxp://mkis.us/scripts/user.js htxp://mkis.us/scripts/photoalbum.js inline scripts Not yet available

greets,

pol



Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!