Author Topic: Trojan Virus Alert !!!! (Read 7087 times)

Gene O'Keefe · « **on:** May 24, 2013, 06:58:32 PM »

Guys (& Gals) -- be careful when logging onto PAMPA's website...my security suite picked up a Trojan Virus attached to the website and denied me access to it. It is -- Trojan.IframeBMY(engineA)HTML:Iframe.Z6[TrJ](engineB)

Hope this helps someone ( I have: " G Data Total Security Suite "

Geno

Randy Powell · « **Reply #1 on:** May 24, 2013, 08:55:26 PM »

It's times like these, I'm glad I use Unix.

RC Storick · « **Reply #2 on:** May 24, 2013, 10:37:20 PM »

Here I thought that the Trojans were suppose to keep the virus's safe.

Dick Pacini · « **Reply #3 on:** May 25, 2013, 06:15:50 AM »

This is what I got when trying to access Pampa's website:

VIPRE has determined that the site

you are trying to visit contains potentially harmful or objectionable content.

VIPRE is my anti-viral program.

peabody · « **Reply #4 on:** May 25, 2013, 10:50:58 AM »

Didn't do anything for me...I was able to lo on and to download the latest Stunt News.....

EddyR · « **Reply #5 on:** May 25, 2013, 11:19:56 AM »

Site was safe for me. I could not find any virus with the name you posted. I guess you can't go there

Ed

Dick Pacini · « **Reply #6 on:** May 25, 2013, 12:34:33 PM »

I still am getting the lockout from my anti-virus software. If you can get in then you are either unprotected or any anti-virus you have is ineffective.

Bob Reeves · « **Reply #7 on:** May 25, 2013, 01:19:00 PM »

My guess would be a false positave from the AV's that are detecting something. Pretty doubtful some dird would go after a toy airplane site.

EddyR · « **Reply #8 on:** May 25, 2013, 01:52:12 PM »

Quote from: Dick Pacini on May 25, 2013, 06:15:50 AM

This is what I got when trying to access Pampa's website:

VIPRE has determined that the site

you are trying to visit contains potentially harmful or objectionable content.

VIPRE is my anti-viral program.

Note it says "objectionable content". This site has lot of that

Ed

Dick Pacini · « **Reply #9 on:** May 25, 2013, 03:41:54 PM »

I tried getting in a couple of ways not using the PAMPA link. I tried through a GOOGLE search and by typing in the URL directly. Same result, my VIPRE wouldn't let me in.

There is something wrong there and I hope the administrators of PAMPA look into it.

john e. holliday · « **Reply #10 on:** May 25, 2013, 05:57:24 PM »

It has to be your provider. Just now have the PAMPA site up and looking thru it.

Dick Pacini · « **Reply #11 on:** May 25, 2013, 08:04:26 PM »

Quote from: john e. holliday on May 25, 2013, 05:57:24 PM

It has to be your provider. Just now have the PAMPA site up and looking thru it.

John, do you have anti-virus software on your computer?

How about Ed and Bob?

James Mills · « **Reply #12 on:** May 25, 2013, 08:17:28 PM »

I was able to log in but not able to navigate the site, keeps logging me out, doing this a couple of weeks now.

James

Crist Rigotti · « **Reply #13 on:** May 25, 2013, 08:51:18 PM »

Avast detected the Trojan on the PAMPA website.

Rick Bollinger · « **Reply #14 on:** May 25, 2013, 10:49:50 PM »

It kept bumping me off too. I could not access anything through Internet Explorer. When I used Google Chrome as my browser it let me in no problem and was able to download.

Mike Keville · « **Reply #15 on:** May 25, 2013, 11:04:44 PM »

No problem here. Worked just fine...via Internet Explorer as usual.

If in fact there is some sort of malicious problem with the site, you can bet that Bob Kruger will soon sort it out and eliminate it. He takes no prisoners!

Dick Pacini · « **Reply #16 on:** May 26, 2013, 10:19:52 AM »

There have been three different AV programs on three different computers that detected a problem. It isn't server related and has nothing to do with what ISP you are using. The AV programs are on the individual computers. I use Netscape for my browser. I also tried Google Chrome and IE. My AV protected my computer and prevented access using the three different browsers.

If you have no AV software installed, OR it hasn't been updated for some time, you won't have any problem getting on the PAMPA site. That doesn't mean there isn't a Trojan or that your computer isn't at risk.

This isn't a fluke. There is a Trojan on the PAMPA site that could cause great harm to any computer that accesses that site. I hope the administrators of the PAMPA website investigate and get it cleaned up.

BillLee · « **Reply #17 on:** May 26, 2013, 12:30:56 PM »

The PAMPA site HAS BEEN HACKED and contains the virus described. All you have to do is take a look at the source code HTML that is sent to the browser to see it.

Looking at the very bottom, all HTML files end with "</HTML>" but the PAMPA site has been hacked to include HTML code following:

<iframe src="http://web277.caxn220.dxe/couxnter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10"/>
<scrixpt language="javaxscript">
</scrxipt>

(I have "sanitized" the code by adding a bunch of extraneous characters.) Using an inline frame with visibility hidden is a classic hack for adding virus and trojans to websites.

Whoever is responsible for the PAMPA site needs to take corrective action.

Sure glad I use a Linux system.

Dick Pacini · « **Reply #18 on:** May 26, 2013, 02:40:36 PM »

Thank you Bill! Those who responded that they got on without issue have left themselves open to a Trojan infection.

Randy Powell · « **Reply #19 on:** May 26, 2013, 02:58:04 PM »

Bill,

You and me, both my friend.

Mike Griffin · « **Reply #20 on:** May 26, 2013, 03:44:45 PM »

I had no problem because I use all Apple products, IMAC, IPAD. I am still trying to figure out why anyone would want to hack into PAMPA. Just is not the kind of site hackers go after.

Mike

Dick Pacini · « **Reply #21 on:** May 26, 2013, 03:53:57 PM »

Quote from: Mike Griffin on May 26, 2013, 03:44:45 PM

I had no problem because I use all Apple products, IMAC, IPAD. I am still trying to figure out why anyone would want to hack into PAMPA. Just is not the kind of site hackers go after.

Mike

How do you figure you had no problem? The Trojan is on the website and anyone who gains access is vulnerable.

The reason a hacker would infect a site like PAMPA is because of the countless members and visitors who stop in, each one open to infection. That's how viruses and Trojans spread.

RC Storick · « **Reply #22 on:** May 26, 2013, 04:10:09 PM »

Quote from: Dick Pacini on May 26, 2013, 03:53:57 PM

How do you figure you had no problem? The Trojan is on the website and anyone who gains access is vulnerable.

The reason a hacker would infect a site like PAMPA is because of the countless members and visitors who stop in, each one open to infection. That's how viruses and Trojans spread.

Here I have the assassin turned on. You will need to buy your Trojans at the drugstore.

Bob Kruger · « **Reply #23 on:** May 28, 2013, 07:35:26 AM »

All;

I have checked the PAMPA website out thoroughly. I don't see any indications of it being hacked. There are no new files, no changed file dates, Me thinks we are getting false positives.

I have logged onto the site with various computers using various OSs. This includes Windows XP, Ubuntu, Windows 8, and Windows 7. The antivirus platforms include McAfee, Norton (Symantec), AVG, and Avast. No hits noted as of 0900 EST 28 May 2013.

I did notice this weekend that, with systems running Avast and AVG, other sites that I sometimes go to are coming up as hacked. I have contacted the webmasters, and they have all come to the same conclusion - false positive.

That is not to say that there isn't something amiss that I have overlooked. I ask that everyone who is having an issue to email me directly with the details, especially if malicious software is being downloaded to your system. If the site is actually hacked, we will get it fixed.

V/r

Bob Kruger

Randy Powell · « **Reply #24 on:** May 28, 2013, 09:42:09 AM »

Dick,

Apple is Unix based these days (underlying system is BSD based). While certainly not invulnerable, it doesn't have the problems with viruses and such that Windows has. Other problems, but not viruses.

peabody · « **Reply #25 on:** May 28, 2013, 10:39:27 AM »

My Kaspersky never flagged anything....
I ran Spy Bot after reading of the issue......still nothing...
Have fun....

Dan McEntee · « **Reply #26 on:** May 28, 2013, 03:25:05 PM »

I'm definately not a computer expert, but I think you guys having the problem may have your security settings way to high or sensitive. Correct me if I'm wrong, but isn't there an exchange of "cookies" when you log onto a website so your computer can comunicate with the site properly, and this is where your anti-virus software sends out the false positives. There were three of you that had issues, but more than twice as many or maybe more had no trouble. That should tell you something. If there is any kind of advertising on the PAMPA site that may be setting them off. I would take Mr. Kruger's word as gospel on this matter.
Good luck and have fun,
Dan McEntee

BillLee · « **Reply #27 on:** May 28, 2013, 04:22:06 PM »

Quote from: Bob Kruger on May 28, 2013, 07:35:26 AM

All;

I have checked the PAMPA website out thoroughly. I don't see any indications of it being hacked. There are no new files, no changed file dates, Me thinks we are getting false positives.

I have logged onto the site with various computers using various OSs. This includes Windows XP, Ubuntu, Windows 8, and Windows 7. The antivirus platforms include McAfee, Norton (Symantec), AVG, and Avast. No hits noted as of 0900 EST 28 May 2013.

I did notice this weekend that, with systems running Avast and AVG, other sites that I sometimes go to are coming up as hacked. I have contacted the webmasters, and they have all come to the same conclusion - false positive.

That is not to say that there isn't something amiss that I have overlooked. I ask that everyone who is having an issue to email me directly with the details, especially if malicious software is being downloaded to your system. If the site is actually hacked, we will get it fixed.

V/r

Bob Kruger

Bob, please re-view my post above.

I run Linux (Fedora) on my desktop and my laptop. I do NOT run ANY "virus protection" or other such since it is not useful and not needed in a Linux environment. I use FireFox, current version is 21.0.

When I access the PAMPA home page at http://www.control-line.org/ I get a page downloaded that shows the hacked code. No, I do NOT depend on a virus protection: that is a Windows necessity. I simply do a "View Page Source" and LOOK AT THE CODE that the website delivered. What I posted above (sanitized) is what the hack has inserted in the html that is being served to my browser.

Since the home page is prepared by yet another Microsoft tool (aspx), I suggest you start looking in the DesktopDefault.aspx source code.

BTW, over the years I have had just this kind of hack show up in several websites which I manage, always something the web hosting company where the sites are located is aware of and will fix.

Bob Kruger · « **Reply #28 on:** May 28, 2013, 06:51:03 PM »

Bill;

I am running Linux as well here (Ubuntu). I use both Firefox and Chrome. My Firefox version is 21 as well. None are showing me that this is a hack. A Google search has showed up nothing as well.

Again, I think we are getting a false positive. However, I am doing a dump of the system to a Linux box here and will run grep on all of the files to see if I can find the code is the offending aspx file.

BTW - I have continually run Linux servers since 1995, using RedHat, Slackware, Ubuntu, and other releases. That includes SQL driven PHP and Cgi-Bin based servers. While is know that the PAMPA website is run off of a Microsoft based system, I am not showing the same issue you are.

Bob

Quote from: BillLee on May 28, 2013, 04:22:06 PM

Bob, please re-view my post above.

I run Linux (Fedora) on my desktop and my laptop. I do NOT run ANY "virus protection" or other such since it is not useful and not needed in a Linux environment. I use FireFox, current version is 21.0.

When I access the PAMPA home page at http://www.control-line.org/ I get a page downloaded that shows the hacked code. No, I do NOT depend on a virus protection: that is a Windows necessity. I simply do a "View Page Source" and LOOK AT THE CODE that the website delivered. What I posted above (sanitized) is what the hack has inserted in the html that is being served to my browser.

Since the home page is prepared by yet another Microsoft tool (aspx), I suggest you start looking in the DesktopDefault.aspx source code.

BTW, over the years I have had just this kind of hack show up in several websites which I manage, always something the web hosting company where the sites are located is aware of and will fix.

BillLee · « **Reply #29 on:** May 28, 2013, 07:42:43 PM »

O.k., then where is it coming from?

It isn't a "false positive", the code is there! What on earth is a "false positive" when you're running Linux and Firefox and not using any sort of AV software?

Somebody upstream from my browser is sticking the extra iframe on the html that is coming from the PAMPA server, and the only logical source is the server itself and the aspx code that creates the html. Have you asked the web hosting support folks if they've heard of any hacked websites on their servers?

I suspect you nailed the problem: a Microsoft server. Now all you need to do is find the hacked code on the PAMPA site.

BTW, I just booted the laptop into Vista (Yuch!) and accessed the PAMPA site with Firefox (19.0) and the hack appears as well.
BTW, updated Firefox to 20.0.1, and the hack still shows up.
BTW, updated to 21.0 and the hack still shows up.
BTW, I just looked at the PAMPA site using IE9 and the hack appears there as well.

(Probably have an infected system now. It's Windows, after all!

)

Vista running Norton or whatever, no complaints about the file at all.

Bob Kruger · « **Reply #30 on:** May 28, 2013, 07:48:31 PM »

I have asked them, no answer yet.

However, I am not seeing an extra frames coming up anywhere on any system I used, and that includes Win 7, XP, and Ubuntu. I also checked all of the browsers on each OS, and no extra frames.

I found the aspx file and downloaded it to my Linux box, used vi to edit it, then just uploaded it. It is now not showing up in the source code. So, while I still think this is a false positive, it may make the site play a little better with other browsers.

Thanks for your input.

Bob

Quote from: BillLee on May 28, 2013, 07:42:43 PM

O.k., then where is it coming from?

It isn't a "false positive", the code is there! What on earth is a "false positive" when you're running Linux and Firefox and not using any sort of AV software?

Somebody upstream from my browser is sticking the extra iframe on the html that is coming from the PAMPA server, and the only logical source is the server itself and the aspx code that creates the html. Have you asked the web hosting support folks if they've heard of any hacked websites on their servers?

I suspect you nailed the problem: a Microsoft server. Now all you need to do is find the hacked code on the PAMPA site.

BTW, I just booted the laptop into Vista (Yuch!) and accessed the PAMPA site with Firefox (19.0) and the hack appears as well.
BTW, updated Firefox to 20.0.1, and the hack still shows up.
BTW, updated to 21.0 and the hack still shows up.
BTW, I just looked at the PAMPA site using IE9 and the hack appears there as well.

(Probably have an infected system now. It's Windows, after all! )

Vista running Norton or whatever, no complaints about the file at all.

Brett Buck · « **Reply #31 on:** May 28, 2013, 08:06:23 PM »

Quote from: Bob Kruger on May 28, 2013, 07:48:31 PM

However, I am not seeing an extra frames coming up anywhere on any system I used, and that includes Win 7, XP, and Ubuntu. I also checked all of the browsers on each OS, and no extra frames.

I found the aspx file and downloaded it to my Linux box, used vi to edit it, then just uploaded it. It is now not showing up in the source code. So, while I still think this is a false positive, it may make the site play a little better with other browsers.

I checked a number of the pages and nothing like the script snippet appears in the source. It may be inserted somewhere after the server, too, maybe at the user ISP.

Brett

Bob Kruger · « **Reply #32 on:** May 28, 2013, 08:16:07 PM »

I found it in a few other files, but have cleaned them as well.

Thanks to all for their input and assistance.

V/r

Bob

Quote from: Brett Buck on May 28, 2013, 08:06:23 PM

I checked a number of the pages and nothing like the script snippet appears in the source. It may be inserted somewhere after the server, too, maybe at the user ISP.

Brett

Dick Pacini · « **Reply #33 on:** May 28, 2013, 08:30:06 PM »

I cleared my history and cache and tried to get on again. Vipre blocked it out.

BillLee · « **Reply #34 on:** May 28, 2013, 08:39:40 PM »

Quote from: Brett Buck on May 28, 2013, 08:06:23 PM

I checked a number of the pages and nothing like the script snippet appears in the source. It may be inserted somewhere after the server, too, maybe at the user ISP.

Brett

Brett, I think Bob has confirmed that he has found aspx files with the hack in it. "I found it in a few other files, but have cleaned them as well."

In my case: I saw the iframe hack while out on the road last weekend using my Sprint 3G air card and my laptop. The examples I have posted this evening are from here at home, using CenturyLink DSL and my desktop system. I.e., two entirely different ISPs, two entirely different paths for the html to arrive at my browser, two entirely different computers.

Edit to add:

In addition to hacked aspx files (or php files in the websites of mine which have suffered similar hacks), another point where code insertion can occur would include the actual web server, Microsoft IIS (or whatever it's called today). If the server is compromised, the html served could be affected. MS IIS servers have historically been very susceptible to this sort of thing and is one reason why most servers use Apache and NOT Microsoft code.

Bob Kruger · « **Reply #35 on:** May 28, 2013, 09:12:04 PM »

Bill;

I am not sure that the extra code snippet is what is keeping certain people from accessing the system. Common denominators are Vipre, and certain browsers. I suspect there are certain settings that people have enabled that flash as hot.

On none of my browsers has another pane or window popped up. Also, no mention of it on the web, nor was the site mentioned on any of they systems that I use to manually download hosts files that redirect trojan/virus sites back to 127.0.0.1.

No mention of domain can220.de

I doubt you are infected. If you are, my profound apologies.

Bob

Quote from: BillLee on May 28, 2013, 08:39:40 PM

Brett, I think Bob has confirmed that he has found aspx files with the hack in it. "I found it in a few other files, but have cleaned them as well."

In my case: I saw the iframe hack while out on the road last weekend using my Sprint 3G air card and my laptop. The examples I have posted this evening are from here at home, using CenturyLink DSL and my desktop system. I.e., two entirely different ISPs, two entirely different paths for the html to arrive at my browser, two entirely different computers.

Edit to add:

In addition to hacked aspx files (or php files in the websites of mine which have suffered similar hacks), another point where code insertion can occur would include the actual web server, Microsoft IIS (or whatever it's called today). If the server is compromised, the html served could be affected. MS IIS servers have historically been very susceptible to this sort of thing and is one reason why most servers use Apache and NOT Microsoft code.

Dick Pacini · « **Reply #36 on:** May 28, 2013, 09:29:31 PM »

Bob, as has been pointed out in earlier posts, G Data Total Security Suite and Avast both picked it up as well as my Vipre.

Three different computers from three different areas using three different A/V programs all say there is an issue with PAMPA's site.

I have sent the URL of PAMPA to Vipre in an email, asking for their help, although you will probably have it repaired before I hear back.

Bob Kruger · « **Reply #37 on:** May 28, 2013, 09:50:30 PM »

Dick;

The site gave one of my machines here some problems on Sunday, but as of today they are not a problem. And that is across a wide range of platforms, operating systems, web browsers, and antivirus software.

OK, problem solving 101 review.

1. Some users this past weekend had trouble accessing the site and the reason given to them was from their antivirus software.
2. Bill Lee points out what he believes is hacked code.
3. I remove that code, they clear their caches, and then the same people are still getting the same message.
4. So, let us see what it is:
   a. There is something amiss on the site that affects a few people.
   b. There are settings on the systems of a few people that are affecting their ability to access the site.
   c. There was a security release that went out in the past week that is now flagging what is identified as a security issue, and possibly incorrectly.
   d. Could this be a false positive or their something else that needs attention?
   e. I can not replicate any of this here.

Bottom Line: I need hard log messages to give me the info necessary to report what I can not replicate.

I am pretty sure that after updating the code on the site tonight, you have cleared your cache, and you still getting the same message, that there is either something else amiss, or there is a false positive that I can not replicate on a variety of platforms that I have available. All I've gotten (other than from Bill Lee's code capture) is "I am getting kicked out of the PAMPA website".

So, do this for me. Email me directly the error message your AV software gives you. Line for line, word for word, character for character from the log. Let me know the OS you are running, the browser, and all other information. Do this, and I have something I can sink my teeth into and run with.

In fact, if everyone will do that who is having a problem, I will work the the host provider to track down the problem if one exists.

Will you assist?

Bob

Quote from: Dick Pacini on May 28, 2013, 09:29:31 PM

Bob, as has been pointed out in earlier posts, G Data Total Security Suite and Avast both picked it up as well as my Vipre.

Three different computers from three different areas using three different A/V programs all say there is an issue with PAMPA's site.

I have sent the URL of PAMPA to Vipre in an email, asking for their help, although you will probably have it repaired before I hear back.

Dick Pacini · « **Reply #38 on:** May 28, 2013, 10:10:04 PM »

Bob, I sent you a screen shot twice but I'm not sure it went through. Can you advise?

It is the same info I posted early in this thread.

Using Windows XP and Firefox 17.0.1

Bob Kruger · « **Reply #39 on:** May 29, 2013, 03:34:18 AM »

Dick;

No email from you - with or without screen shots.

The only screen shots that I have seen are from Bill Lee.

I set up a Lenovo T61 with XP, Firefox v21, and Avast. All updates installed, all security patches for XP installed. Latest version of Java installed. No problems with the PAMPA web site reported here on this system.

I am out of advice for you. Best I can recommend is that you review the logs for Vipre and get me some specifics. Otherwise, I am shooting in the dark.

Bob

Quote from: Dick Pacini on May 28, 2013, 10:10:04 PM

Bob, I sent you a screen shot twice but I'm not sure it went through. Can you advise?

It is the same info I posted early in this thread.

Using Windows XP and Firefox 17.0.1

BillLee · « **Reply #40 on:** May 29, 2013, 07:20:27 AM »

Quote from: Bob Kruger on May 28, 2013, 09:12:04 PM

.....

On none of my browsers has another pane or window popped up. Also, no mention of it on the web, nor was the site mentioned on any of they systems that I use to manually download hosts files that redirect trojan/virus sites back to 127.0.0.1.

.........

Bob, just a point: the extra iframe had a style "visibility: hidden;". Consequently, you would NOT see any sort of window popped up unless some JavaScript somewhere changed the visibility to "visible".

As a test, using firebug, I redisplayed the page after manually setting the visibility to visible, also changed the size from 10px by 10px to 100x100. Sure enough, a 100x100 empty box in the upper left corner of the screen. So: bottom line, the iframe was there, it was accessing the can220.de site for whatever was there.

As another test, I actually accessed that site in another browser window and got nothing in response. I suspect that the hack was ultimately supposed to load a trojan or a virus, but it was either discovered or is yet a work-in-progress.

I also looked at the can220.de site in various security and privacy info sites:

WOT Scorecard: https://www.mywot.com/en/scorecard/can220.de
McAfee Site Advisor: https://www.siteadvisor.com/sites/can220.de
Webmaster Tips Site Information: http://www.wmtips.com/tools/info/?url=can220.de
Safe Browsing Diagnostic: http://www.google.com/safebrowsing/diagnostic?site=can220.de

None fussed about the site.

My conclusion: while some AV programs pick it up and complain, IMHO, it is (currently) benign and of no concern, other than the inconvenience it imposes on some.

Bob Kruger · « **Reply #41 on:** May 29, 2013, 07:28:53 AM »

Concur on its current benign nature. Thanks for the diligence. I downloaded all of the system files last night to my Linux system, grepped them all for the can220.de domain, and removed the offending lines. There were a total of four files. The cleaned files were properly uploaded and permissions set. We will see what happens in the future.

Just as a precaution, I think I will add can220.de domain to my hosts files on my Linux and Window systems and have it reroute to 127.0.0.1.

Just one more thing to have to look out for.

Bob

Quote from: BillLee on May 29, 2013, 07:20:27 AM

Bob, just a point: the extra iframe had a style "visibility: hidden;". Consequently, you would NOT see any sort of window popped up unless some JavaScript somewhere changed the visibility to "visible".

As a test, using firebug, I redisplayed the page after manually setting the visibility to visible, also changed the size from 10px by 10px to 100x100. Sure enough, a 100x100 empty box in the upper left corner of the screen. So: bottom line, the iframe was there, it was accessing the can220.de site for whatever was there.

As another test, I actually accessed that site in another browser window and got nothing in response. I suspect that the hack was ultimately supposed to load a trojan or a virus, but it was either discovered or is yet a work-in-progress.

I also looked at the can220.de site in various security and privacy info sites:

WOT Scorecard: https://www.mywot.com/en/scorecard/can220.de
McAfee Site Advisor: https://www.siteadvisor.com/sites/can220.de
Webmaster Tips Site Information: http://www.wmtips.com/tools/info/?url=can220.de
Safe Browsing Diagnostic: http://www.google.com/safebrowsing/diagnostic?site=can220.de

None fussed about the site.

My conclusion: while some AV programs pick it up and complain, IMHO, it is (currently) benign and of no concern, other than the inconvenience it imposes on some.

Dick Pacini · « **Reply #42 on:** May 29, 2013, 08:06:43 AM »

Quote from: Bob Kruger on May 29, 2013, 03:34:18 AM

Dick;

No email from you - with or without screen shots.

The only screen shots that I have seen are from Bill Lee.

I set up a Lenovo T61 with XP, Firefox v21, and Avast. All updates installed, all security patches for XP installed. Latest version of Java installed. No problems with the PAMPA web site reported here on this system.

I am out of advice for you. Best I can recommend is that you review the logs for Vipre and get me some specifics. Otherwise, I am shooting in the dark.

Bob

Strange that you didn't get either email. I used the email address that I had on file for you, which is the same as in your profile.

That being said, whatever it is that you did to clean the PAMPA site worked. I can get on now without any problems. Thanks to all who helped solve this mystery.

Bob Kruger · « **Reply #43 on:** May 29, 2013, 04:21:31 PM »

Glad its not giving you problems. Trying to fix something without the details is like calling your mechanic and say "My check engine light came on. What's wrong?" One needs the details to diagnose.

I thank Bill Lee for that. His finding the offending line in the scripts gave me the info needed to check all other files and delete those lines. And, I learned a few things as well.

The good news is that the lines are gone, things should settle down, I will be more dilligent in my checks of the site, and, most importantly, neither Bill nor I believe any malicious code was downloaded to anyone's system.

Bob

Quote from: Dick Pacini on May 29, 2013, 08:06:43 AM

Strange that you didn't get either email. I used the email address that I had on file for you, which is the same as in your profile.

That being said, whatever it is that you did to clean the PAMPA site worked. I can get on now without any problems. Thanks to all who helped solve this mystery.

john e. holliday · « **Reply #44 on:** May 30, 2013, 08:39:57 AM »

No virus on my end from the visit to the sight. Did find out that what we were paying for we were not getting from ATT-Uverse. Supposed to be high speed internet and TV package. No reimbursement from them either. I am sad that a company I spent half my life with decided to go with the ATT name. I retired from SBC(Southwestern Bell Communications/Phone Company) and the they bought out ATT and changed the name.

Thanks for keep the PAMPA site clean.

Bob Kruger · « **Reply #45 on:** May 30, 2013, 04:51:06 PM »

John;

Looks as if there was nothing to worry about, as the link led to nothing. Could have been worse.

It is disturbing that someone hacked the site and/or the server hosting the site. Even more disturbing that the site provider denies it was hacked (although there is no other way that the code got attached unless it was part of the original system installed by the previous sitemaster, and having worked with him, I am absolutely sure that is not the case.)

So, it means just increased vigilance and another set of checks to run regularly to make sure that malicious scripts are not installed on the site. Frankly, I found myself in the rut of what I could not see did not exist. Sort of like "if the tree fell in the woods but no one heard it, did it happen?"

Live and learn.

Bob

Quote from: john e. holliday on May 30, 2013, 08:39:57 AM

No virus on my end from the visit to the sight. Did find out that what we were paying for we were not getting from ATT-Uverse. Supposed to be high speed internet and TV package. No reimbursement from them either. I am sad that a company I spent half my life with decided to go with the ATT name. I retired from SBC(Southwestern Bell Communications/Phone Company) and the they bought out ATT and changed the name.

Thanks for keep the PAMPA site clean.

Don Hutchinson AMA5402 · « **Reply #46 on:** May 30, 2013, 09:09:39 PM »

I seem to have a problem with the website too. I log in but nothing shows up to allow me to look at anything. I can't get to the membership list, rulebooks or anything else. I see no change on the front page after I log in. Checked and password is correct!

Don

Brett Buck · « **Reply #47 on:** May 30, 2013, 09:17:18 PM »

Quote from: Don Hutchinson AMA5402 on May 30, 2013, 09:09:39 PM

I seem to have a problem with the website too. I log in but nothing shows up to allow me to look at anything. I can't get to the membership list, rulebooks or anything else. I see no change on the front page after I log in. Checked and password is correct!
Don

  I think I know what the issue is. Are you using Windows and Internet Explorer? If so, several people have had the same problem, and the issue was that cookies were not enabled. I don't use internet explorer (since it hasn't been available for maybe 10 years now), but there is a security setting that will prevent cookies from being stored. At one time the security preferences showed up as a slider, and you can't set it to "most secure" because it will not store the cookies. What happens is you log in successfully, it tries to bring up the "member" home page and features, but the cookie is deleted immediately, making it look like nothing happened. Basically it immediately forgets you.

   I checked and you successfully logged in today. If you still saw nothing, it is almost certainly because the cookie was deleted. More than a few people had this problem. Alternately, try it with Firefox, Opera, Chrome, or some other browser.

   Brett

p.s. I dug around in the PAMPA site user statistics, and while it might not be malicious, just old or buggy code, your browser "user agent" shows Internet Explorer 1 (!) which is essentially impossible. What browser/version are you using (go to menu and click "About Internet Explorer..." or whatever it is.) The user agent identifies your browser to the site, which may or may not make any difference, Mine shows up completely screwy, too - Netscape Navigator 6 (!!) when in fact it is:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.59.8 (KHTML, like Gecko) Version/5.1.8 Safari/534.59.8

Mike Keville · « **Reply #48 on:** May 30, 2013, 09:22:55 PM »

Hmmm...I've been using Windows and Internet Explorer to log in, and have had no problem whatsoever. I haven't a clue what any of those other things (Firefox, et al.) are - no do I care - but to date I've had no problem with this eight-year-old set-up.

(Life being what it is, I'll probably wish I hadn't said that.)

Brett Buck · « **Reply #49 on:** May 30, 2013, 10:16:08 PM »

Quote from: Mike Keville on May 30, 2013, 09:22:55 PM

Hmmm...I've been using Windows and Internet Explorer to log in, and have had no problem whatsoever. I haven't a clue what any of those other things (Firefox, et al.) are - no do I care - but to date I've had no problem with this eight-year-old set-up.

(Life being what it is, I'll probably wish I hadn't said that.)

If your security setting is less than "maximum" it will work without problems.

Internet Explorer is the web browser embedded with Windows, and generally functional if a bit backwards. The browser is what takes the HTML script (HTML being a rudimentary type of computer program) and interprets it to make the web pages you see. The script looks like this:

************************
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   <meta name="description" content="Post reply" />
   <meta name="keywords" content="PHP, MySQL, bulletin, board, free, open, source, smf, simple, machines, forum" />
   <script language="JavaScript" type="text/javascript" src="http://stunthanger.com/smf/Themes/default/script.js?rc2p"></script>
   <script language="JavaScript" type="text/javascript"><![CDATA[
      var smf_theme_url = "http://stunthanger.com/smf/Themes/dilbermc";
      var smf_images_url = "http://stunthanger.com/smf/Themes/dilbermc/images";
      var smf_scripturl = "http://stunthanger.com/smf/index.php";
   // ]]></script>
   <title>Post reply</title>
   <link rel="stylesheet" type="text/css" href="http://stunthanger.com/smf/Themes/dilbermc/style.css?rc2" />
   <link rel="stylesheet" type="text/css" href="http://stunthanger.com/smf/Themes/dilbermc/style_lightbrown.css?rc2" />
   <link rel="stylesheet" type="text/css" href="http://stunthanger.com/smf/Themes/default/print.css?rc2" media="print" />
   <link rel="help" href="http://stunthanger.com/smf/index.php?action=help" target="_blank" />
   <link rel="search" href="http://stunthanger.com/smf/index.php?action=search" />
   <link rel="contents" href="http://stunthanger.com/smf/index.php" />
   <link rel="prev" href="http://stunthanger.com/smf/index.php?topic=31563.0;prev_next=prev" />
   <link rel="next" href="http://stunthanger.com/smf/index.php?topic=31563.0;prev_next=next" />
   <link rel="index" href="http://stunthanger.com/smf/index.php?board=4.0" />
            <style type="text/css">
               #FBSlideLikeBox_left {background: url(http://stunthanger.com/smf/Themes/dilbermc/images/FBSlideLikeBox/default.png) 292px 0 no-repeat; float: left; height: px; position: fixed; left: -292px; padding-right: px; top: 20%; width: 292px; z-index: 2000;}
               #FBSlideLikeBox_left #FBSlideLikeBox3_left {height: 590px; right: 0; position: absolute; border: 3px solid #3B5998; width: 292px; background: #f8f8f8;}
               #FBSlideLikeBox_right {background: url(http://stunthanger.com/smf/Themes/dilbermc/images/FBSlideLikeBox/default.png) 0 0 no-repeat; float: right; height: px; position: fixed; right: -292px; padding-left: px; top: 20%; width: 292px; z-index: 2000;}
               #FBSlideLikeBox_right #FBSlideLikeBox3_right {height: 590px; left: 0; position: absolute; border: 3px solid #3B5998; width: 292px; background: #f8f8f8;}
               #FBSlideLikeBox_left #FBSlideLikeBox2_left {position: relative; clear: both; width: auto;}
            </style>
            <script type="text/javascript">!window.jQuery && document.write(unescape('%3Cscript

etc (this is the first bit of the source HTML for this page).

********************************

When you visit a web page, what you actually do is download this script (which is relatively small by download standards) and the browser interprets the script on your local machine to construct the web page you see.

Firefox, Chrome and Opera are other brands of web browser (all free) that are intended to do the same thing. There are standards for how the scripts are to be interpreted, but they are not strenuously enforced by either the web page makers or the browser makers. Internet Explorer is pretty notorious for making up their own "standards", ostensibly to "enhance the experience" but many times had the effect, intentional or not, to make web pages ONLY work on Internet explorer and not the others.

In many cases this has led to visceral hatred of Internet Explorer/Microsoft because you many times have to make regular script for most people, and a hacked-up script to work with IE. This has generally gotten better as later versions have been produced, since said visceral hatred has led to drastic loss of market share for IE and they have been forced to get their act together and stop playing games. IE 6 is the most evil, the later versions are progressively less evil.

Right now, depending on whose numbers you look at, Chrome (from Google) is at about 40%, IE (all versions) is 30%, Firefox (from mozilla.org) is about 20%, and Safari (Macintosh default browser) is about 8%. All are free. Chrome generally runs MUCH MUCH faster than the others on Windows.

Brett