Analytic Users Beware!!

INNspiring.com | Innkeeper Forum & Innkeeping Resources

Copperhead

Well-known member
Joined
Jun 24, 2008
Messages
5,969
Reaction score
0
Thought I would share a problem we were just made aware of. Seems our site was hacked into by some hacker that has figured out how to piggyback through Google Chrome, which is associated with Analytics. I will leave all the real tech wording to the pros - (Swirt) but wanted everyone to be aware of this problem so you could keep an eye on your site.
Here is what we found: We had opened up Analytics to check our stats and it appeared we had not had a single visitor for the last 2 days. When we opened up our home page we received an alert from Avast stating the site was blocked due to siplank dot com qqp. Also the bottom 1/2 of our home page was missing! Not every page was affected but they did hit several. If you find this problem check ALL your pages.
We did some searches on this and found a couple of tech forum threads that provided us some info to look for. - All of these postings were from the last few days.
DH has been working on our site all evening to get rid of all the added script and is also removing Analytics from the site. We had just started using Analytics about a month ago and thought it was nice. Too bad there are so many malicious people in the world.

I sure hope none of your sites have this problem.
 

Copperhead

As I said DH has been working on this all evening. Seems that once he gets it off a page, it pops back on it a while later. This was stated in one of the tech forum sites as well. It is a true headache.
 

swirt

Forum founder. Former Owner.
Joined
May 17, 2008
Messages
3,210
Reaction score
0
Just checking... did you change your FTP username and password? Somebody has access to your server.
 

swirt

Please reference the forum site that you are getting this info from. Very little makes sense to me about this. Chrome is a browser and can't write to your site. Analytics is code that gets drawn to your site only within a browser when it runs the javascript. There should be nothing about these two things that would give anyone access to make changes on your server.
It sounds as though your server has been hacked, but I don't see how that is or could be connected to analytics or chrome... The only connection to analytics would be that they are using a trojan on your server to find and replace analytics code as a way of affecting all pages on the server. It is not so much that analytics has given them access to your server; it is that they have access to your server and are using find and replace to create the mess. Who is your host? They are the ones you want to contact.
If you change your ftp username and password and the attack continues, then it is an indication they are in control of the whole server and not just your "space" on the server.
 

swirt

On further consideration, there is also the very real possibility that this attack is coming from inside your computer. There may be a trojan on your computer using your ftp to modify your pages and re-upload them.
If you make the fix to one page, then upload it and immediately disconnect that computer from the internet. Go keep watch of that website from another computer that has not been used to modify your site EVER. If the malicious code reappears then you know the attack didn't come from your computer (because you disconnected it from the internet).
If you took the earlier advice and changed your ftp username and password to something long (think 24 characters or more) then it is not coming from your ftp account, which rules in that it is coming from higher up the ladder on the server.
 

YellowSocks

Well-known member
Supporting Member
Joined
May 22, 2008
Messages
2,179
Reaction score
13
Well, and we have something similar but different on the downstairs computer that I have to go look at and figure out...
When you do a search in Google it returns what looks like a good list, but when you click on the links (like for Wikipedia) you get something else. I haven't had a chance to go down there and figure out what the problem is, but I will be later today.
=(
Kk.
 

Copperhead

Swirt, thanks for the words of wisdom. We (well, mostly DH) worked on the site until late last night when we had a powerful storm and decided to stop. This morning he was back at it. He changed the FTP ID/password first. He has run a full scan of his PC. Our host, AMHosting, did a full scan of our site but did not find anything - go figure.
Seems as though he has taken care of much of it and it does not seem to be coming back like it was, bouncing from one page to another, some multiple pages at a time. One puzzling thing is that I still get a 'block' warning from Avast when I open one page of our site on my PC with Firefox, but if I open it with IE, no warnings? DH only uses IE and he was getting the warning, but is not at all now. Have any ideas on this?
 

swirt

I suppose it is possible that Firefox is loading the one page with the warnings from cache. Hard to say without an actual page to look at (email me if you don't want it displayed here).
My guess overall is that your host server was taken over and in standard spin, the host cleaned up the breach then denied that it was on their side of things, to limit their liability. If you have access to FTP logs, I'd look at the FTP logs and see what was making the changes. If the FTP logs show nothing, then it is a good indication it came from the server itself. (disclaimer: I am just speculating on the little info I have from this thread)
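
One way to carry out the FTP log check suggested above, as an added example that is not part of the thread. It assumes the host's logs are in the common xferlog format (the thread does not say which FTP server is in use); the addresses, user name and paths in the sample are constructed.

```python
# Added example (not from the thread): list FTP uploads of web files by
# remote host, so uploads from an address you do not recognise stand out.
# Assumes the host provides logs in the common xferlog format.
from collections import defaultdict

WEB_SUFFIXES = (".html", ".htm", ".php", ".js", ".htaccess")

# Constructed sample log; addresses are documentation ranges, names are made up.
SAMPLE_LOG = """\
Thu Mar 26 20:01:11 2009 1 198.51.100.7 18234 /public_html/index.html a _ i r innkeeper ftp 0 * c
Fri Mar 27 03:12:40 2009 1 203.0.113.45 18790 /public_html/index.html a _ i r innkeeper ftp 0 * c
Fri Mar 27 03:12:41 2009 1 203.0.113.45 9120 /public_html/rooms.html a _ i r innkeeper ftp 0 * c
Fri Mar 27 03:12:43 2009 1 203.0.113.45 4410 /public_html/images/logo.gif b _ o r innkeeper ftp 0 * c
Fri Mar 27 03:12:44 2009 1 203.0.113.45 0 /public_html/contact.html a _ i r innkeeper ftp 0 * i
"""


def parse_xferlog(line):
    """Split one xferlog line into the fields this check needs, or None."""
    f = line.split()
    if len(f) < 18:
        return None                      # blank or truncated line
    return {
        "when": " ".join(f[0:5]),        # e.g. "Fri Mar 27 03:12:40 2009"
        "host": f[6],                    # remote address of the FTP client
        "path": f[8],
        "direction": f[11],              # i = upload, o = download, d = delete
        "user": f[13],
        "status": f[17],                 # c = complete, i = incomplete
    }


def uploads_from_unknown_hosts(lines, known_hosts):
    """Map each unrecognised host to the web files it uploaded."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_xferlog(line)
        if rec is None or rec["direction"] != "i":
            continue
        if rec["host"] in known_hosts:
            continue
        # Incomplete uploads are kept: a cut-off transfer can truncate a page.
        if rec["path"].lower().endswith(WEB_SUFFIXES):
            hits[rec["host"]].append(
                (rec["when"], rec["user"], rec["path"], rec["status"]))
    return dict(hits)


if __name__ == "__main__":
    # 198.51.100.7 stands in for the owner's own connection.
    report = uploads_from_unknown_hosts(SAMPLE_LOG.splitlines(), {"198.51.100.7"})
    for host, files in report.items():
        print(host)
        for when, user, path, status in files:
            print("   ", when, user, path, status)
```

An empty result while pages keep changing matches the case described above, where the changes are not arriving through the FTP account at all.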
 

Copperhead

I believe you are right about the cache on Firefox. Today the warning has been removed and our site is clear.

I have had the same thoughts about the server issue. Our host just moved us to a new server about a week prior to this problem. Our problem was linked to the Analytics code on our site, indirectly, and Analytics stopped collecting data. There was a long line of code that had been embedded in it which had to be removed. As you know, this was not done by Analytics, but by the malicious software that found analytics to piggyback on.
One of the main things we were really worried about was the conficker worm which we have gotten numerous reports about lately and what we are reading about. One of our friend's PC was infected with this and it was terrible. This new worm threat has everyone running rampant...another 4/1 execution date. Any advice on this potential problem?
 

wfosterphoto

Member
Joined
Feb 7, 2009
Messages
9
Reaction score
0
I've been a reader here for a long time, but never posted. I thought I would chime in on this issue.
It's likely your normal antivirus software isn't able to detect and destroy the trojan horse you have acquired. Try downloading Malwarebytes' Anti-Malware (do a Google search and download from Cnet). Run the program and destroy the virus, then change your FTP password. Don't change your password until you run this application.
I had a similar problem a while back in which someone installed a .htaccess file on my server that redirected any visitor from Google, Yahoo and other search engines to an external website. My hosting company recommended Malwarebytes' application and it found the problem.
Also, you might try browsing your server for a hijacked .htaccess file that automatically redirects site visitors to either a page within your site or a completely external site.
Best of luck,
Bill Foster
_____________________
Fresnel Marketing
www.fresnelmarketing.com
916.984.7063
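
The .htaccess check suggested above can be scripted. This is an added example, not code from the thread: it flags rules that send visitors to another host and notes when a rule is gated on a search-engine referer. The list of search engines, the site name `example-inn.test` and the sample file are assumptions made for illustration.

```python
# Added example (not from the thread): flag .htaccess rules that send
# visitors to another host, especially when gated on a search-engine referer.
import re
from urllib.parse import urlparse

# Referer patterns to treat as "search engine"; the list is an assumption.
SEARCH_ENGINES = re.compile(r"google|yahoo|bing|msn|aol|altavista", re.I)

# Constructed sample; example-inn.test stands in for the site's own name.
SAMPLE_HTACCESS = r"""# canonical-host redirect added by the site owner
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example-inn\.test$ [NC]
RewriteRule ^(.*)$ http://www.example-inn.test/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule .* http://redirect.example.invalid/in.php [R,L]
ErrorDocument 404 http://redirect.example.invalid/404.php
"""


def offsite_host(target, own_hosts):
    """Return the host a redirect target points at if it is not ours."""
    host = urlparse(target).hostname
    # Hosts starting with % are server variables such as %{HTTP_HOST}.
    if host and not host.startswith("%") and host not in own_hosts:
        return host
    return None


def audit_htaccess(text, own_hosts):
    """Return (line, directive, host, referer_gated) for off-site redirects."""
    findings = []
    referer_gated = False            # a search-engine RewriteCond is pending
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            if "http_referer" in parts[1].lower() and SEARCH_ENGINES.search(parts[2]):
                referer_gated = True
            continue
        target = None
        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
        elif directive in ("redirect", "redirectmatch", "errordocument") and len(parts) >= 3:
            target = parts[-1]
        if target:
            host = offsite_host(target, own_hosts)
            if host:
                gated = directive == "rewriterule" and referer_gated
                findings.append((no, parts[0], host, gated))
        if directive == "rewriterule":
            referer_gated = False    # conditions apply only to the next rule
    return findings


if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, {"www.example-inn.test"}):
        print(finding)
```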
 

Copperhead

Bill, thanks for posting and welcome to the forum (officially). Well I didn't have a virus on my (or DH's) PC and all seems to be working well now. The trojan that was connected to our site did not redirect them off the site or to other pages. What we found was that it had damaged our Google Analytics code and some of the 'techies' on some forums think it was trying to capture the info that Analytics collects to provide us the data. I really am not sure if that was the case or not but we have cleared that issue and are closely monitoring our site.
 

swirt

I don't think they were trying to capture analytics data. It simply replaced code near the bottom of your page to put in an iframe that referenced another site that was set up to infect computers. They weren't after your analytics data, they were after your visitors' computers.
I think the analytics code just got whacked in the crossfire.
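
The injected iframe described above can be searched for across a downloaded copy of the site. The script below is an added example, not code from this thread; the host names, the sample page and the "hidden iframe" heuristics are assumptions chosen for illustration.

```python
# Added example (not from the thread): find <iframe> tags that point off-site
# or are sized/styled to be invisible, the pattern described above.
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample page; host names are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>Welcome to the inn</h1>
<iframe src="/rooms/map.html" width="400" height="300"></iframe>
<script src="http://www.google-analytics.com/ga.js"></script>
<iframe src="http://injected.example.invalid/in.cgi" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""


class IframeAudit(HTMLParser):
    """Collects (line, src, reasons) for each iframe worth a second look."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = own_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = {k: (v or "") for k, v in attrs}
        src = attr.get("src", "")
        host = urlparse(src).hostname        # None for relative, same-site URLs
        reasons = []
        if host and host not in self.own_hosts:
            reasons.append("off-site host " + host)
        if {attr.get("width", "").strip(), attr.get("height", "").strip()} & {"0", "1"}:
            reasons.append("zero or one pixel in size")
        if HIDDEN_STYLE.search(attr.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((self.getpos()[0], src, reasons))


def audit_html(text, own_hosts):
    """Return the suspicious iframes found in one page's source."""
    parser = IframeAudit(own_hosts)
    parser.feed(text)
    parser.close()
    return parser.findings


def audit_tree(root, own_hosts, suffixes=(".html", ".htm", ".php")):
    """Run audit_html over every page under root; returns {path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = audit_html(path.read_text(errors="replace"), own_hosts)
            if found:
                report[str(path)] = found
    return report


if __name__ == "__main__":
    for line, src, reasons in audit_html(SAMPLE_PAGE, {"www.example-inn.test"}):
        print("line", line, src, "; ".join(reasons))
```

Because the thread reports the code reappearing on pages after cleanup, re-running `audit_tree` on a fresh download after each fix shows which pages were changed again.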
 

wfosterphoto

Copperhead said:
Bill, thanks for posting and welcome to the forum (officially). Well I didn't have a virus on my (or DH's) PC and all seems to be working well now. The trojan that was connected to our site did not redirect them off the site or to other pages. What we found was that it had damaged our Google Analytics code and some of the 'techies' on some forums think it was trying to capture the info that Analytics collects to provide us the data. I really am not sure if that was the case or not but we have cleared that issue and are closely monitoring our site.
Good news about the virus. The reason you should download and run Malwarebytes is there's a virus going around that captures your FTP login information and sends it back to the virus perpetrator. Then, since they have your FTP login, they simply place whatever files and code they want into your website without you knowing it until you notice a problem.
Right now, this is the easiest and most common way for these hackers to get into your server. My web hosting service advised me that Norton and the other virus scanners aren't picking up this particular trojan horse.
Bill
 

YellowSocks

wfosterphoto said:
It's likely your normal antivirus software isn't able to detect and destroy the trojan horse you have acquired. Try downloading Malwarebytes' Anti-Malware (do a Google search and download from Cnet). Run the program and destroy the virus, then change your FTP password. Don't change your password until you run this application.
:welcome:
I had to download that program a month or two ago when we had this virus that kept popping up and trying to force us to buy an antivirus program. It was incessant and highly annoying and infuriating.
=)
Kk.
 

Copperhead

Swirt, that is really what I meant, I just am really poor at getting this techie language across.
Thanks for explaining it!
 
