Solved

Has my website been infiltrated?

Posted on 2016-09-19
57 Views
Last Modified: 2016-09-20
I am browsing a site I have developed: www.fobgfc.org

The problem comes when refreshing the page. At the bottom I see "waiting for www.fobgfc.org..." as expected. Then "www.fobgfc.org" is replaced by "tractorsalesandparts.com". See attached jpg.

waiting for tractorsalesandparts.com
We have not had, nor want, any dealings with this site. Up till now I had never heard of it.

After not getting far with my shared host, I am turning to EE for an explanation of what is happening here.  Has my site been compromised?

Why is it waiting for a site that has nothing to do with mine?

Please do not try to reproduce, the issue is in the admin section that requires a user ID and password.

Thanks for reading.

  Col
Question by:colinspurs
21 Comments
 
LVL 11

Expert Comment

by:andreas
I can't see any connection attempt to that page when I call www.fobgfc.org. The only external reference I get is google-analytics.

See screenshot.

So I guess it's originating from your computer, or your provider is injecting things.

Check your PC for malware/adware. Check your router and PC network settings, especially DNS.
0
 
LVL 3

Author Comment

by:colinspurs
Hi Andreas, did you forget the screenshot?

My host tells me they have checked their server, all OK with that. I will run Malwarebytes on my PC.

How do I check DNS?

If I could get another user to try to replicate the issue that would rule out my own computer, wouldn't it?

Cheers
0
 
LVL 11

Expert Comment

by:andreas
Here is the screenshot.

Yes, if somebody else sees this, then either this user has the same malware as your PC, or it's originating from your provider or your server.

Browser Hijacking malware is quite common and frequently not detected by AV products.

Just log in to the router's web interface and check the settings for your internet connection. Verify they are as your provider suggests/documents them. Same for the PC: it should have your router as DNS server, or your provider's DNS server, or other well-known good DNS servers.

You can check with ipconfig -all in a windows command shell.
externals.png
1
 
LVL 3

Author Comment

by:colinspurs
The screenshot is from my ipconfig. Seems a lot of servers?!

dns.JPG
If all is OK with my PC and/or someone else can see the message, how serious is it? Does it happen all the time and people just get on with life?

Col
0
 
LVL 11

Expert Comment

by:andreas
Usually you only have 1 or 2 DNS servers in your Windows setup.

I STRONGLY suspect a malware/adware infection on your machine.
0
 
LVL 3

Author Comment

by:colinspurs
OK, I have another user on the case.

I am connected to my TV set top box, would that account for all the extra servers?

How would I detect the malware if Malwarebytes draws a blank?
0
 
LVL 11

Expert Comment

by:andreas
TV set top box? (Or just a normal cable modem for internet over TV cable?)

Please explain more about this: how is your internet access organised?
What kind of Set Top Box?
0
 
LVL 3

Author Comment

by:colinspurs
It's all to do with BT TV. I have a BT broadband connection with a BT hub/router.

I get my Freeview programs through an aerial into the box into the TV, but subscription channels come through my broadband connection, and this is sent to the TV from my router to the set top box via a powerline connection.

At least that's how I understand it to work!
0
 
LVL 3

Author Comment

by:colinspurs
My other user has confirmed he sees it as well.
0
 
LVL 11

Expert Comment

by:andreas
Same provider? Maybe related to the browser.
0
 
LVL 11

Accepted Solution

by:andreas (earned 500 total points)
Try with Firefox or Google Chrome. There you also have development tools where you can see all the network traffic the page load will cause. It's also where I got the screenshot from.

The dev tools can be activated via F12; after that, reload the page and see what's happening. Don't forget to turn off all extensions like adblock, flashblock or noscript to get valid results.
1
 
LVL 3

Author Comment

by:colinspurs
I am using Chrome.

I have just tried Firefox and also get the message...

Firefox message
With Edge I do not get any messages at all.

I can fix the script, I was afraid if I did that I would not be able to see/capture the tractors message.
0
 
LVL 11

Expert Comment

by:andreas
Try to run both browsers without any extension active. Maybe an extension is causing this.
0
 
LVL 3

Author Comment

by:colinspurs
OK, thanks to your advice I think I am getting close.

This is from F12/network (something I did not know about).

Network link
Now, it is possible that a user has included a link to this site when they wanted to paste an image from there. Is my site connecting to that site to fetch the image? Instead my user should have saved the image, and uploaded the image to my site, copyright permitting, of course.

Is my summation correct?
0
 
LVL 11

Expert Comment

by:andreas
When I call your start page it is not trying to fetch this image.
Is it on a subpage?

It's not your server fetching the image from that page, it's every user's browser doing this. Your server/page is just providing the URL to the image in the HTML code of the website.
0
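To find the kind of embed discussed above before visitors' browsers do, a site owner can scan the HTML a page (or a stored news item) emits for resources whose host is not the site's own. This is an added example, not code from the thread or the site; the sample HTML and the hostnames in it are constructed.

```python
"""Added example (not from the thread): list page resources that visitors'
browsers fetch from hosts other than the site's own. Sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose values make the browser fetch something on page load.
RESOURCE_ATTRS = {"img": ("src", "srcset"), "script": ("src",),
                  "link": ("href",), "iframe": ("src",)}


class ExternalResourceFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.found = []  # (tag, url) pairs pointing at third-party hosts

    def handle_starttag(self, tag, attrs):
        for name in RESOURCE_ATTRS.get(tag, ()):
            for key, value in attrs:
                if key != name or not value:
                    continue
                # srcset holds comma-separated "url descriptor" candidates.
                urls = [c.split()[0] for c in value.split(",") if c.strip()] if name == "srcset" else [value]
                for url in urls:
                    host = urlparse(url).hostname  # None for relative paths
                    if host and host.lower() != self.own_host:
                        self.found.append((tag, url))


def find_external_resources(html, own_host):
    """Return [(tag, url), ...] for every third-party resource in the HTML."""
    parser = ExternalResourceFinder(own_host)
    parser.feed(html)
    return parser.found


# Constructed sample: one news item (hidden by a "not shown" flag, but still
# in the HTML) embeds a picture by linking to another site instead of an upload.
SAMPLE_HTML = """
<div class="news" style="display:none">
  <img src="http://third-party.example/photos/tractor.jpg" alt="tractor">
</div>
<div class="news">
  <img src="/uploads/pitch.jpg" alt="pitch">
  <img src="https://www.club.example/uploads/badge.png" alt="badge">
</div>
"""

if __name__ == "__main__":
    for tag, url in find_external_resources(SAMPLE_HTML, "www.club.example"):
        print(f"<{tag}> loads from a third party: {url}")
```

Hidden items are reported too, because the browser still fetches them; the "waiting for ..." status in the thread comes from exactly such a request.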
 
LVL 3

Author Comment

by:colinspurs
Yes it is a subpage controlled by admin rights.

This is making more sense now, as we did have a news item about tractors, which one of my users would have posted.

I have an option to toggle whether the item is shown; typically, rather than delete an item, this is set to Not Show. So one lesson is to delete old items rather than set a flag.

I think the next thing is to fix the script so that the page runs properly, and then have a look at the news item in question.
0
 
LVL 11

Expert Comment

by:andreas
Also, don't forget to investigate your PC for malware. It might still be an issue, even if it's not the reason for the behaviour of the webpage.
1
 
LVL 3

Author Comment

by:colinspurs
Yes, M'bytes drew a blank.

It will take me a while to sort the script, I'll post back later.

Thanks.
0
 
LVL 11

Expert Comment

by:andreas
Okay then, assuming the strange DNS servers are provider specific or caused by some software you might have installed.
0
 
LVL 3

Author Comment

by:colinspurs
A user had set a source of an image to the URL of a picture on this website, rather than a jpg file.
0
 
LVL 3

Author Closing Comment

by:colinspurs
Thanks for your help.
0