Colin Brazier
asked on
Has my website been infiltrated?
I am browsing a site I have developed: www.fobgfc.org
The problem comes when refreshing the page. At the bottom I see "waiting for www.fobgfc.org..." as expected. Then "www.fobgfc.org" is replaced by "tractorsalesandparts.com". See attached jpg.
We have not had, nor do we want, any dealings with this site. Until now I had never heard of it.
After not getting far with my shared host, I am turning to EE for an explanation of what is happening here. Has my site been compromised?
Why is it waiting for a site that has nothing to do with mine?
Please do not try to reproduce, the issue is in the admin section that requires a user ID and password.
Thanks for reading.
Col
ASKER
Hi Andreas, did you forget the screenshot?
My host tells me they have checked their server, all OK with that. I will run Malwarebytes on my PC.
How do I check DNS?
If I could get another user to try to replicate the issue, that would rule out my own computer, wouldn't it?
Cheers
Here is the screenshot.
Yes, if somebody else sees this, then either this user has the same malware as your PC, or it's originating from your provider or your server.
Browser hijacking malware is quite common and frequently not detected by AV products.
Just log in to the router's web interface and check the settings for your internet connection. Verify they are as your provider suggests/documents them. Same for the PC: it should have your router as DNS server, or your provider's DNS server, or other well-known good DNS servers.
You can check with ipconfig -all in a Windows command shell.
externals.png
ASKER
Usually you only have 1 or 2 DNS servers in your Windows setup.
I STRONGLY suspect a malware/adware infection on your machine.
ASKER
OK, I have another user on the case.
I am connected to my TV set top box, would that account for all the extra servers?
How would I detect the malware if Malwarebytes draws a blank?
TV set top box? (Or just a normal cable modem for internet over TV cable?)
Please explain more about this: how is your internet access organized?
What kind of set top box?
ASKER
It's all to do with BT TV. I have a BT broadband connection with a BT hub/router.
I get my Freeview programs through an aerial into the box into the TV, but subscription channels come through my broadband connection, and this is sent to the TV from my router to the set top box via a powerline connection.
At least that's how I understand it to work!
ASKER
My other user has confirmed he sees it as well.
Same provider? Maybe it's related to the browser.
ASKER CERTIFIED SOLUTION
ASKER
Try to run both browsers without any extension active. Maybe an extension is causing this.
ASKER
OK, thanks to your advice I think I am getting close.
This is from F12/network (something I did not know about).
Now, it is possible that a user has included a link to this site when they wanted to paste an image from there. Is my site connecting to that site to fetch the image? Instead my user should have saved the image and uploaded it to my site, copyright permitting, of course.
Is my summation correct?
When I call your start page it is not trying to fetch this image.
Is it on a subpage?
It's not your server fetching the image from that page, it's every user's browser doing this. Your server/page is just providing the URL to the image in the HTML code of the website.
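The point above (the visitor's browser, not the server, fetches every URL the stored HTML names) can be checked for across stored content before it is rendered. As an added example that is not code from this thread or from the site in question, a small Python scanner that lists every resource URL in a piece of submitted HTML whose host is not one of the site's own; the sample news item and the cdn.example.net host are constructed.

```python
"""Audit user-submitted HTML for third-party resource references (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes the browser follows automatically when the page renders,
# i.e. the ones that make every visitor connect to whatever host they name.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}

class ExternalResourceFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (tag, attribute, host, url)

    def handle_starttag(self, tag, attrs):
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = dict(attrs).get(attr)
            if not value:
                continue
            # srcset holds comma-separated "url descriptor" candidates
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if attr == "srcset" else [value])
            for url in urls:
                host = urlsplit(url).hostname  # None for relative URLs; works for //host/...
                if host and host.lower() not in self.own_hosts:
                    self.findings.append((tag, attr, host.lower(), url))

def find_external_resources(html, own_hosts):
    """Return (tag, attr, host, url) for each reference to a host not in own_hosts."""
    finder = ExternalResourceFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample resembling the stored news item described in the thread.
SAMPLE_NEWS_ITEM = """
<h3>Tractor day</h3>
<p><img src="/images/club.jpg" alt="ours"> a local image is fine.</p>
<p><img src="http://tractorsalesandparts.com/some-page.html"> hotlinked, and not even a jpg.</p>
<img src="//www.fobgfc.org/images/x.png">
<script src="https://cdn.example.net/lib.js"></script>
"""

if __name__ == "__main__":
    for tag, attr, host, url in find_external_resources(SAMPLE_NEWS_ITEM, ["www.fobgfc.org", "fobgfc.org"]):
        print(f"{tag}[{attr}] -> {host}: {url}")
```

Running this over stored items before they are published, or serving a Content-Security-Policy whose `img-src` is limited to the site's own origin, stops one pasted URL from sending every visitor's browser to a third party.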
ASKER
Yes it is a subpage controlled by admin rights.
This is making more sense now, as we did have a news item about tractors, which one of my users would have posted.
I have an option to toggle whether the item is shown; typically, rather than delete an item, this is set to Not Show. So one lesson is to delete old items rather than set a flag.
I think the next thing is to fix the script so that the page runs properly, and then have a look at the news item in question.
Also don't forget to investigate your PC for malware. It might still be an issue, even if it's not the reason for the behaviour of the webpage.
ASKER
Yes, M'bytes drew a blank.
It will take me a while to sort the script, I'll post back later.
Thanks.
Okay then, assuming the strange DNS servers are provider specific or caused by some software you might have installed.
ASKER
A user had set a source of an image to the URL of a picture on this website, rather than a jpg file.
ASKER
Thanks for your help.
See screenshot.
So I guess it's originating from your computer, or your provider is injecting things.
Check your PC for malware/adware. Check your router and PC network settings, especially DNS.