• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 122

Has my website been infiltrated?

I am browsing a site I have developed.  www.fobgfc.org

The problem comes when refreshing the page. At the bottom I see "waiting for www.fobgfc.org..." as expected. Then "www.fobgfc.org" is replaced by "tractorsalesandparts.com". See attached jpg.

[attached jpg: "waiting for tractorsalesandparts.com"]

We have not had, nor want, any dealings with this site. Up till this I had never heard of it.

After not getting far with my shared host, I am turning to EE for an explanation of what is happening here.  Has my site been compromised?

Why is it waiting for a site that has nothing to do with mine?

Please do not try to reproduce, the issue is in the admin section that requires a user ID and password.

Thanks for reading.

  Col
Asked: colinspurs

1 Solution
 
andreas (System Admin) commented:
I can't see any connection attempt to that page when I call www.fobgfc.org. The only external reference I get is google-analytics.

See screenshot.

So I guess it's originating from your computer, or your provider is injecting things.

Check your PC for malware/adware. Check your router and PC network settings, especially DNS.
0
 
colinspurs (Author) commented:
Hi Andreas, did you forget the screenshot?

My host tells me they have checked their server, all OK with that.  I will run Malwarebytes on my PC.

How do I check DNS?

If I could get another user to try to replicate the issue that would rule out my own computer, wouldn't it?

Cheers
0
 
andreas (System Admin) commented:
Here is the screenshot.

Yes, if somebody else sees this, then either this user has the same malware as your PC, or it's originating from the provider or your server.

Browser-hijacking malware is quite common and frequently not detected by AV products.

Just log in to the router's web interface and check the settings for your internet connection. Verify they are as your provider suggests/documents them. Same for the PC: it should have your router as DNS server, or your provider's DNS server, or other well-known good DNS servers.

You can check with ipconfig -all in a Windows command shell.

[attached image: externals.png]
1
 
colinspurs (Author) commented:
The screenshot is from my ipconfig. Seems a lot of servers?!

[attached image: dns.JPG]

If all is OK with my PC and/or someone else can see the message, how serious is it?   Does it happen all the time and people just get on with life?

Col
0
 
andreas (System Admin) commented:
Usually you only have 1 or 2 DNS servers in your Windows setup.

I STRONGLY suspect a malware/adware infection on your machine.
0
 
colinspurs (Author) commented:
OK, I have another user on the case.

I am connected to my TV set top box, would that account for all the extra servers?

How would I detect the malware if Malwarebytes draws a blank?
0
 
andreas (System Admin) commented:
TV set top box? (Or just a normal cable modem for internet over TV cable?)

Please explain more about this: how is your internet access organized?
What kind of set top box?
0
 
colinspurs (Author) commented:
It's all to do with BT TV. I have a BT broadband connection with a BT hub/router.

I get my Freeview programs through an aerial into the box into the TV, but subscription channels come through my broadband connection, and this is sent to the TV from my router to the set top box via a powerline connection.

At least that's how I understand it to work!
0
 
colinspurs (Author) commented:
My other user has confirmed he sees it as well.
0
 
andreas (System Admin) commented:
Same provider? Maybe related to the browser.
0
 
andreas (System Admin) commented:
Try with Firefox or Google Chrome. There you also have development tools where you can see all the network traffic the page load will cause. It's also where I got the screenshot from.

The dev tools can be activated via F12; after that, reload the page and see what's happening. Don't forget to turn off all extensions like AdBlock, FlashBlock or NoScript to get valid results.
1
 
colinspurs (Author) commented:
I am using Chrome.

I have just tried Firefox and also get the message...

[attached image: Firefox message]
With Edge I do  not get any messages at all.

I can fix the script, I was afraid if I did that I would not be able to see/capture the tractors message.
0
 
andreas (System Admin) commented:
Try to run both browsers without any extension active. Maybe an extension is causing this.
0
 
colinspurs (Author) commented:
OK, thanks to your advice I think I am getting close.

This is from F12/Network (something I did not know about).

[attached image: Network link]
Now, it is possible that a user has included a link to this site when they wanted to paste an image from there.  Is my site connecting to that site to fetch the image?  Instead my user should have saved the image, and uploaded the image to my site, copyright permitting, of course.

Is my summation correct?
0
 
andreas (System Admin) commented:
When I call your start page it is not trying to fetch this image.
Is it on a subpage?

It's not your server fetching the image from that page, it's every user's browser doing this. Your server/page is just providing the URL to the image in the HTML code of the website.
0
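A defender-side check for the situation described in this thread, added here as an example (it is not code from the thread, from the site or from any of the participants): it walks stored page markup and flags every resource a visitor's browser would fetch from a host other than the site's own, hidden items included, since a "do not show" flag only helps if the markup really stays out of the served page. The news items and the third-party hostname are constructed placeholders.

```python
"""Flag resources in stored markup that a visitor's browser would fetch from a foreign host."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.fobgfc.org"  # host the site's own assets should come from

# Tag attributes whose URL the browser fetches automatically on page load.
FETCH_ATTRS = {"img": ("src", "srcset"), "script": ("src",),
               "iframe": ("src",), "link": ("href",)}

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset is a comma-separated list of "url descriptor" pairs.
            parts = value.split(",") if name == "srcset" else [value]
            self.urls += [(tag, name, p.split()[0]) for p in parts if p.strip()]

def external_resources(html, site_host=SITE_HOST):
    """Return (tag, attr, url, host) per foreign-host URL; relative and data: URLs have no host."""
    collector = ResourceCollector()
    collector.feed(html)
    return [(tag, attr, url, host) for tag, attr, url in collector.urls
            for host in [urlparse(url).hostname]
            if host and host != site_host.lower()]

def audit_items(items, site_host=SITE_HOST):
    """Audit every stored item, hidden ones too: a 'do not show' flag only
    helps if the template really leaves the markup out of the served page."""
    report = {}
    for item in items:
        found = external_resources(item["html"], site_host)
        if found:
            report[item["id"]] = found
    return report

# Constructed sample news items; the foreign host is a placeholder, not a real site.
NEWS_ITEMS = [
    {"id": 41, "shown": True, "html": '<p>Match report</p><img src="/images/pitch.jpg">'},
    {"id": 42, "shown": False, "html": '<p>Tractor run</p><img src="http://third-party.example/photos/tractor.jpg">'},
    {"id": 43, "shown": True, "html": '<script src="https://www.google-analytics.com/analytics.js"></script>'},
]
```

Running `audit_items(NEWS_ITEMS)` reports items 42 and 43 but not 41, and item 42 is caught even though it is flagged as not shown.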
 
colinspurs (Author) commented:
Yes it is a subpage controlled by admin rights.

This is making more sense now, as we did have a news item about tractors, which one of my users would have posted.

I have an option to toggle whether the item is shown, typically rather than delete an item this is set to Not Show.  So one lesson is to delete old items rather than set a flag.

I think the next thing is to fix the script so that the page runs properly, and then have a look at the news item in question.
0
 
andreas (System Admin) commented:
Also don't forget to investigate your PC for malware. It might still be an issue, even if it's not the reason for the behaviour of the webpage.
1
 
colinspurs (Author) commented:
Yes, M'bytes drew a blank.

It will take me a while to sort the script, I'll post back later.

Thanks.
0
 
andreas (System Admin) commented:
Okay then, assuming the strange DNS servers are provider-specific or caused by software you might have installed.
0
 
colinspurs (Author) commented:
A user had set a source of an image to the URL of a picture on this website, rather than a jpg file.
0
 
colinspurs (Author) commented:
Thanks for your help.
0
Question has a verified solution.