
My website is trying to download Bloodhound.Exploit.213 to everyone who reaches it...


debrawinters
Junior Member with 4 posts.
THREAD STARTER
 
Join Date: May 2009
22-May-2009, 04:24 PM #1
My website is trying to download Bloodhound.Exploit.213 to everyone who reaches it...
Our Little League website hosted at lunarpages.com is trying to download Bloodhound.Exploit.213 on everyone's system! Google has tagged it as malware as well. Where do I find this darn thing???

The website is hxxp://monarchlittleleage.org

Thanks!

Debra

Last edited by Cookiegal; 22-May-2009 at 04:56 PM.
Cookiegal
Administrator & Malware Removal Specialist with 97,485 posts.
 
Join Date: Aug 2003
22-May-2009, 04:59 PM #2
This is happening a lot lately via iframe, pdf or flash exploits. You need to have the web pages checked and cleaned of embedded malicious code.
TOGG
Member with 5,652 posts.
 
Join Date: Apr 2002
Location: Birmingham, England
22-May-2009, 05:26 PM #3
Two points to consider:

1. Is 'monarchlittleleage' a spelling error for 'monarchlittleleagues.com'? The latter appears to be a legitimate site that produces no response from my security programs. In any event, it would be a good idea to edit the link out of your post.

2. Have a look at this thread: http://forums.techguy.org/general-se...s-my-site.html If your site, however it's spelt, is loading malware, it's probably the hosting company's servers that are infected.
debrawinters
Junior Member with 4 posts.
THREAD STARTER
 
Join Date: May 2009
22-May-2009, 05:43 PM #4
More...
OK, after surfing the web, I found where to look: go to hxxp://monarchlittleague.org and do a View on the Page Source. Scroll down to the bottom and you'll find that BELOW </body> and </html> is a lengthy line running a script. I'm positive that's the issue.

I need to remove that, but I don't know how to do it via Joomla! The League's website is hosted on lunarpages.com and joomla.org is the administrator.

I'm an old-time webmaster that hacks HTML by hand. These CMS's drive me nuts. Any clue how to remove that line???

Last edited by Cookiegal; 22-May-2009 at 05:53 PM.
dvk01 (Derek)
Moderator & Malware Removal Specialist with 45,624 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
22-May-2009, 05:53 PM #5
That site has multiple malicious scripts from Chinese sites, including infected exploits downloading PDF & Flash malware.

Take it offline immediately & get your host to plug the security hole in Joomla that has allowed them to do this.
dvk01 (Derek)
Moderator & Malware Removal Specialist with 45,624 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
22-May-2009, 06:00 PM #6
Quote:
Originally Posted by debrawinters
OK, after surfing the web, I found where to look: go to hxxp://monarchlittleague.org and do a View on the Page Source. Scroll down to the bottom and you'll find that BELOW </body> and </html> is a lengthy line running a script. I'm positive that's the issue.

I need to remove that, but I don't know how to do it via Joomla! The League's website is hosted on lunarpages.com and joomla.org is the administrator.

I'm an old-time webmaster that hacks HTML by hand. These CMS's drive me nuts. Any clue how to remove that line???

There is a lot more than that line infected.

There are 7 or 8 scripts on the page, all infected.

Contact your host & take it offline immediately:
http://www.lunarpages.com/support/
debrawinters
Junior Member with 4 posts.
THREAD STARTER
 
Join Date: May 2009
22-May-2009, 07:05 PM #7
Quote:
Originally Posted by dvk01
That site has multiple malicious scripts from Chinese sites, including infected exploits downloading PDF & Flash malware.

Take it offline immediately & get your host to plug the security hole in Joomla that has allowed them to do this.
OMG I just bought my kids a Hedge Hog.

Anyway, I figured this out:
The CMS is Joomla -- someone from Joomla hacked into the site and changed some admin and other important files to 777 permissions. This enabled someone to install and execute the script from our site.

Changed the perms, password and all is well again. Thanks to all who replied.
debrawinters
Junior Member with 4 posts.
THREAD STARTER
 
Join Date: May 2009
22-May-2009, 07:24 PM #8
OK after working with lunarpages.com, I think we patched the holes. If anyone has the time to have another look, that would be great.

I'm GLAD I found this forum!!!! This, by far, is the best forum I've found. Wish I'd known about this long ago.
dvk01 (Derek)
Moderator & Malware Removal Specialist with 45,624 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
23-May-2009, 08:13 AM #9
It is still infected this morning.

You are not alone, but you MUST get it taken offline until it is cleaned up.

You are infecting everybody who visits your site.
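
A way to re-check a site for the two symptoms described in this thread (script tags placed after the closing </html>, and files left with 777 permissions), added here as an example and not posted by any participant. The host name www.example.org, the sample page and the function names are assumptions.

```python
import os
import stat
from html.parser import HTMLParser
from urllib.parse import urlparse

class TagCollector(HTMLParser):
    """Record every <script>/<iframe> and whether it follows </html>."""
    def __init__(self):
        super().__init__()
        self.closed = False   # True once </html> has been parsed
        self.found = []       # (tag, src, seen_after_close)
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.found.append((tag, dict(attrs).get("src"), self.closed))
    def handle_endtag(self, tag):
        if tag == "html":
            self.closed = True

def audit_page(html, own_hosts):
    """Return (reason, tag, src) for tags a site owner should review."""
    parser = TagCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, src, after_close in parser.found:
        host = urlparse(src).hostname if src else None
        if after_close:                       # nothing belongs after </html>
            findings.append(("after-</html>", tag, src))
        elif host and host not in own_hosts:  # content pulled from elsewhere
            findings.append(("external-src", tag, src))
    return findings

def world_writable(root):
    """List files/dirs under root that any local user may modify (e.g. 777)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                hits.append((path, oct(stat.S_IMODE(mode))))
    return sorted(hits)

# Constructed sample page: one local script, one off-site iframe,
# and an inline script appended after the closing tags.
SAMPLE = ('<html><head><script src="/media/menu.js"></script></head><body>'
          '<iframe src="http://stats.example.invalid/c.html" width="0"></iframe>'
          '</body></html><script>var x = "constructed placeholder";</script>')

if __name__ == "__main__":
    for finding in audit_page(SAMPLE, {"www.example.org"}):
        print(finding)
```

Run audit_page on every template and generated page, not only the home page, and run world_writable on the web root after permissions have been reset; an empty result from both is the minimum before putting the site back online.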