
FakeAV


3 replies to this topic

#1 mountain goat


Posted 15 May 2010 - 10:14 AM

Hi there,

I run a small outdoor gear company and my websites are mountaingoathanover.com and mountaingoatnorthampton.com.

Just recently I was informed by a customer that Norton blocks our sites from Google searches, saying the sites are harmful and attacks are being blocked!

Upon further investigation through Norton message boards, a moderator informed me that my sites are infected with FakeAV.

I could really use some help figuring out a fix for this, how to get it removed, and how to ensure it doesn't happen again! I don't want customers thinking we're untrustworthy!

Also, not sure if this post is in the right place.. Let me know if it needs to be moved!

Thanks so much,
Dylan

EDIT: Link to deceptive website deactivated to prevent anyone from inadvertently getting infected. Please do not visit that site without adequate protection. ~ Animal

Edited by Animal, 16 May 2010 - 02:35 PM.




#2 Orange Blossom


Posted 16 May 2010 - 02:43 PM

Hello,

I have consulted with my colleagues here, and in a situation like this, your best bet is to contact your web-provider or web-host and inform them of the compromised websites. They are the ones best able to assist you.

I had no problems when I went to those sites, but I have pretty tight security on my system. Those with less protection could very well be affected by malicious content added by 3rd parties at this time.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 cryptodan


Posted 16 May 2010 - 03:20 PM

The links are infected at the very top. Contact the host, and let them know. It is a SQL Injection attack that prompts the user to scan for malicious files, then prompts you to download a setup.exe. Please contact them ASAP. If you want to know the links that the site is being redirected to, PM me. I will provide them, so you can provide them to the hosting company.

#4 Grinler

Grinler

    Lawrence Abrams



Posted 16 May 2010 - 08:24 PM

I just took a look at your site. It appears any page other than the index will redirect to a fake online scanner which will attempt to install a rogue antivirus program on the visitor's computer.

As any page, including one I made up like asdjhalfjkhsdaf.html, presents this page, it leads me to believe that your .htaccess in your / folder was hacked.

You can probably fix that by removing the redirects from that file. If you wish me to look at the file you can post it here or send it via pm.

You may also want to contact your provider and let them know in case the hacker accessed your site through a vulnerability they would need to patch. You are also using WordPress 2.9.1. I am not sure if there are any security holes in that version as I can't find the WordPress release notes, but there is a newer version available that you should probably upgrade to.
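
One way to run the .htaccess check suggested in post #4, as an added example that is not part of the original thread or any poster's code: it lists every redirect-capable Apache directive whose absolute http(s) target is on a host you do not own, together with the RewriteCond lines gating it. The function names, the `shop.example.com` and `scanner.example.net` hosts, and the sample file are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache directives that can send a visitor to another URL.
REDIRECTING = {"rewriterule", "redirect", "redirectmatch",
               "redirectpermanent", "redirecttemp", "errordocument"}
URL_RE = re.compile(r'''https?://[^\s"']+''', re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_no, line): continuations joined, comments and blanks skipped."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line and not line.startswith("#"):
            yield start, line
        start = None

def audit_htaccess(text, own_hosts):
    """List redirect-capable directives whose absolute target is outside own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings, conds = [], []
    for no, line in logical_lines(text):
        directive = line.split(None, 1)[0].lower()
        if directive == "rewritecond":
            conds.append(line)      # RewriteCond lines gate the next RewriteRule
        elif directive in REDIRECTING:
            for url in URL_RE.findall(line):
                host = (urlsplit(url).hostname or "").lower()
                if host and host not in own and not any(host.endswith("." + o) for o in own):
                    findings.append({"line": no, "directive": directive,
                                     "host": host, "conditions": list(conds)})
        if directive == "rewriterule":
            conds = []              # conditions never carry past their rule
    return findings

# Constructed sample: a stock WordPress block followed by unexpected external redirects.
SAMPLE = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{REQUEST_URI} !^/(index\.php)?$
RewriteRule ^(.*)$ http://scanner.example.net/scan.php \
    [R=302,L]
ErrorDocument 404 http://scanner.example.net/404.php
Redirect 301 /old-shop http://www.shop.example.com/shop
"""

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE, ["shop.example.com"]):
        print(finding)
```

Run it over the .htaccess in the web root and in every subdirectory, since Apache applies each directory's file to requests beneath it; a clean result does not rule out redirects injected elsewhere, such as in PHP files or the database.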



