Frontpage - Hidden Spam Virus?

[Brummie Broad]

Hope someone can help. Every time I open Frontpage it comes up with spam links and I have to manually delete them, otherwise they get sent out with my 'feeds'. Another website I update less often had the same problem and it deleted the HTML from most of the pages!

I think it has a hidden spam virus. I've gone through the HTML (like pulling teeth) and found these two lines which look a bit suspect:

<font style="position:absolute;overflow:hidden;height:0;width:0"><a href="

and

<!--[if gte mso 9]>
<xml><o:shapedefaults v:ext="edit" spidmax="1027"/>
</xml><![endif]-->

I delete them, but the last one (spidmax) is greyed and keeps returning. I don't know what else to try.

I'd be REALLY grateful for any advice because the thought of it deleting the entire website (like it did the other one) is seriously keeping me awake at nights. If you need to view the 'source code', the website is www.brummieblogs.com.

Debbie

 

[Ian]

That "<font style="position:absolute;overflow:hidden;height:0;width:0">" part doesn't look right as it is making some text invisible which I can't see why you'd want. I can't see that code on the page though.

I don't think that the last bit of code you pasted is anything to worry about though - it's just MS Office markup junk.

Can you post a screenshot of what happens in frontpage so I can see what you mean please?

 

[Brummie Broad]

That "" part doesn't look right as it is making some text invisible which I can't see why you'd want. I can't see that code on the page though.

I don't think that the last bit of code you pasted is anything to worry about though - it's just MS Office markup junk.

Can you post a screenshot of what happens in frontpage so I can see what you mean please?

Wow, that was quick, thanks very much. I've only just deleted the spam links and they don't show up now. I'll get a screen pic when it does it again and post it. Thanks again for taking the time - impressed!

 

[Brummie Broad]

Virus screenshots - Frontpage

Hello, sorry, I had a load of work come in so I've been busy. I've taken some screenshots of the problem, which keeps reoccurring and, if left, just seem to get worse (more and more spam links). Really hope you can help 'cos I want to get rid of the bugger!

Or if this doesn't work (told you I was rubbish at this stuff) the link is here: http://www.brummieblogs.com/screenshots.htm

 

[Brummie Broad]

Oooh, sorry if I made the postings go funny - shall I take up knitting instead or something?

 

[Ian]

Oh dear now that does look serious! Can you explain the process you use to edit the website, as I'd assume that the code is being injected on the server side and then you are just viewing it (rather than creating it at your end).

Are you manually creating all of the pages in HTML and then uploading them, or are you using any server side scripts?

 

[Brummie Broad]

Hi Ian - Oh gosh, you think its serious?! Now I'm really nervous. I use Frontpage to edit the site, then save/upload it. I'm assuming I don't use server side scripts because I don't know what they are. If I delete all the links in HTML, they're gone for a couple of days, then come back again. If I don't update the website for a few days, there's more links.

Should mention that this problem occurred when I was holidaying in America (and yes, updated the website from there). Searched internet but can't find anything relating to this problem apart from this: http://www.heise-online.co.uk/secur...-among-outdated-WordPress-blogs--/news/110512 (which doesn't related to Frontpage).

Hope you can help!

 

[Brummie Broad]

Incidentally, the links don't show up on the actual web page when viewed on a browser.

 

[Ian]

If they don't appear for a couple of days it sounds like your host could be compromised, as it could be someone going in manually and adding them if they have your FTP data for some reason.

I'd change your FTP login details with your host ASAP and then contact them to let them know it looks like it is being modified server-side without your knowledge. They should have logs which would show how someone could be getting access to your site data.

 

[Brummie Broad]

To be honest, I regularly check my computers for any virus/malware etc. (I use them for work so if they go down I basically starve to death), but they're clean, my security is pretty tight, so I was surprised anything got through at all.

REALLY appreciate your advice. I've changed my login password (is that enough or should I change the username details too?) and sent a detailed email to the host server, will let you know what they say.

If this problem gets solved (because its driving me mad) I'll send you some chocolate from the factory down the road from me - Cadburys

 

[Brummie Broad]

Well they responded quite quickly, considering its Sunday, but it sounds a bit generic:

"We apologize for any inconvenience caused. We are sorry but we do not provide such logs of any account. The majority of the "hacks" are because of using cheap php driven pages and/or frontpage. In order to prevent such issue we suggest you to download your whole website to your local PC and re-upload them scanning thoroughly. As a safe guard you need to make sure you have the most up to date version of the software you are using as many packages get patched for security.
Also please change the FTP password as soon as possible and we strongly recommend to change all passwords such as FTP, control panel, registered email ID, phpmyadmin. Password needs to be combination of alphanumeric + special characters, and should necessarily exceed more that eight characters."

Now at the risk of looking like a Complete Idiot, how do I download a whole website that I've been using for five years and which contains hundreds of pages and pictures, check them all and upload each one of them again? Or is there a shortcut I'm not aware of (not having done it before)? Otherwise its going to take me FOREVER!

 

[Ian]

You should be able to download them all by highlighting the root directory in your FTP application (not frontpage) and downloading to your PC... however if you aren't using any CGI or PHP scripts then I don't see how they could edit the pages.

It might be worth seeing if changing the password has done the trick in a few days time, but if it does happen again when you check the page could you post the HTML of the file to a post here and I'll have a manual read though

 

[Brummie Broad]

You're a star! Will download and check all the files. Having changed the password, the spam links haven't yet returned - keeping my fingers crossed it's done the trick.

Hugely appreciated

 

[Brummie Broad]

Well its been four days now since I changed the password for my website, and it seems to have solved the problem with the spam links! Yippeeeeee! Hope it stays away, nasty little thing. I also downloaded all the web pages and ran a scan on them on my computer, but nothing was found.

During a few sleepless nights when I thought I might lose my entire website, a couple of ideas occurred to me. Because my web pages are based on the same template, and because I know the problem occurred in September, I went to the ‘problem’ website page and copied the source code (right click and View Source) into a Word document and saved it. Then I did the same with a website page that definitely doesn’t have the problem and copied and pasted that source code into a separate word document. Then I did a comparison of both documents (Tools/Compare) to see if there are any changes that might indicate a HTML bug. I didn’t find anything, but obviously will try this again if the spam virus returns. Just thought this might be able to help someone else ‘weed’ out a problem in HTML.

Secondly, also looking at the website page with the ‘problem’, I looked to see if the spam links were there in the source code before I opened up Frontpage/software. I figured if its not on the website but is in Frontpage, the software is the problem. If its there on the website before you open up Frontpage, then the problem lies elsewhere. Obviously, haven’t been able to do this because the spam links haven’t come back (phew!).

Dunno if this helps anyone, but that's my twopenneth worth.

Again, thanks for all your help

 

[Ian]

Glad it seems to have worked