TheBigPaybak
  • Threads: 14
  • Posts: 437
Joined: May 14, 2012
March 29th, 2013 at 2:43:33 PM permalink
So I was reading the forum, and then upon clicking the "previous" link on a thread, got this:


To be clear, I got it when clicking on the "7" from this page:
https://wizardofvegas.com/forum/off-topic/general/11095-land-based-casino-directory-website-project/8/#post230670

I then escaped out of everything. If an administrator can check into this, that would be good- thanks
Lack of prior planning on your part doesn't constitute an emergency on my part.
JB
Administrator
  • Threads: 334
  • Posts: 2089
Joined: Oct 14, 2009
March 29th, 2013 at 3:25:58 PM permalink
It seems to imply that DJTeddyBear's website is the culprit. I doubt his website is distributing malware and wouldn't take the warning seriously.
paigower
  • Threads: 2
  • Posts: 28
Joined: Jan 4, 2012
March 29th, 2013 at 4:12:44 PM permalink
his site is responding with a http 406 "not acceptable" to all requests:
either his site or his web hosting provider got compromised.

curl -vvv http://djteddybear.com/
* About to connect() to djteddybear.com port 80 (#0)
* Trying 74.124.194.111... connected
* Connected to djteddybear.com (74.124.194.111) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Host: djteddybear.com
> Accept: */*
>
< HTTP/1.1 406 Not Acceptable
< Date: Fri, 29 Mar 2013 23:10:43 GMT
< Server: Apache
< Content-Length: 323
< Content-Type: text/html; charset=iso-8859-1
<
* Connection #0 to host djteddybear.com left intact
* Closing connection #0
<html><head><title>Error 406 - Not Acceptable</title><head><body><h1>Error 406 - Not Acceptable</h1><p>An error has occurred. Generally a 406 error is caused because a request has been blocked by Mod Security. If you believe that your request has been blocked by mistake please contact the web site owner.</p></body></html>
JB
Administrator
  • Threads: 334
  • Posts: 2089
Joined: Oct 14, 2009
March 29th, 2013 at 5:02:36 PM permalink
It only seems to respond with the 406 error when using curl. I get normal headers and content with Chromium.
MrV
  • Threads: 364
  • Posts: 8158
Joined: Feb 13, 2010
March 29th, 2013 at 5:18:37 PM permalink
Blame it on the North Koreans.
"What, me worry?"
DJTeddyBear
  • Threads: 207
  • Posts: 10992
Joined: Nov 2, 2009
March 30th, 2013 at 6:49:25 AM permalink
Quote: JB

It seems to imply that DJTeddyBear's website is the culprit. I doubt his website is distributing malware and wouldn't take the warning seriously.

Although I concur, I don't have a clue what's going on.

I get a similar warning when using Safari on my Mac, but when using FireFox, the site comes up fine. Ditto for using my iPhone.


I entered a support request with my web host.

This is not the first time this has happened, so I'm starting to wonder if my web host has issues of their own....
I invented a few casino games. Info: http://www.DaveMillerGaming.com/ ————————————————————————————————————— Superstitions are silly, childish, irrational rituals, born out of fear of the unknown. But how much does it cost to knock on wood? 😁
DJTeddyBear
  • Threads: 207
  • Posts: 10992
Joined: Nov 2, 2009
March 30th, 2013 at 6:50:59 AM permalink
Quote: JB

It only seems to respond with the 406 error when using curl. I get normal headers and content with Chromium.


What are Curl and Chromium? Alternate web browsers?
I invented a few casino games. Info: http://www.DaveMillerGaming.com/ ————————————————————————————————————— Superstitions are silly, childish, irrational rituals, born out of fear of the unknown. But how much does it cost to knock on wood? 😁
Mikey75
  • Threads: 49
  • Posts: 639
Joined: Mar 1, 2013
March 30th, 2013 at 7:47:55 AM permalink
I've been having an issue here the past few days. If I click the back button on my browser to return to a previous page it gives me an error and says that the web page is unavailable. If I refresh the page it comes up fine.
DJTeddyBear
  • Threads: 207
  • Posts: 10992
Joined: Nov 2, 2009
March 30th, 2013 at 11:46:39 AM permalink
Mikey -
If you use the back button after posting, you'll get that error. That's not just here. ANY website form will give you some type of error if you attempt to go back after hitting the submit button.

---

I got a response from my webhost's support. As far as I can tell, the solution is to A) Upload my website from scratch (will do later when I have time), and B) update my browser and other internet software. That second part sounds like BS. I get that maybe updated software will fix my problems, but am I supposed to tell that to anyone that uses my site? Even those unidentified people that use my site? Really?

And how is Google involved?

If anybody can explain any of this, let me know.

Thanks.


Quote: email from InMotionHosting.com Support

Hello David,

Thank you for contacting us.

I will be happy to assist you with your inquiry. I was able to replicate and do see that your sites have been compromised. There were redirects injected in the following .htaccess files:

public_html/djdavemiller.com/.htaccess
public_html/pages/.htaccess
public_html/davemillerweddings.com/pages/.htaccess
public_html/reverenddavemiller.com/pages/.htaccess

I have removed the injections by renaming each .htaccess file .htaccess.hacked for your review. While currently I do not see further evidence of the hack, this does not necessarily mean that this hack has been fully eradicated. I would suggest to have your developer review your files carefully to ensure that there are no back doors open that may cause this issue to reoccur.

In order to protect yourself from these types of attacks there are a few things you can do, although nothing is 100%. First, update all your software to the most recent versions, particularly browsers, Operating systems, and other highly popular software such as Adobe Reader, etc... These are main targets for infiltration due to the sheer number of copies in use out there. Also, run more than one virus/spy-ware scanner. These programs all verify against their own lists and they all have different items they look for and find. Lastly, and probably the most effective, change your password often. Much like changing the oil in your auto, the more often the better, but there is no need to do it too often. Usually once every month or two will be fine. Ensure your password does not contain a word that can be found in a dictionary or a simple number sequence. Random numbers, letters, and symbols are best. Keep this password physically written down somewhere and not in a small text file on your computer that can be read from an intruder.

Again, nothing is 100% but this will indeed increase your security against repeated attacks.

After you have identified and cleaned the file or uploaded from a clean backup copy, which is the most preferred method, you can contact Google for a recrawl so they can remove your sites from the blacklist. Google calls this site reconsideration and you can see that information here: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=35843
Please let us know if you have any further questions; we are more than happy to help. By the way, our new support center features hundreds of great new articles, improved search results and a new community driven Question and Answer section! Our new support center is located at inmotionhosting.com/support.

Best Regards,
Edward M.

888-321-4678
757-416-6575 (Int'l)
NEW: 24x7 EMAIL and PHONE Technical Support

Did you know?
We'll Build, Update and Promote Your Site for You! Visit
www.inmotionhosting.com/webdesign

I invented a few casino games. Info: http://www.DaveMillerGaming.com/ ————————————————————————————————————— Superstitions are silly, childish, irrational rituals, born out of fear of the unknown. But how much does it cost to knock on wood? 😁
7craps
  • Threads: 18
  • Posts: 1977
Joined: Jan 23, 2010
March 30th, 2013 at 1:47:51 PM permalink
This is the link that leads to the warning in my google chrome browser also as the OP

https://wizardofvegas.com/forum/off-topic/general/11095-land-based-casino-directory-website-project/7/

I can not open it or even look at the code in Google Chrome

But I can view the source code in IE8 just fine and no malware is detected.

Looks to me Google has DJTB sites on a malware list from ???
It will not even allow me to view without a warning just the images below.
Go thru your website files on your computer with your anti-virus program first before uploading them again if that is what you end up doing.
All it takes is one virus.

http://www.hit-it-again-roulette.com/ also has the same notice in Chrome

from
http://validator.w3.org/checklink
I get the same 406

Lines: 3, 4 http://djteddybear.com/images/slot_icon.JPG
Status: 406 Not Acceptable
The server isn't capable of responding according to the Accept* headers sent. This is likely to be a server-side issue with negotiation.

Lines: 2, 3 http://djteddybear.com/images/bj_icon.JPG
Status: 406 Not Acceptable
The server isn't capable of responding according to the Accept* headers sent. This is likely to be a server-side issue with negotiation.


DJ, for a simple test,
just remove the link to the images on page 7 at WoV and see if us Chrome users still get an error here in WoV.
we should not
winsome johnny (not Win some johnny)
JB
Administrator
  • Threads: 334
  • Posts: 2089
Joined: Oct 14, 2009
March 30th, 2013 at 2:03:33 PM permalink
Quote: DJTeddyBear

Quote: email from InMotionHosting.com Support

There were redirects injected in the following .htaccess files:

...

I have removed the injections by renaming each .htaccess file .htaccess.hacked for your review.


You should download those .htaccess.hacked files to your computer and open them up in an editor to see what domain the redirects were sending visitors to.
bluefire
  • Threads: 10
  • Posts: 156
Joined: May 24, 2010
March 30th, 2013 at 3:12:36 PM permalink
Quote: DJTeddyBear

Mikey -
If you use the back button after posting, you'll get that error. That's not just here. ANY website form will give you some type of error if you attempt to go back after hitting the submit button.

---

I got a response from my webhost's support. As far as I can tell, the solution is to A) Upload my website from scratch (will do later when I have time), and B) update my browser and other internet software. That second part sounds like BS. I get that maybe updated software will fix my problems, but am I supposed to tell that to anyone that uses my site? Even those unidentified people that use my site? Really?

And how is Google involved?

If anybody can explain any of this, let me know.

Thanks.



Basically, Firefox, Chrome, and Safari all send URLs to Google to check for malware before they load up the page. If that website is on Google's list of known Malware sites, you get the response as shown in the web browser above.

You got on Google's malware list because of the compromised .htaccess files. It's kinda silly he's saying to scan your computer; what's more likely the problem is that permissions were set wrong on your web server (likely set to something like chmod 777). Check the permissions on your web directories and make sure they are set up properly.

You also need to look through your entire web directory, because most of the time they will leave backdoors that will allow them to re-upload the hacked .htaccess files. Your safest bet is to completely delete the copy you have up there, and restore from a backup. Make sure to set the permissions on your directories and files correctly (chmod 444 or 644).

Once you've got all that fixed, submit a request to Google to recrawl the page and get off the blacklist.
DJTeddyBear
  • Threads: 207
  • Posts: 10992
Joined: Nov 2, 2009
March 30th, 2013 at 7:45:44 PM permalink
Quote: 7craps

DJ, for a simple test,
just remove the link to the images on page 7 at WoV and see if us Chrome users still get an error here in WoV.
we should not


I did that (changed the images to links). There's a problem though: TheBigPaybak has the images I posted, in the quotes of two of his posts.
I invented a few casino games. Info: http://www.DaveMillerGaming.com/ ————————————————————————————————————— Superstitions are silly, childish, irrational rituals, born out of fear of the unknown. But how much does it cost to knock on wood? 😁
paigower
  • Threads: 2
  • Posts: 28
Joined: Jan 4, 2012
March 30th, 2013 at 8:13:58 PM permalink
be extremely careful with the urls that are in the .htaccess.hacked - the links that are encoded in there are possibly live drive-by root-kit loading sites - i.e. pc's/macs can get pwnt just loading the urls with vulnerable browsers.

curl is a text-based command line url retrieval application - http://en.wikipedia.org/wiki/CURL - I used this because Chrome was warning that your site was compromised - so loading with a web browser would be potentially hazardous...

You may also want to grab some malware scanner - http://www.malwarebytes.org/ - free version works fine.

You can register for the google webmasters account through: http://www.google.com/webmasters/ - through that you can "claim" your domain and make sure that Google knows to clear their alerts for your site.

Once you know your site is locked down - you can request that google re-indexes your site so that google searches for your site don't result in this:

DJ Teddy Bear aka DJ Dave Miller
www.djteddybear.com/This site may harm your computer.
A Private Party DJ Entertainer and Wedding OFficiant. Get the wedding of your dreams, without the trappings of mainstream religion. Serving the Northern New ...
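
An added example, not part of any post in this thread: a read-only Python audit that does what JB and bluefire suggest above (find where the injected .htaccess redirects point and flag world-writable paths) and, in line with paigower's caution, prints the targets defanged instead of fetching them. The host names, the `own_hosts` parameter and the sample files are constructed for illustration.

```python
import os, re, stat, tempfile
from urllib.parse import urlsplit

# Apache directives that can send a visitor to another site.
REDIRECT_RE = re.compile(r"^\s*(RewriteRule|Redirect\w*|ErrorDocument)\s+(.*)$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'\]]+", re.I)

def defang(url):
    """Make a URL inert so it can be pasted into a ticket without being clickable."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def audit_htaccess(root, own_hosts):
    """Report world-writable paths and redirects that leave own_hosts. Reads files only."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if stat.S_IMODE(os.stat(dirpath).st_mode) & stat.S_IWOTH:
            findings.append((dirpath, "world-writable", "directory"))
        for name in files:
            if not name.startswith(".htaccess"):  # also catches .htaccess.hacked
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable", oct(mode)))
            with open(path, errors="replace") as fh:
                for line in fh:
                    m = REDIRECT_RE.match(line)
                    for url in URL_RE.findall(m.group(2)) if m else ():
                        host = (urlsplit(url).hostname or "").lower()
                        if host not in own_hosts:  # redirect leaves the owner's sites
                            findings.append((path, m.group(1), defang(url)))
    return findings

def demo():
    """Audit a constructed tree (sample data written for this example)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "pages"), 0o755)
    samples = [
        (".htaccess", 0o644, "Redirect 301 /old http://www.mysite.example/new\n"),
        ("pages/.htaccess.hacked", 0o666,
         "RewriteEngine On\nRewriteRule ^(.*)$ http://malicious.example/in.php?q=$1 [R=302,L]\n"),
    ]
    for rel, mode, text in samples:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return audit_htaccess(root, {"www.mysite.example"})
if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run it against a downloaded copy of the site rather than the live server; the legitimate same-site redirect in the sample is ignored, and only the world-writable file and the off-site rewrite are reported.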
DJTeddyBear
  • Threads: 207
  • Posts: 10992
Joined: Nov 2, 2009
April 1st, 2013 at 3:48:05 PM permalink
Well, my DJTeddyBear.com site no longer has that Malware warning.

This link should work again:
https://wizardofvegas.com/forum/off-topic/general/11095-land-based-casino-directory-website-project/7/

A couple of my other sites still have it - only because I haven't gotten around to doing everything Google needs me to do yet...
I invented a few casino games. Info: http://www.DaveMillerGaming.com/ ————————————————————————————————————— Superstitions are silly, childish, irrational rituals, born out of fear of the unknown. But how much does it cost to knock on wood? 😁