Malicious alteration to website
Sylvander
10-11-2004, 09:31 AM
The website of my son's band appears to have been corrupted.
Do not visit the following web page unless you know you have the means to recover the integrity of your C: drive's software.
I was forced to re-format my C: drive and restore a backup after a visit.
Here's the malicious page:
www.redbeesociety.co.uk/guestbook.asp
When I accessed it the page was totally different from normal.
1. The page is now mostly black and has a skull in the centre.
2. The maximised page now progresses slowly around, bouncing off the 4 edges of the screen without actually staying on-screen. It goes almost completely off screen.
3. After a visit Internet Explorer no longer works properly.
4. I tried adding the domain "redbeesociety.co.uk" to the "ie-spyad" "ie-ads.reg" file and merging it into the registry, but it didn't solve the problem.
A repeat visit afterward produced the same nasty effect as before.
Steve
10-11-2004, 10:05 AM
WOW...certainly looks like they have been hacked. I went to the site using Firefox 0.8 and saw just what you described. I detected no viruses, trojans or spyware having been added to my system. Did you run a HJT scan (or any other scan) to see what had been put on your computer to mess it up?
Sylvander
10-11-2004, 12:31 PM
I took no chances, just reformatted and restored after I discovered that IE was "Not Responding" after attempting to access "IE | Tools | Internet Options | Security | Restricted Sites | Custom Level...".
I scanned with "Hijack This" after the restore of the backup and there was nothing found [in addition to the "ignorelist"].
I assume I'm now clean.
There are no signs of problems.
IE is working OK once more.
What I'd like to know is how my son should proceed to clean up the website.
Steve
10-11-2004, 01:02 PM
I'm not experienced with this kind of thing but I guess the first thing to do is contact the folks who are hosting the website and find out how it happened and what should be done to guard against it in the future. Protective measures by both the hosting company and the site owners are probably the case.
I have class tonight. The instructor is certified in ethical hacking. I'll ask and see if he has any info on this kind of thing.
Sylvander
10-11-2004, 03:18 PM
Excellent! :)
Isn't it good to be able to speak to someone who will speak to someone who knows. :D :cool:
I went into "The Edinburgh Room" at "Edinburgh Central Lending Library" to photocopy microfilm copies of original birth and marriage records between 1826 and 1838 to send to a lady in Canada.
And a guy in London went to "The Family Records Centre" in London for me to find the birth record of my father's father in 1863 in Newcastle.
stefanus
10-11-2004, 05:45 PM
It will be interesting to know what Steve's contact reveals because my two Daughters have just acquired a Web Site each and if they experience a similar problem I will know how to react. Surely the perpetrator can be dealt with, within the law. If found?? So sorry about your Son's site Sylvander. I hope it is resolved quite quickly and that I could not offer a solution.
Stefanus
Paul Komski
10-11-2004, 06:14 PM
It's just a javascript that's been added to the guestbook and which makes the browser jump around like a bouncing ball and with a link to the skull (smoking.gif). I couldn't find any nasty redirections or object tags/active X so I don't think it can infect you.
If you turn off javascript you should be able to stop things jumping around and then view source if you want to read the source code.
It seemed odd that an asp page would have been hacked since that would have meant the server had been hacked into. If there is a way of editing the guest book you should be able to confirm that the entry has been added there and to remove it if that option is simply available.
Thereafter the asp code needs to be edited so that scripts and other html can't be added (or at least parsed by) the guestbook. I don't know asp but this could be done with php without too much trouble (I think) ;)
PS
Or just disable the guest book (upload a static page for now) until you get things sorted out by whoever does the web-design.
John0904
10-11-2004, 06:21 PM
I could be wrong, but I think the reason IE locked up tighter than a knot was because there is a javascript that opens a window of index.htm about a hundred times.
openWindow('index.htm')
Here is a text format of the code that was hacked:
http://johns-page.netfirms.com/hack.txt
You'll need to right click and copy link location and open a new window and paste into the address bar.
Did IE fail to respond even after a reboot?
Steve
10-11-2004, 11:26 PM
Hi folks,
The instructor identified it as a simple javascript. If the person responsible for web design uploads new pages or updated pages with ftp, they can simply refresh the page and it will replace the hacked page.
The more important question is how the hacker got in. Who is hosting the site? There is a weak password somewhere. All passwords should be more than six characters and include letters, numbers and odd characters such as # or &. We used a password cracking program, as a demonstration, and were able to crack any six letter password we could come up with in under two minutes. A simple dictionary attack worked in seconds.
Once you get over six variable type characters, you need a brute force attack to crack the password and that would take, possibly, 24-48 hours. If the web host or ISP is doing their job, that kind of activity will be noticed and stopped.
It made for an interesting class... ;)
Paul Komski
10-12-2004, 03:18 AM
The code that has been added at the top of the guest book entries is a complete webpage's html from <html> to </html> and which includes the javascript itself; it needs to be done that way because some of the script needs to be inside <head></head> tags so you will find that these head tags have in fact been duplicated rather than the script added inside the page's own head section. Modifying the .asp page's own head section would have been more complicated than simply editing .htm pages and you also need to ask the question as to why the perpetrator only attacked the guestbook.
Guestbooks are a simple one thread bulletin board and so if html can be parsed by the form submissions then just like here (before the html was turned off because someone had played around with some redirection) it can be abused.
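The fix described in the two posts above (stop the guestbook parsing submitted HTML), as an added example that is not part of the thread and not the site's own code. It is written in JavaScript rather than the site's ASP, and the field names `name`, `from` and `message` and the sample entries are assumptions constructed for illustration.

```javascript
// Added example, not the site's code. Field names are assumptions.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that let text break out into markup or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only the template contributes tags; every submitted field is encoded first.
function renderEntry(entry) {
  const message = escapeHtml(entry.message).replace(/\r?\n/g, "<br>");
  return (
    '<div class="entry"><p><b>' + escapeHtml(entry.name) + "</b> from " +
    escapeHtml(entry.from) + "</p><p>" + message + "</p></div>"
  );
}

function renderGuestbook(entries) {
  return entries.map(renderEntry).join("\n");
}

// Returns any tags in the output that the template itself did not emit.
function foreignTags(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  const allowed = new Set(['<div class="entry">', "</div>", "<p>", "</p>", "<b>", "</b>", "<br>"]);
  return tags.filter((t) => !allowed.has(t));
}

// Constructed sample: one entry carrying a whole HTML document with a
// placeholder script and a black background, and one ordinary entry.
const sampleEntries = [
  {
    name: "visitor",
    from: "somewhere",
    message: '<html><head><script>/* placeholder */</script></head>\n' +
      '<body bgcolor="black"><img src="placeholder.gif"></body></html>',
  },
  { name: "Fan & Friend", from: "Edinburgh", message: "Great gig!\nSee you at the next one." },
];

console.log(renderGuestbook(sampleEntries));
console.log("foreign tags:", foreignTags(renderGuestbook(sampleEntries)));
```

With encoding applied at output time, the pasted document appears as visible text in the entry instead of being parsed by the browser, so existing stored entries are neutralised as well as new ones.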
Sylvander
10-12-2004, 07:18 AM
"Did IE fail to respond even after a reboot?"
I didn't hang around to find out; I assumed something nasty was afoot, so re-formatted & re-stored a backup.
Now that I know it isn't too nasty I studied the effects. I get:
1. Ddhelp: An error has occurred in your program. Close or ignore.
2. Tried to close down, but that halted. msimn "Not Responding".
3. "End Task" & then close down continued successfully.
4. "Keyboard Error or No Keyboard Present" at next startup. Solved that OK.
5. IE OK after reboot.
"There is a weak password somewhere."
I passed this info along to No.1 son [I'd already asked about the password] and told him about this thread and the comments of all. He's going to pass it along to the band member delegated to deal with the website. [No.1 son had been doing all of that and more and was finding it too much, so some of it had to be offloaded. They now have a manager also, to take some of the load.]
It may be a few days before anything is done about it. The band are going down to London tomorrow [Wed 13th Oct] to play a gig at Islington Academy. Then the day after they are on BBC Digital Radio 6, the Gideon Coe Show between 10 am and 1 pm. See here http://www.bbc.co.uk/6music/presenters/gideon_coe/ . They'll be playing live, but haven't been told whether it's to be acoustic or electric. [It'd be interesting to hear both.] And they may be interviewed live, I don't know. Listen in, I'd be interested to hear opinions, so I hope some will listen in and report back. :)
"If you turn off javascript"
How do I do that?
I have added their domain name redbeesociety.co.uk to the "ie-spyad" "ie-ads.reg" file and merging it into the registry, then set "Restricted Sites | Java Permissions | Disable Java", but it has made no difference that I can see.
Paul Komski
10-12-2004, 02:05 PM
|| IE || Tools || Internet Options || Security || Internet Zone || Custom Level || Scripting || DISABLE Active Scripting or set it to PROMPT ||
Whoever last entered stuff into the GuestBook and called themselves setan from newyork also pasted the script. The same entry sets the background to black so that the text in the earlier guest book entries lower down is not immediately visible; it should all show up however if you highlight the relevant area.
Java is different and not of any relevance to this web page.
stefanus
10-12-2004, 03:58 PM
Just made a Biiiiig mistake! I logged on to Sylvander's link, :o I know. If I told you there were a zillion stars------. :o Anyway I could not catch the soafd, and had to shut down. Paul if I or anyone follows your latest posting here will it disable that THING after logging on or is that just for the host PC. Curious (As usual) :)
Stefanus
Sylvander
10-12-2004, 03:59 PM
Thanks Paul, I was able to view the code. :)
Fruss Tray Ted
10-12-2004, 08:41 PM
That site is s-t-i-l-l pooched ain't it?
I just don't see the correlation between a skeleton and a red bee :confused:
Sylvander
10-13-2004, 03:33 AM
I think they were originally going to be "The Dead Bee Society" [wordplay on "The Dead Poets Society"].
Based on a story about a boy who kept a couple of dead bees in a matchbox.
The keyboard player at the time suggested red bees.
["Better dead than red" becomes "Better red than dead"?]
So "Red Bees" are better than "Dead Bees". :)
["Red Poets" are better than "Dead Poets"?]
Where did you see the skeleton?
Fruss Tray Ted
10-13-2004, 07:55 AM
Being a story or book of sorts, wouldn't
"Read Bees" be a play on words?
I opened your link to their site and got an animated (.gif I think) pic of a skull and bony hand repeatedly flashing the viewer the "One finger salute".
I did download some of the free tune segments long ago though before the site went south.
Fruss Tray Ted
10-13-2004, 09:43 AM
Not there anymore, the site seems to be all fixed now. I went to a few of its pages and listened to another couple soundtracks. Sort of mellow for alternative but they have a real clean sound...
Sylvander
10-13-2004, 11:55 AM
Sounds like my son. :)
Easy going, mellow, patient, funny, great sense of humour like his mother.
The kind of person I like to know.
They are in it for the long haul.
No gimmicks, no cheap tricks.
I advised him to play in a style they can still play when they're no longer young and fit and fast.
That doesn't mean to say they can't let rip a little. :D
Did you hear the drum rolls around the kit in the later part of "When we talk of horses"?
Nice!
In conversation I'd mentioned to him that drum rolls used to be employed all the time [rather like tap dancing was once in vogue], but that at some point about the 70's drumming was "dumbed down" [Elton John's drummer springs to mind] and drummers stopped using them so much [or at all].
Perhaps he thought "not a bad idea" and suggested they be included.
You should hear the guitar part in the later stages of "The Homecoming"!
I'm listening to it now.
Heaven is here! Heaven is now!
And the things that drummer can do with a tambourine is astonishing!