BuddyEmmons.com exploit codes removed


Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

The buddyemmons.com website has been exploited with multiple exploit codes and redirects. If you visit the website with JavaScript enabled you may become infected and will probably join a botnet.

For your safety, please use a current version of the Firefox browser, preferably with the NoScript! add-on installed. This will protect you from iframe cross site scripting attacks and from JavaScript redirects.

As this website is visited by many of our members I thought you should know about the problem in advance, rather than by finding out the hard way.

The offending iframe exploit was removed on November 27 and the source of the exploit is being investigated. However, until the source of the exploit has been determined and secured against re-entry, it may not be safe to visit this website, without the NoScript! add-on.

If you must use Internet Explorer to visit the above-mentioned, or similarly exploited website, only do so if you have the best commercial anti-malware protection installed, updated and monitoring for threats in real time. One such security program is Trend Micro Internet Security, which has a web threat evaluation module. If the threat returns, this module will see it before the page loads and will block the page, warning you about the danger of proceeding. You can try it for free for 30 days, fully functional.

If you have visited buddyemmons.com in the past three months, before the hostile code was removed, using Internet Explorer, without cream of the crop security protection, you may already be pwned by the criminals behind this cyber attack. You should scan your PC for known "malware" using MalwareBytes Anti-Malware.
Last edited by Wiz Feinberg on 20 Dec 2009 6:54 am, edited 4 times in total.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
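The injection described in this post is a hidden or off-site iframe planted in an otherwise normal page. The following is an added example, not code from the thread or from the site owner: a small audit that flags `<iframe>` and `<script src>` tags that are hidden, zero-sized, or point to a host other than the site's own. The sample HTML and the hostnames `evil.example` and `bad.example` are constructed for the demonstration.

```python
"""Flag hidden or off-site <iframe>/<script> tags in HTML files.
Added example; sample page and attacker hostnames are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides an element while keeping it in the page
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeAuditor(HTMLParser):
    """Collect iframe and script tags that look like injected code."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (tag, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != self.site_host:        # loads from another domain
            reasons.append(f"off-site src {host}")
        if tag == "iframe":
            if a.get("width", "").strip() in ("0", "1") or \
               a.get("height", "").strip() in ("0", "1"):
                reasons.append("zero-size frame")   # invisible to the visitor
            if HIDDEN_CSS.search(a.get("style", "")):
                reasons.append("hidden by CSS")
        if reasons:
            self.findings.append((tag, src, reasons))

def audit_html(html, site_host):
    """Return a list of suspect (tag, src, reasons) found in `html`."""
    p = IframeAuditor(site_host)
    p.feed(html)
    return p.findings

# Constructed sample: one legitimate frame, one injected frame, one off-site script
SAMPLE = """<html><body><h1>Photo gallery</h1>
<iframe src="http://www.buddyemmons.com/gallery.htm" width="600" height="400"></iframe>
<iframe src="http://evil.example/in.php" width="0" height="0" style="display:none"></iframe>
<script src="http://bad.example/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, src, why in audit_html(SAMPLE, "www.buddyemmons.com"):
        print(f"SUSPECT <{tag}> src={src!r}: {', '.join(why)}")
```

Any legitimate third-party script host (a hit counter, for instance) will also be reported as off-site, so compare the findings against the files you know you uploaded rather than treating every hit as an infection.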
Ernie Renn
Posts: 3494
Joined: 4 Aug 1998 11:00 pm
Location: Brainerd, Minnesota USA
State/Province: Minnesota
Country: United States

Post by Ernie Renn »

I re-uploaded the index page. I can't find any other infected pages. If anybody locates any others, please drop me a line. Thanks!

Sorry for any inconvenience. Update your anti-virus and if nothing else, wait to visit there. It sucks that this crap is coinciding with Buddy closing up the store part.

The website will continue after the closing. ;-)

Perhaps try going in the back way... BE Fun Stuff!

(Address edited...) I also changed the password on the site, which I may keep doing every week or so for a while. This stuff sucks. If it is on my computer, Kaspersky isn't seeing it.
Last edited by Ernie Renn on 28 Nov 2009 8:56 am, edited 1 time in total.
My best,
Ernie
www.BuddyEmmons.com
Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

Ernie;
That link is missing the required colon. However, that particular page, as well as index.htm, is clean, as of right now.

Your site is hosted on a Microsoft IIS server. These are highly exploitable via SQL Injection attacks. If you have or had a database for the online store, that is how the hackers may have broken in. One unsanitized line of code is all it takes, and there are plenty available, according to the success of the summertime attacks from China.

Another means of entry could be a keylogger planted on your computer, or on somebody else's who has login permission to work on the website. When you, or they, log into the ftp client or web control panel, the keylogger captures the credentials and sends them home to the people running the attack. Attacks using stolen ftp credentials were very successful this past spring and summer, with tens of thousands of websites infected through that trick alone.

SQL and PHP Injection attacks added tens of millions of vulnerable websites to the web botnets, many of which are still functioning as exploit conduits.

Please make sure you have the best security software you can afford installed on the computer used to manage your websites. Keep it updated and scan for threats. If you need more protection against "malware" go get MalwareBytes Anti-Malware from my website. Install it, update it and scan for threats (like keyloggers).
Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

Ernie;
Your website is no longer infected, as of November 30, at 1:45 AM.

There are things you will need to do to have the malware warning removed by Google and its security partners. Please read everything on this page, on StopBadware.org. They are responsible for blacklisting infected websites, for Google and other search providers. You are responsible for proving that you have removed all badware and plugged all insecure points of entry in scripts, the OS, or via keyloggers on a PC.

Readers; you may visit the buddyemmons.com website, but I recommend only doing so with Firefox, with the NoScript! add-on installed and set to block scripting for the website. You will have to click on "Ignore this warning" to see any of the web pages on the site. Once Ernie has gotten the site delisted by the above-mentioned entities, you will be able to view it normally.

Internet Explorer users should place the website into the Restricted Sites Zone, until the matter has been completely resolved. This turns off "active scripting," which is Microsoft's definition of JavaScript. It also disables iframe domain redirects, which is the means of infection used in the attacks.
Ernie Renn
Posts: 3494
Joined: 4 Aug 1998 11:00 pm
Location: Brainerd, Minnesota USA
State/Province: Minnesota
Country: United States

Post by Ernie Renn »

Thanks, Wiz! I did request that it be re-reviewed. Hopefully, it won't take too long.

Sorry for any inconvenience...
My best,
Ernie
Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

No problem here, as I use Firefox, with the NoScript! add-on. I'm happy to have been able to alert you to this and to provide some assistance with the investigation.

Let us know when the all-clear can be sounded (when the source of the infection has been secured).
Ernie Renn
Posts: 3494
Joined: 4 Aug 1998 11:00 pm
Location: Brainerd, Minnesota USA
State/Province: Minnesota
Country: United States

Post by Ernie Renn »

I'm still not sure where it came from. It's been a hair pulling ordeal. It seems fine for a time and then there it is again. For now, it's under control.
My best,
Ernie
Cal Sharp
Posts: 2874
Joined: 4 Aug 1998 11:00 pm
Location: the farm in Kornfield Kounty, TN
State/Province: Tennessee
Country: United States

Post by Cal Sharp »

Ernie Cup wrote:
It seems fine for a time and then there it is again.
If that's the case, either your account on your server has been hacked (FrontPage extensions are real insecure) or there's some malware on your computer that's getting your FTP/password info. Your ISP should be able to scan your site for bad stuff, and Wiz knows what to do for your comp.

"What came first, the egg or Ernie?" - Roadhog
C#
Me: Steel Guitar Madness
Latest ebook: Steel Guitar Insanity
Custom Made Covers for Steel Guitars & Amps at Sharp Covers Nashville
Ernie Renn
Posts: 3494
Joined: 4 Aug 1998 11:00 pm
Location: Brainerd, Minnesota USA
State/Province: Minnesota
Country: United States

Post by Ernie Renn »

The server said there were no problems. I've scanned and rescanned my computers with several "anti" programs. (Virus, Malware, Adware, etc.) What else can I try?

C-U-P-P. "C is for country. U is for united and PP is for peace and prosper-i-etty!"
My best,
Ernie
Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

It seems fine for a time and then there it is again.
Ernie;
If the GoDaddy server itself has not been compromised, and if your computer does not have a hidden keylogger installed, and if nobody else has access to your website control panel, the problem must be in a script you are using. It could be the shopping cart, or your photo gallery software. PHP scripts are notorious for exploitability.

You should do an audit of every brand and version of third-party script that is being used on the website. Then check with the makers to see if there are known vulnerabilities that have been fixed with updates.

Did you scan your personal computer using MalwareBytes Anti-Malware? If not, download from my product page. Read the usage instructions, install it, update it, then scan. You may need to reboot into safe mode and scan from there. It will remove any threat it can detect. I want to make certain you do not have a keylogger on your PC. Many websites have been compromised repeatedly because of keyloggers.

MBAM definition updates are issued multiple times daily, so check (manually) for updates before every scan. Registering the program turns on schedulable automatic updates and real time monitoring for malware trying to install (which it blocks).
Ernie Renn
Posts: 3494
Joined: 4 Aug 1998 11:00 pm
Location: Brainerd, Minnesota USA
State/Province: Minnesota
Country: United States

Post by Ernie Renn »

The site is hosted on Softcom in Canada.

I have run MalwareBytes Anti-Malware and not found anything. However, I'm running it as I type this and it's already found three things. As it's running, Kaspersky is popping up alerts as well, so I'm guessing something is there and it will be dealt with.

Cross your fingers! Thanks for your help, Wiz!
My best,
Ernie
Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

Ernie;
Today's malware threats may not be detected with yesterday's definitions for MalwareBytes Anti-Malware. Malware authors are constantly repacking their executables to fool virus and spyware scanners. The average lifespan for each current threat definition is now under 24 hours. Unless you register MBAM (for $24.95 for life) you must update it manually every time you are going to scan your PC. Once registered, you can set the scheduler to check for and install updates every hour. This also turns on a real time monitor that will prevent known malware from installing in the first place.
Ernie Renn
Posts: 3494
Joined: 4 Aug 1998 11:00 pm
Location: Brainerd, Minnesota USA
State/Province: Minnesota
Country: United States

Post by Ernie Renn »

I have a registered copy. Earlier I ran a quick scan. Now it's doing a full scan.

Hopefully this will take care of the problems.

Any tips to the settings on the program?
My best,
Ernie
Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

Ernie;
Set the update checks to occur every hour, on the hour. You should also set up scheduled quick scans at least every 12 hours. Make sure the real time module is enabled, as it will block malware from installing, or at least warn you beforehand.
Ernie Renn
Posts: 3494
Joined: 4 Aug 1998 11:00 pm
Location: Brainerd, Minnesota USA
State/Province: Minnesota
Country: United States

Post by Ernie Renn »

It allows me one time to update each day. Scan setting is also once a day.

It is turned on.

I just ran the quick scan again and it found nothing. That might be a good sign.

Happy holidays to all!
My best,
Ernie
John McClung
Posts: 5165
Joined: 4 Aug 1998 11:00 pm
Location: Olympia WA, USA
State/Province: -
Country: United States

Post by John McClung »

Ernie, I just got the same malware warnings, using front door and the backdoor you suggested. This on latest Safari on the Mac. Also on latest Firefox on Mac. Ugh.
E9 INSTRUCTION
▪️ If you want to have an ongoing discussion, please email me, don't use the Forum messaging which I detest! steelguitarlessons@earthlink.net
Ernie Renn
Posts: 3494
Joined: 4 Aug 1998 11:00 pm
Location: Brainerd, Minnesota USA
State/Province: Minnesota
Country: United States

Post by Ernie Renn »

I asked for a re-review. Hopefully, they'll get around to it soon... Malicious code was removed.

Sorry for the inconvenience...
My best,
Ernie
John Cipriano
Posts: 449
Joined: 13 Jun 2008 8:23 pm
Location: San Francisco
State/Province: -
Country: United States

Post by John Cipriano »

Did you figure out how the code got in, though?

The only thing I see in there that resembles a script is the counter. But I can't imagine that the counter accepts any sort of user input (trusting user input is usually the root cause of these issues). But Cal says the FP extensions are insecure so maybe it's that.

It sounds like you already fixed things but I wanted to add that if you know the copy on your machine is clean then you should just delete everything on the server under /www or /htdocs (or wherever the document root is) and then re-upload.
Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

I would recommend contacting your hosting company for assistance with securing your Front Page Extensions against rogue uploads and edits. I am hosted on an Apache web server and am able to create custom directives in my .htaccess file to block all FrontPage attacks. Unfortunately, Ernie's website is hosted on a Microsoft IIS server and cannot use .htaccess at all. His host will need to ensure the security of FP Extensions and other scripts running on the website.
Ernie Renn
Posts: 3494
Joined: 4 Aug 1998 11:00 pm
Location: Brainerd, Minnesota USA
State/Province: Minnesota
Country: United States

Post by Ernie Renn »

I'm fairly sure it was a Trojan on my computer. Three different sites of mine were hit. I've used a bunch of different anti-virus, adware and anti-malicious code programs, including the one Wiz suggested. Additionally I've changed passwords on various computers, so as not to leave a keystroke trail. AND I bought a new laptop to work on pages.
Thanks to all of you for your concern and help! I really appreciate it all!
Happy holidays to you all!
My best,
Ernie