Malware Warning on my Plusnet Space

orbrey
Plusnet Alumni (retired)
Posts: 10,540
Registered: ‎18-07-2007

Re: Malware Warning on my Plusnet Space

I have to say I'm very sorry I missed that - lesson learned. It'd probably be worth changing the password on your account, that will also change the webspace password and should stop it from happening again.
Gabe
Grafter
Posts: 767
Registered: ‎29-10-2008

Re: Malware Warning on my Plusnet Space

Doh!!!  Crazy
I'd tried that and seen nothing. Just asked Chris if the .htaccess contained a
RewriteCond %{HTTP_USER_AGENT} .*Windows.*
line. It did. That explains it.
The exploit looks very much like the recent hijacked-subdomains scareware thing. Is the OP's PC definitely trojan free?
Gabe
Badders
Dabbler
Posts: 13
Registered: ‎02-07-2010

Re: Malware Warning on my Plusnet Space

Thanks for clearing that Chris. Any idea where it came from?
I can confirm that my computer is clean.
Thanks again,
Pete.
Badders
Dabbler
Posts: 13
Registered: ‎02-07-2010

Re: Malware Warning on my Plusnet Space

Quote from: Matt
I have to say I'm very sorry I missed that - lesson learned. It'd probably be worth changing the password on your account, that will also change the webspace password and should stop it from happening again.

Will do. Thanks.
Pete.
Gabe
Grafter
Posts: 767
Registered: ‎29-10-2008

Re: Malware Warning on my Plusnet Space

Quote from: Badders
Any idea where it came from?

Ultimately, probably Russia  >:(. The upload could have come from anywhere. The login details typically come from a compromised PC or local network. Have you logged into Plusnet away from home recently-ish?
Gabe
Badders
Dabbler
Posts: 13
Registered: ‎02-07-2010

Re: Malware Warning on my Plusnet Space

Quote from: Matt
I have to say I'm very sorry I missed that - lesson learned. It'd probably be worth changing the password on your account, that will also change the webspace password and should stop it from happening again.

1 last question, Matt. I've done as you suggested and changed my account password. However, Email is still working on the old password. Should that not have changed automatically? If I try to log in using the new password, it fails.
Pete.
avatastic
Grafter
Posts: 1,136
Thanks: 2
Registered: ‎30-07-2007

Re: Malware Warning on my Plusnet Space

If this is PN webspace then the htaccess file must have been uploaded from PN, as the FTP server doesn't allow non PN connections.
Or did that change recently?
F9 member since 4 Sep 1999
F9 ADSL customer since 27 Aug 2004
DLM manages your line the same way DRM manages your rights.
Look at all the pretty graphs! (now with uptime logging!)
jojopillo
Plusnet Alumni (retired)
Posts: 9,786
Registered: ‎16-06-2010

Re: Malware Warning on my Plusnet Space

Hi Badders. It will only have changed the default mailbox password but not the password for your other mailboxes. I have tried logging in to the default email address via webmail and I can get in ok on that.
Jojo:)
Badders
Dabbler
Posts: 13
Registered: ‎02-07-2010

Re: Malware Warning on my Plusnet Space

Thanks Jo,
I'll eventually wake up and the blindingly obvious will hit me right between the eyes  Crazy
Pete.
Gabe
Grafter
Posts: 767
Registered: ‎29-10-2008

Re: Malware Warning on my Plusnet Space

Quote from: avatastic
If this is PN webspace then the htaccess file must have been uploaded from PN, as the FTP server doesn't allow non PN connections.

True for ccgi, but not for homepages (or PAYH). Wonder how they got the login.
Gabe
zubel
Community Veteran
Posts: 3,793
Thanks: 4
Registered: ‎08-06-2007

Re: Malware Warning on my Plusnet Space

The rogue .htaccess could have been dropped by a drive-by attack on a script on the site.
Would have been interesting to grab the 'last modified' date off it, but I suspect it's now long gone.
B.
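
An added example, not part of any post in this thread: a defender-side scan of a webspace tree for the kind of tampering Gabe describes (a `RewriteCond` on `%{HTTP_USER_AGENT}` so the redirect fires only for some visitors), which also records the last-modified time zubel mentions. The function names, the sample files and the `placeholder.invalid` redirect target are constructed for illustration; the thread does not show the rogue file's `RewriteRule`.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Conditions that make a rewrite fire only for some visitors (as in the thread).
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_USER_AGENT|HTTP_REFERER)\}\s+\S+", re.I)
# Rules whose substitution is an absolute URL, i.e. a redirect off the site.
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://\S+", re.I)


def scan_htaccess(root):
    """Report .htaccess files under root with visitor-selective external redirects."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        pending, hits = [], []
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if COND_RE.match(line):
                    pending.append((lineno, line.strip()))
                elif re.match(r"\s*RewriteRule\b", line, re.I):
                    # RewriteCond lines apply to the next RewriteRule only.
                    if pending and RULE_RE.match(line):
                        hits.append({"conds": pending, "rule": (lineno, line.strip())})
                    pending = []
        if hits:
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            findings.append({"path": path, "modified": mtime.isoformat(), "hits": hits})
    return findings


def demo():
    """Constructed sample: one tampered file and one benign file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\n"
                 "RewriteCond %{HTTP_USER_AGENT} .*Windows.*\n"
                 "RewriteRule .* http://placeholder.invalid/ [R,L]\n")
    with open(os.path.join(root, "blog", ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\nRewriteRule ^old$ /new [R=301,L]\n")
    return root, scan_htaccess(root)


if __name__ == "__main__":
    print(demo()[1])
```

A hit is a prompt to review the file, not proof of compromise: some sites legitimately redirect by user agent, and the recorded modification time is only useful if read before the file is deleted or replaced.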
Gabe
Grafter
Posts: 767
Registered: ‎29-10-2008

Re: Malware Warning on my Plusnet Space

Just to be clear, a drive-by attack usually means involuntarily picking up a nasty from a script on a site, not an attack on a script on a site. The OP's PC could have been botted by a drive-by but need not have been - could just have been harvested for credentials. I agree, it could be revealing to search the server logs.
Gabe
jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Malware Warning on my Plusnet Space

Quote from: Barry
The rogue .htaccess could have been dropped by a drive-by attack on a script on the site.

On homepages?
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)