Malicious Site - hotican.com & bitsinfoware.net ???

Hello Everyone,

I run multiple sites with Joomla CMS and yesterday, every time I go to my website, I get a popup that says:

"Network Shield: Blocked Access to Malicious site hotican.com/"
"Network Shield: Blocked Access to Malicious site bitsinfoware.net/"

No matter which page loads I still get the popup. I have been unsuccessful finding a remedy. I called GoDaddy.com and they told me that they do not use Avast and cannot replicate the error, therefore they cannot help. :-[ . I would appreciate any advice that can point me in some direction on how to fix this or why it is happening.

Please note all of my friends use Avast and they all see the pop-up also. Everyone that I know that does not use Avast does not see anything at all. I just want to make the “malicious site” warning not appear when my family goes to my website.

Thank you again

BuddyCHill :stuck_out_tongue:

Google Report For Website 1: http://google.com/safebrowsing/diagnostic?site=hotican.com
Google Report For Website 2: http://google.com/safebrowsing/diagnostic?site=bitsinfoware.net

Hi Donovansrb10,

The threats involved here are: Backdoors

Threats found: 1
Here is a complete list:
Threat Name: Backdoor.Tidserv
Location: hxtp://bitsinfoware.net/1/stats.php

and

Suspicious Applications (what’s this?)

Threats found: 1
Here is a complete list:
Threat Name: Suspicious Process
Process name: C:\Documents and Settings\user\Local Settings\Temp\install.exe
Location: hxtp://hotican.com/image/oute.php

So the user was protected against this malware.
The type of malware can be found via this for instance: http://safeweb.norton.com/report/show?name=hotican.com
And the current safety status of the site can be found through this online scanner:
http://www.unmaskparasites.com/security-report/

polonus

Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?

Just an FYI guys, This website is for my family to view pictures of my son. There are a whole (4) registered members on the site. I have not updated the website in 4 weeks and that is why I am so confused. Does anybody know if this is due to the fact that people are targeting Joomla? If that is the case I will turn my back and start making static webpages again. Thank you guys for your responses!!! I am in that boat we have all heard of “without the paddle”

Buddy Chill :o

You own the site? If so, that means your site was hacked. Try editing the code to see if you can find something like and remove it. Also, if there is any obfuscated JavaScript coding, delete it; it might be part of the virus. After that, please change your password to an even stronger password to prevent hackers from hacking your website.

In my experience it is an obfuscated JavaScript. Look for the string “eval” or “fromCharCode” in the html of your pages. Usually it is right after the BODY tag.

Here is a sample of what I found on these pages. (I removed a whole bunch of numbers from the sample here, just to make sure this doesn’t translate into some executable script by accident.)


BTW, my site is also hosted on GoDaddy and I am not using Joomla, just static pages that we edit and upload.

I believe this is the result of the site being hacked, or GoDaddy servers have been compromised otherwise. Either way GoDaddy should have been on top of this, but they are not. I first noticed this back in March; at that time I thought somebody from our end uploaded infected webpages. I cleaned all the pages at that time; now I see only the home page getting modified to include this JavaScript once every few days. I have asked my site admin to contact GoDaddy to find out what’s happening.

Please share your experience, if you contact GoDaddy or if you find the source of this page change

Please modify your post, as it is possible that avast could alert on this script quote; or better yet, use images for code examples…

e.g. ^body marginheight=“1” marginwidth=“1” topmargin=“1”^^script type=“text/javascript”>eval(String.fromCharCode(118,97,48,48,50,49,48))^/script^

By changing the < and > html tag start and end characters to ^ ^ it shouldn’t possibly be detected as a script command.
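To make the advice in the last two posts concrete (look for eval / fromCharCode right after the BODY tag, and handle the sample without letting it run), here is an added example that is not part of the thread and not anyone's code from it. It walks a web root, finds the eval(String.fromCharCode(...)) pattern in HTML/PHP/JS files, and decodes the character codes as plain text so you can read what the script would have done without ever executing it. The sample site, the payload, and the example.invalid host it builds are constructed for the demo. The truncated sample above (118,97,48,48,50,49,48) decodes to the meaningless fragment "va00210", which is exactly why the poster's removal of the numbers made it safe to quote.

```python
"""Added example (not from the thread): locate the injected
eval(String.fromCharCode(...)) pattern under a web root and decode the character
codes as text, without ever executing the script."""
import os
import re
import tempfile

# eval(String.fromCharCode(118,97,...)) with optional whitespace; group 1 is the code list.
FROMCHARCODE_RE = re.compile(
    r"eval\s*\(\s*String\.fromCharCode\s*\(\s*([\d,\s]+)\)\s*\)",
    re.IGNORECASE,
)
SCAN_EXTENSIONS = (".html", ".htm", ".php", ".js")
BODY_WINDOW = 300  # how close to a <body> tag the script must sit to be flagged "after BODY"


def decode_fromcharcode(codes: str) -> str:
    """Convert "118,97,48" into the string the browser would have passed to eval().
    Plain decoding only: the result is data and is never evaluated."""
    return "".join(chr(int(c)) for c in codes.split(",") if c.strip())


def scan_file(path: str) -> list:
    """Return one finding per eval(String.fromCharCode(...)) occurrence in a file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    for m in FROMCHARCODE_RE.finditer(text):
        body_pos = text.lower().rfind("<body", 0, m.start())
        findings.append({
            "file": path,
            "offset": m.start(),
            "after_body_tag": body_pos != -1 and m.start() - body_pos <= BODY_WINDOW,
            "decoded_preview": decode_fromcharcode(m.group(1))[:80],
        })
    return findings


def scan_webroot(root: str) -> list:
    """Walk the web root and scan every HTML/PHP/JS file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith(SCAN_EXTENSIONS):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def build_demo_webroot() -> str:
    """Constructed sample site: one injected index.html and one clean page.
    The payload and the example.invalid host are made up for this example."""
    root = tempfile.mkdtemp(prefix="webroot_")
    payload = 'document.write("<iframe src=\'http://example.invalid/stats.php\' width=1 height=1></iframe>")'
    codes = ",".join(str(ord(ch)) for ch in payload)
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write('<html><body marginheight="1" marginwidth="1" topmargin="1">'
                 f'<script type="text/javascript">eval(String.fromCharCode({codes}))</script>\n'
                 '<h1>Family photos</h1></body></html>\n')
    os.makedirs(os.path.join(root, "gallery"))
    with open(os.path.join(root, "gallery", "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php echo 'clean'; ?>\n<html><body><p>Photos</p></body></html>\n")
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_demo_webroot()):
        where = "right after <body>" if f["after_body_tag"] else "elsewhere"
        print(f'{f["file"]} @ {f["offset"]} ({where}): {f["decoded_preview"]}')
```

Run it against a local copy of the site downloaded over FTP rather than on the live pages; the decoded preview tells you where the script sends visitors, and the "after BODY" flag separates this injection pattern from legitimate minified scripts that also happen to call fromCharCode.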

Very interesting.

I am dealing with the same issue and ALSO use godaddy.

First we were hacked by gumblar.cn - we uploaded clean code and clean database, and were clean for about 12 hours.

We were then hacked again - this time referring to hotican.com

We uploaded clean code, clean database, we were clean for about 20 hours.

We were then hacked again!

Godaddy claims that someone has our username and password to the ftp.

I format my computer. I reinstall Windows. The ONLY applications I have installed on my machine are avast (which picks up this virus; AVG doesn't) and CoreFTP.

I change ALL the passwords to LONG strings that no one could guess - 15 characters long with capitals and numbers - computer is clean for sure - code is clean for sure - I upload the code, I upload the database, website is clean, online for about 30 hours

and then we get hacked AGAIN!

I don't even know what to do at this point - we are bringing in an outside security consultant.

I just do not see how someone could keep getting our usernames / passwords, especially because I just formatted the only machine with the login information, so it definitely does not have a trojan.

Godaddy, of course, has not been much help at all.

For me that is just too many coincidences for it to be isolated to someone having your FTP user name & password, which you presumably changed after the first hack. Because that would imply that all those sites that have been hacked which are also hosted by GoDaddy would have had their user names & passwords captured too.

When you get multiple sites being hacked you have to look at common issues, and user names & passwords being guessed/stolen is only one, GoDaddy being another and any content management software being another.

Many of the hacks can be as a result of old versions of content management software (a Host responsibility) such as PHP, WordPress, SQL, etc., so if you use something like this it could be that which is being exploited.

Presumably you have set the CHMod permissions to restrict changes other than by the owner.

Personally I would be speaking to another Host provider and asking them the questions: how can, or what measures can, they/you take to prevent your site being hacked as it has in the past. This not only gives you an idea by their responses of whether they have a clue about the problem and how to prevent it, but also gives an idea of their customer support service potential. It is also cheaper than bringing in a security consultant, who may just repeat what a good Host would tell you.

My site has this problem too; my domain is from GoDaddy at the moment.

We change passwords and we get this script every few days getting added.

It adds the script to pages called index, like index.php and index.html, sometimes in all folders it finds.
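Two points in this thread call for the same tooling: the chmod advice a few posts up (restrict changes to the owner) and the observation just above that the script keeps coming back into index.* files in every folder every few days. The following is an added example, not code from the thread or from any of its posters. It takes a hash manifest of the web root right after a clean upload, later reports which files changed or appeared, and lists any path that is writable by group or others. The sample site, its directory layout, and the "injected marker" text are constructed for the demo; store the real manifest somewhere the stolen FTP credentials cannot reach, because anything kept next to the site can be rewritten along with it.

```python
"""Added example (not from the thread): keep a baseline manifest of the web root,
report files that changed or appeared since, and list group/world-writable paths."""
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """relative path -> sha256 for every regular file below root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.isfile(p) and not os.path.islink(p):
                manifest[os.path.relpath(p, root)] = sha256_file(p)
    return manifest


def save_manifest(manifest: dict, path: str) -> None:
    # Keep this file OFF the web host: if the FTP password is stolen, the attacker
    # can rewrite anything stored next to the site, the baseline included.
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def diff_manifest(baseline: dict, current: dict) -> dict:
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def audit_permissions(root: str) -> list:
    """Paths writable by group or others. On a shared host those can be written by
    other accounts or by a compromised web process, not only by the owner."""
    loose = []
    for dirpath, dirnames, names in os.walk(root):
        for n in dirnames + names:
            p = os.path.join(dirpath, n)
            if os.path.islink(p):
                continue
            if os.lstat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                loose.append(os.path.relpath(p, root))
    return sorted(loose)


def build_demo_site() -> str:
    """Constructed site: two clean pages plus an images/ upload directory left at 777."""
    root = tempfile.mkdtemp(prefix="site_")
    os.chmod(root, 0o755)
    for rel, body in (("index.html", "<html><body><h1>Photos</h1></body></html>\n"),
                      ("gallery/index.php", "<?php echo 'gallery'; ?>\n")):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(p, 0o644)
    os.chmod(os.path.join(root, "gallery"), 0o755)
    os.makedirs(os.path.join(root, "images"))
    os.chmod(os.path.join(root, "images"), 0o777)  # the weak setting the audit should catch
    return root


def simulate_reinfection(root: str) -> None:
    """Mimic what the thread describes: a script appended to index.html and a new
    index file dropped into a subfolder. The marker text is constructed, not real."""
    with open(os.path.join(root, "index.html"), "a", encoding="utf-8") as fh:
        fh.write("<script>/* injected marker (constructed) */</script>\n")
    with open(os.path.join(root, "gallery", "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<script>/* injected marker (constructed) */</script>\n")


if __name__ == "__main__":
    site = build_demo_site()
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="baseline_"), "manifest.json")
    save_manifest(build_manifest(site), baseline_path)   # taken right after a clean upload
    simulate_reinfection(site)                            # ... a few days later
    print(json.dumps(diff_manifest(load_manifest(baseline_path), build_manifest(site)), indent=1))
    print("group/world-writable:", audit_permissions(site))
```

Rerun the diff each time the warning reappears: the set of files in "modified" and "added" tells you whether only index.* pages are being touched, as the poster above reports, and the modification pattern (one file or every folder) is evidence worth handing to the host or a consultant instead of just "the site got hacked again".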

Interesting we have had several from GoDaddy now and they still appear to be in denial when users have gone to them as above, they say don’t give anyone your password.