It instals it's self in my index.htm file on my website

[kris]

Hi again,probably you didn't find nothing because I was in a hurry to delete that Lware.class file and then erase the <iframe line from both places and since then (last night 14.6.(about 22:00 ) nothing new has appeared.I also scanned my computer with a few different antivirus programs and cleaned everything that was found even suspicious.Speaking of spyware - could you recomend me some good reliable and not too expensive ( or why not a free one -even I doubt that:-) for a privat person ( I mean I do not own a company with many computers).I find so many on the net but you probably are aware( from experience) of some really efective ones .
I thank you very much for your time and effort!You're of great help to me and obviously many other people.God bless you!!!

[MysteryFCM]

The 2 best antimalware programs are;

a-Squared
www.emsisoft.com

Malwarebytes AntiMalware
www.malwarebytes.org

For additional information, please see;

http://mysteryfcm.co.uk/?mode=Articles&date=12-08-2008

[kris]

Thanks again !

[MysteryFCM]

No problem

[kris]

Hi again,
it might be POSSIBLE  that all this comes from my machine.I scanned it with the Malwarebyte's program and it showed me 96 infected files in the HKU registry- I click the program to remove them but next time they are there again and I can't access my regedit.exe  - I go to start->run->regedit and nothing -then I did change the settings enable disable as I read on the net for to make it work and still nothing.Looks  like my machine is very ill.
I just wonder if there was nothing malicious on my site how did google and firefox marked it as attacking site - now whenever someone searches for my name it shows a line next to my URL -this site is  dangerous for your computer.

[MysteryFCM]

Google etc, would have picked it up when the malicious code was there (i.e. prior to your removing it).

I'd strongly advise you stop by the Malwarebytes forums as they'll be able to help you clean out the infections.

[Serg]

nice. when u will find a malware please post it's md5 here. I want to find admin page for that... 

[kris]

Hi again the frame code that appears on my "index.htm" and may "main.htm" pages is here  it  starts with a "<iframe " tag and then goes ----src=(Quotes")http : // nyfilmlife.cn:8080/index.php"  width=185 height=191 style="visibility: hidden">" -----and then it ends up with </iframe> " tag --I have posted it also before on my previous postings.I cleaned my site and Google and Firefox are not blocking anymore my site and they don't show the warning when someone searches for kriss viconte on Google.
But only ( not even)2 days was my site clean !!! I changed my password and cleaned all the <frame codes from my telefon with my wlan wifi connection.Last night I found that frame again and I haven't accessed my account at least 36hours since it was clean.Before I fixed it -the last time -there were also some *.class files missing from my java anfy applet and I have never erased any of them.Now I have renamed my index.htm and main.htm files because I don't want google to report my site as malicious again and will look for a new host.I think that host is not stron enough to protect me from someone getting in my account and modifyin my files.   am I right.

[MysteryFCM]

When you changed your password last time, did you do so from a non-compromised machine?

You MUST ensure;

1. Passwords are changed from a non-infected machine
2. No shells were placed on the server by the attacker, to let them back into the site even if they can't get the current FTP password
3. Any files on your server that allow user input (e.g. via forms), are using proper sanitization to prevent injection and the like, for example, if you currently use;

Code: [Select]

$email = $_GET['mail']
Where GET is either GET for querystrings, or POST for post method strings

Is Changed to;

Code: [Select]

$email = $_GET['mail']; $email = addslashes(htmlentities($email, ENT_QUOTES));
And ensure use of mysql_real_escape_string if you're using MySQL.

/edit

Just a note, the best way of ensuring #2 is to delete all files currently on the server, and uploading a clean copy from a backup (assuming you have one), and again, uploading them from a clean computer (otherwise all they'll need to do is wait for you to connect to your sites FTP again, and sniff the password again).

You should also ensure ALL passwords are alpha numeric with special characters, and do NOT use full words (e.g. "m$98'$"kjh£$KJ" instead of "mydoggy8ate0my2breakfast"). Password crackers will crack passwords with full words in them, in a matter of seconds/minutes usually.

[MysteryFCM]

Please also ensure you pop over to either of the following, to ensure your machine is properly cleaned up;

http://malwarebytes.org/forums

or;

http://malwarecrypt.com/forumdisplay.php?f=4

[kris]

Hi Stven if I give you my username and password would you go to my account -base directory and look at all the files there-when you have time.I don't really know what is a "shell " and where to look for it -is it a separete file or is it "implementes" in some of thje other files and sort of hidden.I have looked at all my files there and exept for the "Lwarere.class " I removed all the others are my own.
I changed my pass word last time from my phone internet conection -it's supposed to be clean-I hope - and didn't visit my account delibaretly just to see if it's gona happen again.I'm about to change to a new server to a new host but I'm afraid it will happen there too -that's why I'm so eager to find out how this exactly happens and how to prevent it.As it looks like it's not so  much my server's fold.But still when I did my last backup with filezilla I had to use my oldest password ,which means my ftp pass doesn't change automaticaly when I change my account pass word.On the other hand the host doesn't give me a option to change my ftp pass separately.They say connect to the ftp server using your account pass word,but if I connect with filezilla it works only with my old password.
One other thing gives me a BIG QUESTION MARK??? -who would want to do this to me -I 2wonder who wants to scrue up my website?!?I have no such enemies...
And last but not less important - Steven,I can't thank you enough for what you're doing for me.Thanks for all your time and good heart.Kriss

P/S and now I remember that I have this function of windows rememberring my passwords ,enabled - but of course not for the last ones of my website host account -should i disable this function as well -completely?

[MysteryFCM]

Hi Stven if I give you my username and password would you go to my account -base directory and look at all the files there-when you have time.I don't really know what is a "shell " and where to look for it -is it a separete file or is it "implementes" in some of thje other files and sort of hidden.I have looked at all my files there and exept for the "Lwarere.class " I removed all the others are my own.

I'll be more than happy to do so, yes, but please don't post them here. Instead either PM the account details (I'll need the FTP hostname, username and password) to me, or send them to me via e-mail (mdl_users @ it-mate.co.uk)

But still when I did my last backup with filezilla I had to use my oldest password ,which means my ftp pass doesn't change automaticaly when I change my account pass word.On the other hand the host doesn't give me a option to change my ftp pass separately.They say connect to the ftp server using your account pass word,but if I connect with filezilla it works only with my old password.

If changing your account password did not change your FTP password aswell, then that will be how they got back in, which means, until the FTP password itself is changed, they'll be able to keep doing this (your host should be providing a facility to change the FTP password). If your host is telling you to connect to FTP using the account password, but you are only able to do such using the old password, you MUST inform them of this as soon as possible as they are the only ones that have the relevant facilities to look into and resolve this for you.

One other thing gives me a BIG QUESTION MARK??? -who would want to do this to me -I 2wonder who wants to scrue up my website?!?I have no such enemies...

The good thing, and not much comfort, is that this is not personal - they aren't targetting you directly or personally. They do this specificaly to make more money for themselves, that is their ultimate goal, they don't care who they step on to do such.

And last but not less important - Steven,I can't thank you enough for what you're doing for me.Thanks for all your time and good heart.Kriss

It's a pleasure

P/S and now I remember that I have this function of windows rememberring my passwords ,enabled - but of course not for the last ones of my website host account -should i disable this function as well -completely?

I'd very strongly recommend disabling that, yes.