
Icy Phoenix


Old Support Topics - Regarding Virus Trojaner on my site



KugeLSichA [ Mon 14 May, 2007 22:25 ]
Post subject: Regarding Virus Trojaner on my site
Hello All,

Some of you may have noticed that on my site ( http://www.caromguild.de | http://www.caromonline.de ) there was an error with a Virus Trojan Downloader.

When the first user reported this error to me, I checked all files on the server -> didn't find anything, so I deleted everything and re-uploaded all files. Before that, I checked with WinMerge against the latest IP version and didn't find any evil code.

I never got such a message when I visit my forum... and so I thought that this could be related to a banner script code. So I first deactivated all banners -> no success, after that I deleted all banners -> no success.

Today I found the error. It comes from a folder that I didn't pay much attention to. It was from the _uc folder, which I use when I'm updating my site.
In this folder there is only an index.htm, a logo, and a style_sheet file.

The evil code was included in the index.htm; I don't know how the hacker could inject this.

It was VBScript code (if someone would like to have that code to check it, I can send it) which includes a file called lsass.exe. I wrote an email to the hoster where the file is located (it is a normal board) and told him that he should delete this file.

I just want to inform you that, if you are also using the folder (which is included in the IP contribut folder) with the upgrading .htaccess file, you should delete this folder from your server if it is not used!!!

Also I want to say sorry for the problems that users may have had visiting my site.

greetz
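
Added example, not part of the original post: the altered index.htm described above sat in a folder that the first file checks did not cover, so this script compares a clean local copy against a mirror of the server file by file and reports changed and unexpected files. The directory layout and every file name other than `_uc/index.htm` are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def tree_hashes(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_trees(reference_root, deployed_root):
    """Return sorted lists (modified, extra, missing) of relative paths."""
    ref, dep = tree_hashes(reference_root), tree_hashes(deployed_root)
    modified = sorted(p for p in ref.keys() & dep.keys() if ref[p] != dep[p])
    extra = sorted(dep.keys() - ref.keys())      # present on the server only
    missing = sorted(ref.keys() - dep.keys())    # present in the clean copy only
    return modified, extra, missing


def write_tree(root, files):
    """Create the constructed sample files under root."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo():
    """Constructed sample: clean local copy vs. a mirror pulled from the server."""
    clean = {"index.php": b"<?php /* forum */", "_uc/index.htm": b"<html>Updating</html>"}
    server = dict(clean)
    server["_uc/index.htm"] = b"<html>Updating<!-- constructed: changed bytes --></html>"
    server["unknown_upload.php"] = b"constructed placeholder"
    with tempfile.TemporaryDirectory() as tmp:
        ref, dep = os.path.join(tmp, "reference"), os.path.join(tmp, "deployed")
        write_tree(ref, clean)
        write_tree(dep, server)
        return compare_trees(ref, dep)


if __name__ == "__main__":
    for label, paths in zip(("modified", "extra", "missing"), demo()):
        print(label, paths)
```

In real use, `compare_trees` would be pointed at the clean package directory and at a fresh download of the whole web root, including maintenance folders such as `_uc`.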


hpl [ Tue 15 May, 2007 01:19 ]
Post subject: Re: Regarding Virus Trojaner On My Site
Now I spoke with MG and he told me that those kinds of viruses usually infect files locally on the PC and when you upload them, the files are already infected...


KugeLSichA [ Tue 15 May, 2007 15:47 ]
Post subject: Re: Regarding Virus Trojaner on my site
Hello hpl,

I also thought this at first, but I was wondering because the local file on my PC was not infected.

This also explains why my forum works well locally but not online.


Antonio Mercurio [ Tue 15 May, 2007 23:05 ]
Post subject: Re: Regarding Virus Trojaner On My Site
KugeLSichA wrote:
Hello hpl,

I also thought this at first, but I was wondering because the local file on my PC was not infected.

This also explains why my forum works well locally but not online.



A long time ago I had the same problem:
a hacker, using a bug, downloaded a "backdoor" onto my server and with this program he gained full access to my FTP space, editing some files and adding malicious code.

The problem was related to some cross site scripting (so it is possible that the backdoor is not related to ICY but to some other script on another site).

Do you have register_globals set to on?


Mighty Gorgon [ Wed 16 May, 2007 01:29 ]
Post subject: Re: Regarding Virus Trojaner on my site
I used to have a similar virus on my PC which infected all php and html files... that's why I thought you could have got the virus locally... anyway, what Antonio is saying is true, the virus can infect your site via some unsecured script. If you can determine what is causing the issue, please report it here.

Thanks


TheSteffen [ Mon 21 May, 2007 10:00 ]
Post subject: Re: Regarding Virus Trojaner on my site
Hi KugeLSichA,

I wrote Kaspersky an email before your first post...

The answer
Quote:
No malicious software was found on the link you have sent.
Maybe, malware code was removed from server.


But I think it wasn't right.

By the way, because of this I disabled your Logo under LINKS

You can enable it, if everything will be fine.


KugeLSichA [ Mon 21 May, 2007 21:12 ]
Post subject: Re: Regarding Virus Trojaner on my site
TheSteffen wrote:
Hi KugeLSichA,

I wrote Kaspersky an email before your first post...

The answer
Quote:
No malicious software was found on the link you have sent.
Maybe, malware code was removed from server.


But I think it wasn't right.


Thx Steffen.

TheSteffen wrote:

By the way, because of this I disabled your Logo under LINKS


You disabled my logo? You think the error comes from there?

greetz


TheSteffen [ Tue 22 May, 2007 13:12 ]
Post subject: Re: Regarding Virus Trojaner on my site
KugeLSichA wrote:
TheSteffen wrote:

By the way, because of this I disabled your Logo under LINKS


You disabled my logo? You think the error comes from there?


No, but I also got a virus hint on the icyphoenix site because of this. And that's not so nice for other users.



