PeterdeB
asked on
Questions about an infection
Hi Folks,
Seemingly out of the blue I have some questions regarding a trojan that keeps popping up on our servers. For quite some weeks now, we have to deal with Trojan Downloader JS IFrame.acm. Virtually all index.php and index.html files are infected with it.
And yes all these files extensively use iframes and stuff. But now I noticed that the time last edited, was in fact yesterday. If it is correct to assume that the timestamp I see in total commander (FTP) reflects the last edited time.
Do I change those attributes when I'm browsing files with total commander FTP?
Could virtually any file or harmfull code, change those files? And more important, that stamp reflects the exact time of infection. So my guess would be that someone was doing something either uploading or modifying or whatever.
See Im trying to discover the source of the problem, and one lead is to check when the files were last edited, more particular it could tell us who was doing what at that time on the server. Only 3 of us have FTP accesss to the server and use it extensively. However we didnt and dont modify all index files we stumble upon ofcourse ;)
If you need more info please ask. Currently my employer is all too busy with other things, but I'm more than concerned about this matter. My collegue is granted the task of handling all this and currently he seems to rename the php files to txt. Download them, cuts out the harmfull piece of javascript and uploads them again.
We could very well be talking about a few hundred files here. I'm not sure how well things are handled on the server itself. I can access it via FTP but that is aobut it.
Thanks for any responses and if you need info please ask. I'm eager to learn and understand.
Regards Peter
Seemingly out of the blue I have some questions regarding a trojan that keeps popping up on our servers. For quite some weeks now, we have to deal with Trojan Downloader JS IFrame.acm. Virtually all index.php and index.html files are infected with it.
And yes all these files extensively use iframes and stuff. But now I noticed that the time last edited, was in fact yesterday. If it is correct to assume that the timestamp I see in total commander (FTP) reflects the last edited time.
Do I change those attributes when I'm browsing files with total commander FTP?
Could virtually any file or harmfull code, change those files? And more important, that stamp reflects the exact time of infection. So my guess would be that someone was doing something either uploading or modifying or whatever.
See Im trying to discover the source of the problem, and one lead is to check when the files were last edited, more particular it could tell us who was doing what at that time on the server. Only 3 of us have FTP accesss to the server and use it extensively. However we didnt and dont modify all index files we stumble upon ofcourse ;)
If you need more info please ask. Currently my employer is all too busy with other things, but I'm more than concerned about this matter. My collegue is granted the task of handling all this and currently he seems to rename the php files to txt. Download them, cuts out the harmfull piece of javascript and uploads them again.
We could very well be talking about a few hundred files here. I'm not sure how well things are handled on the server itself. I can access it via FTP but that is aobut it.
Thanks for any responses and if you need info please ask. I'm eager to learn and understand.
Regards Peter
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Regards Peter