Questions about an infection

Posted on 2009-02-08
Last Modified: 2013-12-04
Hi Folks,

Seemingly out of the blue I have some questions regarding a trojan that keeps popping up on our servers. For quite some weeks now, we have had to deal with Trojan Downloader JS IFrame.acm. Virtually all index.php and index.html files are infected with it.

And yes, all these files extensively use iframes and stuff. But now I noticed that the time last edited was in fact yesterday, if it is correct to assume that the timestamp I see in Total Commander (FTP) reflects the last edited time.

Do I change those attributes when I'm browsing files with Total Commander FTP?
Could virtually any file or harmful code change those files? And more importantly, that stamp reflects the exact time of infection. So my guess would be that someone was doing something, either uploading or modifying or whatever.

See, I'm trying to discover the source of the problem, and one lead is to check when the files were last edited; more particularly, it could tell us who was doing what at that time on the server. Only 3 of us have FTP access to the server and use it extensively. However, we didn't and don't modify all index files we stumble upon, of course ;)

If you need more info please ask. Currently my employer is all too busy with other things, but I'm more than concerned about this matter. My colleague is granted the task of handling all this and currently he seems to rename the php files to txt, download them, cut out the harmful piece of javascript and upload them again.

We could very well be talking about a few hundred files here. I'm not sure how well things are handled on the server itself. I can access it via FTP but that is about it.

Thanks for any responses and if you need info please ask. I'm eager to learn and understand.

Regards Peter

Question by: PeterdeB

Accepted Solution

Kaffiend earned 2000 total points
ID: 23584570

Could some nasty person be coming in through FTP?
Do you have logging on your FTP server?  
Are you sure your FTP server is secured?

Or, maybe there is some other infection/virus/malware already running on the server, that gives someone remote access/control?
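
The FTP log check suggested in this answer, as an added example that is not part of the original thread. It assumes the server writes the common xferlog format (wu-ftpd, ProFTPD and vsftpd can produce it); the log lines, account names, paths and addresses below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in xferlog format (assumed log format, not from the thread).
SAMPLE_LOG = """\
Sat Feb  7 09:14:02 2009 1 198.51.100.20 4210 /www/shop/products.php b _ i r editor1 ftp 0 * c
Sat Feb  7 14:02:11 2009 1 203.0.113.7 5321 /www/index.php b _ i r webadmin ftp 0 * c
Sat Feb  7 14:02:12 2009 1 203.0.113.7 2290 /www/shop/index.html b _ i r webadmin ftp 0 * c
Sat Feb  7 14:02:14 2009 1 203.0.113.7 6102 /www/blog/index.php b _ i r webadmin ftp 0 * c
Sat Feb  7 14:30:40 2009 1 198.51.100.20 5100 /www/index.php b _ o r editor1 ftp 0 * c
"""

INDEX_RE = re.compile(r"(^|/)index\.(php|html?)$", re.IGNORECASE)

def parse_xferlog(line):
    """Return one transfer record as a dict, or None for malformed lines."""
    f = line.split()
    if len(f) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(f[0:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    # f[6] remote host, f[8] path, f[11] direction, f[13] user, f[17] status
    return {"time": when, "host": f[6], "path": f[8],
            "direction": f[11], "user": f[13], "status": f[17]}

def index_uploads(log_text):
    """Completed uploads (direction 'i', status 'c') of index.php/index.html."""
    records = (parse_xferlog(l) for l in log_text.splitlines())
    return [r for r in records
            if r and r["direction"] == "i" and r["status"] == "c"
            and INDEX_RE.search(r["path"])]

def writers_near(log_text, infected_path, mtime, slack=timedelta(minutes=5)):
    """Who uploaded infected_path within +/- slack of its modification time."""
    return [(r["user"], r["host"], r["time"]) for r in index_uploads(log_text)
            if r["path"] == infected_path and abs(r["time"] - mtime) <= slack]

def bulk_writers(log_text, min_files=3):
    """Account/IP pairs that overwrote at least min_files distinct index files."""
    seen = defaultdict(set)
    for r in index_uploads(log_text):
        seen[(r["user"], r["host"])].add(r["path"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_files}

if __name__ == "__main__":
    when = datetime(2009, 2, 7, 14, 2)  # timestamp seen on the infected file
    print(writers_near(SAMPLE_LOG, "/www/index.php", when), bulk_writers(SAMPLE_LOG), sep="\n")
```

The timestamp an FTP client displays and the time in the server log may be in different time zones, so widen `slack` before concluding that no upload matches. An account that shows up from an address none of the legitimate users recognise is a sign of stolen credentials, in which case the passwords need changing as well as the files cleaning.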

Author Closing Comment

ID: 31544245
Yes it is an access problem, thanks.

Regards Peter
