Website Hacked with Virus, how to find the source?

graphic_designer
Recently all the web pages I made (index.htm only) were hacked and implanted with viruses. I have since replaced all infected pages with my backup files and the antivirus software no longer warns about them. Then 2 days later they were infected again.

I WANT to find the hacked source.

I just replaced all the index.htm pages with the original, non-infected files. These pages are now not infected. I want to find the source before it gets infected again. I also changed all my FTP passwords. The only thing I can think of is that I downloaded the free FTP upload software "FileZilla" days before this happened, and I saved my FTP login in the software. Is this it? Or something else, like an unverified Dreamweaver?

Please help!
A desktop with access to the site could have been the virus problem.
It could have been a hosting problem.

CT
Check your server that hosts your website.
What are the symptoms, and how do you know it is infected?
I have no clues to guess the problem.
There are many possibilities, so let's start with the most obvious ones.
Attackers try to brute-force FTP logins all the time. If your password was weak, it is likely they have broken into your FTP account at the hosting provider. You should immediately change the FTP password.
On the other hand, your computer could be infected by some automated worm which is sending back to its "owner" any and all passwords it can find on your computer. Be sure to run an up-to-date antivirus on your system to ensure it is clean. Both measures won't give you 100% certainty, but start with those and we'll look into it deeper if needed.

Mohamed Osama, Senior IT Consultant, commented:
To answer your question, there has been a recent increase in the rate of mass hacks that operate in a similar manner, i.e. stealing cached FTP credentials from several FTP clients including FileZilla. The most famous attack is known as Gumblar; keep in mind there are now several variants of this threat.
I have recently found and removed this particular one from a compromised server:
http://vil.nai.com/vil/content/v_173829.htm
Other related links:

http://www.danielansari.com/wordpress/2009/05/automatic-removal-of-gumblarmartuz-trojan/

http://www.webpayments.ie/blog/Gumblar-What-is-it-How-to-I-remove-it-.html
There are also similar threats that target other vulnerabilities, like SQL injection, among others.

Author commented:
Godaddy.com is my hosting server. They are so big, I don't think it's coming from them, but I could call them and ask.

I know it was infected because when I access all the websites that I made, my antivirus software detects "malware", and Google search also warns against visiting my sites. (I have many different domains and pages, but only the index.htm and index.html files are infected.) When I look on the server, the files' modification dates are 2 days after my upload. I never logged on on the day of the modification date.
Just days before this happened, my computer was infected with a virus. My PC has since been cleaned and no longer has any viruses. I have changed my FTP passwords.

What do you mean by "stealing cached FTP credentials"?
Do I need to change my other "non-FTP" passwords/login info?
What else do I have to do to prevent future website virus infections?

Thanks.
Senior IT Consultant commented:
What do you mean by "stealing cached FTP credentials"?
The trojan in question has a password-stealing capability. Its author targets known FTP programs and steals the passwords stored by those programs, if you chose the option to save the password.
The stolen password is used for modifying the website content to add an iframe redirecting to a malicious website. This can be automated entirely using another program, which works in conjunction with the initial trojan horse; other types of malware can also be downloaded and executed without user permission.
Do I need to change my other "non-FTP" passwords/login info?
It is generally a good idea to change all other passwords. It is very likely that other passwords were also harvested by such programs; the FTP password routine was merely used to spread through websites.

What else do I have to do to prevent future website virus infections?

- Consider implementing SFTP instead of FTP, which is more secure. Regardless of the encryption method used by FTP programs to store the FTP passwords, they will still be transferred in clear text over the network, where they can be captured and collected by malicious users or programs.
- Avoid saving passwords unless you have to.
- Use an updated antivirus, antispyware, firewall and HIPS (host-based intrusion prevention system) on your web server.
- Ensure the operating system and all the running third-party software are patched to the latest versions.
- Harden your web server security: for IIS 6, this is probably all you need:
http://technet.microsoft.com/en-us/library/cc163140.aspx
- Avoid using the server for web browsing or other client activities.
I am sure the list can go on, but I hope you get the idea.
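A defender-side check for the injection pattern this answer describes (a hidden or off-site iframe appended to index.htm by someone using the stolen FTP login), added here as an example and not code from the thread or from any expert in it. It compares a downloaded copy of the live site against the clean backup and flags suspicious iframes; the sample pages, the placeholder iframe host and the directory layout are constructed assumptions.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample pages: a clean backup of index.htm and the same page after
# a hidden-iframe injection. The iframe host is a placeholder, not a real indicator.
CLEAN_PAGE = "<html><body><h1>Portfolio</h1><p>Welcome.</p></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + (
    '<iframe src="http://malicious-host.invalid/in.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>\n'
)

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?(\d+)""", re.IGNORECASE)
HIDE_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)


def suspicious_iframes(html, own_hosts):
    """Return iframe tags that look injected: off-site, hidden, or 0/1-pixel sized."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        src = SRC_RE.search(tag)
        host = urlparse(src.group(1)).hostname if src else None
        offsite = host is not None and host not in own_hosts  # review legit embeds too
        tiny = any(int(v) <= 1 for _, v in DIM_RE.findall(tag))
        if offsite or tiny or HIDE_RE.search(tag):
            hits.append(tag)
    return hits


def check_page(live_html, backup_html, own_hosts):
    """Compare a live page with its clean backup and flag injected iframes."""
    return {"modified": live_html != backup_html,
            "iframes": suspicious_iframes(live_html, own_hosts)}


def scan_site(live_root, backup_root, own_hosts, pattern="index.htm*"):
    """Walk a downloaded copy of the site and report every index.htm* file that
    differs from the backup copy or contains a suspicious iframe (paths assumed)."""
    report = {}
    for live in Path(live_root).rglob(pattern):
        rel = live.relative_to(live_root)
        backup = Path(backup_root) / rel
        backup_html = backup.read_text(errors="replace") if backup.exists() else ""
        result = check_page(live.read_text(errors="replace"), backup_html, own_hosts)
        if result["modified"] or result["iframes"]:
            report[str(rel)] = result
    return report
```

Run scan_site over a fresh download of the web root and the clean backup tree; any reported path is a page that changed after your last upload, which matches the "modified 2 days later" symptom in the question.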

Mohamed Osama, Senior IT Consultant, commented:
The link below should describe the exploitation routine accurately if you wish to read more about it:
http://vil.nai.com/vil/content/v_173836.htm