  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1337

Most websites I have created for my clients are suddenly infected with "JS/TrojanDownloader.Agent.NRL trojan"! Need help fast!

Hello,

As I have mentioned in the question title, almost all the websites I have created for my clients in the last years are suddenly infected with "JS/TrojanDownloader.Agent.NRL trojan"!

A few years ago I started my own business and have a firm whose main business is graphic design and creating websites. A few weeks ago, on my own website, I added a category "clients" which contained a list of the clients I have worked for (it was just a list of names, for example: Client 1, Client 2, Client 3, etc.; there were no links, no URLs, no additional info).

Yesterday I tried to enter the Internet address of one of my clients in the address bar, but when I entered the address the site was unavailable, and in Firefox I got this error message:

"The connection was reset

The connection to the server was reset while the page was loading.

    *   The site could be temporarily unavailable or too busy. Try again in a few
          moments.

    *   If you are unable to load any pages, check your computer's network
          connection.

    *   If your computer or network is protected by a firewall or proxy, make sure
          that Firefox is permitted to access the Web."

and the security solution I use ("ESET Smart Security") also showed me this warning message at the same moment:

"!ESET Smart security
Object: www.myclientswebsite.com
Threat:
JS/TrojanDownloader.Agent.NRL trojan
Information:
Connection terminated - quarantied"

That was the case with the first client site, but then I also tried to open other sites which I created for my clients and I got the same error messages. When I open any other site which is not one of my clients' websites, it works fine, so it looks like someone wanted to intentionally harm me/my business (probably one of my competitors, or someone just for fun). My guess is that whoever did this probably used the list of my clients' names on my site under "clients".

So I need help fast; I need to know how to solve this and how to prevent it from ever happening again.

Any help is appreciated and MANY THANKS in advance for PROMPT replies!

Asked by: adnan2004

antontolentino Commented:
You need your host's help in such a case.

Bring the matter to your host's support team.

edbedb Commented:
I don't think there is much you can do but remove the viruses and change the passwords.

adnan2004 (Author) Commented:
@edbedb
Regarding changing passwords, no problem, I can do that, but how do I remove the viruses?
 
edbedb Commented:
They are usually pretty easy to spot. If you post the url I can take a look for you.

apexpert Commented:
Are your websites static or dynamic? You are probably the victim of an automated injection program which is infecting all your sites, as it might have got the links from your client portfolio. Look up cross-site scripting or SQL scripting, depending upon whether you have a dynamic site or a static one.

kart4578 Commented:
Just try Webroot Internet Security Essentials or G-Data Internet Security. I am sure it will fix it... Thanks 4578

adnan2004 (Author) Commented:
Sorry for the late reply, I have been really busy because I am trying to repair all the damage that has been done.

This is what I have done so far:

Basically my client websites portfolio is separated into two parts:
1. Simple html websites and
2. Joomla CMS websites

***** Regarding first ones (simple html websites) ******
I have simply deleted all website files (which were affected by "JS/TrojanDownloader.Agent.NRL trojan") from the servers and replaced them with "healthy" backup files which I had saved on my hard disk (luckily I make a backup of all my sites every month). The interesting part is that when I had done this, ESET Smart Security didn't show me this message anymore:

"!ESET Smart security
Object: www.myclientswebsite.com/index.html or php
Threat:
JS/TrojanDownloader.Agent.NRL trojan
Information:
Connection terminated - quarantied"

and that was OK because it looked like the websites were working OK, BUT the problem is not 100% solved, and this is why:

if, for example, I enter one of my clients' websites in the Firefox address bar, www.myclientswebsiteno1.com, while the site is loading I can see this message in the Firefox status bar:

http://img693.imageshack.us/img693/3553/14880499.gif

so it looks like, even though I uploaded new "healthy" backup files, I still didn't solve the problem. My question is the same as in my first post: How can I remove this trojan completely, and also how can I protect myself in the future, besides setting a complicated password, which I have already done?

adnan2004 (Author) Commented:

******* Regarding my Joomla CMS websites *******

The situation with my Joomla CMS websites is a little different in comparison with my simple html sites. Here is the problem: I didn't make a backup in time for my Joomla websites, so all I have is a backup of infected files. I have downloaded these files to my computer, scanned them with ESET Smart Security, and the result was:

"Number of infected files: 323"
all infected with JS/TrojanDownloader.Agent.NRL trojan

Also the same question: How can I remove this trojan completely, and also how can I protect myself in the future, besides setting a complicated password, which I have already done?

P.S. Also, is it possible somehow to remove the trojan from these 323 infected files so I could upload these files to the server again (after they are "cleared")?

also sorry for not-so-good english;))

adnan2004 (Author) Commented:
Any help is appreciated!
Thank you

CharuJai Commented:

adnan2004 (Author) Commented:
@CharuJai

I checked that link and the first thing I have done is disable the "save password" option in my FTP client Core light. I think that this could be the right solution, because it looks like this virus somehow "steals" the FTP password from the FTP client, especially from FileZilla, but I have to wait a little bit to test it out because I had one more Trojan attack two days ago... I will inform you very soon. Thnx!

adnan2004 (Author) Commented:
After fully reading the thread http://www.wjunction.com/showthread.php?p=194657 I followed the instructions from user Divvy and solved the problem. In my case I stopped using FileZilla and switched to another FTP client, Core FTP light, which has an easy check/uncheck "don't save password" option, so since I did that, no problems any more ;)

Thnx again CharuJai!
Cheers!
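
The thread settles on not saving FTP passwords in the client. As an added example (not part of the original thread), this script lists which entries in a FileZilla Site Manager file still carry a stored password, so those accounts can be rotated and the saved value cleared; the element names assume the layout of FileZilla 3's sitemanager.xml, and the sample data is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout of a FileZilla 3 sitemanager.xml.
# Hosts, users and password values are made up for this example.
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.client-one.example</Host>
      <User>webmaster</User>
      <Pass>not-a-real-password</Pass>
      <Name>Client 1</Name>
    </Server>
    <Folder>Joomla sites
      <Server>
        <Host>ftp.client-two.example</Host>
        <User>joomla</User>
        <Pass encoding="base64">bm90LXJlYWw=</Pass>
        <Name>Client 2</Name>
      </Server>
    </Folder>
    <Server>
      <Host>ftp.client-three.example</Host>
      <User>admin</User>
      <Name>Client 3</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def sites_with_saved_passwords(xml_text):
    """Return (name, host, user) for every site entry that stores a password.

    The password value itself is never returned or printed.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):  # iter() also descends into <Folder> groups
        pass_el = server.find("Pass")
        if pass_el is not None and (pass_el.text or "").strip():
            findings.append(tuple(
                (server.findtext(tag) or "").strip()
                for tag in ("Name", "Host", "User")
            ))
    return findings


if __name__ == "__main__":
    for name, host, user in sites_with_saved_passwords(SAMPLE_SITEMANAGER):
        print(f"saved password: site={name!r} host={host} user={user}")
```

Any account the script reports should be treated as exposed if the workstation was infected: change the password on the server first, then remove the saved copy from the client.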