HTML:IFrame-EJ [Trj] Found on my website (It's back!)

Hey Everyone!

I went on my website today that I am the owner and web designer of, hxxp://www.valskidsline.com, and Avast came on and said that it had the HTML:IFrame-EJ [trj] located on xxx.valskidsline.com; then seconds later it comes up again saying it's located in my Firefox cache. If I do this on IE, it says it's in the Temporary folder, obviously.

Now, I went on my FTP control panel, and the pop-up shows up there as well. I also went on Gensap.com, my website hosting service, and of course the pop-up is there as well. These are the only sites that it is showing up on; I can go on everything else.

I've tried to log into my control panel to check that out and find the virus, but once the Avast pop-up comes on, it prevents me from logging in.

I've sent an email to my tech support, and it being Sunday doesn't help. They are also quite slow at replying.

I have Avast running right now, as well as Spybot and Ad-Aware.

Don’t click on the link, unless you know what you are doing.

Any help I can get would be fantastic.

Edit: Avast Home Scan, Through Disk Scan was completed and no viruses were found. Or so it said anyways.

Happy Mothers Day to your moms!

Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?

There is a large chunk of obfuscated script on the same single line, directly after the opening body tag (two inserted script tags), so it looks like your site has been hacked.

Thanks a lot for your help, guys. This is so disappointing; I'm good at making sites, but not so good at knowing how to fix or what to do in this situation, as this has never happened before. What should I do next? The thing that would make sense to me is to log into my cPanel, delete the files or clean them, then re-upload everything, right? Change my password info and all of that if it hasn't been already changed by the hacker. I try and go onto the cPanel, but when the Avast pop-up comes up, I can't log into it, obviously. What else should I do?

Thanks very much everyone

Can you overwrite the files by uploading the new ones (maybe by FTP transfer) without having to log in to the site host?

You’re welcome.

Commonly this happens because of vulnerabilities in the site content management software (PHP, SQL, WordPress, etc.) being exploited, usually because of old versions of the software. So you will need to talk to your host for advice in that regard if it is they who provide this, and ask how they/you can secure your site to prevent future occurrences.

If avast gets in on the act when you open the control panel, I take it this is server hosted?
If so then you would need the host's help in resolving that. However, if you aren't actually running the file and the alert is the web shield, then you could pause it. You would have to be extra careful and only be online as short a time as possible, then enable the web shield again.

If, as suggested, you just upload and overwrite existing files by FTP, it is entirely possible they end up infected too, as has happened in at least one topic that I remember.

This is by no means easy but the first thing is to change passwords for any area to do with uploading/modifying or controlling content, etc.

Sorry. Out of my knowledge limits :-[

David R hit the nail right on the end! You're very good at this, haha, but I'm sure you already know that. :wink:

I emailed the host first thing when I found out that this had happened, telling them everything, and this was the response. I was stunned to get a reply; I've had issues before and waited weeks for a response. Prompt isn't their forte.
I actually got a response!

We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

  1. Check all index pages for any signs of JavaScript injected into
    their coding. On Windows servers check any "default.aspx" or
    "default.cfm" pages as those are popular targets too.

  2. Remove any "rogue" files or PHP scripts uploaded by the hackers
    into your account. Such scripts allowed them to make account-wide
    changes, spam through your account, or spread their own .htaccess
    files through all of your domains in that end user.

  3. Check all .htaccess files, as hackers like to load redirects into them.

  4. Change all passwords for that end user account: the cP password,
    the FTP password, and any FTP sub-accounts. Make sure to use a
    "strong" password which includes upper case, lower case, numbers and
    NO COMPLETE WORDS OR NAMES!

This, coupled with our server-side changes, should prevent any
resurfacing of the hackers' efforts. In some cases you may still have
coding which allows for injection. All user input fields, hidden or not,
should be hard coded, filtered, and sanitized before being handed off
to PHP or a database, which will prevent coding characters from being
submitted and run through your software.

Thanks,

So I grabbed my guts and tried to log into the host server, so I could see the files. I was quite nervous that the trojan would start to download as soon as I signed in; the pop-up warnings from Avast and Ad-Aware were a sight to see. I went on real quickly, searched for any of the files that he had recommended, and did not see any. There were no files added, BUT my files were altered and the JavaScript was injected. I went in and edited the index.php and index.html and found the HUGE long injections. The one on index.php was loaded with links and all this crazy stuff; I deleted it and reloaded it. The index.html was all crazy with foreign letter and number combos of a JavaScript. I deleted that and re-uploaded it. I then went and looked on the site, and I no longer received any notifications on Avast or Ad-Aware, and it looks perfectly normal. I am still looking through all of my pages and making sure nothing has been added. I will then change my passwords and clear out my computer, run Avast again, just to be safe.

I've always been kinda paranoid/better safe than sorry with everything, so I was shocked, to say the least, that this has happened. But it was a relief to know that this wasn't at my end, and more so the host's end.

Thank you everyone for your help, you're really awesome! I appreciate David showing me exactly where the problem was when he uploaded the picture. That was a big help for me.

Now that the pop-ups are all clear, is it safe to say the website has been taken care of?

Also, I just noticed this as I was typing this message. I went on my login page for the host, and the exact same pop-up is there! hxxp://cpanel2.page14.com and on hxxp://www.gensap.com - my host's site.

I emailed the host and told them this, but is this a problem caused by my computer or is it at their end? I'm not too sure.

Thanks everyone!
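The host's clean-up list above (injected script in index pages, rogue files, redirects in .htaccess) can be turned into a first-pass scan of a downloaded copy of the site. The script below is an added example written for this thread; it is not code from the host, from Avast or from the original poster. It assumes the site has been pulled down to local disk (for example over FTP) and that the path to that copy is given as the first argument; the sample inputs at the bottom are constructed to resemble what the thread describes, not real captures. It goes a little beyond the list by also checking for script appended after a PHP file's closing `?>` and for hidden iframes. Every hit still needs a human look: these are heuristics, not a verdict.

```python
"""Heuristic scan of a site tree for the injection pattern described in this
thread: script/iframe tags straight after <body>, obfuscated payloads, hidden
iframes, JavaScript appended after a PHP file's closing ?>, and external
redirects in .htaccess.

Added example, not code from the thread, the host, or Avast. Assumes the site
has been copied to local disk and its root is passed as argv[1].
"""
import os
import re
import sys

TAG_RE = re.compile(r"<(script|iframe)\b[^>]*>", re.I)
BODY_RE = re.compile(r"<body\b[^>]*>", re.I)
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*(width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
    r"|visibility\s*:\s*hidden|display\s*:\s*none)", re.I)
# Markers typical of the "letter and number combos" the thread describes
OBFUSCATION_RE = re.compile(
    r"unescape\s*\(|eval\s*\(|String\.fromCharCode|document\.write\s*\("
    r"|(?:%[0-9a-fA-F]{2}){8,}|(?:\\x[0-9a-fA-F]{2}){8,}")
REDIRECT_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent)?|ErrorDocument)\b.*https?://",
    re.I | re.M)
LONG_LINE = 500  # injected payloads tend to arrive as one very long line


def scan_html(text):
    """Return the list of finding kinds for an HTML (or HTML-bearing) file."""
    kinds = []
    body = BODY_RE.search(text)
    if body:
        after = text[body.end():body.end() + 64].lstrip()
        if TAG_RE.match(after):
            kinds.append("script_after_body")
    if any(len(line) > LONG_LINE and TAG_RE.search(line)
           for line in text.splitlines()):
        kinds.append("long_script_line")
    if OBFUSCATION_RE.search(text):
        kinds.append("obfuscation_markers")
    if HIDDEN_IFRAME_RE.search(text):
        kinds.append("hidden_iframe")
    return kinds


def scan_php(text):
    """HTML checks plus script-like content after the final closing ?>
    (the 'headers already sent' symptom)."""
    kinds = scan_html(text)
    close = text.rfind("?>")
    if close != -1:
        trailing = text[close + 2:].strip()
        if trailing and TAG_RE.search(trailing):
            kinds.append("script_after_php_close")
    return kinds


def scan_htaccess(text):
    """Flag rewrite/redirect rules that send visitors to an absolute URL."""
    return ["external_redirect"] if REDIRECT_RE.search(text) else []


def scan_tree(root):
    """Walk root and return (relative path, kind) pairs for every hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name == ".htaccess":
                scanner = scan_htaccess
            elif ext in (".php", ".phtml", ".php5"):
                scanner = scan_php
            elif ext in (".html", ".htm", ".aspx", ".cfm"):
                scanner = scan_html
            else:
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            findings.extend((rel, kind) for kind in scanner(text))
    return findings


# Constructed samples modelled on the thread's descriptions (not real captures)
SAMPLE_INJECTED_HTML = (
    '<html><body><script>document.write(unescape("%3C%69%66%72%61%6D%65%20'
    '%73%72%63%3D"))</script><script>var a=1;</script><h1>Kids Line</h1>'
    '</body></html>')
SAMPLE_CLEAN_HTML = "<html><body>\n<h1>Kids Line</h1>\n</body></html>"
SAMPLE_INJECTED_PHP = ('<?php\necho "login";\n?>'
                       '<script>eval(String.fromCharCode(118,97,114))</script>')
SAMPLE_HIDDEN_IFRAME = ('<p>hi</p><iframe src="http://x.invalid/" width="0" '
                        'height="0"></iframe>')
SAMPLE_HTACCESS = ("RewriteEngine On\n"
                   "RewriteRule ^(.*)$ http://redirect.invalid/$1 [R,L]\n")

if __name__ == "__main__":
    for rel, kind in scan_tree(sys.argv[1]):
        print(f"{kind:24} {rel}")
```

Run it as `python scan_site.py /path/to/downloaded/site`. Scan the downloaded copy rather than editing on the live server, and compare any flagged file against the version you originally uploaded before deleting anything; a clean CMS page can legitimately carry `document.write` or a long script line.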

You’re welcome.

Thanks for posting the response from the host; it could help others (I have saved it, as there is no identifying detail) in how they go about cleaning house. I too am pleasantly surprised by your host's prompt and very helpful response; if only they were all like that instead of ignoring or blaming the user for giving out their passwords.

I don't believe the login page alerting has anything to do with your computer as a) this is a server-side page, and b) you can't modify it because it isn't in your control. I could be wrong (don't think so though ;D); it has been a very long time since I did any web design and securing my site, and importantly I didn't use any content management software.

So it may be that all the control panel login pages are contaminated by remnants of infected pages on the server side; this is exactly like the infected pages on your site, a huge chunk of obfuscated JavaScript (again two script tags all on one line), see image.

Can you modify the links in your last post, change http to hXXp to avoid accidental exposure to malware.

Hi MonsterKat,

Can you please break the links you gave, like hxtp://suspicious-link.com or www dot suspicious-link dot com, so the curious aren't able to click these links. Why we hold this policy all over these web forums you can read here, where I have explained the reasons for this security principle: http://forum.avast.com/index.php?topic=45139.0

polonus

Links are edited and I apologize. I made a mental note to edit them, and then I simply forgot. Stupid me; I wouldn't want to cause any issues for anyone else, especially after receiving wonderful help.

I emailed the host and told them I have cleaned up the mess at my end, pointed out the login page and the main site being infected, and said I won't be logging into the server until they get it cleaned up, just in case. I managed to get on long enough to clean my site up, and that was it. It's not allowing me to log in anymore, so maybe they have started.

No problem (one down, millions more to go, sorry, in-joke); we avast users feel a little immune to these types of attack, but it is just good practice not to have links active to suspect sites.

You are fortunate to have a host that is somewhat more proactive than most; hopefully they are cleaning house also. Let us know how you get on.

MonsterKat,

The site now seems OK: http://www.blacklistdoctor.com/bld/diagnose.php?URL=www.valskidsline.com&scan_id=5830
Unmask Parasites says: This page seems to be
Exploit Prevention Labs: LinkScanner says:
Congratulations! LinkScanner Online did not find any exploits.
Scanned:
Monday, May 11, 2009

pol

Thanks a lot, Pol, that's a great help. I didn't know about that site, and I'm glad that I managed to find all the injected files. I can't thank everyone here for the help enough!

My host still has not replied to my email regarding the login pages and their site being infected. The prompt reply they gave me was really a one-hit wonder after all :stuck_out_tongue: :stuck_out_tongue:

So as of now, our site is clean but I can't log in and do anything further because they still haven't fixed it at their end. But our site is now good, and that's my major worry.

Thank-you everyone!

You’re welcome.

After such a promising start by your Host :stuck_out_tongue:

Thanks for the thread here, guys. Others (like me) have also experienced this exploit.

For your interest, a discussion is currently underway at my host (who is always very helpful) here:
http://support.jodohost.com/showthread.php?t=16472

If you use webalizer, check that too, as I found the exploit script also appeared in /webalizer/default.html.

It also seems to add a hacked .htaccess file to your root folder and your /webalizer folder.

HTH

I'm having a very similar problem, but avast is detecting HTML:IFrame-EE [trj] on 2 websites I need to work on, managed with cPanel. Some offending code has been found in the index pages and removed and the problem goes away, but within a matter of hours this code has written itself back in. Can anyone tell me how to permanently remove this code?

^ That's interesting... we can work out where the vulnerability is.

Firstly, do you have FrontPage extensions enabled on those sites? If so, turn them off and see how that goes.

What comes after the IFrame- is just a slightly different variant on the same hack, so that isn't really the issue; the issue is resolving why you were hacked, so I suggest you check out the quoted text in Reply #7 on page 1 of this topic. This is from his host on measures they have taken and measures he should take.

If you haven't already, contact your host to report this (asking for advice about how they/you can prevent a recurrence), as it is likely it could be affecting other sites hosted by them.

Hi

I've just spotted this problem on one of my web forums (based on phpBB). I've found a JavaScript added after the closing PHP tag "?>" in several PHP files like index.php, login.php, etc. These files all had the same modification dates. The result was a PHP error on the front page which said "Cannot modify header information - headers already sent ..."
Of course I got rid of these scripts, but I have one question: did somebody copy the content of this JavaScript?
Could you copy and paste it here? (I have archived the content of "my" scripts to compare them.)
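The last poster has archived clean copies and noticed that the tampered files shared a modification date; that comparison can be done mechanically. The script below is an added example written for this thread, not code from phpBB or from any poster. It assumes two trees on local disk: a trusted clean archive and a fresh download of the live site. It hashes both, reports files that were added, removed or modified, and then groups the modified files by modification time, since files touched by one injection run tend to share a timestamp. The `demo()` function builds a constructed pair of trees in a temporary directory so the script can be run with no arguments.

```python
"""Compare a live copy of a site against an archived clean copy by hash, then
cluster the modified files by mtime.

Added example, not code from the thread or phpBB. Assumes argv[1] is the
trusted clean tree and argv[2] a download of the live site; with no
arguments it runs a constructed demo in a temp directory.
"""
import hashlib
import os
import shutil
import sys
import tempfile


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root):
    """Map relative path -> (sha256, integer mtime) for every file under root."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = (sha256_file(full), int(os.stat(full).st_mtime))
    return entries


def compare(clean, live):
    """Diff two manifests by content hash."""
    return {
        "added": sorted(p for p in live if p not in clean),
        "removed": sorted(p for p in clean if p not in live),
        "modified": sorted(p for p in live
                           if p in clean and live[p][0] != clean[p][0]),
    }


def cluster_by_mtime(live, paths, window=300):
    """Group paths whose mtime is within `window` seconds of the previous
    member once sorted by time; one cluster per mass edit."""
    clusters = []
    for path in sorted(paths, key=lambda p: live[p][1]):
        if clusters and live[path][1] - live[clusters[-1][-1]][1] <= window:
            clusters[-1].append(path)
        else:
            clusters.append([path])
    return clusters


def demo():
    """Constructed end-to-end run: two PHP files get the same trailing script
    and share an mtime, and a rogue file is dropped in. Uses a temp dir."""
    base = tempfile.mkdtemp()
    try:
        clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
        pages = {"index.php": "<?php echo 'home'; ?>",
                 "login.php": "<?php echo 'login'; ?>",
                 "about.html": "<html><body>about</body></html>"}
        for root in (clean, live):
            os.makedirs(root)
            for rel, body in pages.items():
                with open(os.path.join(root, rel), "w") as fh:
                    fh.write(body)
        stamp = 1242000000  # fixed epoch so both edits share one mtime
        for rel in ("index.php", "login.php"):
            path = os.path.join(live, rel)
            with open(path, "a") as fh:
                fh.write("<script>eval(String.fromCharCode(118,97,114))</script>")
            os.utime(path, (stamp, stamp))
        with open(os.path.join(live, "rogue.php"), "w") as fh:
            fh.write("<?php /* constructed stand-in for an uploaded file */ ?>")
        live_manifest = manifest(live)
        report = compare(manifest(clean), live_manifest)
        report["clusters"] = cluster_by_mtime(live_manifest, report["modified"])
        return report
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        live_manifest = manifest(sys.argv[2])
        report = compare(manifest(sys.argv[1]), live_manifest)
        report["clusters"] = cluster_by_mtime(live_manifest, report["modified"])
    else:
        report = demo()
    for key, value in report.items():
        print(f"{key}: {value}")
```

Anything in `added` that you did not upload yourself is a candidate for the "rogue files" the host mentioned; anything in `modified` should be restored from the clean copy rather than hand-edited. The clean archive must predate the compromise, otherwise the comparison only tells you what changed since you last saved an already-injected file.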