HTML IFRAME-EX (trj) help !! plus now also HTML IFRAME - inf

Hi
I have been alerted to having this virus in almost all my files in my hosting FTP files -
sorry so not very clued up on this stuff and do not know where to begin? Had a serious virus last year so this system
is quite new, had bank a/c emptied twice via a hacker and I have a sinking feeling this could happen again :frowning: I have all broken up
lines across screen and cannot open word docs properly due to these lines although I am not too sure if this is due to the Trojans
or not but kinda guess it maybe? Can anyone please give me some kind of clue what to do in simple terms as I just read some
forum bits online and my goodness I did not know hardly any of the terminology php etc ??
I have run the Avast virus cleaner and nothing and a full scan nothing there too? 41 files were not scanned and the results said
Password protected and decompression bombs ??? I also checked through some of the infected files sources and there seems to be a lot
of numbers and % and is on every single page of both of my websites ! I have already lost 3 years work due to the last virus and I have a website out there flying around that I cannot access in my host site to pull off/edit and republish, as all the files have vanished from the BlueFTP !

SOOO hope that someone can help me
Muchly thanks in advance

Karen
The problem also is due to the last virus and being able to back up all files: the pages for the website that I need to access are no longer with me and I have asked for support on this from host and the BV forum but nothing working, no replies or help coming in to me whatsoever :frowning:

After spending most of the night on this it appears that the virus is only in the FTP files, there are no alerts coming up when I actually go into the website or preview any webpages in the webbuilder section! So my hubby now tells me that the only way to clear this is to delete all the files in the FTP which means no websites no business !! PLEASE someone help What the heck can I do? Is this right, do I need to totally delete all files in FTP and lose 2 websites and 3 years of work or is there any other miracles out there???

Is this your website urbancouturepaperweddingstuff.com, without information it is impossible to check.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx or URL) ?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

When posting URLs to suspect sites, change the http to hXXp so the link isn't active (clickable) avoiding accidental exposure.

However, avast is very hot on these hacked site alerts, not to mention very accurate in its alerts.

See http://forum.avast.com/index.php?topic=35347.msg297170#msg297170 this topic for more information on why files can't be scanned.

Files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

Decompression Bomb, a file that is highly compressed, which could be very large when decompressed. This used to be a tactic long ago to swamp the system, also see http://forum.avast.com/index.php?topic=15389.msg131213#msg131213.

The name really is the most dangerous thing about this and I wish they would change it or simply not report it, a real PITA.

On attempting to open the collection1 link I get an avast alert and that contains an iframe on that packed (compressed code) page, it is trying to connect to this site hXXp://illusionfest.ru/hgndadri.html a Russian domain (see link below). So I somehow doubt that since this is a UK site is a legit access that you intended.

So it looks like your site has been hacked, http://google.com/safebrowsing/diagnostic?site=illusionfest.ru/&hl=ru-ru.

You will need to contact your Host.

  • This is commonly down to old content management software being vulnerable, see this example of a HOSTs response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

  1. check all index pages for any signs of java script injected into their coding. On windows servers check any "default.aspx" or
    "default.cfm" pages as those are popular targets too.

  2. Remove any "rogue" files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide
    changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

  3. Check all .htaccess files, as hackers like to load re-directs into them.

  4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a
    "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Hi

Thanks ever so for all the replies but being a Technophobe as hubby calls me I shall forward all this to
him to have a look over as it's all gibberish to me sadly and I cannot make sense of it :frowning:
I have 2 sites

and they are both infected! I have contacted hosts hours ago and still waiting to hear something
back ! The BV forum is telling me to delete all my FTP files then that means no websites - no business
no income!
So this looks like we could have actually added the virus to the new PC as we had the same last year 3 - 4 times
and they emptied our bank a/c twice as that was a hacker but we thought Nigerian ?

Thanks again will pass info on and see what happens
:slight_smile:

Karen

You're welcome.

Please modify your post:

When posting URLs to suspect sites, change the http to hXXp so the link isn't active (clickable) avoiding accidental exposure.

OK, so now we have tried all sorts ! and have a new virus
HTML IFRAME - inf this time :frowning:
we have run computer diags and clean ups and nothing has been found at all?
Why is this ? why can nothing find the virus because it's in the FTP files?
looks like gonna have to live with it to keep business going and keep an income
I have again emailed host support team that's 3 in 6 hours and still no replies!
Anyone else have any pointers or step by step guidance?

Thanks
Karen

Hi urbancouture,

This was checked recently:
Check took 3.07 seconds

(Level: 0) Url checked:
hxtp://urbancouturepaperweddingstuff.com
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.activemeter.com/counter.js
Zeroiframes detected on this site: 0
No ad codes identified not currently listed as suspicious* (details)
Generator: Fog Creek CityDesk 2.0.25

(Level: 1) Url checked: (script source)
hxtp://www.google-analytics.com/urchin.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://urbancouturepaperweddingstuff.com/https://livechat.volusion.com/script.aspx?id=123533
Blank page / could not connect This could have been it*
No ad codes identified

polonus

Hey Polonus

What does all this mean exactly, sorry this is all new to me !

So is it a bad problem here ?

(Level: 1) Url checked: (script source)
hxtp://www.activemeter.com/counter.js
Zeroiframes detected on this site: 0
No ad codes identified not currently listed as suspicious* (details)
Generator: Fog Creek CityDesk 2.0.25

Did you mean you think the root of the virus is here ? as I hardly have time anymore
to go on livechat, so if people need products they email me through this, so if this is the problem I can
remove no probs !

(Level: 1) Url checked: (script source)
hxtp://urbancouturepaperweddingstuff.com/https://livechat.volusion.com/script.aspx?id=123533
Blank page / could not connect This could have been it*
No ad codes identified

Sorry to be such a div !

I have been told that BV will have to totally reset my account, guess that means I am now
going to lose both of my businesses ?

Thanks Polonus
Karen

Hi Karen,

No, of course not, your site has to be cleansed by the web admin, and you have to log on after you have changed your password for a stronger one, and if the web hosting firm has cleansed the problems, you can go on there without a care in the world. Send them an e-mail and see that they clean up their act.

polonus

The two malware names are essentially related to the same hacking.

Besides what I mentioned in the quoted text from another Host, you should change your FTP passwords and any password used in say a control panel for content management or your account.

However I'm afraid your site is still infected: a visit to the collection1 link and viewing the page source code shows a very large block of obfuscated javascript (in a script tag) on the same line as the opening Body tag. This is all on a single line, see image extract of the code, which I have word wrapped to make it easier to view.

So it doesn't look like they have done anything yet, I don't know if they would even consider clearing out the injected code on your pages, that I'm afraid most Hosts would consider your job (as is keeping back-ups of your site so you can recover from disasters, this and other issues).

Edit: I also checked the collection 2 page and the same script tag is present after the opening Body tag, so if this follows a pattern it is likely to be in the same location in other infected pages, so this may make finding it and cleaning it more easy.
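A small checker for the pattern DavidR describes (a script block stuck directly after the opening body tag) and for items 1 to 3 of the host's clean-up list quoted earlier in the thread, added here as an example and not the forum's or avast's own tooling. The regexes, the "obfuscated" heuristic and the sample page and .htaccess are my own constructed approximations, so real injected code may need the patterns adjusted.

```python
import re

# Assumed patterns (my approximation of what DavidR describes above, not the
# forum's or avast's detection logic): a <script> directly after the opening
# <body> tag whose body is a long run of escapes or a decode-and-run call,
# hidden iframes, and .htaccess redirects pointing away from the site itself.
BODY_THEN_SCRIPT = re.compile(r"<body[^>]*>\s*<script[^>]*>(.*?)</script>", re.I | re.S)
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(?:(?:width|height)\s*=\s*[\"']?0\b|visibility\s*:\s*hidden)", re.I)
ESCAPE_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){20,}", re.I)
DECODE_CALL = re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(")
REDIRECT_LINE = re.compile(r"\s*(?:Redirect(?:Match)?|RewriteRule)\b", re.I)

def looks_obfuscated(js):
    """True for script bodies that are mostly escapes or decode-and-execute."""
    return bool(ESCAPE_RUN.search(js) or DECODE_CALL.search(js))

def scan_html(text):
    """Return (reason, line_number) findings for one page's source."""
    findings = []
    for m in BODY_THEN_SCRIPT.finditer(text):
        if looks_obfuscated(m.group(1)):
            findings.append(("obfuscated script after <body>",
                             text.count("\n", 0, m.start()) + 1))
    for m in HIDDEN_IFRAME.finditer(text):
        findings.append(("hidden iframe", text.count("\n", 0, m.start()) + 1))
    return findings

def scan_htaccess(text, own_host):
    """Flag Redirect/RewriteRule lines whose absolute target is not own_host."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if REDIRECT_LINE.match(line) and "http" in line and own_host not in line:
            findings.append(("off-site redirect", n))
    return findings

# Constructed samples, not copied from the infected site.
SAMPLE_HTML = ("<html><head><title>Collection 1</title></head>\n"
               "<body><script>eval(unescape('" + "%6a" * 25 + "'))</script>\n"
               "<p>Shop</p></body></html>")
SAMPLE_HTACCESS = ("RewriteEngine On\n"
                   "RewriteRule ^(.*)$ http://redirect.example/$1 [R,L]\n")

if __name__ == "__main__":
    for why, ln in scan_html(SAMPLE_HTML) + scan_htaccess(SAMPLE_HTACCESS, "mysite.example"):
        print(f"line {ln}: {why}")
```

Run it over a downloaded copy of the FTP tree (every .html/.php/.aspx/.cfm page through scan_html, every .htaccess through scan_htaccess) and review each flagged line by hand before deleting anything.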

Thanks Polonus I just had visions of 3 years hard slog and endless sleepless nights working
on sites going down the pan ! and NO income !
which is bad enough as it is ! lol
Although hubby is still working on the new website as he feels mine looks too dodgy for the
thelittlefavourboxcompany that's why we get countless hits on the stats but not many sales ! :frowning:
This site touch wood online does not give off any alerts so I am hoping it's still safe !

Muchly thanks again :slight_smile:
Karen

Hi DavidR,

Don't get that code now as I look at the source, shields do not object going there, nor does AVG Link Scanner (standalone) that I installed next to avast. By the way are they compatible avast resident and the AVG Link Scanner standalone?
Furthermore I see nothing compromising there at the mo. Can you second that?

polonus

I get no alerts on the home page it occurs on the opening of other pages as I mentioned the collection 1 & 2 being the ones I checked (no alert with firefox, even with noscript allowed in the home domain) but I did with avant.

Even though I don't get alerts in firefox, the code is present on the two pages I mentioned.

Try browsing with IE or a clone.

See NoScript reporting the Script for the malware distribution site mentioned in my earlier posts, illusionfest.ru.

Hi David

I have just gone through the whole website with Mozilla and basically getting alerts on all pages bar home page
and pages that I had kind of stopped temporarily !
I do run with IE currently. I did try the links advised and this one illusionfest.ru but sorry could not make head nor tail
of it :frowning:

Thanks again

You don't want to try the illusionfest.ru one as that is the target and a source of malware distribution, as in the google safe browsing link I gave.

Hi David

Sorry it was this one that I went to

http://google.com/safebrowsing/diagnostic?site=illusionfest.ru/&hl=ru-ru

was just being lazy and used that to save on typing, been doing this since twelve thirty last
night and struggling to coordinate my hands with the keys !! ll

Good work, urbancouture, investigating. This is not a site you would like to click nor be redirected to
for the following reasons.

The current status of illusionfest.ru.
This site has been marked suspicious - visiting this site can damage your computer.

What happened when Google visited this site. Not much, the last time the site was active and downloaded and installed malware without the user's consent was on 2009-06-13.
Malicious software includes 11 exploit(s).

This site was hosted on 2 network(s) including AS43321 (AS43321), AS3327 (LINXTELECOM).

Yes apparently this site functioned as a download site to further spread malware to infect 78 site(s), e.g.: tempopiatto.com/, yourhomebusinessplans.com/, sara-mara.by.ru/.

Has this site been hosting malware?
Yep, the malicious software has been infecting 55 domain(s) e.g. tempopiatto.com/, sara-mara.by.ru/, qasimtfaily.com/.

How?
In certain circumstances a third party can add malcode to real sites, so we warn accordingly.

That was it in a nutshell,

polonus

Going over my avast warning log reveals that the actual issue is with the illusionfest.ru site in the same way as mentioned in the

13/06/2009 15:57:01 1244905021 SYSTEM 1444 Sign of "HTML:Iframe-inf" has been found in "hXXp://illusionfest.ru/hgndadri.html\{gzip}" file.
13/06/2009 16:05:21 1244905521 SYSTEM 1444 Sign of "HTML:Iframe-inf" has been found in "hXXp://illusionfest.ru/hgndadri.html\{gzip}" file.
13/06/2009 20:05:26 1244919926 SYSTEM 1444 Sign of "HTML:Iframe-inf" has been found in "hXXp://illusionfest.ru/hgndadri.html\{gzip}" file.
13/06/2009 20:06:55 1244920015 SYSTEM 1444 Sign of "HTML:Iframe-inf" has been found in "hXXp://illusionfest.ru/hgndadri.html\{gzip}" file.

So if you remove the obfuscated javascript script tag, which is pointing to that site.

Yes the one I gave in reply #1, that is where the true problem lies, but you have to remove that script tag I have been banging on about as that is what points to that malicious .ru site.