Hi,

I’m running a dedicated server (windows server 2008 R2) and I have avast anti virus server edition installed running multiple websites. When I scan it picks nothing up. But I have a virus or malware somewhere that keeps injecting javascript into index.x, default.x and login.x webpages. I can restore them, remove the JS by hand and everything will be fine for a while, but during my weekly scan it will usually pick up the same files with the same JS (linking to different sites each time) and delete them to the virus chest.

Luckily none of the websites are live.

I wont lie, I often use remote desktop to access the server at work to bypass the strict firewall settings we have. But I just browse Facebook and a few forums, nothing dodgy…

Can you (or anyone else) help me out please?

The virus name is: “JS:IFrame-AC[Trj]”

See attached the OTL logs.

See below the “Malwarebytes” log.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7662

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

06/09/2011 09:17:30
mbam-log-2011-09-06 (09-17-30).txt

Scan type: Quick scan
Objects scanned: 211397
Time elapsed: 1 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

On a side note, after in stalling Malwarebytes I got a few popups saying it had blocked a potential dangerous IP. See below:

protection-log-2011-09-06.txt

09:45:37	Administrator	IP-BLOCK	95.168.190.200 (Type: incoming, Port: 445)

There are about 50 identical records in the txt file (at the time of posting), all time stamped within 7 or 8 minutes of each other.

My server starts with 95.XXX.XXX.XXX, but the blocked IP is different to any IP’s I have in my subnet…

aswMBR Log:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-06 09:34:10
-----------------------------
09:34:10.827    OS Version: Windows x64 6.1.7600 
09:34:10.827    Number of processors: 2 586 0x404
09:34:10.828    ComputerName: IS-08700  UserName: 
09:34:12.174    Initialize success
09:34:52.415    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
09:34:52.415    Disk 0 Vendor: ST3160815AS 4.AAA Size: 152627MB BusType: 3
09:34:54.443    Disk 0 MBR read successfully
09:34:54.443    Disk 0 MBR scan
09:34:54.459    Disk 0 Windows 7 default MBR code
09:34:54.459    Service scanning
09:34:56.268    Modules scanning
09:34:56.268    Disk 0 trace - called modules:
09:34:56.284    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys 
09:34:56.299    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800316e530]
09:34:56.299    3 CLASSPNP.SYS[fffff8800176a43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8002ecb680]
09:34:56.299    Scan finished successfully
09:35:57.274    Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Desktop\MBR.dat"
09:35:57.274    The log file has been saved successfully to "C:\Users\Administrator\Desktop\aswMBR.txt"

Thank you.

I'm running a dedicated server (windows server 2008 R2) and I have avast anti virus server edition installed running multiple websites.

How many websites ?

you can scan them here http://sitecheck.sucuri.net/scanner/

Essexboy is notified, he is usually in here around 08:00pm - 11:59pm UK time

Most of them are just holding pages. There is only one that’s under development which I keep in a beta directory.

Avast scans once a week and removes any infected files.

They’re all still in the virus chest and IIS has been disabled.

I also noticed from the report quite a lot of errors in the setup. I’m a web developer and not too great at server management, but I do have someone who is and they will be helping me out with it once I hopefully get this fixed

Okay, in the space of 5 hours I’ve had over 500 requests denied to this IP. The message that popsups seems to suggest my server is trying to access the IP and fetch data back…

I guess that is the JS-Iframe working…

95.168.190.200 = http://www.ip-adress.com/whois/95.168.190.200

Not a great deal evident there so lets now look at the drivers

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Hi,

Thank you for your help, but comboFix only runs on windows 2000, XP, Vista and Windows 7.

I can get it to work using compatibility mode using windows 2000, but it warns me after the scan that it’s only compatible with the 32bit version.

It won’t work under any of the other compatibility options and I’m running windows server 2008 R2 64bit.

Is there any other software I can use?

Thank you.

OK that is basically the same as a 7 64 bit. So lets use another programme which will give me an analysis log to play with

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

Click the cog in the upper right

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPfront.gif

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpsettings.gif

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif

On completion click the link to locate the zip file to upload and attach to your next post

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif

Megaupload

Thank you so much for your help with this.

See below the zip file link:

http://www.megaupload.com/?d=8DFY30Z1

OK this is intriguing as I can find nothing amiss there - in fact the system is running very light

Is there the possibility that the web pages are infected but you are not seeing the main Java link and are just deleting just a minor portion of it but leaving the main body intact ?

Have you cleared the Java cache on your system ?

Hi,

Including Avast, I’ve tried three different ant-virus software and each one has either deleted or quarantined the infected web pages.

If I restore the infected files with clean ones from my desktop, they work fine, sometimes for over a week, then the javascript is injected.

Avast only picks them up during my weekly scan.

To remove the code, I download my entire website directory and do a “find all” in Dreamweaver for the code “var t=”

That will find all the infected files, which are index, default and login webpages.

Each time an injection is made, it loads from a different website (you can see a “loading data from xxxxxx.com” in the browser).

I’m quite good with javascript and have been able to pick it apart and see the webpage it is loading. The webpage it loads displays a 404 not found error, but within the source code it’s clearly a fake 404 page full of very complex javascript which I haven’t even attempted to pick apart.

What I find strange is that when I remove the javascript (which is always placed at the very bottom of the page, outside of any tags or code) it doesn’t instantly come back when I run the site.

But also, I’m not storing my websites in the inetpub folder. They’re in a completely different folder. So something must be interacting with IIS7 or my computer is being scanned for specific webpages with different extensions (I’ve had ASP, ASPX, HTM and HTML webpages infected).

I said before that I remote desktop on from work to browse. I was using Firefox for a long time. And after I discovered this I removed Firefox and all it’s settings and preferences. I now only have Chrome and IE installed (IE asks you to verify every webpage, which is annoying so I don’t use it).

I also occasionally used it for USENET, and would scan any download for viruses and scan any keygens with both Avast and STOPzilla. If no viruses were found I would run it (I was looking at different types of rtmp streaming software). I used newzbin.com to find the software.

I’ve since uninstalled anything I’ve downloaded, removed the USENET client (newsbin 64bit, which I have a legitimate license for, as I do for everything else except the rtmp streaming software I was experimenting with).

I’ve removed all software from the server except VMware workstation (which is legit), the anti virus software, chrome, PowerISO (offical trial version just used for mounting) FileZilla Server (freeware) and FlashFXP (again a legit install/license).

I still have Malwarebytes running and the log for blocking the IP 95.168.190.200 is now into the thousands!

windows Firewall is obviously enabled, but I’ve removed all inbound/outbound records from software I’ve removed. IIS is disabled and has been for a while, I will search how to clear the Java cache (DONE) and leave a clean copy of an aspx file in my websites directory (still offline) and see if it gets injected.

But of course any more help would be greatly appreciated!

Thank you again.

Could you remove the script as webshield was blocking this thread, I had to disable my shield

So the probability then is that it is being infected online as opposed to being on your computer., How strong are the passwords ? Have you changed them ? Is the software you are using fully patched

I’m not too sure what you mean.

But I disable the FileZilla Server unless I want to upload to it. The password is 16 characters (inc special characters) as is the admin password to login to the server remotely (different passwords).

What I find strange is that when I remove the javascript (which is always placed at the very bottom of the page, outside of any tags or code) it doesn't instantly come back when I run the site

It is this that makes me think the site has been hacked in some way. If the infection was on your system it would be there when you upload it, do you have a log of entries that show when the page was last amended ?

It’s been maybe a month since I shut down IIS. The files show when they were last amended on the server, but I can’t be sure if that was me or not.

I removed the standard windows FTP in favour of FileZilla. I will check to see if there is an IP log on there.

I will also see if the server keeps a log of everyone who has accessed it (it must do).

In the mean time I’ve changed all passwords.

Keep me informed please, but I do feel it is a hack rather than an infection