The 75 and ZT Owners Club Forums - Technology Forum
16th April 2007, 19:41   #11
martin1973

The problem I seem to have is when you view the source on, say, the home page it's made up of various files and folders, i.e.

default.htm, menu.htm, stylesheet.css etc., so could the virus be in each folder which makes up the pages? (I assume it is, as the line referring to goldunix is repeated several times over.)

As I'm a website butcher rather than designer I'm not 100% sure which folders make up each page; when I look at the site via FTP access there are old files no longer needed, files never touched, so I don't know what's needed and what's not, or what's safe to delete etc.
16th April 2007, 19:47   #12
GreyGhost

When viewing the source code for say the home page you will see several instances of the offending lines always as a pair. Delete all instances then that page is clean.
Repeat for all .html pages. I don't think that you will find them on your CSS sheets or anywhere else.
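A script for the cleanup GreyGhost describes, added here as an example rather than anything posted in the thread: it walks a downloaded copy of the site and strips every line that mentions the attacker domain, reporting per file first so the result can be checked before anything is overwritten. The marker string, the file extensions and the sample page are assumptions; the thread does not show the actual injected lines.

```python
"""Added example, not from the thread: strip injected lines that reference an
attacker domain from a downloaded site copy. Marker, extensions and sample are assumed."""
import os

MARKER = "goldunix"                      # domain the posters say the injected lines reference
EXTENSIONS = (".htm", ".html", ".asp")   # page types the posters found the code in


def clean_page(text, marker=MARKER):
    """Return (cleaned_text, removed_count): every line mentioning the marker is dropped.
    Comparison is case-insensitive, since host names are."""
    kept, removed = [], 0
    for line in text.splitlines(keepends=True):
        if marker.lower() in line.lower():
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed


def clean_tree(root, marker=MARKER, dry_run=True):
    """Walk a downloaded site copy; return {path: lines_removed} for affected files.
    With dry_run=True nothing is written, so the report can be reviewed first."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                cleaned, removed = clean_page(fh.read(), marker)
            if removed:
                report[path] = removed
                if not dry_run:
                    with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                        fh.write(cleaned)
    return report


# Constructed sample page: two injected lines (invented for illustration) around legitimate markup.
SAMPLE = (
    "<html><body>\n"
    '<script src="http://goldunix.invalid/x.js"></script>\n'
    "<h1>Holiday cottages</h1>\n"
    '<iframe src="http://GOLDUNIX.invalid/y.htm"></iframe>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    print(clean_page(SAMPLE))   # cleaned markup, 2
```

Run `clean_tree("/path/to/downloaded/site")` to get the report, then again with `dry_run=False` once the list of files looks right.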
16th April 2007, 19:54   #13
martin1973

Looking at the files via FTP I've got them in ASP pages as well.

Also there seem to be a few GIFs I don't recognise, like a1.gif, b1.gif etc.

If I trawl through every folder and file via FTP and delete the code and reload the file, is that a safe way to solve it? Then once solved back up those folders to disk?
16th April 2007, 20:01   #14
Rich

Quote (originally posted by martin1973):
Rich again :lol: What exactly are the files trying to do?
Ok, from what I can make out, Exploit.JS.ADODB.Stream.y is part of the VBS/Psyme family of trojans. There are literally hundreds of variants but basically they download .exe files from web sites (such as the goldunix one) and each exe will do different things, like open a back door on the victim's PC and allow it to be used as part of a botnet or used for relaying spam emails. The possibilities are endless.


Quote (originally posted by martin1973):
Ok so any idea guys how I remove the nasties, and also any idea how they got on the site in the first place and how can it be made more secure?
It depends on how the site is built (I'd need to see the include files) but for starters, do as Grey Ghost suggests, either download the site, manually edit each file and remove the two lines of malware code then upload "clean" files. I'd still say they got there through the use of a SQL Injection attack, but if multiple web sites are running on the same web server, one of them could have been the victim of attack and it has then infected each site on the server (possibly hundreds). Again the options are endless, it could have got on there any number of ways.


Quote (originally posted by martin1973):
Rich - what is SQL injection and how do you secure the site from this?
How long have you got?

SQL Injection is a vulnerability in ASP coding. Sorry if you coded the site yourself, but it is a vulnerability of "poor" ASP coding. If someone else coded the site for you then use these smilies on them and get them to fix it

Without revealing too much (you never know who's reading!?), you have a web page or URL like so: showpropertygoose.asp?PropertyID=447176. The property id I'll hazard a guess at is an ID field in an SQL database. I'd also say that showpropertygoose.asp simply does "select field1, field2, field3, etc from tablename where propertyid = 447176".

The poor coding part (sorry again if you did it) is that the querystring is not being checked for validity before being sent to the database as an sql query.

I can insert certain characters in your web site url / querystring (again I won't go into specifics on a public forum) which will alter the SQL query sent to the database so I can manipulate the data going to and from your sql db.

The risks here are very VERY high. I can do minor things like log in to the admin area of the site or rather dramatically, I can add to your SQL query being sent to the sql db and issue a site-killing command such as "drop table" which will basically mean instant death to your site.

I can go one step further and upload malware code to the db too.

If you want to have a chat on the phone (might be easier?) send me a PM, but as above, if you didn't do the site, go and have words with the person/people who did.

One last thing, don't feel this was a personal attack on your web site, these "script kiddies" have programs that run round the internet looking for sql injectable sites and infect them automatically. They will simply have a list of urls to show their class mates the next day and say "how cool" they are...

I hope this information is of some use

Last edited by Rich; 16th April 2007 at 20:06. Reason: Horrific spelling!!
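Rich's description of showpropertygoose.asp?PropertyID=447176 put into code, added here as an example and not taken from the thread or the site: the unchecked concatenation he describes beside a hardened lookup that validates the querystring and binds it as a parameter. It uses Python and an in-memory SQLite table with constructed rows, since the site's ASP and database are not available; table and column names are assumptions.

```python
"""Added example, not from the thread: the property lookup Rich describes, in its
unchecked form and in a hardened form. Table, columns and rows are constructed."""
import re
import sqlite3

_ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")   # a PropertyID is a positive integer, nothing else


def build_sample_db():
    """Constructed in-memory table standing in for the site's property database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE property (propertyid INTEGER PRIMARY KEY, name TEXT, weekly_price INTEGER)")
    conn.executemany("INSERT INTO property VALUES (?, ?, ?)",
                     [(447176, "Lakeside Cottage", 450), (1281982, "Fell View", 520)])
    return conn


def lookup_unsafe(conn, raw_id):
    """The pattern Rich describes: the querystring value is pasted straight into the
    SQL text, so whatever the caller sends becomes part of the statement that runs."""
    sql = "SELECT propertyid, name, weekly_price FROM property WHERE propertyid = " + raw_id
    return conn.execute(sql).fetchone()


def parse_property_id(raw_id):
    """Validate the querystring value before it goes anywhere near the database.
    Returns an int, or None if the value is not a plain positive integer."""
    if raw_id is None or not _ID_RE.match(raw_id.strip()):
        return None
    return int(raw_id)


def lookup_safe(conn, raw_id):
    """Hardened form: validate first, then bind the value as a parameter so the
    database treats it as data and the statement text itself can never change."""
    property_id = parse_property_id(raw_id)
    if property_id is None:
        return None                       # reject the request; in ASP, return an error page and log it
    sql = "SELECT propertyid, name, weekly_price FROM property WHERE propertyid = ?"
    return conn.execute(sql, (property_id,)).fetchone()


if __name__ == "__main__":
    db = build_sample_db()
    print(lookup_safe(db, "447176"))      # (447176, 'Lakeside Cottage', 450)
    print(lookup_safe(db, "447176 abc"))  # None: rejected before reaching the database
```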
16th April 2007, 20:05   #15
Rich

Quote (originally posted by martin1973):
Also there seem to be a few GIFs I don't recognise, like a1.gif, b1.gif etc.
This is where you need to be REALLY careful.

I was looking at the source code for the malware in question earlier and it (quite cleverly) avoids detection by the web server / host itself by splitting itself into random "chunks" of data/files.

When someone goes to goldunix.com (via your site!), it pulls a1.gif and b1.gif and c1.gif and so on and "streams" them to the victim's PC. It streams each individual file in a continuous stream, so when it arrives on the victim's PC it is one file, not chunks, and the one file is the dodgy exe!

That said, those file names aren't uncommon with an imagemap so they could be completely legitimate.

Welcome to the very confusing world of internet security
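A check for the a1.gif, b1.gif question, added here as an example rather than anything from the thread: a file named like an image should start with an image signature, so anything that does not (a chunk of an executable, a script, HTML) is worth a closer look, while a genuine imagemap slice passes. File names and sample bytes are constructed.

```python
"""Added example, not from the thread: flag files named like images whose
bytes do not start with an image signature. Names and sample bytes are constructed."""
import os

# Signatures of the formats a holiday-cottage site would legitimately serve.
IMAGE_MAGIC = {
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")


def classify(data):
    """Return the format the leading bytes match, or None if no image signature matches."""
    for magic, fmt in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def is_suspicious_image(name, data):
    """True when the name says image but the content does not start like one.
    Any non-image content fails this, not only a first chunk that begins with MZ."""
    return name.lower().endswith(IMAGE_EXT) and classify(data) is None


def scan_tree(root):
    """Walk a downloaded site copy and list image-named files with non-image content."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if is_suspicious_image(name, fh.read(16)):
                    hits.append(path)
    return hits


# Constructed samples: a real GIF header, and an "image" whose bytes are something else.
LEGIT_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
NOT_AN_IMAGE = b"MZ\x90\x00\x03\x00\x00\x00"   # starts like a Windows executable, not a GIF

if __name__ == "__main__":
    print(is_suspicious_image("a1.gif", LEGIT_GIF))     # False
    print(is_suspicious_image("b1.gif", NOT_AN_IMAGE))  # True
```

Files the check flags still need a look by eye, since a truncated or corrupt image fails it too.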
16th April 2007, 20:08   #16
GreyGhost

Thanks Rich, that's all the nerdy clever stuff that I know naff all about. I do know how to spot that sort of problem and fix it but not how to prevent it occurring in the first instance.

Well done that man.
16th April 2007, 20:10   #17
Rich

Quote (originally posted by Grey Ghost):
Thanks Rich, that's all the nerdy clever stuff that I know naff all about. I do know how to spot that sort of problem and fix it but not how to prevent it occurring in the first instance.

Well done that man.
Cheers

For once, and much as it pains me to admit it (and I never will again so make the most of it ) it is times like this that I envy Mac owners
16th April 2007, 20:13   #18
martin1973

Hi Rich

Thanks for the help (that goes to all of you, more than just a source of info for when the ZT is poorly or needs a gee gee tweak)

I didn't design the site; it was a company called Netizen, then a few years back a lad from Switzerland who I got chatting to on a New Beetle forum, funnily enough, offered to tweak the site, as when Google re-jigged the way it ranked sites it suddenly went from appearing several times on the first two pages of most search results to disappearing overnight.

Not sure which is his work, what's tweaked and what's original.

Since then I've had a play with the site so may alter text and images on the various pages, add a link to a special offer page, change the phone number; that's about it. I don't tweak the layout, stylesheets etc.

At the moment I'm going through every folder via FTP, downloading the files to the desktop, removing the nasties, and once all that's done I will upload.

One problem is the cottage pages (propertyid1281982.asp), which are pulled from a database, are not accessed via FTP; I paid Netizen silly money to have access to their TMS travel management system, where you log in and make alterations like dates, pricing and cottage photos online. If this part of the site contains the virus it's out of my hands.

Have emailed Netizen anyway, but as I don't put a lot of business their way or pay their rip-off prices they don't tend to bend over backwards very quickly (they used to charge £75 to add a new cottage; I emailed text, photos etc. I can cut and paste a new cottage page via TMS and upload photos in 3 minutes if that; the time-consuming bit is putting all the various dates in).

Is it still worth a phone call or will you soon have me out of my depth?
16th April 2007, 20:17   #19
GreyGhost

Quote (originally posted by Rich):
Cheers

For once, and much as it pains me to admit it (and I never will again so make the most of it ) it is times like this that I envy Mac owners
They'll get us one day, then you can all say "told you so "
16th April 2007, 20:20   #20
Mike

'Scuse this as cheeky, but why not ask Rich for a quote to get it sorted? He is v good and it is his livelihood. That way it's a win-win.
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.
Copyright © 2006-2023, The Rover 75 & MG ZT Owners Club Ltd