Hackers Keep On Planting Virus On My Homepage

[Flow]

Hackers plant virus on my homepage. My web guy deletes it and the next day again the same virus is back. My homepage is all PHP and has flash animation banners.

Anyone with a bit of advice. See below. ( I added *** in between virus name so not to accidentaly infect this site too )

Thanks

-------------

<html>

<head>

<meta http-equiv='content-type' content='text/html;charset=windows-1251' />

<title>Kaspersky Internet Security 2009</title>

<style type="text/css">

html,body{height:100%}

body{width:100%;min-height:100%;margin:0;padding:0;color:#2C2C2C;font:normal 11px tahoma;background:#FFF}

form{margin:0}

table,input,select{font:normal 100% tahoma}

img{border:0;margin:0}

table{border-collapse:collapse}

a{color:#62707D}

.t,tr.t td{vertical-align:top}

.m{vertical-align:middle}

.b,tr.b td{vertical-align:bottom}

tr.t td td,tr.b td td{vertical-align:auto}

.l{text-align:left}

.c{text-align:center}

.r{text-align:right}

.nobr{white-space:nowrap}

.rel{position:relative}

.abs{position:absolute}

.fl{float:left}

.fr{float:right}

.cl{clear:both}

.w100{width:100%}

.h100{height:100%}

big,.big{font-size:125%}

small,.small{font-size:95%}

.micro{color:#DDD;font:normal 9px tahoma}

h1{font:bold 20px arial; margin:0}

h4{font:bold 12px arial; margin:0}

p{text-align:justify;line-height:1.3;margin:0 0 0.5em 0}

.z{border:1px solid red}

.h1px{height:1px;font-size:1px;line-height:1px}

ul{margin:6px 0 6px 20px;padding:0}

ul li{margin:3px 0}

</style>

</head>

<body>

<table class="w100 h100">

<tr>

<td class="c m">

<table style="margin:0 auto;border:solid 1px #560000">

<tr>

<td class="l" style="padding:1px">

<div style="width:346px;background:#E33630">

<div style="padding:3px">

<div style="background:#BF0A0A;padding:8px;border:solid 1px #FFF;color:#FFF">

<h4>Kaspersky</h4>

<h1>Internet Security 2009</h1>

</div>

<div class="c" style="font:bold 13px arial;text-transform:uppercase;color:#FFF;padding:8px 0">Access denied</div>

<div style="background:#F7F7F7;padding:20px 30px 36px">

The requested URL could not be retrieved<br/><br/>

<b>While trying to retrieve the URL:</b> <br/><br/>

http://www.singaporedice.com/<br/>

<br/>

<b>The following error was encountered:</b><br/>

<br/>The requested object is INFECTED with the following viruses: <a href=http://www.viruslist.com/en/search?VN=HEUR:Trojan-Down***loader.Script.Ge***neric>HEU***R:Trojan-Downloader.Script.Generic</a><br/><br/><br/>

Please contact your service provider if you consider it incorrect.

</div>

<div style="background:#F7F7F7;padding:0 2px 2px">

<div style="background:#E9E9E9;padding:12px 30px 14px">

<b>Generated: </b><br/>

Thu Feb 18 21:52:39 2010

<br/>

Kaspersky Internet Security 2009<br/>

</div>

</div>

</div>

</div>

</td>

</tr>

</table>

</td>

</tr>

</table>

</body>

</html>

[astral]

Are you really sure the virus is back, and you are not just reading an old "cached" page?

Check out the security settings and change all passwords for you web server.

[welo]

No, the site is still 'infected'!!

However, your website is NOT hosting the malware but has been hacked to include (HTML/JS) code to download malware from an Indian server. The Indian server is still online but is currently not serving the download (server returns 'not found'). At least this was the behavior when I followed the download URL. (I don't know about common strategies implemented by malware like this, it might as well only respond to certain browsers or start 'attacking' at a later time).

This is the URL that is triggered in the background (but does not respond...)

http:// aebahdohpejuoghi.in:3126/download/index.php

The HTML code you've posted has been generated by Kaspersky running on your local PC. Other visitors will still see your website if their antivirus software doesn't offer a web shield or does not detect the infection. At the moment I see no visible sign of the infection on the website, and no download will be triggered since the referred website returns 'not found' (well, read my disclaimer above).

Of course you should fix your server ASAP.

If your webmaster removes the infected code and the infection/hack keeps coming back, then I assume that

• the server has been hacked and the process is automated by some script that still runs on the server
  
• and/or the vulnerability (security hole) that was used to infect the server in the first place is still 'open' (not patched) so the server gets reinfected from the outside again and again.
  

In any case your webmaster (or any other professional) should fix the server that is hosting the website. Which means installing latest software updates to fix security holes, clean the infection itself thoroughly and change all passwords etc that might have been compromised.

welo

Edited February 18, 2010 by welo

[Phil Conners]

Get a better "web guy" who understands basic computer security.

[Jdietz]

Typical case of 'pay peanuts, get monkeys.' Get a professional who knows what he's doing. Still using PHP4 or < ?

[Nio]

Are you using a shared server?

Who is your hosting ISP?

If you are using your own server, the other posters are right

Your web guy should get canned

[Phil Conners]

Any hosting company worth anything these days uses chrooted environments where the problem with cross contamination is remote. Most likely a vulnerability in a php script allowing someone to inject their virus into the pages. Again, the solution is to have a web guy who understands basic computer security. Unfortunately most Thai's don't.

[cdnvic]

Again, the solution is to have a web guy who understands basic computer security. Unfortunately most Thai's don't.

The password is probably the webmaster's birthday.

[Crushdepth]

What are you using to build your website - is it some kind of CMS? If so, worth checking that the security patches are up to date.

[dave111223]

Recently it has become increasingly popular for hackers to write virus' which send out your FTP passwords (if you have save them on your computer in your FTP client).

They then use the FTP password to connect to your site using an automated script to write iframes and malicious javascript into your files.

Steps to take:

1) Change your FTP password, if you have multiple FTP accounts delete them all

2) Remove the embedded virus codes from your files.

3) If possible create different FTP accounts for anyone who needs FTP access for your (so that no one is using the master password). This will help you determine who's account got hacked if it happens again.

4) Scan your computer for virus (using several virus scanners) Your computer could be transmitting all your passwords right now

This only applies if the files were written via FTP.

Edited February 19, 2010 by dave111223

[elcent]

you need also to check mysql admin and look if they have changed email, that's how they can retrieve your login info at any time. You need also to change your passwords from there.

[welo]

Recently it has become increasingly popular for hackers to write virus' which send out your FTP passwords (if you have save them on your computer in your FTP client).

Glad you brought that up, I was too lazy to mention this possibility.

However, I agree with most posts that the OP should obviously get some professional help. We just offer some background information so Flow can check whether his webadmin is skilled enough to handle this problem or find another person who is.

Bringing a server running outdated software up2date can be a lengthy process, since it might bring up incompatibilities between software packages etc.

[welo]

The malicious code is definitely 'active' now. Download URL changed to

**removed**

Do NOT browse that URL if you don't know what you are doing.

The URL redirects to a PDF (inline) download which probably tries to exploit a vulnerability in Acrobat Reader reported a couple of days ago. Well, I'm using Foxit Reader for this and other reasons..

The script definitely works - on my virtual machine a Foxit Reader process fired up, might try with IE and Acrobat and see what Santa brings

Flow, fix your website ASAP before Google blacklists your site - once blacklisted it might take a couple of days or more to have it unlisted (of course they will do only AFTER your server has been secured and cleaned)

welo

Edited February 19, 2010 by cdnvic
We do not want any links to malicious code here

[RickFarang]

I had the same problem from May through August last year. My hosting service kept telling me that my computer was infected, of that my password was not secure enough. Finally when I showed them that the server logs did not show anybody logging in by any method during the time an infection occurred, they admitted that it was possible the hackers were using a backdoor in their system.

Chaning hosting services seems to have cured the problem. I suggest you consider the same.

[Richard-BKK]

Likely your web host provider is using an older version of cPanel, which allowed people with the right knowhow to scan for obvious files, like index.htm, index.html, or index.php, and inject code to this pages.

[jdinasia]

hmmm and I thought this thread was just a subtle attempt to promote a site about gambling

[thaibkk]

my 2 cents : your pc is infected (or from your webguy) that sends passwords to the indian

and therefor can continue to 're-hack' your ftp server over and over

not real hacking has he got your info