  • Need some help with possible virus infected web site

    I am at my wits end.
    one of the sites on my server, www.cappeu.com, keeps being flagged by Google as a potential distributor of malware.

    I have changed all passwords (admin, database, user) and even done a restore from over 2 weeks ago.
    I have scanned with Sophos, Eset (online), Malwarebytes. All found nothing.

    I'm scanning all my machines with several tools and finding nothing.

    Any suggestions on what to do next gratefully received.

    BTW, I've never found a hint of the problem myself. My restore was all the files and the database files for the site.

    Thanks

    T.
    Last edited by Fat Tone; 18 August 2010, 02:56.
    FT.

  • #2
    Is the DB of MySQL or similar flavour? If so, it is probably on a different server. I've occasionally had problems due to the constant switching between servers and losing packets, especially if the DB is large (order of Mbs).

    Suggestion: temporarily disconnect the DB and reconnect with a small dummy one: If the problem persists, you will know that a small combination of bits looks like part of a known malware. Tracing it is not necessarily easy, especially if scripted in PHP or similar.
    Brian (the devil incarnate)

    • #3
      Yes it is mysql. The website uses the modx cms.

      Google claims various pages have hidden iframes with links to various malware sites. I have never seen them in Page View Source, nor in the JS, nor have I found any changed file dates apart from cached pages.
      FT.

      • #4
        That's what Firefox told me:
        What happened when Google visited this site?

        Of the 101 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-08-17, and the last time suspicious content was found on this site was on 2010-08-17.

        Malicious software includes 4 exploit(s), 3 trojan(s). Successful infection resulted in an average of 6 new process(es) on the target machine.

        Malicious software is hosted on 12 domain(s), including dsdtsdz.co.cc/, flash-service.in/, 1099hsd.co.cc/.

        2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including bsdmvideo.ru/, sexandvideo.ru/.

        This site was hosted on 1 network(s) including AS15395 (UK).

        Has this site acted as an intermediary resulting in further distribution of malware?

        Over the past 90 days, www.cappeu.com did not appear to function as an intermediary for the infection of any sites.

        Has this site hosted malware?

        No, this site has not hosted malicious software over the past 90 days.

        How did this happen?

        In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

        Next steps:

        * Return to the previous page.
        * If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
        "For every action, there is an equal and opposite criticism."

        • #5
          Me too, but whenever I look I can't see it myself!
          FT.

          • #6
            At the moment I'm praying it was a scan from before I did a restore and password change early yesterday pm, but since I've never actually found the source that's probably wishful thinking.
            FT.

            • #7
              I'd go with Brian on this one... Could be something in the database.... Is it possible to scan the database for suspicious content?

              I get the same google report as TransformX, claiming that the last suspicious data was found on the 17th (yesterday). What surprises me is the report also lists some domains on which the malware is hosted, shouldn't there be traces of this in the database or source then?

              The AVG Web page scanner finds nothing: http://www.avg.com.au/resources/web-page-scanner/
              The unmaskparasites lists the google result: http://www.UnmaskParasites.com/secur...www.cappeu.com
              It can also search for hidden links on the website, but more interestingly they provide more suggestions on how to resolve it and on how to request a malware review on Google (it schedules your site to be scanned again within a couple of hours).


              edit1: can't file times/dates be altered? I don't think the timestamp is sufficient to say the file has not been tampered with.

              edit2: Symantec rates it as safe now: http://safeweb.norton.com/report/sho...com%2F&x=0&y=0

              Jörg
              Last edited by VJ; 18 August 2010, 05:33.
              pixar
              Dream as if you'll live forever. Live as if you'll die tomorrow. (James Dean)

              • #8
                Maybe you were spoofed?
                "For every action, there is an equal and opposite criticism."

                • #9
                  Thanks guys.

                  The server is dedicated. The database is on the same machine.

                  I have just discovered there is an update to the cms which fixes, amongst other things, an XSS vulnerability.
                  FT.

                  • #10
                    Is there such a thing as a self-deleting virus? Something that could keep attacking and remove itself each time?
                    FT.

                    • #11
                      Don't know on the virus question... but shouldn't it leave traces?
                      One possible scenario could be that other machines keep trying to infect a machine which was infected before. So if you replace the software with an (unpatched) image, it would get infected quickly again...

                      Could something have gone wrong in an update (so your machine got infected during an update of one of the components)?

                      Also, you can try if it is possible to browse to other parts of the site, or if google blocks those (or gives e.g. a different number of malwares); it may help you to narrow down on which pages it occurs. From there on you can check the content of those pages and databases...

                      Our sysadmin always says: if a machine has been infected, don't trust anything on it...
                      pixar
                      Dream as if you'll live forever. Live as if you'll die tomorrow. (James Dean)
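An added example (editor's code, not from any poster in this thread) for the point raised in #7 and #11: a file's timestamp proves nothing once an attacker has write access, but a hash manifest taken from the known-good restore does. The web root, file names and the example.invalid iframe below are constructed samples, not the real site's content.

```python
"""Hash-manifest integrity check for a web root.

Added example, not from the thread: shows why a restored mtime does not prove
a file is untouched. Paths, domain and file contents are constructed samples.
"""
import hashlib
import os
import shutil
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = hash_file(path)
    return manifest


def compare(baseline, current):
    """Files added, removed, or whose content hash changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def _write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)


def demo():
    """Constructed web root: take a baseline, tamper with mtime restored, compare."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "index.php", "<?php require 'manager/includes/config.inc.php'; ?>\n")
        _write(root, "manager/includes/config.inc.php", "<?php $database_server = 'localhost'; ?>\n")
        baseline = build_manifest(root)  # taken from the known-good restore

        # Simulated tampering: append a hidden iframe, then put the original
        # timestamp back, which is why "sort by date" in FTP never shows it.
        target = os.path.join(root, "index.php")
        before = os.stat(target)
        with open(target, "a", encoding="utf-8") as fh:
            fh.write('<iframe src="http://example.invalid/" width=0 height=0></iframe>\n')
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        _write(root, "assets/js/x.php", "<?php /* dropped file stand-in */ ?>\n")

        mtime_unchanged = os.stat(target).st_mtime_ns == before.st_mtime_ns
        return compare(baseline, build_manifest(root)), mtime_unchanged
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    diff, mtime_same = demo()
    print("mtime of index.php unchanged:", mtime_same)
    for kind, paths in diff.items():
        for p in paths:
            print(f"{kind}: {p}")
```

Take the baseline from the restore (or from a fresh copy of the CMS release), keep it off the server, and re-run the comparison on a schedule; a modified file with an unchanged mtime is exactly the case the timestamp check in #3 would have missed.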

                      • #12
                        Update:

                        At the moment Google likes me again. Phew.
                        The consensus appears to be it is probably an infected php file and the db should be untouched. This would make sense and explain the random nature of the infected pages and why I could never see anything in the source for each page.

                        This pm I updated from 1.0.2 to 1.0.4 which closes some vulnerabilities, and in the process I probably wiped the infection away.

                        I've thoroughly scanned all my client machines and locked down the firewall even tighter so reinfection from machines with firewall privileges should be very unlikely.

                        My developer has found mention of HEUR: TROJAN.Script.Iframer on the 22/7/2010 in his Kaspersky logs. I wonder if it had a chance to start all this before Kaspersky found it.
                        FT.

                        • #13
                          might it be related to this?

                          • #14
                            I see crap like this all the time. You probably don't have a virus, you probably got hit by a cross-site scripting attack or SQL injection attack.

                            The cross-site script attack uses a mix of vulnerabilities in PHP, ASP.NET, JavaScript, CGI, etc. to attach links inside your actual physical files to sites that try to infect computers with trojans. The Google webmaster tools should help identify which pages, if any, got hit. An iFrame attack, or virus, is a type of cross-site script attack.

                            SQL Injection is the other possibility. Instead of attaching malicious code into your files it implants the links/information into SQL. This takes advantage of registration and URL vulnerabilities to get the data into the database, so when certain pages/link/content is served the malicious code is injected by bad SQL data into your dynamic pages. These are especially hard to clean, because you either have to roll back your database from backup, or spend a lot of time cleaning it, and then figure out where your security holes are and then fix the code.

                            If updating your code fixed the issue then it was probably a cross-site script attack. Replacing the files would clear out any malicious code that got injected.
                            “Inside every sane person there’s a madman struggling to get out”
                            –The Light Fantastic, Terry Pratchett
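An added example (editor's code, not from any poster in this thread) of the two places #14 says the injected content can live: the files on disk and the rows in the database. It scans a web root and a MySQL dump for the markers this thread describes, hidden iframes and obfuscated PHP/JS loaders. The patterns are a small heuristic set I chose for illustration, not a vendor signature list, and the web root, dump and example.invalid domain are constructed samples.

```python
"""Scan a web root and a MySQL dump for injected iframes and obfuscated loaders.

Added example, not from the thread. The patterns are illustrative heuristics
chosen for this example; the files and dump below are constructed samples.
"""
import os
import re
import shutil
import tempfile

# Markers typical of the injections discussed in the thread (heuristic, not exhaustive).
PATTERNS = {
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:width\s*=\s*['\"]?0|height\s*=\s*['\"]?0"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
        re.IGNORECASE),
    "eval_base64": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE),
    "js_unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.IGNORECASE),
}


def scan_text(text, label):
    """Return (label, line_no, pattern_name, snippet) for every match in text."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((label, line_no, name, m.group(0)[:80]))
    return hits


def scan_tree(root, exts=(".php", ".html", ".htm", ".js", ".tpl")):
    """Walk the web root and scan every template/script file, caches included."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    hits.extend(scan_text(fh.read(), rel))
    return hits


def scan_sql_dump(dump_text):
    """Scan a mysqldump; quotes are backslash-escaped inside row data, so undo that first."""
    unescaped = dump_text.replace("\\'", "'").replace('\\"', '"')
    return scan_text(unescaped, "dump.sql")


def demo():
    """Constructed web root and dump with one clean and several injected items."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": "<?php require 'config.php'; ?>\n<p>Welcome</p>\n",
        "config.php": "<?php\n$db = 'modx';\neval(base64_decode('aGVsbG8='));\n",
        "assets/footer.php": "<p>footer</p>\n<?php /* injected */ ?>"
            "<iframe src=\"http://example.invalid/in.php\" width=0 height=0 "
            "style=\"visibility:hidden\"></iframe>\n",
        "assets/loader.js":
            "document.write(unescape('%3Ciframe%20src%3D%22http%3A//example.invalid/%22%3E'));\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    # Constructed mysqldump row; the second page's content carries a hidden iframe.
    dump = ("INSERT INTO `modx_site_content` VALUES "
            "(1,'Home','<p>Welcome</p>'),"
            "(2,'About','<p>About us</p><iframe src=\\\"http://example.invalid/x.html\\\" "
            "style=\\\"display:none\\\"></iframe>');\n")
    try:
        return scan_tree(root), scan_sql_dump(dump)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    file_hits, db_hits = demo()
    for label, line, kind, snippet in file_hits + db_hits:
        print(f"{label}:{line}: {kind}: {snippet}")
```

Run scan_tree against the live document root (not a restore) and scan_sql_dump against a fresh mysqldump of the CMS database; a hit in the dump points at the SQL-injection case #14 describes, a hit in a .php or .js file at the file-injection case, and either tells you which page to look at before requesting the Google review.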

                            • #15
                              On every thread which mentions SQL injection, there should be the Bobby Tables cartoon...
                              pixar
                              Dream as if you'll live forever. Live as if you'll die tomorrow. (James Dean)
