VBS:Malwarre-Gen false alarm?

[mefite]

Hi,

  A virus has been reported at our site, hXXp://www.greenbeanery.ca from avast.  VPS version 090801-0, 08/01/2009. Malware name: VBS:Malware-gen, Malware type: Virus/Worm.

I've spent a good deal of time trying to track down the cause, and was wondering is it is perhaps a false alarm?

Thank you!

[spg SCOTT]

Hello mefite,

Thank you...

This sort of thing is usually a correct detection as many legitimate sites are being hacked now...

The current VPS version is: 090812-0

I have tried visiting this site and I had no trouble viewing it. Is this the correct url?
Maybe a screenshot of the alert will help.

This could be for two reasons:

1) You have removed the infection
2) A detection was corrected, in the time span between VPS updates.

I would also suggest taking a look at this:

Actually cleaning the file is not going to resolve why you got hacked it will only clean the file (well avast doesn't clean the file just alerts to it, you have to find and strip out the injected code) and not the cause, you need to contact your host, see below.

-- HACKED SITES - This is commonly down to old content management software being vulnerable, see this example of a HOSTs response to a hacked site.

We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. check all index pages for any signs of java script injected into their coding. On windows servers check any "default.aspx" or
"default.cfm" pages as those are popular targets too.

2. Remove any "rouge" files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide
changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a
"strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

-Scott-

[polonus]

Hi mefite,

The site was checked 22 min ago against Malware Parasites. At the moment the site is down.
Checked there with the Bad Stuff Detektor...

No zeroiframes detected!
Check took 0.01 seconds

(Level: 0) Url checked:
hXtp://www.greenbeanery.ca
Blank page / could not connect
No ad codes identified

polonus

[mefite]

Thanks for the help so far.  I'll keep digging.  Here is the error message.  Sadly the code was vastly developed by somebody else so I'm not completely sure where the problem is arising from.

[Vlk]

Your virus defs are obviously almost 2 weeks old... maybe it was a FP that was already fixed since then (?) Why don't you update avast and see if anything is still being reported on that site.

Thanks
Vlk

[mefite]

I've updated and not been able to reproduce the error.  It was actually found by another visitor to the site.  I will keep my eyes open for if it happens again, but for now I will shelf this issue. 

Thank you all so much for you help!