Author Topic: Virus alert trying to access FTP site  (Read 6801 times)

Ipconfig

  • Guest
Virus alert trying to access FTP site
« on: September 13, 2009, 01:42:18 AM »
This alert began after copying two .jpg files to my FTP site. You can see these two files here: http://forums.logitech.com/logitech/board/message?board.id=quickcam_software&thread.id=69016

I received a private message from a forum moderator confirming that he also received a virus alert when he tried to access my FTP site directly: HTTP Malicious Javascript Encoder 5 (NAV 2009).

Have I accidentally stumbled onto a virus lurking on my computer? I am running a full scan and will report on the results. But in the meantime, if this is a false positive, how can I get Avast to let me access my FTP site?
« Last Edit: September 13, 2009, 04:29:04 PM by Ipconfig »

spg SCOTT

  • Guest
Re: Virus alert trying to access FTP site
« Reply #1 on: September 13, 2009, 02:15:38 AM »
Hi Ipconfig,

Using the image location on the forum you posted a link to, I believe I have found the link to your FTP site:

hXXp://nflp.net/

If this is right, then your FTP site has been hacked. There is a long line of obfuscated script at the bottom, just before the closing HTML tags, I have attached a screenshot of the image.

I believe this is what avast! is alerting to and is not a false positive, so I wouldn't advise ignoring this.

This will have to be removed, before you will be able to visit the site safely again.



A very good post to read by DavidR:

Actually cleaning the file is not going to resolve why you got hacked it will only clean the file (well avast doesn't clean the file just alerts to it, you have to find and strip out the injected code) and not the cause, you need to contact your host, see below.

-- HACKED SITES - This is commonly down to old content management software being vulnerable, see this example of a HOSTs response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.



Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.



-Scott-


EDIT:Image ::)
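
Added example (not part of the original posts, and not avast! or host tooling): a Python sketch of steps 1 and 3 of the quoted clean-up procedure, run over a local copy of the site, that flags hidden iframes and long encoded script lines in pages and external redirects in `.htaccess` files. The patterns, the 500-character threshold and the sample content are assumptions of this example; a hit marks a line for manual review, not a confirmed infection.

```python
import os
import re

PAGE_EXT = (".html", ".htm", ".php", ".aspx", ".cfm")
# Heuristics chosen for this example; they flag lines for manual review.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?[01](?:px)?\b|display\s*:\s*none)", re.I)
OBFUSCATION = re.compile(r"\b(?:eval|unescape|fromCharCode)\s*\(", re.I)
EXTERNAL_REDIRECT = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match|Permanent|Temp)?)\b.*https?://", re.I)
LONG_LINE = 500  # encoded payloads tend to sit on one very long line

def scan_text(name, text):
    """Return (line_number, reason) findings for one file's content."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if os.path.basename(name) == ".htaccess":
            if EXTERNAL_REDIRECT.search(line):
                findings.append((no, "external redirect"))
            continue
        if HIDDEN_IFRAME.search(line):
            findings.append((no, "hidden iframe"))
        if len(line) >= LONG_LINE and OBFUSCATION.search(line):
            findings.append((no, "long obfuscated script line"))
    return findings

def scan_tree(root):
    """Scan every web page and .htaccess file under root."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for fn in files:
            if fn == ".htaccess" or fn.lower().endswith(PAGE_EXT):
                path = os.path.join(folder, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(path, fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report

SAMPLES = {  # constructed sample content, not taken from the site in the thread
    "index.html": "<html><body>Hi</body>\n<script>eval(unescape('"
                  + "%41" * 200 + "'))</script>\n</html>",
    "default.aspx": '<iframe src="http://example.invalid/" width="0" height="0">',
    ".htaccess": "RewriteEngine On\nRewriteRule ^ http://example.invalid/ [R,L]\n",
    "about.html": "<iframe src='map.html' width='600' height='400'></iframe>",
}

if __name__ == "__main__":
    print({name: scan_text(name, text) for name, text in SAMPLES.items()})
```

Call `scan_tree()` on a downloaded copy of the web root; redirects to the site's own domain will also be listed and can be dismissed after review.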

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: Virus alert trying to access FTP site
« Reply #2 on: September 13, 2009, 02:24:58 AM »
It is more likely to be that your ftp site, or the main site has been hacked (very common now).

What was the malware name given by avast ?

What is the URL you get the alert on if Scott's guess isn't correct ?
Change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Ipconfig

  • Guest
Re: Virus alert trying to access FTP site
« Reply #3 on: September 13, 2009, 07:02:14 AM »
In answer to your questions, Avast! reported this as: HTML:IFrame-BW [Trj]. I get the alert whenever I attempt to access hxxp://nflp.net. The Logitech forum moderator said when he tried to access nflp.net directly, NAV 2009 reported that the name was: HTTP Malicious Javascript Encoder 5 virus.

Notable: I had no problem accessing my site prior to uploading the two .jpg files to it. Shortly thereafter I went to access the site again and that's when I received the alert described above. Is it conceivable that the Chinese-like characters these files contain have something to do with the malicious, encoded content which was detected?

Not sure how to respond to the hXXp or the wxw suggestion. If the obfuscated script at the bottom was crafted to exploit my web browser vulnerabilities, why don't we just have my hosting provider remove it? With this thinking in mind I have escalated this with Godaddy engineers who have looked at this script and find it interesting. In the meantime I welcome any additional thoughts.
« Last Edit: September 13, 2009, 04:24:03 PM by Ipconfig »

spg SCOTT

  • Guest
Re: Virus alert trying to access FTP site
« Reply #4 on: September 13, 2009, 12:24:50 PM »
Hi Ipconfig,

The hXXp suggestion is to break the link in your post, to prevent others clicking it out of curiosity, and then potentially becoming infected, like I have done in my post above:
hXXp://nflp.net/

Just click on modify, near the top right of your post.


This kind of detection is very common these days, with many 'legitimate sites' becoming hacked to distribute malware:

Every 3.6 seconds a website is infected

-Scott-

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: Virus alert trying to access FTP site
« Reply #5 on: September 13, 2009, 03:04:13 PM »
Strangely enough if you do a search for godaddy in the forums you will see more of this type of thing. Many of them report godaddy as saying there is nothing wrong, at least in this case they at least confirm things aren't as they should be...

All you can do is change what is within your control, closing any exploit due to old content management software supplied by your Host is down to them. So re-read the quoted text that Scott posted and change any passwords (stronger, at least 8 characters and a mix of upper/lower case and numeric characters), etc. which are in your control.

YoKenny

  • Guest
Re: Virus alert trying to access FTP site
« Reply #6 on: September 13, 2009, 04:03:12 PM »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: Virus alert trying to access FTP site
« Reply #7 on: September 13, 2009, 05:06:35 PM »
It's at times like this that you find out what you are paying your Host for and support should be very high up the list.