Author Topic: _vti_inf.html  (Read 10913 times)

tekauzy

_vti_inf.html
« on: September 28, 2009, 05:57:00 PM »
Html:Iframe-inf

My host says it's in my html on my website, avast finds it, gets rid of it and it comes back. I can't find it in my html.
I'm using Microsoft front page.

Help?
Thanks in advance
tekauzy

DavidR
Re: _vti_inf.html
« Reply #1 on: September 28, 2009, 06:28:31 PM »
avast doesn't get rid of it; that is down to you or your host to remove the malicious code which has been inserted. Your site has been hacked.

All that avast does is detect and alert to the detection on your site and the option is abort connection, which just stops the infected item being downloaded to your browser cache.

What is your web site URL? Change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

-- Every 3.6 seconds a website is infected http://forum.avast.com/index.php?topic=47096.msg396648#msg396648.

-- HACKED SITES - This is commonly down to old content management software being vulnerable, see this example of a HOST's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to php or a database, which will prevent coding characters from being submitted and run through your software.


Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.12.6044 (build 22.12.7758.768) UI 1.0.741/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
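
Steps 1 and 3 of the host's clean-up procedure quoted above, as an added example that is not part of the original thread: a Python scanner for a local copy of a site that flags invisible iframes, markup appended after `</html>`, and `.htaccess` redirects to hosts you do not list as your own. The heuristics, function names, and the placeholder hosts `malicious.example` and `www.example.org` are assumptions of this example.

```python
import re
from pathlib import Path

# Heuristics chosen for this example only; they are not avast's detection logic.
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(r"""(?:width|height)\s*[=:]\s*["']?\s*[01](?:px)?\b"""
                    r"""|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
AFTER_HTML = re.compile(r"</html\s*>\s*<(?:script|iframe)\b", re.I)
REDIRECT = re.compile(
    r"""^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*https?://([^/\s"']+)""",
    re.I | re.M)
PAGE_EXT = {".html", ".htm", ".php", ".asp", ".aspx", ".cfm"}

def scan_text(name, text, own_hosts=()):
    """Return (file, reason, snippet) findings for one file's contents."""
    findings = []
    path = Path(name)
    if path.name == ".htaccess":
        # Step 3: redirects pointing at hosts the site owner does not recognise.
        for m in REDIRECT.finditer(text):
            if m.group(1).lower() not in own_hosts:
                findings.append((name, "external redirect", m.group(0).strip()))
    elif path.suffix.lower() in PAGE_EXT:
        # Step 1: invisible iframes, and markup appended after the closing tag.
        for m in IFRAME.finditer(text):
            if HIDDEN.search(m.group(0)):
                findings.append((name, "hidden iframe", m.group(0)))
        if AFTER_HTML.search(text):
            findings.append((name, "markup after </html>", ""))
    return findings

def scan_tree(root, own_hosts=()):
    """Scan a local copy of the site; rglob also returns dotfiles."""
    out = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            out += scan_text(str(p), p.read_text(errors="replace"), own_hosts)
    return out

# Constructed samples (malicious.example is a placeholder host).
CLEAN = '<html><body><iframe src="map.html" width="600" height="400"></iframe></body></html>'
INFECTED = ('<html><body>hi</body></html><iframe src="http://malicious.example/in.php"'
            ' width=1 height=1 style="visibility:hidden"></iframe>')
HTACCESS = ("RewriteEngine On\nRewriteCond %{HTTP_REFERER} google [NC]\n"
            "RewriteRule .* http://malicious.example/ [R,L]\n"
            "Redirect /old http://www.example.org/new\n")

if __name__ == "__main__":
    for sample in (("index.html", INFECTED), (".htaccess", HTACCESS)):
        for finding in scan_text(*sample, own_hosts=("www.example.org",)):
            print(finding)
```

Run `scan_tree` against a downloaded copy of the site as well as the local authoring copy, since the thread shows the injected code reappearing on upload from the local files.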

tekauzy

Re: _vti_inf.html
« Reply #2 on: September 28, 2009, 06:33:15 PM »
http://teknicol-r.com

I found the infected file, I thought, on my first page and deleted the code. Then I saved and checked my other pages. I didn't see it on any but the links page, deleted what I found there. But when I tried to upload again, avast found it again.

polonus
Re: _vti_inf.html
« Reply #3 on: September 28, 2009, 07:02:35 PM »
Hi

This is what I get at wepawet:
Analysis report for hxtp://teknicol-r.com/

Sample Overview

URL   hxtp://teknicol-r.com/
MD5   22ae8ed4dc0355d57b78df1d806d2d7f
Analysis Started   2009-09-28 10:02:01
Report Generated   2009-09-28 10:03:24
Jsand version   1.03.02
See the report for domain teknicol-r.com.

Detection results

Detector   Result
Jsand 1.03.02   benign

Exploits

No exploits were identified.

Deobfuscation results

Evals

No evals.

Writes

No writes.

Network Activity

Requests

URL   Status   Content Type
http://teknicol-r.com/   200   text/html

Redirects

No redirects.

ActiveX controls

No objects/controls.

Shellcode and Malware

No shellcode was identified.

No additional malware was retrieved,

polonus
« Last Edit: September 28, 2009, 07:04:26 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

nmb
Re: _vti_inf.html
« Reply #4 on: September 28, 2009, 07:07:19 PM »
Nope, there are no iframe links now on the main page. I also checked by visiting the site.

tekauzy

Re: _vti_inf.html
« Reply #5 on: September 28, 2009, 07:24:47 PM »
I just checked my site and it seems clean. But when I log into front page and pull up the puppy page I get the warning from avast. Any ideas?

tekauzy

Re: _vti_inf.html
« Reply #6 on: September 28, 2009, 07:27:42 PM »
Well, it just made a liar out of me ..lol... I tried my fp again and it's gone. Thanks for all your help!! It's muchly appreciated
Tekauzy

DavidR
Re: _vti_inf.html
« Reply #7 on: September 28, 2009, 07:42:12 PM »
Make sure that you are using the latest version of front page as it is possible that it could have a vulnerability that is being exploited.

Once you have done that, change your logon details, a stronger password at least 8 characters (10 or 12 would be better), a mix of upper and lower case and alpha numeric characters.

polonus
Re: _vti_inf.html
« Reply #8 on: September 28, 2009, 09:21:08 PM »
Hi Tekauzy,

Can't you understand now why we have avast on our machines? In these respects avast is doing a unique and great job alerting webmaster and browser user alike. It also made us forum users more apt to analyze these threats, it has grown our alertness to these issues.
Main line for the site owner / webmaster etc.: fully update and patch the software you use there; weaknesses and existing exploits in software, code and script are being abused all the time to make your site redirect to malware of all sorts, and if so compromised follow DavidR's advice,

polonus

demonix00

Re: _vti_inf.html
« Reply #9 on: September 30, 2009, 07:37:34 PM »
I'd have to agree with what polonus has said since Avast has covered my blushes a few times in regards to compromised websites, but it has only been in the last week that I've been able to get on the front line, as one of the sites I frequent got hacked on Friday (I made a thread here as I was unsure, but only the fact that the added malicious part was so slow to respond was what protected me) and the next day I accessed the site's forum (which had been unaffected by the hack) on my PSP (just to be safe since at the time I didn't know if the forum had been compromised as well) and started a thread asking if the main site had been fixed, which it had.
Fast forward to today, just about two hours ago, and upon accessing the same site I spotted the red, yellow and blue avast virus warning shortly followed by the full warning (at which I instantly aborted the connection to the malicious purveyor), which only meant that the site had been hacked again, so I went back to the site's forum (which was still unaffected) and went back to the thread I'd made before and mentioned the fact that the site had been molested again, and this time the malicious code was removed within a few minutes where the hack the previous week had taken over ten hours to fix (although that was only because the site's admin was away at the time).

spg SCOTT

Re: _vti_inf.html
« Reply #10 on: September 30, 2009, 07:50:54 PM »
Hi demonix00,

This will probably happen a number of times, as the hack is probably exploiting a weakness within their website software...
This is also the reason for the quoted part of DavidR's post above, which outlines procedures to avoid this. If precautions are not taken, it will keep happening...

-Scott-

polonus
Re: _vti_inf.html
« Reply #11 on: September 30, 2009, 10:16:10 PM »
Hi demonix00,

Have to agree with spg SCOTT here, sites are hacked by using script for exploitable website software like PHP, Joomla, etc. etc. All this software should be fully updated and fully patched, else the same hole will be exploited again sooner than one can say “Where did the summer go,”

polonus

demonix00

Re: _vti_inf.html
« Reply #12 on: October 01, 2009, 01:44:10 PM »
polonus

The site's admin did let slip that the site was using an outdated version of SQL server, and after last week's attack he decided to update to the most current version, which he only just did yesterday after that second attack. Plus he's now going through the site with a fine-tooth comb to make sure everything is secure and updated, although I would've been cheeky and said "I hope this is a lesson for you in making sure the site you run is up to date and secure from hackers".