Author Topic: Downloader-LP??  (Read 10215 times)

0 Members and 1 Guest are viewing this topic.

spg SCOTT

  • Guest
Re: Downloader-LP??
« Reply #15 on: May 14, 2010, 08:41:35 PM »
Hi PamJ,

It is the script that is causing the alert on the pages... (the first thing that Alan has in the code box) The links to taybac...are not causing the alert but should still be removed.

The Home page contains this script and the links, but also the favicon (normally the little logo in the address bar) and also bullet.gif in the theme section of the site.

The owner needs to remove the scripts, links and replace the favicon, and bullet.gif with their originals.

Quote
How does someone hack a website anyway, is it through the host?  Couldn't she just go in and delete the offending code or is it not that easy.
Usually through a vulnerability in the software used (e.g outdated wordpress...)

Deleting is not often just enough, you have to remove the possibilty of it happening again...if it is just deleted, it can happen again. The vulnerabilities need to be closed.

@ Alan,

Can you remove the code and make it an image. I am surprised that it has caused an alert for me yet, but it is actually exactly what is causing the alert and could end up triggering the web shield...

-Scott-




Alan Baxter

  • Guest
Re: Downloader-LP??
« Reply #16 on: May 15, 2010, 06:24:24 AM »
Thanks, Pam.  Apparently the two people who looked at it and say they "could not find a virus on my site" are technologically challenged.  All they (or she) had to do was look at the source code for the home page, unless she intends to have all those hidden links to taybac there.  In any event, I wouldn't advise anyone to use that site anymore, even if it's eventually fixed.  The site has either poor principles or poor security and incompetent maintainers.  IMHO.

spg SCOTT seems to have given a good explanation of what needs to be done to correct the problem.

Quote
Edit:  Call me uneducated in this area--because I am!--but how did you get the offending code from her site?  Was it not blocking you at that point?

I accessed the site from a sandboxed browser after stopping the Web Shield.  I was able to immediately see the problem by looking at the source code for the site.  View > Page Source in Firefox or View > Source in Internet Explorer.

I also scanned the sandbox with Avast.  It found the offending files and moved them into the virus chest.

@Scott
Thank you for giving Pam such a good explanation of the problem and what to do about it.  I see it still hasn't been fixed.  Perhaps the site is like that on purpose.  Looks like most other AVs don't catch the problematic code.

@ Alan,

Can you remove the code and make it an image. I am surprised that it has caused an alert for me yet, but it is actually exactly what is causing the alert and could end up triggering the web shield...

Since it doesn't trigger the Web Shield, I'd rather leave it there as plain text so Pam or the site's maintainers can copy it if necessary.

PamJ

  • Guest
Re: Downloader-LP??
« Reply #17 on: May 15, 2010, 09:23:10 AM »
Hi, all,

Although I know about a page's source code, I couldn't figure out how to do it with avast blocking the site.   ;)

She responded again and said someone else created the site. She seemed genuinely thankful for the info I provided and said she was going to look at it over the weekend.  To be honest, she seems to be a caring person, so I'm assuming it's just lack of knowledge regarding how much damage it could do to someone visiting the site rather than her not caring.

I don't personally know her, just someone I "know" on the VA forum.  When I had the problem when visiting her site, I wanted to try to help her out, but I was also concerned about others who might visit her site.  Hopefully she'll start taking this a little more seriously and fix it.

Alan Baxter

  • Guest
Re: Downloader-LP??
« Reply #18 on: May 15, 2010, 09:36:06 AM »
Thank you for your reply, Pam, and your efforts to help someone clean up her web site.  It can be discouraging at times, so I especially appreciate you helping her straighten things out.  Good luck!

By the way, kudos to Avast 5 for catching this!

spg SCOTT

  • Guest
Re: Downloader-LP??
« Reply #19 on: May 15, 2010, 01:49:40 PM »
...
Since it doesn't trigger the Web Shield, I'd rather leave it there as plain text so Pam or the site's maintainers can copy it if necessary.

To be honest, I am slightly surprised that it doesn't cause an alert...if I copy it and try to save it myself, it causes an alert...normally this would cause an alert...

PamJ

  • Guest
Re: Downloader-LP??
« Reply #20 on: May 17, 2010, 12:02:46 AM »
I just went to her site. Did not receive any type warning and wasn't blocked, so, seems her problem has been fixed. Thanks everyone!

Pam

Alan Baxter

  • Guest
Re: Downloader-LP??
« Reply #21 on: May 17, 2010, 12:15:10 AM »
You're welcome.

I just verified that the offending code has been removed from the site's home page.  Thank you for letting us know it's fixed.

PamJ

  • Guest
Re: Downloader-LP??
« Reply #22 on: May 17, 2010, 01:49:53 AM »
I let the site owner know the site was fine when I went to visit it this afternoon.  I thought I would share her response below:

Thank you so much Pam! I found 223 pages (not an exaggeration) of unwanted script, a virus, located in my footer. I appreciate you asking your techie friends. They were right on point. Thanks for taking the time to help me out. Please let me know if I can ever return the favor. God bless you.

Thanks again for helping me help her!

Pam

Online DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 87082
  • No support PMs thanks
Re: Downloader-LP??
« Reply #23 on: May 17, 2010, 03:00:52 AM »
Now that it is clean (wow 233 pages), they need to consider how this happened, since the word, footer is mentioned I would guess that they are suing some sort of content management software or template software to create pages.

####
-- HACKED SITES - This is commonly down to old content management software being vulnerable, PHP, Joomla, Wordpress, SQL, etc. etc. see this example of a HOSTs response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. check all index pages for any signs of java script injected into their coding. On windows servers check any "default.aspx" or
"default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide
changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a
"strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.


Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ardvark

  • Guest
Re: Downloader-LP??
« Reply #24 on: May 17, 2010, 08:26:26 AM »
Hi all...

Nice job to everyone involved! :)

Regards...