Posted on
Dec 14, 2008 in
News |
7 comments
| If this article doesn't have images and download links please read this to see WHY and HOW you can help me resolve the issue. |
This is the second time when someone asks me “Hey do you have a virus on your site?” and I always answer with NO, and NO, there was nothing here on Garcya.us/blog everything happened on the main domain Garcya.us in the main index.html file.
The index.html was injected with a script that was recognized by Antiviruses as a Threat JS/TrojanDownloader.Small.NBF trojan! See screenshot here.
When I downloaded index.html and edited locally there was nothing suspicious, but when I arrived at the end of the code, where the website code closes, I’ve saw an enormous blank space there. Ok so I’ve started scrolling, and scrolled like over 3000 pixels and guess what! At the end of the page, the code was present. See the screenshot of the code here.
How did this happen? NO CLUE but I’m sure glad that I’ve erased all the code and re-uploaded the cleaned index file.
Be sure to check yours, who knows, maybe you’re also infected…
[[T_F]]Data Leak Prevention - Data Security Solutions - Information Theft Protection, Detection and Prevention Software Productstracefusion_signature=51774b4bdc6d07e01f6a3ec78b6a3a9c22ed43708332a5851526b4e4b9a7d9c07289f2f8ede3a21938b2a364c45a76108c308034806d98c52222c7c42065aeeddf849ffc6680738e6de24249af22fdd8b0ea97a2d9d93814b927266a21cf72d79380a11c981469d8046957ffafe599383c7011d150d42a820f5235fc5019eac50b2b72a67802adbe68e6a34cd9c238e9440e9cefc3347bef9991b11858ab75b2a1ceb1bdacd7d46264b8c6c7f3c0889b6db526e6c852a68a091ec9c25b7fe88c53db4a0fe20c7a189f2d0383779f3ec2260524b9208d3ce4b32f240203a6849e1356186e67b6859aa39e6f2595961e9dde603a38c6a8ffcf54cb4063667b6298e7f88e155b5cfb767ae8d25f575cebfe088b9189cf26ed12799af83cb8e96a2edaea5054f27eaaa243394ac9015aa942cc6a4570a119575efadc757ec183b33febce0e0b92929238c68632c9a9afb04afd95700c80975a3381775c6dada07bb54f03bb7fd9f5d85e37cc6c9be69ae3137989b20fd2634600f4f8b20cc137de5f435241755bfb2bfa2873ca03a80441f080af91955839461158e461cada8b44bc29b2fd99dc0e10cd2f7c6aa22cdceb265eb7dcc2e3fae9e1b8080594d7e439605bf74fd032411f1c05773c0705773dcb[[T_F]]
Hi there Garcya – I found your website today, and it’s amazing! I’ve already downloaded the osCommerce templates, the 306 ones, and the 42 premium hosting ones – absolutely amazing mate!
Will definitely be recommending in the future!
Sorry to hear about the trojan as well – who’d want to hack a website like this one?
James
@James thanks for the feedback.
There are a lot of people who only enjoy when they do “damage” to others so I’m a “lucky case” for now..
Been following via RSS for a long time and for the last 2-3 months I couldn’t actually visit unless I used a proxy. Tried again today when I saw this post and am happy to see than I can get here without a proxy again.
I love the resources you post to this blog, keep up the good work.
There are 2 possible causes for this infection. Either someone gained access to your host account and manually injected that code, or your host got infected with that trojan and copied itself through your files. Here’s what I recommend:
1) Reset all site related passwords. That’s your ssh, control panel and even WP admin password.
2) Check all other files for that script.
3) Make sure that file access is set correctly (no write permission where you need them.
4) Email your host.
@Sean sounds weird and I don’t think that this issues what the real problem at your end.
@Ali B. the wordpress blog wasn’t infected, only one single .html file from Garcya.us where I have my design firm website that has nothing to do with this blog.
Thanks again for your tips, will email the hosting provider and ask them to see what they have to say about this.
Is that Antiviruses trojan was pawerful for kill all the virus??
Yes, it was POWERFUL enough ! :)