Someone reported a Virus when visiting my site

10 posts Page 1 of 1
by hac2500 » Wed Mar 06, 2013 4:37 pm
My client's site is http://homelessactioncenter.org/

A user to the site reported a js.cryptic.afa trojan virus that "started an automatic download" when they visited the site. I looked over all of the files on the server and synchronised them with my local copies to see if any had been changed or added and I did not see any. I updated WordPress and removed a few orphaned files from the Media Library and asked the user to visit the site again and see if they got the virus warning. They did not.

I ran the site through http://www.avgthreatlabs.com/sitereport ... avg.com.au and they found 0 threats.

All of the passwords for the site are very strong so I doubt they were hacked. What should I do next?
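The check described above (comparing every file on the server against a known-good local copy) is easiest to do reliably with a hash manifest: hash both trees, then diff the two maps so added, removed and changed files are listed explicitly instead of eyeballed. The following is an added Python example, not code from this thread or from Sonic; the WordPress paths and file contents are constructed, and two temporary directories stand in for the local copy and a copy pulled down from the server.

```python
import hashlib
import os
import tempfile

# Directories whose contents legitimately differ between a local copy and the
# live server (caches, version-control metadata); pruned, not reported.
SKIP_DIRS = {".git", "cache"}


def sha256_file(path, chunk_size=1 << 16):
    """Hash one file in chunks so large uploads never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped directories in place so os.walk never descends into them.
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Report files that appeared, disappeared or changed relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths
                          if baseline[p] != current[p]),
    }


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(content)


def demo():
    """Constructed scenario: a pristine local copy next to a 'server' copy in
    which one theme file gained a line and one unexpected file appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        local = os.path.join(tmp, "local")
        server = os.path.join(tmp, "server")
        files = {
            "wp-content/themes/twentyten/footer.php": "<?php wp_footer(); ?>\n",
            "wp-content/themes/twentyten/style.css": "body { color: #333; }\n",
            "wp-content/uploads/2013/03/photo.jpg": "constructed jpeg bytes\n",
        }
        for rel, content in files.items():
            _write(local, rel, content)
            _write(server, rel, content)
        # Server-side differences (all constructed for the example).
        _write(server, "wp-content/themes/twentyten/footer.php",
               files["wp-content/themes/twentyten/footer.php"] + "<!-- appended line -->\n")
        _write(server, "wp-content/themes/twentyten/extra.php", "<?php /* unexpected */ ?>\n")
        _write(server, "wp-content/cache/page.html", "cached output, ignored\n")
        return compare_manifests(build_manifest(local), build_manifest(server))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths or "-")
```

Against a real site, point `build_manifest` at the local checkout and at a fresh download of the server tree; saving the local manifest as JSON gives a baseline that can be re-checked on a schedule, so a file that changes between scans is noticed even when nobody is comparing directories by hand.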
by toast0 » Wed Mar 06, 2013 11:38 pm
Something is inserting iframes into your site. I too got the warning when I visited the site, view source showed a javascript iframe insertion, but not when reloading or from a fresh browser. So I hit the page 100 times with wget (from a different IP, with a fake Firefox user agent). The first request also got a javascript iframe insertion, but the other 99 times were clean.

Fetching the iframe url doesn't work unless a user agent and referer header are sent; when it is fetched there's a java applet load as well as some severely obfuscated javascript. After I downloaded it once, the iframe url is giving me 500's again; these guys are sneaky (or their servers are very unreliable).

This looks similar to this https://www.securelist.com/en/blog/2081 ... Injections, but there have also been some wordpress vulnerabilities lately too. You probably should contact support@sonic.net; this is Sonic hosting right?
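The test described in the post above (repeated fetches with a browser-like User-Agent, looking for an iframe that only shows up on the first hit) can be scripted so the site owner can re-check their own site after a clean-up. This is an added Python example, not code from the thread: `find_injections` flags iframes that point off-site or are styled to be invisible, plus inline scripts that combine `document.write`, `unescape`, `eval` or `String.fromCharCode` with an iframe, and `scan_site` repeats the fetch so a once-per-visitor injection still shows up in at least one response. The sample pages, the host `injected-host.invalid`, the site host `example-site.test` and the Firefox User-Agent string are all constructed.

```python
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructs that show up in injected droppers far more often than in theme code.
OBFUSCATION_MARKERS = ("document.write", "String.fromCharCode", "unescape(", "eval(")

# The injection above only fired for browser-looking requests, so the scanner sends
# a browser User-Agent and a Referer (both constructed for this example).
BROWSER_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0",
    "Referer": "https://www.google.com/",
}


class _Collector(HTMLParser):
    """Collect iframe attribute dicts and (src, inline body) pairs for scripts."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []
        self._in_script, self._src, self._buf = False, None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "script":
            self._in_script, self._src, self._buf = True, attrs.get("src"), []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _is_external(src, site_host):
    """True when src points at a host other than the site's own."""
    if not src:
        return False
    host = urlparse("http:" + src if src.startswith("//") else src).hostname
    return bool(host) and host != site_host


def _looks_hidden(attrs):
    """Hidden via CSS, or sized 0/1 pixel in both dimensions."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return all(re.match(r"[01](\D|$)", attrs.get(k) or "") for k in ("width", "height"))


def find_injections(html, site_host):
    """Return suspicious iframes and inline scripts found in one HTML response."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        flags = [name for name, hit in (("external", _is_external(src, site_host)),
                                        ("hidden", _looks_hidden(attrs))) if hit]
        if flags:
            findings.append({"kind": "iframe", "src": src, "reason": ", ".join(flags)})
    for src, body in collector.scripts:
        if src:
            continue  # judging external scripts needs a per-site allow-list
        hits = [m for m in OBFUSCATION_MARKERS if m in body]
        if hits and ("iframe" in body.lower() or len(hits) >= 2):
            findings.append({"kind": "script", "src": None, "reason": "inline, uses " + ", ".join(hits)})
    return findings


def fetch_page(url, timeout=15):
    request = urllib.request.Request(url, headers=BROWSER_HEADERS)
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8", "replace")


def scan_site(url, attempts=5):
    """Fetch url repeatedly; a once-per-visitor injection appears in some attempts only."""
    host = urlparse(url).hostname
    return [find_injections(fetch_page(url), host) for _ in range(attempts)]


# Constructed sample responses: the first hit carries the injection, the rest are clean.
CLEAN_PAGE = """<html><head><title>Site</title>
<script src="/wp-includes/js/jquery.js"></script>
<script>var menuOpen = false;</script></head>
<body><p>Welcome</p></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://injected-host.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape("%3Ciframe src=%22http://injected-host.invalid/in.php%22 width=1 height=1%3E%3C/iframe%3E"));</script>
</body>""")


def demo():
    """Simulate three fetches of the site without touching the network."""
    return [find_injections(page, "example-site.test") for page in (INJECTED_PAGE, CLEAN_PAGE, CLEAN_PAGE)]
```

Because the injection in this thread was served to one request per visitor, a single clean fetch proves nothing; `scan_site(url, attempts=20)` from a host that has not visited the site before is the check that matches what was observed, and any non-empty finding is worth reading in full before deciding the clean-up worked.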
by toast0 » Wed Mar 06, 2013 11:47 pm
I captured the altered html and the iframe html if you want to take a look; the applet I got was 0 bytes long, I'm not sure if that's the intent and the long ugly javascript does the dirty work or what. http://ruka.org/~toast/iframes.zip zipfile password is dangerous (because the files are dangerous... I did save them as .txt though)
by gack » Thu Mar 07, 2013 3:04 am
I also attempted to issue a wget but the iframe's domain changed from yours:

instead of lovehiilda85.us.to it now goes to bllackthere89.us.to. lovehiilda85.us.to is no longer valid.

Name: bllackthere89.us.to
Address: 173.236.50.234

http://whois.arin.net/rest/net/NET-173-236-0-0-1/pft

Code:

Network
NetRange	173.236.0.0 - 173.236.127.255
CIDR	173.236.0.0/17
Name	SINGLEHOP
Handle	NET-173-236-0-0-1
Parent	NET173 (NET-173-0-0-0-0)
Net Type	Direct Allocation
Origin AS	AS32475
Organization	SingleHop, Inc. (SINGL-8)
Registration Date	2010-03-23
Last Updated	2012-03-02
Comments	
RESTful Link	http://whois.arin.net/rest/net/NET-173-236-0-0-1
Function	Point of Contact
Tech	NETWO1546-ARIN (NETWO1546-ARIN)
NOC	NETWO1546-ARIN (NETWO1546-ARIN)
Abuse	ABUSE2492-ARIN (ABUSE2492-ARIN)
See Also	Related organization's POC records.
See Also	Related delegations.


Organization
Name	SingleHop, Inc.
Handle	SINGL-8
Street	215 W. Ohio St.
5th Floor
City	Chicago
State/Province	IL
Postal Code	60654
Country	US
Registration Date	2007-03-07
Last Updated	2012-11-19
Comments	http://www.singlehop.com/
RESTful Link	http://whois.arin.net/rest/org/SINGL-8
Referral Server	rwhois://rwhois.singlehop.net:4321
Function	Point of Contact
NOC	NETWO1546-ARIN (NETWO1546-ARIN)
Admin	ZDB1-ARIN (ZDB1-ARIN)
Abuse	ABUSE2492-ARIN (ABUSE2492-ARIN)
Tech	NETWO1546-ARIN (NETWO1546-ARIN)


Point of Contact
Name	Network Operations
Handle	NETWO1546-ARIN
Company	SingleHop LLC
Street	215 W Ohio St Flr 5
City	Chicago
State/Province	IL
Postal Code	60654
Country	US
Registration Date	2007-02-15
Last Updated	2012-11-19
Comments	
Phone	+1-866-817-2811 (Office)
Email	netops@singlehop.com
RESTful Link	http://whois.arin.net/rest/poc/NETWO1546-ARIN


Point of Contact
Note	ARIN has attempted to validate the data for this POC, but has received no response from the POC since 2010-12-03
Name	Boca , Zachary D
Handle	ZDB1-ARIN
Company	midPhase, Inc
Street	223 West Jackson Suite 600
City	Chicago
State/Province	IL
Postal Code	60606
Country	US
Registration Date	2006-10-10
Last Updated	2009-12-03
Comments	
Phone	+1-312-386-1640 (Office)
Email	zboca@singlehop.com
RESTful Link	http://whois.arin.net/rest/poc/ZDB1-ARIN


Point of Contact
Name	Abuse Department
Handle	ABUSE2492-ARIN
Company	SingleHop, Inc.
Street	621 W. Randolph
3rd Floor
City	Chicago
State/Province	IL
Postal Code	60661
Country	US
Registration Date	2009-12-03
Last Updated	2011-12-06
Comments	
Phone	+1-866-817-2811 (Office)
Email	abuse@singlehop.com
RESTful Link	http://whois.arin.net/rest/poc/ABUSE2492-ARIN
by hac2500 » Thu Mar 07, 2013 10:18 am
I actually contacted Sonic support first and they referred me here. How would I go about removing this?
by hac2500 » Thu Mar 07, 2013 11:03 am
Thanks a lot for the help BTW!!
by williamt » Thu Mar 07, 2013 12:49 pm
Hi hac2500,

I have removed the infected code from your site. I'm not 100% sure on how it got there in the first place but I suspect the current theme you are using is vulnerable to attacks.

I would recommend switching or upgrading your theme to one that isn't vulnerable.
Sr. Systems Administrator @ sonic.net
by hac2500 » Thu Mar 07, 2013 1:27 pm
Thanks William! It is a customized twentyten theme which was the default theme back in 2010 when the site was built. Just the CSS has been altered. Do you think I need to use a different theme?
by williamt » Thu Mar 07, 2013 1:31 pm
I would check if there is an update to it first. If not I would probably switch themes.
Sr. Systems Administrator @ sonic.net
by virtualmike » Tue Mar 12, 2013 10:33 pm
From Google's Webmaster Central Blog...

New first stop for hacked site recovery
We certainly hope you never have to use our new Help for hacked sites informational series. It's a dozen articles and over an hour of videos dedicated to helping webmasters in the unfortunate event that their site is compromised.