ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Virus that I can't get rid of!

March 29, 2012 7:55am

  • #1 / Mar 29, 2012 7:55am

    tswdesign

    2 posts

    Hi,

    One of my sites has been infected by a virus which, from searching around various forums, appears to be a “favicon.ico” virus and generates links off to Russian .ru websites.

    In particular the index.php and admin.php files in the root of the directory had been overwritten with encrypted text.

    I upgraded the installation of EE but the virus came back almost immediately. Eventually I read something that said the virus was essentially “hiding” in the .htaccess file. Even though everything looked ok in there I re-wrote a completely new .htaccess file, uploaded it and replaced all the damaged files again with a clean version of EE.

    Now the site is back up, and apparently virus free, but there are still some odd things happening. In the control panel the pages are taking ages to load, and all the links on the page are inactive until it does load. The url being loaded as displayed in the bottom left of the browser (Firefox) often seems to be an odd, non-EE type url, and neither I nor my client are able to upload files via the CMS even though we were prior to the virus hitting.

    Any help and advice you can give on this would be most gratefully received. My client loves EE but is slowly losing patience and I’m running out of ideas in terms of fixes.

    Thanks in advance

    Tim
    Site: http://www.geoffreyvanorden.com/

  • #2 / Mar 29, 2012 8:08am

    tswdesign

    2 posts

    So the site is definitely not clean. At the foot of every page (including the control panel pages) there is a link which you can see via “view source”:

    [removed][removed]

    The url changes on every fresh load, but I can’t find where it is generated from.

    T

  • #3 / Mar 29, 2012 10:06am

    glenndavisgroup

    436 posts

    Hi tswdesign,

    These types of viruses/malware are not just affecting your site. It’s probably affecting the whole server. If you are on a shared hosting server you should notify your hosting company right away since this might be affecting everyone on your shared server. If and when your hosting company resolves this issue you should check your database tables to see if this virus/malware is hiding itself in one of the tables. This is a new technique that some hackers are using these days to hide their virus/malware and most people don’t think of checking for it. But I would recommend just deleting everything and reinstalling the EE site and db again to guarantee you don’t have anything hiding in your database tables.

    If you are on a dedicated server I would recommend just reinstalling the server from scratch if you can. Unless you are confident and know how to remove this type of virus/malware I wouldn’t even bother. This thing could be hiding copies of itself anywhere on the server and it’s not worth the trouble. This is the only way to guarantee that whatever got on your server is gone for good. Otherwise you risk the chance of it coming back.

    A few things you should consider if you haven’t done already ONLY after getting this virus/malware off your server:

    1) Rename your EE system folder to something else. This will make it a lot harder for someone to do something like this again.

    2) Remove execute permissions on folders that have write permissions on them such as the upload folder. This is where most of these issues start from. All it takes is someone to upload a perl script to one of these folders then calling the script from the browser to execute it and problems start from there.

    I hope that helps and good luck with the recovery.

    Mike


  • #4 / Mar 30, 2012 1:37pm

    Shane Eckert

    7174 posts

    Hey tswdesign,

    I am sorry to hear you are running into this problem.

    I feel your pain. I want you to know that we take security very seriously and will do our best to work with you on figuring out what’s going on.

    Please call your hosting provider and let them know about your situation. They need to know this in order to help stop it. Typically the only way to get rid of this is to find out how the exploit is being made and to repair that. This could be an operating system level fix or it could be another application installed in your web root. Do you have anything else installed, like phpBB, WordPress, or the like?

    As you have mentioned, these are the most commonly infected files.

    * index.php
    * admin.php
    * system/index.php
    * system/expressionengine/config/config.php

    Search the above files to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back-up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

    You may also wish to refresh your files by following the update instructions.

    Sorry to repeat myself, but I want to make sure this point comes across. You will be fighting a losing battle until you get rid of the exploit. Make sure no other apps are installed and if they are, list them here. If you are not using them, delete them. And please be sure to let your hosting service know. You might not be the only one with this frustration.

    Again, I am sorry you are dealing with this.

    Please keep me posted!

    Cheers,

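As an added example (not code from the thread or from ExpressionEngine), a small Python scanner that checks the four files listed in the post above, plus the .htaccess file the original poster found carrying the reinfection, for the injected iframes, external script includes and obfuscated PHP blobs the posts describe. The EE paths are the ones named in the thread; the patterns are assumptions about what injected code typically looks like, so a hit is a prompt to inspect the file, not proof of infection.

```python
import re
from pathlib import Path

# Files the thread names as the most commonly infected in an EE install,
# plus .htaccess, which post #1 found was where the reinfection was hiding.
EE_FILES = [
    "index.php",
    "admin.php",
    "system/index.php",
    "system/expressionengine/config/config.php",
    ".htaccess",
]

# Markers of injected content (assumed, not from the thread): hidden iframes,
# script includes pulled from another host, obfuscated PHP blobs (the
# "encrypted text" seen in index.php), and .htaccess directives that redirect
# visitors elsewhere or prepend a PHP file to every request.
PATTERNS = {
    "iframe": re.compile(r"<iframe\b[^>]*>", re.I),
    "external_script": re.compile(
        r"<script\b[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//", re.I),
    "obfuscated_php": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13|"
        r"gzuncompress)\s*\(", re.I),
    "htaccess_redirect": re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I),
    "php_prepend": re.compile(r"auto_(?:prepend|append)_file", re.I),
}


def find_suspicious(text):
    """Return (pattern_name, line_no, snippet) for every hit in the text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                hits.append((name, no, m.group(0)[:60]))
    return hits


def scan_install(root):
    """Scan the listed files under an EE document root; returns {relpath: hits}."""
    report = {}
    for rel in EE_FILES:
        path = Path(root) / rel
        if path.is_file():
            hits = find_suspicious(path.read_text(errors="replace"))
            if hits:
                report[rel] = hits
    return report


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, hits in scan_install(root).items():
        for name, no, snippet in hits:
            print(f"{rel}:{no}: {name}: {snippet}")
```

Run it with the site's document root as the argument; back up any flagged file before editing it, as the post advises.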