
Being a new member, and this being my 1st post, I would like to say a friendly "HI!" to everyone!

 

I'm in charge of administering a simple PHP website. No fancy e-commerce scripts, no fancy authentication methods, just your average pics and scripts.

 

In the last few days, every time I try to access the website my antivirus (Kaspersky IS 2010) returns a disturbing message:

 

Virus/Trojan found: Exploit.JS.Agent.avl, and it blocks me from viewing the website.

 

After downloading some random files of random extensions (.jpg, .html, .php etc.), I've discovered that this evil-keep-me-busy-from-my-daily-routines virus infects only .HTML files and .php files.

 

Since the antivirus can't disinfect them, and the website wasn't made by me, and I'm not familiar with the links and everything, I can't just delete the infected files and start writing the code from scratch.

 

Can you guys help me with a good method of removing viruses from .php files?

 

 

From what my brain has told me, it should be an evil script injected into the .php file (probably a few lines of evil code).

 

My solution: disable antivirus, open the .PHP file, look for the nasty code, delete it and copy/overwrite it back on the website (via FTP).

 

If you could help me, it would be really nice... anything: advice, tips, or even better, solutions!

Thank you in advance!

 

Adrian

The site that is infected, is it a publicly available script?  Can you provide a name of the PHP application?

 

I ask because if it got in through some exploit in your scripts, then cleaning it is kind of fruitless.  It'll likely be back, very soon.  If you can upgrade or patch the PHP application, it might prevent re-infection (and in the upgrade/patch process, might even overwrite the infected files.)

 

It's very important to remove the origin of the infection, as quickly as possible.

Nooo... it's something way simpler... just pics, links and a simple SQL database (that is not working... yet).

 

I've upped some of the infected files. It's not a virus, just an evil script that gets executed after being parsed by the PHP server, so opening it with something harmless like Notepad is no problem. I'm 100% convinced that the evil code will spark in your eyes.

 

 

Until now everything is as I expected.

 

Step 1 : Download all .html, .php files, and scan with AV. Probably all will be infected.

 

Step 2 : open each file and remove the nasty piece of code. Would be swell if I could find a simple program that removes text from one file by comparing it to another file.

 

File 1 - infected

 

File 2 - text to delete

 

Final file = File 1 - File 2; simple in theory, will be hard to produce.

 

Step 3 : replace all files by overwriting using the ftp client

 

[attachment deleted by admin]
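The "File 1 minus File 2" cleanup described in Step 2, as an added example that is not the poster's code: File 2 is the exact injected snippet copied out of one infected page, and every .php/.html file under the site root has that snippet removed (with a .bak copy kept before overwriting). The sample pages and the injected block below are constructed for the demo; this is an exact-match strip, so a snippet that differs from file to file needs a fresh File 2 per variant.

```python
"""Strip a known injected snippet (File 2) from every .php/.html page (File 1)."""
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for the injected block. In practice paste the exact text
# the AV flagged from one infected page; it must match byte for byte.
INJECTED = '<script>/* constructed sample injection */</script>\n'

def strip_injection(text: str, needle: str) -> tuple[str, int]:
    """Return text with every occurrence of needle removed, and how many were removed."""
    count = text.count(needle)
    return text.replace(needle, ''), count

def clean_tree(root: Path, needle: str, exts=('.php', '.html', '.htm')) -> dict[str, int]:
    """Clean matching files in place under root; keep a .bak copy of each changed file.

    Returns {relative path: occurrences removed} for files that were modified.
    Files with other extensions (images, etc.) are never touched.
    """
    report = {}
    for path in root.rglob('*'):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        original = path.read_text(encoding='utf-8', errors='surrogateescape')
        cleaned, hits = strip_injection(original, needle)
        if hits:
            # Backup first so a wrong File 2 can be undone before re-uploading via FTP.
            shutil.copy2(path, path.with_suffix(path.suffix + '.bak'))
            path.write_text(cleaned, encoding='utf-8', errors='surrogateescape')
            report[str(path.relative_to(root))] = hits
    return report

def demo() -> dict[str, int]:
    """Build a constructed site tree in a temp directory, clean it, return the report."""
    root = Path(tempfile.mkdtemp())
    (root / 'index.php').write_text('<?php echo "hi"; ?>\n<body>ok</body>\n' + INJECTED)
    (root / 'about.html').write_text('<html><body>about</body></html>\n' + INJECTED)
    (root / 'clean.php').write_text('<?php phpinfo(); ?>\n')          # untouched: nothing to strip
    (root / 'logo.jpg').write_bytes(b'\xff\xd8' + INJECTED.encode())  # skipped: not a web page
    report = clean_tree(root, INJECTED)
    assert INJECTED not in (root / 'index.php').read_text()
    assert (root / 'index.php.bak').exists()
    return report

if __name__ == '__main__':
    for name, hits in sorted(demo().items()):
        print(f'{name}: removed {hits} occurrence(s)')
```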

Alright yeah - looking at that, it definitely looks like the JavaScript at the bottom :P

 

What we want to find out is how that JavaScript is being appended to the bottom of every file.

 

There are SOOO many ways this could be happening.  My first guess is that someone got credentials into your web server, and has a process running that keeps appending the malicious code to all your JS.

 

Where are you hosting this?

be careful.

It's probably an <IFRAME> of 1x1 pixel.

Location: between <body> and </body>, mostly at the bottom.

 

I will say it's not just a matter of changing the FTP login info; the server may have been hacked from another site hosted on the same server, and then with a shell they just uploaded a PHP script that loops through all server files and inserts an IFRAME in every page.

 

If you get the same infection again, you will probably need to contact the server administration ASAP.

The whole application may need to be recoded and redone with security upgrades to prevent such attacks from happening again; make sure certain file types are disallowed in the future, and certain code like JavaScript/PHP/C++/C/VB

 

It looks like it was a JavaScript-based attack that fucked up most of the HTML and embedded itself within the PHP files inside of the HTML.

 

 

 

Also, changing login information helps, but I would check with your host to make sure they haven't had anyone hack into their servers lately and that it was an isolated attack on your site.

 

 
