Possible Infection on whibalhost.com

Trond Roaas

02 Aug, 2011 02:25 PM via web

The following file is reported as a trojan by Avast Antivirus - you might want to check your server.
http://www.whibalhost.com/images/invisi_button.png

As Avast is blocking the page, I can't download and verify the file, but you might want to check it out. :)

  1. Posted by Michael Tapes Design (Support Staff) on 02 Aug, 2011 03:55 PM

    Hi Trond,

    Thanks for the heads up. I am working with my ISP to remove the problem, and institute preventative measures.

    What file were you trying to download?

    Thanks again.

  2. Michael Tapes Design closed this discussion on 02 Aug, 2011 03:55 PM.

  3. Trond Roaas re-opened this discussion on 04 Aug, 2011 03:07 PM

  4. Posted by Trond Roaas on 04 Aug, 2011 03:07 PM

    Hi,

    I did not try to download any file - I just browsed your website - for example http://www.whibalhost.com/lensalign/purchase.html . The .png file mentioned above is an image on the web page, and Avast reports that the file is blocked, reporting it as "JS:Redirector-E [Trj]". It may be that the image itself is replaced with a hostile javascript, and/or that there is a redirect script on the server linking to a remote hostile site.

    As Avast is blocking the file, I cannot download it and check if it is a suspicious javascript or not. ;)

    The html from your web page referring to the image:

    You could for example right click on the link to the png file above and choose "save as". If the resulting file is a javascript file and not an image, it might be a hint that the web server is compromised.

    Regards,
    Trond

  5. Posted by Michael Tapes Design (Support Staff) on 05 Aug, 2011 12:11 PM

    Hi Trond,

    Thanks for your help. I have deleted the .png files, but the problem remains. You do not have text here...
    The html from your web page referring to the image:

    Maybe that can help me. I have scanned both a download of the site, and the source for the site on my local drive with MS Security Essentials and found nothing, although it does report the trojan in my cache after I click on the purchase link as you have pointed out. I will download Avast and see if it can help track this down.

    Again. Many thanks. Any further assistance is welcome :>)

  6. Michael Tapes Design closed this discussion on 05 Aug, 2011 12:11 PM.

  7. Trond Roaas re-opened this discussion on 05 Aug, 2011 12:20 PM

  8. Posted by Trond Roaas on 05 Aug, 2011 12:20 PM

    The html is almost at the top of the page:
    style type="text/css"
    ul.MenuBarHorizontal a#but_5 { color:#FFFFFF; background-image: url(../images/invisi_button.png); }
    /style (html tags removed)

    You seem to be running an Apache web server - I strongly recommend having a look at your httpd.conf file - my guess is that requests to the image described above are proxied from a remote hostile site or retrieved from a local copy of the hostile file. I'd strongly recommend a thorough check of the entire httpd.conf file and a security audit on the server.

    You probably have entries in the httpd.conf file, so that requests for the image return the hostile script instead of the intended file.

    Regards,
    Trond Roaas

  9. Posted by Michael Tapes Design (Support Staff) on 05 Aug, 2011 01:18 PM

    Hi Trond,

    I have deleted all of the site folders and uploaded the local versions of the main HTML pages of the site, and asked Dreamweaver to also upload the dependencies. So we should have fresh, non-infected copies of everything. The local copy of the .png file loads properly into Photoshop as a blank image file (100x100 fully transparent). Interestingly, that .png file, although referenced in the HTML as you have shown, is not loaded as a dependency, so it appears to be out of the equation for now. It is not on the site.

    Also, I re-scanned the zipped download of the entire server and this time MS Security Essentials found a bunch of trojan type files, although not within the LensAlign site. I have deleted all of those files as well from the server, as they are old and not used.

    So, I think that I have removed the problem. Would be very thankful if you could check from your side. I no longer get warnings when I go to the link above and view all of the pages of the LensAlign site.

    Thanks again...

    BTW...My friend and associate who created this site recently died, so that is why I am kind of flying blind. Thanks again.

    I have to leave for the day. Hopefully this has done the trick. Thanks...Michael

  10. Michael Tapes Design closed this discussion on 05 Aug, 2011 01:18 PM.

  11. Trond Roaas re-opened this discussion on 10 Aug, 2011 11:58 AM

  12. Posted by Trond Roaas on 10 Aug, 2011 11:58 AM

    Requests for the png file still do not return an image file - now they return an empty page with the content type text/html.

    There could still be a redirect somewhere on the web server, but the offending file is now removed - deleted when you wiped all the files. You could try uploading the png file again and see if we now get the proper html file.

    The problem seems to be solved, at least. :)

    But - a more serious problem remains - how did the malware get there? Make sure that you update the server to the latest and greatest security patches, both for the operating system and the applications - hopefully an update will close the security hole where someone previously got in.

    Regards,
    Trond Roaas
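The check Trond describes in his posts (does a request for the .png actually return an image, or a script, or an empty text/html page?) can be scripted. This is an added example, not code from the thread or from the site owner; the sample responses are constructed, and the fetch helper's URL and User-Agent are placeholders you supply.

```python
"""Classify what an image URL really serves: a PNG, a script, or an empty page.

Added example (not from the thread). The three SAMPLES below are constructed
to mirror the states discussed: a clean PNG, a script served in place of the
image, and the empty text/html page seen after the files were wiped.
"""
import re
from urllib.request import Request, urlopen

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Markers typical of a redirector-style script returned instead of an image.
SCRIPT_HINTS = re.compile(rb"<script|document\.location|window\.location|eval\(", re.I)


def classify(content_type: str, body: bytes) -> str:
    """Return one of: png, empty, script, other, based on the bytes returned."""
    if body.startswith(PNG_MAGIC):
        return "png"
    if not body.strip():
        return "empty"
    if SCRIPT_HINTS.search(body) or "javascript" in content_type.lower():
        return "script"
    return "other"


def check_image_response(content_type: str, body: bytes) -> dict:
    """Flag a response at an image URL whose header or body is not a PNG."""
    kind = classify(content_type, body)
    declared_image = content_type.lower().startswith("image/")
    return {"kind": kind, "declared_image": declared_image,
            "suspicious": kind != "png" or not declared_image}


def fetch_and_check(url: str, timeout: float = 10.0) -> dict:
    """Fetch url (needs network; placeholder UA) and run the check on the reply."""
    req = Request(url, headers={"User-Agent": "image-check/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        return check_image_response(resp.headers.get("Content-Type", ""), resp.read())


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "clean": ("image/png", PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 16),
    "replaced": ("text/html", b"<script>document.location='http://example.invalid/';</script>"),
    "gone": ("text/html", b"\n"),
}

if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        print(name, check_image_response(ctype, body))
```

A "suspicious" result for a file that the local copy opens fine as an image points at the server (config or a file swapped in place), not at the page's HTML.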

  13. Michael Tapes Design closed this discussion on 24 Apr, 2012 02:16 PM.
