16th April 2007, 19:41 | #11
Loves to post
MG ZT
Join Date: Jan 2007
Location: Kendal, Cumbria
Posts: 456
Thanks: 0
Thanked 0 Times in 0 Posts

The problem I seem to have is that when you view the source on, say, the home page, it's made up of various files and folders, i.e. default.htm, menu.htm, stylesheet.css etc., so could the virus be in each folder which makes up the pages? (Assume it is, as the line referring to goldunix is repeated several times over.) As I'm a website butcher rather than a designer I'm not 100% sure which folders make up each page; when I look at the site via FTP access there are old files no longer needed and files never touched, so I don't know what's needed and what's not, or what's safe to delete etc.
16th April 2007, 19:47 | #12
Banned
180+ Sport Auto
Join Date: Oct 2006
Location: Bedford Middle Level
Posts: 17,787
Thanks: 0
Thanked 18 Times in 5 Posts

When viewing the source code for, say, the home page you will see several instances of the offending lines, always as a pair. Delete all instances and then that page is clean.
Repeat for all .html pages. I don't think that you will find them on your CSS sheets or anywhere else.
16th April 2007, 19:54 | #13
Loves to post
MG ZT
Join Date: Jan 2007
Location: Kendal, Cumbria
Posts: 456
Thanks: 0
Thanked 0 Times in 0 Posts

Looking at the files via FTP I've got them in ASP pages as well.
There also seem to be a few GIFs I don't recognise, like a1.gif, b1.gif etc. If I trawl through every folder and file via FTP, delete the code and reload the file, is that a safe way to solve it? Then once solved, back up those folders to disk?
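As an added example (not code from anyone in the thread), a small Python script that does the "download via FTP, then hunt for the offending lines" step of the procedure above mechanically instead of by eye: it walks a downloaded copy of the site, reports every text file (.htm, .asp, .css, .js) and line number that mentions the goldunix host, and strips those lines while keeping a .bak copy of each file it touches. The sample site tree and the shape of the injected tag are constructed for the demo; the thread does not quote the real injected lines.

```python
import os
import tempfile

# Host name the thread names as the dropper site; the tag shape and the sample
# site tree below are constructed for the demo (the thread quotes no real lines).
MARKER = "goldunix"
INJECTED = '<script src="http://goldunix.example/x.js"></script>\n'
TEXT_EXTENSIONS = {".htm", ".html", ".asp", ".css", ".js"}
SAMPLE_SITE = {
    "default.htm": "<html><body>Home</body>\n" + INJECTED + INJECTED + "</html>\n",
    "menu.htm": "<html><body>Menu</body></html>\n",
    "cottages/propertyid1281982.asp": "<%@ Language=VBScript %>\n<html>\n" + INJECTED + "</html>\n",
    "stylesheet.css": "body { color: #000; }\n",
}

def scan_tree(root, marker=MARKER):
    """Map each text file under root that mentions the marker to its 1-based
    line numbers, so .asp and .css files are searched as well as .htm pages."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = [n for n, line in enumerate(fh, 1) if marker in line]
            if lines:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = lines
    return hits

def remove_marker_lines(path, marker=MARKER):
    """Delete every line mentioning the marker; the original is kept as path + '.bak'."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.readlines()
    kept = [line for line in lines if marker not in line]
    os.replace(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.writelines(kept)
    return len(lines) - len(kept)

def demo():
    root = tempfile.mkdtemp()  # stands in for the folder the FTP download went to
    for rel, body in SAMPLE_SITE.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    before = scan_tree(root)
    removed = sum(remove_marker_lines(os.path.join(root, rel)) for rel in before)
    return before, removed, scan_tree(root)
```

Review the `before` report and the .bak copies before re-uploading anything; the script only removes whole lines that mention the marker, so an injected tag sharing a line with legitimate markup would need hand editing.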
16th April 2007, 20:01 | #14
Posted a thing or two
http://Roadca.ms - Letting you see what they see!
Join Date: Nov 2006
Location: Yup
Posts: 1,786
Thanks: 0
Thanked 7 Times in 1 Post

Ok, from what I can make out, Exploit.JS.ADODB.Stream.y is part of the VBS/Psyme family of trojans. There are literally hundreds of variants, but basically they download .exe files from web sites (such as the goldunix one) and each exe will do different things, like open a back door on the victim's PC and allow it to be used as part of a botnet or for relaying spam emails. The possibilities are endless.

SQL injection is a vulnerability in ASP coding. Sorry if you coded the site yourself, but it is a vulnerability of "poor" ASP coding. If someone else coded the site for you then use these smilies on them and get them to fix it. Without revealing too much (you never know who's reading!?), you have a web page or URL like showpropertygoose.asp?PropertyID=447176. The property ID, I'll hazard a guess, is an ID field in an SQL database. I'd also say that showpropertygoose.asp simply does "select field1, field2, field3, etc from tablename where propertyid = 447176". The poor coding part (sorry again if you did it) is that the querystring is not being checked for validity before being sent to the database as an SQL query. I can insert certain characters in your web site URL / querystring (again I won't go into specifics on a public forum) which will alter the SQL query sent to the database, so I can manipulate the data going to and from your SQL db. The risks here are very VERY high. I can do minor things like log in to the admin area of the site or, rather more dramatically, I can add to your SQL query being sent to the SQL db and issue a site-killing command such as "drop table", which will basically mean instant death to your site. I can go one step further and upload malware code to the db too. If you want to have a chat on the phone (might be easier?) send me a PM, but as above, if you didn't do the site, go and have words with the person/people who did. One last thing, don't feel this was a personal attack on your web site; these "script kiddies" have programs that run round the internet looking for SQL-injectable sites and infect them automatically. They will simply have a list of URLs to show their class mates the next day and say "how cool" they are... I hope this information is of some use.

Last edited by Rich; 16th April 2007 at 20:06. Reason: Horrific spelling!!
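The check the post above calls for, as an added example in Python with sqlite3 rather than classic ASP (not code from the forum or from the site under discussion): the unchecked concatenation the post describes, beside a hardened lookup that first confirms PropertyID is a plain integer and then binds it as a query parameter so the database never sees it as SQL text. The table, column names and rows are constructed for the demo.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the site's property table; the table and
# column names are assumptions, not taken from the real site.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE properties (propertyid INTEGER PRIMARY KEY,"
               " name TEXT, weekly_price INTEGER)")
    db.executemany("INSERT INTO properties VALUES (?, ?, ?)",
                   [(447176, "Lakeside Cottage", 450), (447177, "Fell View", 520)])
    return db

def build_unchecked_sql(querystring_value):
    """The pattern the post describes: the raw PropertyID value from the URL is
    pasted into the SQL text, so anything after PropertyID= reaches the db as SQL."""
    return ("SELECT propertyid, name, weekly_price FROM properties"
            " WHERE propertyid = " + querystring_value)

def parse_property_id(querystring_value):
    """Validate before the value goes anywhere near the database: PropertyID
    must be a plain decimal integer of sensible length, nothing else."""
    value = querystring_value.strip()
    if not re.fullmatch(r"[0-9]{1,12}", value):
        raise ValueError("PropertyID must be a positive integer")
    return int(value)

def show_property(db, querystring_value):
    """Hardened lookup: validate, then bind the value as a parameter so the
    database driver never treats it as part of the SQL text."""
    property_id = parse_property_id(querystring_value)
    return db.execute(
        "SELECT propertyid, name, weekly_price FROM properties WHERE propertyid = ?",
        (property_id,),
    ).fetchone()

def is_valid_property_id(querystring_value):
    """True/False wrapper around parse_property_id for callers that log and move on."""
    try:
        parse_property_id(querystring_value)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    db = make_db()
    print(build_unchecked_sql("447176"))         # raw URL text lands inside the query
    print(show_property(db, "447176"))           # (447176, 'Lakeside Cottage', 450)
    print(is_valid_property_id("447176 extra"))  # False: rejected before any query runs
```

In classic ASP the same two steps are an integer check on Request.QueryString("PropertyID") followed by an ADODB.Command with a parameter instead of string concatenation.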
16th April 2007, 20:05 | #15
Posted a thing or two
http://Roadca.ms - Letting you see what they see!
Join Date: Nov 2006
Location: Yup
Posts: 1,786
Thanks: 0
Thanked 7 Times in 1 Post

I was looking at the source code for the malware in question earlier and it (quite cleverly) avoids detection by the web server / host itself by splitting itself into random "chunks" of data/files. When someone goes to goldunix.com (via your site!), it pulls a1.gif and b1.gif and c1.gif and so on and "streams" them to the victim's PC. It streams each individual file in a continuous stream, so when it arrives on the victim's PC it is one file, not chunks, and the one file is the dodgy exe! That said, those file names aren't uncommon with an imagemap, so they could be completely legitimate. Welcome to the very confusing world of internet security.
16th April 2007, 20:08 | #16
Banned
180+ Sport Auto
Join Date: Oct 2006
Location: Bedford Middle Level
Posts: 17,787
Thanks: 0
Thanked 18 Times in 5 Posts

Thanks Rich, that's all the nerdy clever stuff that I know naff all about. I do know how to spot that sort of problem and fix it, but not how to prevent it occurring in the first instance.
Well done that man.
16th April 2007, 20:10 | #17
Posted a thing or two
http://Roadca.ms - Letting you see what they see!
Join Date: Nov 2006
Location: Yup
Posts: 1,786
Thanks: 0
Thanked 7 Times in 1 Post

For once, and much as it pains me to admit it (and I never will again, so make the most of it), it is times like this that I envy Mac owners.
16th April 2007, 20:13 | #18
Loves to post
MG ZT
Join Date: Jan 2007
Location: Kendal, Cumbria
Posts: 456
Thanks: 0
Thanked 0 Times in 0 Posts

Hi Rich
Thanks for the help (that goes to all of you; more than just a source of info for when the ZT is poorly or needs a gee gee tweak). I didn't design the site; it was a company called Netizen, then a few years back a lad from Switzerland who I got chatting to on a New Beetle forum, funnily enough, offered to tweak the site, as when Google re-jigged the way it ranked sites it suddenly went from appearing several times on the first two pages of most search results to disappearing overnight. Not sure which is his work, what's tweaked and what's original. Since then I've had a play with the site, so I may alter text and images on the various pages, add a link to a special offer page, change a phone number; that's about it. I don't tweak the layout, stylesheets etc. At the moment I'm going through every folder via FTP, downloading the files to the desktop, removing the nasties, and once all that's done will upload. One problem is the cottage pages (propertyid1281982.asp), which are pulled from a database and are not accessed via FTP; I paid Netizen silly money to have access to their TMS travel management system, where you log in and make alterations like dates, pricing and cottage photos online. If this part of the site contains the virus it's out of my hands. I have emailed Netizen anyway, but as I don't put a lot of business their way or pay their rip-off prices they don't tend to bend over backwards very quickly (they used to charge £75 to add a new cottage; I emailed text, photos etc. I can cut and paste a new cottage page via TMS and upload photos in 3 minutes if that; the time-consuming bit is putting all the various dates in). Is it still worth a phone call or will you soon have me out of my depth?
16th April 2007, 20:17 | #19
Banned
180+ Sport Auto
Join Date: Oct 2006
Location: Bedford Middle Level
Posts: 17,787
Thanks: 0
Thanked 18 Times in 5 Posts
16th April 2007, 20:20 | #20
This is my second home
Rover 75 V8
Join Date: Oct 2006
Posts: 3,448
Thanks: 0
Thanked 206 Times in 32 Posts

'scuse this as cheeky, but why not ask Rich for a quote to get it sorted? He is v good and it is his livelihood. That way it's a win win.
__________________
Mike