Normally, The virus attacks following files on your server:
- index.php
- index.html
- main.php
- header.php
- footer.php
At the start or end of these files it will insert the <IFRAME>, javascript php or malicious encoded code:
What does it do?
----------------
I can only guess. The code is calling a script on online-channels.info site. It can be sending traffic information. Maybe it is the first case of Internet marketing espionage? Or it can be trying to run some malicious code.
What does it do?
-----------------------
He saves your FTP password, accesses your account, and install in your index files, (Index from all directory) an <IFRAME> code that will open a virus page in your index of the forum.
How it's done?
-------------------
This is a sophisticated operation, and the infection cycle is involved, but basically, the hacker(s) are setting up innocent looking sites (or using previously hacked sites where the owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, firefox and opera). The visitor is unaware that they may have a keylogger that sends the persons passwords ect to the hacker(s) and moves on. If the innocent visitor has an ftp or root password for any internet sites, the hackers use a program that goes to the persons' site(s) and instantly adds the hidden iframe to every index type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the ftp or root passwords to log in. And since they have at least your account ftp pass, whatever permissions your folders and files are set to make no difference.
After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers infection site, where the person's computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked so that the number of hacked sites will grow (as they have to start in Italy) into the tens of thousands... Please don't think you can depend solely on your antivirus software to protect your computer. It more than likely won't help you. For $1000 dollars, the Russian hacking bulletin boards are offering Mpack with 1-year support and a GUARANTEE that virus programs will not catch the keyloggers. So, keep your virus program updated, but don't depend on it completely!
This way this hack is spreading fastly from one computer to another broadcasting the passwords to hackers. During my research in this, I even found some of the password files collected by the hack on some of the hacked server, where they pass this password file to their tool to add the code. In some cases, Google bots pick this files and you can even find the login details of FTP accounts and Server root login details in google.
How Do I got attacked ??
---------------------------
1. Your computer or a computer you use to administrate your website gets infected with a virus or trojan.
2. That virus or trojan runs a process on the computer searching FTP applications and their databases for username and password combinations or just looking for username and passwords in files on the computer.
3. When a username and password is found, that information is e-mailed, or somehow sent to an individual or a group of individuals.
4. That individual or group of individuals then have access to your account login information. They proceed to connect to your account via FTP using the hostname, username, and password that the trojan/virus provided for them.
5. Once connected to FTP on your account, they download your index page, edit that index page, place a malicious piece of javascript code or iframe code into the index page, then re-upload it to your account.
6. Your website is now infected with malicious javascript or iframe code, which can then be used to infect or track other visitors of your website.
Your computer is infected with a virus is not a direct result of your website being infected with a virus, or vice-versa. It is because of the type of virus or trojan that is installed on your computer, that your login information was compromised. This compromised data is what led to your website is infected.
How you got infected (Step 1) is completely up in the air. Perhaps you downloaded a program that was infected. Perhaps you received an e-mail that caused the infection. Perhaps you visited a website that caused the infection. There's really no way to be absolutely certain of how this infection initially took place. The best thing you can do is preventive measures. Keep your anti-virus software up-to-date. Make sure the memory resident of the virus scanner stays running. Do routine virus scans on your computer just to be sure. Use anti-spyware software to keep tabs on possible trojans or keyloggers that might be installed on your computer. Practice overall safe web-browsing. I recommend using only Firefox for your web browser and installing the NoScript Firefox add-on to help prevent any malicious javascript from running in your browser.
All of this assumes that your account credentials were compromised due to a local virus or trojan. That may not be the case. I would bet that your credentials have been compromised in some way, but even that is not a given. Other ways for your credentials to be compromised is if you leave your username and password written down near your desk at work or at a coffee shop, if you leave it in plain view, someone else may be able to read that information and then your information is compromised. There's really no way to know exactly how the information was compromised.
It's also possible that there was no credential compromise at all. You may have an outdated script installed on your account or on your web server that allowed malicious users to gain access to your account and inject material into your website. You should always make sure that you are running the latest version of any scripts or applications you have on your website to prevent something like this from happening.
===============================================
What is solution now ?
===============================================
If you are facing this problem and your administrator says it's only your account, just change the FTP password and it will stop
You must have removed the code as soon as its attack and change the file permission to READ ONLY or CHMODE 444 to make sure it never got attack again. Please Change the FTP Password immediately. Just changing password can not complete solution but is the first step.
What's next, your password is leaked that means your computer is sending out the passwords, so I would suggest you to do a clean format first and then install any antivirus of spyware which you think could block it. But the best solution is to clean format the computer.
Just do the three things:
1) Change the FTP or root password of the server.
2) Clean format the PC.
3) Forum cleaning.
You can download file_check.php. Put it in your root of the forum and run it from the address http://yourforumadress.com/file_check.php.
It usually adds that IFRAME code after the "?>" of the PHP code. You`ll get some pages that you need to delete the IFRAME.
Now go to the index.template.php from Themes/your theme directory. Search where the <body> code starts, and there you`ll find another IFRAME. Delete it (WARNING! Without '; from after the </IFRAME>.).
Now the forum is "clean".
In some case, this "virus" make some modification in your database system. Make sure you checked your database and removed any suspicious code.
and take care in future, you don't visit any of the virus links made by this hack.
Also to keep your password secure I would suggest you use any password manager software.
Please try it and also when you are confirmed, please spread this message in as many forums as you can so that others also come to know how to stop it.
I hope with this, I can help others! Cheers.
Support-Agent
Comments
Bellal Hossian Jony