The Community Forums

Interact with an entire community of cPanel & WHM users!

Trojan-Downloader.JS.Pyme.nc

Discussion in 'General Discussion' started by josesan311, Oct 30, 2007.

  1. josesan311

    josesan311 Active Member

    Joined:
    Oct 29, 2007
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Does anyone know about this virus/JavaScript injection?
    I have it on all my cPanel servers and I do not know how to get it off. I have been looking inside the code and using this forum's search engine as a reference, but it seems it is not the same as the <iframe> thing that I saw in all those common posts.

    Every time someone accesses my website, seemingly at random, their antivirus pops up with a warning message saying my site is infected, but I really don't see anything out of the ordinary. I saw the warning myself; it looks like it shows up only if you are using Kaspersky AV.

    I've performed a scan with ClamAV on my whole server, recompiled Apache, everything.
    I do not know how to resolve this.

    Please advise! Thank you.

    PS: an image has been attached below.

    Regards.
     

    Attached Files:

  2. budway

    budway Well-Known Member

    Joined:
    Apr 16, 2003
    Messages:
    186
    Likes Received:
    0
    Trophy Points:
    16
    Open a ticket with support.
     
  3. rustelekom

    rustelekom Well-Known Member
    PartnerNOC

    Joined:
    Nov 13, 2003
    Messages:
    290
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    moscow
    It is most likely a JavaScript/frame hack. You should check at least the index.* files on the site where the AV warns you about the virus. You will most likely find a frame or JavaScript with a suspicious redirect or code.
     
  4. josesan311

    josesan311 Active Member

    Joined:
    Oct 29, 2007
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Hello guys, thanks for your prompt support, but the thing is, I have already checked the index/html/php files where Kaspersky says the virus is, but I do not see any redirection or http:// link, not even a .com link, nothing!

    Any other suggestions?

    Best regards.
     
  5. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Do you see ANYTHING weird? Forget the specific redirections. A lot of times they will put in tiny bits of code to pull files from somewhere else using tricks like PHP code or JavaScript, but it won't be obvious.
     
  6. sarhosting

    sarhosting Well-Known Member

    Joined:
    Oct 1, 2007
    Messages:
    164
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    United States
    cPanel Access Level:
    Root Administrator
    Hi,

    This is again a JavaScript injection problem. It is caused by weak FTP passwords and/or the user's local machine being infected. I had it yesterday with a client; I changed his password to a 62-character one and it has not happened since.

    Remove the injected code and change the password, and all will be fine.
     
  7. josesan311

    josesan311 Active Member

    Joined:
    Oct 29, 2007
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Hello guys, thank you for everything.

    I just attached my index.php; can someone look at it and see if you find something?
    I really don't see anything in it; it looks clean.

    Thank you very much in advance.

    Regards.
     

    Attached Files:

  8. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Also check top.php, footer.php, and any other PHP files that are included in index.php.

    If you PM me the URL to your site, I'll see if I find anything suspicious.

    Mike
     
  9. sarhosting

    sarhosting Well-Known Member

    Joined:
    Oct 1, 2007
    Messages:
    164
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    United States
    cPanel Access Level:
    Root Administrator
    Hi mate,

    I've looked through the index.php and there's nothing there, so could you also PM me all the files that are included in the script? There are a few, so take your time.

    If we can't go from there, I'll happily run some tests on your server to find out the weak points.

    Regards
    Richard
     
  10. josesan311

    josesan311 Active Member

    Joined:
    Oct 29, 2007
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Hi guys, I just found something interesting!

    I tried removing the site permissions (doing chmod 644 as someone recommended to me, but I got a forbidden access message) and then I saw the site was loading something from http://bds.invitations.fr/ssp/
    http://al-williams.com/tXlwpKDL/uCfIXrUcVpycMkVj.qtl

    But the site was inaccessible on my server! So it seems it's a server-wide problem, not an account itself.

    Any clue?

    Regards.
     
  11. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator

    ujowo.js - that's the file on your site that contains the JavaScript. The JavaScript is encoded; you must decode it to see what it is doing. And yes, within the encoded JavaScript is a call to get something from al-williams.com, although that file no longer exists.

    I'm not a programmer so I can't tell you what all that JavaScript does, but it's more than your average kiddie JavaScript hack. Somebody who knows JavaScript and programming in general should take a look at it to see exactly what it is doing to a Windows machine that visits the site.

    Mike
     
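The post above says the dropped .js is "encoded" and has to be decoded before anyone can tell what it fetches. Below is an added example, not code from this thread or from cPanel, of how a defender can peel the two string-hiding tricks such droppers usually stack (String.fromCharCode(...) and unescape('%..')) purely as text, without ever executing the script, and then look for the tell-tale indicators (eval, document.write, a zero-sized iframe, the external host contacted). The sample script is constructed here from a plaintext payload pointing at the reserved host example.invalid; it is modelled on the description in the thread, not the real ujowo.js, whose contents the thread does not show.

```python
import re
from urllib.parse import unquote

# Patterns for the two string-hiding tricks the decoder undoes. Both are replaced
# textually with the literal they build; nothing is evaluated.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
UNESCAPE = re.compile(
    r"unescape\(\s*(['\"])((?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}|[^'\"])*)\1\s*\)"
)
# Indicators worth reporting once the text is decoded.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "document.write": re.compile(r"document\.write\s*\("),
    "hidden iframe": re.compile(r"<iframe\b[^>]*(?:width|height)\s*=\s*['\"]?0\b", re.I),
}
HOST = re.compile(r"https?://([\w.-]+)")


def _js_unescape(text):
    # JavaScript's unescape() also understands %uXXXX; urllib's unquote does not.
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)


def decode_layer(js):
    """Replace one layer of fromCharCode()/unescape() calls with the string they build."""
    js = FROMCHARCODE.sub(
        lambda m: "'" + "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()) + "'",
        js,
    )
    js = UNESCAPE.sub(lambda m: "'" + _js_unescape(m.group(2)) + "'", js)
    return js


def decode(js, max_rounds=8):
    """Peel layers until the text stops changing; nested encodings are common."""
    for _ in range(max_rounds):
        peeled = decode_layer(js)
        if peeled == js:
            break
        js = peeled
    return js


def indicators(js):
    """Map each indicator name to whether it appears in the decoded script."""
    decoded = decode(js)
    return {name: bool(rx.search(decoded)) for name, rx in INDICATORS.items()}


def external_hosts(js):
    """Hosts referenced by http(s) URLs in the decoded script, for blocklisting and log searches."""
    return sorted(set(HOST.findall(decode(js))))


# Constructed sample (not the real dropper): the payload is encoded here from plaintext so
# the character codes are exact. example.invalid is a reserved name that never resolves.
_PAYLOAD = "document.write('<iframe src=\"http://example.invalid/x\" width=0 height=0></iframe>')"
SAMPLE_JS = (
    "var w=unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65');"
    "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in _PAYLOAD) + "));"
)

if __name__ == "__main__":
    print(decode(SAMPLE_JS))
    print(indicators(SAMPLE_JS))
    print(external_hosts(SAMPLE_JS))
```

To use it on a real capture, read the dropped file into a string and call decode() and external_hosts() on it; the host list is what you would then search for in the Apache access logs and block at the perimeter. Anything the decoder cannot peel (custom XOR loops, packed functions) still shows up as a leftover eval, which is itself a reason to escalate the file to someone who can analyse it in a sandbox.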
  12. nickzoid

    nickzoid Registered

    Joined:
    Mar 10, 2007
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    I have never seen this.
     
  13. josesan311

    josesan311 Active Member

    Joined:
    Oct 29, 2007
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Thank you very much Mike for your response.

    That ujowo.js file is generated randomly; it's a 5-letter file (xxxxx.js) that is created every time someone accesses the site, but I have never caught it on my server.

    I will try the JavaScript decoder, thank you.
    Also, do you know which JavaScript file or directory it is being called from?

    Thank you very much for everything!!
     
    #13 josesan311, Nov 1, 2007
    Last edited: Nov 1, 2007
  14. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Yeah, it's being called from the same directory. If you look at your index.html you'll see the reference in one of the lines that starts with <script>. The one I looked at shows ujowo.js. Interesting that it changes. But that would explain why the original AV warning that you posted showed a different filename.

    Mike
     
  15. josesan311

    josesan311 Active Member

    Joined:
    Oct 29, 2007
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    This is the index.php I'm using; you will see there is no script or JavaScript text inside it.

    This is quite annoying.

    Thank you in advance.

    Best regards.
     

    Attached Files:

  16. gernotmann

    gernotmann Registered

    Joined:
    Feb 25, 2004
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    I have exactly the same problem. Sometimes the trojan will randomly write code inside the index HTML file like
    <script language='JavaScript' type='text/javascript' src='ecpzb.js'></script>

    Did you already find the source of this problem?
     
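Two posts in this thread give the concrete thing to look for: rustelekom's advice to check the index.* files for an injected frame or script, and the tag gernotmann quotes above, a <script> whose src is a five-letter random local name such as ecpzb.js or ujowo.js, dropped in the same directory as the page. Below is an added example, not code from this thread or from cPanel, of a scanner that walks a document root, flags pages carrying that pattern or a zero-sized/hidden <iframe>, and reports whether the referenced .js is still on disk. The five-letter rule and the list of file extensions are assumptions taken from this thread; the demo tree it builds is constructed sample data, not a real site.

```python
import os
import re
import sys
import tempfile

# Pattern of the injected tag quoted in the thread: a <script> whose src is a short
# random local name (ecpzb.js, ujowo.js). Five lowercase letters is an assumption
# based on the names seen here; widen it if your injected names differ.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(
    r"(?:width|height)\s*=\s*['\"]?0\b|visibility\s*:\s*hidden|display\s*:\s*none", re.I
)
RANDOM_LOCAL_JS = re.compile(r"^(?:\./)?[a-z]{5}\.js$")
WEB_FILES = (".html", ".htm", ".php")  # index.*, top.php, footer.php and friends


def suspicious_scripts(html):
    """src values of <script> tags that look like the randomly named local .js files."""
    return [src for src in SCRIPT_SRC.findall(html) if RANDOM_LOCAL_JS.match(src)]


def hidden_iframes(html):
    """<iframe> tags sized to zero or styled invisible, the classic drive-by frame."""
    return [tag for tag in IFRAME_TAG.findall(html) if HIDDEN.search(tag)]


def scan_file(path):
    """Return a findings dict for one page, or None when nothing suspicious is present."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        html = fh.read()
    scripts = suspicious_scripts(html)
    iframes = hidden_iframes(html)
    if not scripts and not iframes:
        return None
    # The thread notes the .js is dropped beside the page that calls it; record whether
    # it is still there so it can be preserved for analysis before cleanup.
    here = os.path.dirname(path)
    dropped = [os.path.join(here, s) for s in scripts if os.path.exists(os.path.join(here, s))]
    return {"file": path, "scripts": scripts, "iframes": iframes, "dropped_js": dropped}


def scan_tree(root):
    """Walk a document root and collect findings for every HTML/PHP file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(WEB_FILES):
                result = scan_file(os.path.join(dirpath, name))
                if result:
                    findings.append(result)
    return findings


def build_demo_tree():
    """Constructed sample site (not real data): one injected page, one clean page, the dropped .js."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Hello\n"
                 "<script language='JavaScript' type='text/javascript' src='ecpzb.js'></script>\n"
                 "<iframe src=\"http://example.invalid/x\" width=0 height=0></iframe>\n"
                 "</body></html>\n")
    with open(os.path.join(root, "about.html"), "w") as fh:
        fh.write("<html><body><script src='/js/jquery.js'></script></body></html>\n")
    with open(os.path.join(root, "ecpzb.js"), "w") as fh:
        fh.write("/* placeholder standing in for the obfuscated dropper */\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for hit in scan_tree(target):
        print(hit["file"])
        for s in hit["scripts"]:
            present = os.path.join(os.path.dirname(hit["file"]), s) in hit["dropped_js"]
            print("  injected script:", s, "(file present)" if present else "(file gone)")
        for tag in hit["iframes"]:
            print("  hidden iframe:", tag)
```

Run it as `python scan.py /home/user/public_html` (or with no argument to see it on the built-in sample). Because the thread reports the tag being re-added at random, a one-off clean scan proves little; schedule the scan from cron and diff its output, and treat a hit as a prompt to copy the page and the .js aside before removing them so the dropper can be decoded.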
  17. josesan311

    josesan311 Active Member

    Joined:
    Oct 29, 2007
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    I did not find any solution yet; this virus seems to be very difficult to track down.

    Any suggestions are accepted, guys.

    Thank you.
     
  19. josesan311

    josesan311 Active Member

    Joined:
    Oct 29, 2007
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    I just found another thing: if I change the Apache port to 81, the malware does not show up!!
    It seems the malware is inside Apache or inside the OS itself.

    This is frustrating me.
     
  20. lailai

    lailai Registered

    Joined:
    Nov 4, 2007
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Um, can you PM me your:
    templates/top.php
    templates/footer.php
    Thanks
     