
01-08-2008, 02:10 PM
Web Hosting Guru
Join Date: Jan 2005
Location: Newfoundland, Canada
Posts: 253
Trojan detected on initial load of site
Hi.
I have 2 reseller accounts with one provider, and in the last several days I have noticed that when you visit the site for the first time, my AV software detects a trojan on the site, but the code & html files are 100% clean!
I'm suspecting that there is something being injected into the scripts from the server daemons that's either running or something else.
Anyone have any suggestions?

01-08-2008, 02:19 PM
Who am I?
Join Date: Sep 2002
Location: Among the corn
Posts: 9,637
What OS, what control panel?
Are your apache/php/insertothersoftwareversionshere up to date?
Is your control panel up to date?
It's entirely possible that this is a 'false alert', though I have seen an increasing number of 'javascript' injections in the past few months. Go through the index page to these sites; does there appear to be some sort of unknown, encoded javascript?
__________________
Me v2: The new, slimmer, shinier model

01-08-2008, 05:26 PM
Web Hosting Guru
Join Date: Jan 2005
Location: Newfoundland, Canada
Posts: 253
The host is running cPanel 11.16.0 (Stable) and it's running off a Linux OS with 2.6.9-42.EL Kernel.
One site runs pure HTML, no other scripts on the site ... and gets this error.
The other sites run PHP and this happens to them as well.
To my knowledge, all the modules are up-to-date, I've emailed support and they have indicated there "is no problem", but yet, every virus scan program detects problems. Like I said, first or second visit to the site and it pops up.
Subsequent visits, no virus detected.

01-08-2008, 05:30 PM
Retired Moderator
Join Date: Mar 2004
Location: Singapore/Melbourne
Posts: 6,832
Maybe you should try to find a security guy to help you harden and secure your system.

01-08-2008, 10:20 PM
Web Hosting Guru
Join Date: Jan 2005
Location: Newfoundland, Canada
Posts: 253
it's a reseller account, shouldn't the host be responsible for that?
This company is saying "nothing is wrong".
LOL!
Typical stuff from them.

01-08-2008, 10:41 PM
Disabled
Join Date: Dec 2002
Location: chica go go
Posts: 11,858
send us a link to the page that is throwing back the trojan detection errors.

01-09-2008, 01:20 PM
Web Hosting Guru
Join Date: Jan 2005
Location: Newfoundland, Canada
Posts: 253
Quote:
Originally Posted by ub3r
send us a link to the page that is throwing back the trojan detection errors.
I don't want to post it here, I don't want anyone not running AV software to be infected.
I can PM it to you if you like.

01-09-2008, 02:19 PM
Disabled
Join Date: Dec 2002
Location: chica go go
Posts: 11,858
If you can't post a link, then we can't help you.

01-09-2008, 02:51 PM
Web Hosting Guru
Join Date: Jan 2005
Location: Newfoundland, Canada
Posts: 253
Here are the URLs ... please note that these may cause an attempt to infect your PC with a trojan ...
http://www.affordablehosting.ca/
http://www.newfoundlandbusinesses.ca/
The support company is working to resolve these issues, when I last checked, they were still attempting to run the script. This will usually only happen the first or second time you go to the site, unless you clear your browser cache ... then it will happen again.

01-09-2008, 04:27 PM
Disabled
Join Date: Dec 2002
Location: chica go go
Posts: 11,858
Quote:
Originally Posted by geekie246
Here are the URLs ... please note that these may cause an attempt to infect your PC with a trojan ...
http://www.affordablehosting.ca/
http://www.newfoundlandbusinesses.ca/
The support company is working to resolve these issues, when I last checked, they were still attempting to run the script. This will usually only happen the first or second time you go to the site, unless you clear your browser cache ... then it will happen again.
your support company are idiots, and you should not give them any more money.
Each of those files contains calls to nonexistent javascript files:
newfoundlandbusiness:
Code:
<body class="bg_main"><script language='JavaScript' type='text/javascript' src='exdgk.js'></script>
affordablehosting.ca:
Code:
<body bgcolor="#fff2df" alink="#000000" link="#000000" vlink="#000000" ><script language='JavaScript' type='text/javascript' src='kzcbb.js'>
Look at your files, right around the opening <body> tag. If it contains a call to a javascript that doesn't exist, or is 5 characters, remove it. This is probably just getting picked up by your anti-virus because it follows a common pattern from some previous virus propagations.
Last edited by ub3r; 01-09-2008 at 04:30 PM.

01-09-2008, 05:55 PM
Web Hosting Guru
Join Date: Jan 2005
Location: Newfoundland, Canada
Posts: 253
Thanks, I have seen those things in the source when the AV software goes off, but here's the kicker: these are not part of the source that I have uploaded or that exists there right now at all. The files themselves do NOT contain this!
It is getting injected into the source somehow. As the source is 100% clean, I have verified it many times, how does it get inserted into the code when the page loads?
It has to come from the server side correct?
Last edited by geekie246; 01-09-2008 at 06:01 PM.

01-09-2008, 07:07 PM
Community Liaison 2.0
Join Date: Feb 2005
Location: Australia
Posts: 5,149
Quote:
Originally Posted by ub3r
your support company are idiots, and you should not give them any more money.
Quote:
Each of those files contains calls to nonexistent javascript files:
It seems to be a random 5 letter filename (I saw gkudw.js) and presumably a non-existent file in the OP's account, but when I requested it I got it; it looks like a typical malicious script.
Have the sites just gone offline? Perhaps the host's starting to take notice at last. 
__________________
Chris
"Learn from the mistakes of others. You can never live long enough to make them all yourself." - Groucho Marx

01-09-2008, 08:00 PM
Web Hosting Guru
Join Date: Jan 2005
Location: Newfoundland, Canada
Posts: 253
One of the sites has gone offline.
I'm hoping the support people are fixing whatever is wrong.
It's definitely on the server side of things. I've managed to at least convince them of that.

01-10-2008, 12:07 PM
Web Hosting Guru
Join Date: Jan 2005
Location: Newfoundland, Canada
Posts: 253
OK, the host is still indicating that there are no problems on the servers that I'm hosted on.
I cannot seem to get it through their thick skulls that there is something wrong with the servers.
The servers are obviously compromised. I have no SSH access and don't know what to tell them to look for.
Suggestions?

01-10-2008, 12:09 PM
Keep rockin' in the free world
Join Date: May 2002
Location: Kingston, Ontario
Posts: 1,557
Could be modifying the Apache memory in real time to load the iframe, could be they manually injected code into the web pages, could be a bunch of different things. They need to hire someone to investigate it. Seen many times before, nothing new.
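The check this thread boils down to, as an added example that is not code from the thread or from any poster: compare the HTML the server actually delivers with the file on disk, report any script tag that exists only in the served copy (that is, one added in flight rather than by the site owner), and flag the five-letter random .js names next to <body> that ub3r describes. DISK_HTML and SERVED_HTML are constructed samples, and all function names are my own.

```python
import re

# Constructed samples (not from the thread): the clean file as uploaded, and the
# same page as the server delivered it, with a script tag injected directly
# after <body>, the shape reported above (exdgk.js / kzcbb.js).
DISK_HTML = """<html><head><title>Site</title>
<script type='text/javascript' src='js/menu.js'></script></head>
<body class="bg_main"><h1>Welcome</h1></body></html>"""
SERVED_HTML = DISK_HTML.replace(
    '<body class="bg_main">',
    "<body class=\"bg_main\"><script language='JavaScript' "
    "type='text/javascript' src='exdgk.js'></script>")

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
# Random five-letter basename such as exdgk.js or kzcbb.js, as ub3r describes.
RANDOM_NAME = re.compile(r'^[a-z]{5}\.js$', re.I)

def script_sources(html):
    """External script src values in document order."""
    return SCRIPT_SRC.findall(html)

def injected_scripts(served_html, disk_html):
    """Script srcs the server delivered that the file on disk does not contain;
    anything listed here was added in flight, not by the site owner."""
    on_disk = set(script_sources(disk_html))
    return [s for s in script_sources(served_html) if s not in on_disk]

def looks_random(src):
    """True for a five-letter .js basename, whatever directory prefix it carries."""
    return bool(RANDOM_NAME.match(src.rsplit("/", 1)[-1]))

def script_right_after_body(html):
    """src of a script tag that immediately follows the opening <body>, else None."""
    body = re.search(r'<body\b[^>]*>', html, re.I)
    if not body:
        return None
    tail = html[body.end():]
    hit = SCRIPT_SRC.search(tail)
    if not hit or tail[:hit.start()].strip():
        return None
    return hit.group(1)

def audit(served_html, disk_html):
    """(src, looks_random) for every script present only in the served copy."""
    return [(s, looks_random(s)) for s in injected_scripts(served_html, disk_html)]

if __name__ == "__main__":
    for src, rnd in audit(SERVED_HTML, DISK_HTML):
        print(f"injected script: {src}  random-name: {rnd}")
    print("script directly after <body>:", script_right_after_body(SERVED_HTML))
```

Fetching the served copy with a plain HTTP client from a machine that has never loaded the site is the realistic input here, since the thread notes the injection only appears on an uncached first visit.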