09-17-2009, 12:56 PM
|
|
|
Confirmed User
Join Date: Sep 2003
Posts: 2,255
|
Found this from Webhostingtalk.com
Quote:
It is a series of viruses implanted on various PCs (and some Macs we've seen) that does little more than steal FTP credentials.
It works in a variety of ways.
First, it knows the files and their default locations of various FTP software, FileZilla, WS_FTP and many, many others. When users tell their software to save their logon credentials, it saves this information in a file on the computer. Then when you want to send an update to your website, the login information is already there.
The virus looks for these files, opens them, reads the information and then sends it to a server where it's used to login to the website with valid credentials. There's no need to "crack" the password. Which is why strong passwords aren't a defense in this case.
Second, the virus installs a keyboard logger. This variant is relatively new because earlier this year the hackers saw that everyone was telling people not to save their FTP username and passwords, so the hackers started installing keyboard loggers for those who type their passwords in each time. Same follow-through, the stolen information is sent to a server that infects the web site.
Third, the virus "sniffs" the FTP traffic leaving the PC. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see the username and password, capture it, send it to a server and ... (you get the idea).
Fourth, and is the most recent, the virus will inject the malscript (the infectious iframe) into the FTP data stream as it leaves the user's PC. This latest variant is sneaky in that the website logs will show that FTP traffic originated from a valid source, with valid FTP credentials.
The best way I've found to combat this is by following these steps:
Step 1: Install a new anti-virus program. Obviously this virus knows how to evade detection of the current anti-virus. It doesn't matter what's being used currently, you have to install something different.
Step 2: Login to your control panel at your web hosting provider's site and change your FTP password. Write it down at this point DO NOT ACCESS YOUR SITE with FTP until you finish all of these steps.
Step 3: Scan and clean every PC that has FTP access to your site. This is also a must. Otherwise you have no idea who's PC it is. Do not give the new FTP passwords to anyone until after you have finished all of these steps.
Step 4: Remove the malicious code from your webpages. If you have a known good back-up, use that. If not, download your site (yes you'll have to type in the new password, but hopefully you're already scanned and cleaned your PC). Then open each file in your HTML editor and find the infectious code. This particular malscript usually hides immediately after the opening body tag, but we've also seen it at the end of files. You'll have to check every file on your website not just index files or just html files. Check every file on your website even .js and .css files.
Step 5: Change your FTP passwords again.
Step 6: If you've been blacklisted by Google, login to your Google Webmaster Tools and verify your site if you haven't already, then request a review. You'll have to click on your site, then across the top you'll see in your dashboard a label in dark background that says, "This site may be distributing malware. More Details (which is a link). Click on that and request a review. If your site is clean, Google should bless you with removing that warning from SERPs.
Then you should have that issue again.
This is not the result of a faulty script or weak FTP passwords. It's the result of a virus on PC with FTP access to the infected website.
|
It a solution for malware injection attack.
Then again, It' not recommended to install unreliable php scripts anyway..
__________________
254-282-542
|
|
|