FTP Exploit Trojan?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by CityTiger, Sep 8, 2010.

  1. CityTiger

    CityTiger Private E-2

Having a bit of trouble at the moment with a virus which keeps on embedding itself into a few sites I manage (I am a full-time online marketer so having full, safe access to my websites is essential to my business).

First happened on 28th/29th July when 3 separate sites, on 2 different servers, each with different ftp details got hacked.

Basically a malicious script was inserted at the bottom of all files called index, header, or main. When someone loaded the infected site the script generated an iFrame which then seemed to connect to some weird .in site and IE notified me of a trojan on the site. In addition if you tried to login to the Wordpress backend you just got stuck in a redirect loop and couldn't access anything.

Anyway, I cleaned it off the 3 sites and updated the security and everything - assuming it was a Wordpress vulnerability that had been compromised.

    All was well until Monday when I discovered that once again 3 sites had been infected (2 were the same sites that were infected last time), again on 2 different servers with different access details.

One of the sites I had actually taken Wordpress off completely which suggests it may not be a Wordpress specific attack... although so far it has only affected sites that either are, or used to be Wordpress so I am not sure.

Anyway, it got me thinking that perhaps I had a virus on my PC which could be controlled externally to reinfect on demand without me knowing a thing about it. Some further reading, specifically on botnets and rootkits, suggests to me that this is quite likely to be the case and I have a Trojan on my PC that is taking FTP details every time I connect to my sites via FTP and then at the owner's demand infecting the files on my server.

    In fact a friend has had a similar problem and he was able to find a Trojan and remove it.

Problem is, I have done the Malware removal process on your sticky thread (logs attached) and so far I haven't found anything I don't think. Super Anti Spyware found a few things but I believe all are legit. Malware Bytes found one thing which I deleted but on reflection I think that was fine too.

    In addition I also tried the following scanners without success:

    McAfee
    Avast!
    Ad-Aware
GMER (although don't think that worked properly as I am on a 64 bit system)

    It seems whatever it is is very good at hiding so any help would be much appreciated.

Obviously it's worrying because not only can these people infect my sites at any time (which could potentially lead to Google bans) but they also have all the details they need to access my sites and do whatever they want to them! Plus my concern is that there are other elements to the virus I may not know about yet.

    I have updated passwords but obviously if I have a trojan then the next time I need to update my site the Trojan gets the new password so it is only a very temporary fix.

    Any help would be massively appreciated!
     

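The first post describes two things a site owner can check for without any server-side help: a payload appended to the end of files named index, header or main, and files silently changing between visits. The following script is an added example (not code from the thread or from MajorGeeks) that does both: it inspects the tail of those files for the kind of hidden iframe or decode-and-eval stub described above, and it compares every file under the web root against a SHA-256 baseline taken while the site was known clean. The pattern list, the file-name filter, the `example.invalid` URL and the sample tree it builds are all constructed assumptions for the demonstration; a real baseline would be taken from a freshly cleaned site and stored off the server.

```python
"""Detect appended injections in index/header/main files and any file that
changed since a trusted baseline. Added example; all sample data is constructed."""
import hashlib
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# File stems the original post says were targeted, and the extensions to consider.
TARGET_STEMS = {"index", "header", "main"}
TARGET_SUFFIXES = {".php", ".html", ".htm", ".js"}
TAIL_BYTES = 4096  # the post says the script was appended, so only the tail is inspected

# Heuristic signatures for an appended payload (assumed for this example, not from the thread).
INJECT_PATTERNS = {
    "hidden_iframe": re.compile(
        rb"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0|<iframe[^>]*display\s*:\s*none", re.I),
    "document_write_unescape": re.compile(rb"document\.write\s*\(\s*unescape\s*\(", re.I),
    "php_eval_decode": re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}


def is_target(path: Path) -> bool:
    """True for index/header/main files with a web-facing extension."""
    return path.stem.lower() in TARGET_STEMS and path.suffix.lower() in TARGET_SUFFIXES


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tail(path: Path) -> List[str]:
    """Return the names of injection patterns found in the last TAIL_BYTES of the file."""
    size = path.stat().st_size
    with path.open("rb") as f:
        f.seek(max(0, size - TAIL_BYTES))
        tail = f.read()
    return [name for name, rx in INJECT_PATTERNS.items() if rx.search(tail)]


def build_baseline(root: Path) -> Dict[str, str]:
    """Map relative path -> sha256 for every file under root, taken while the site is clean."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def scan_tree(root: Path, baseline: Optional[Dict[str, str]] = None) -> dict:
    """Flag target files with an injected tail, plus files changed or added since the baseline."""
    report = {"suspicious": {}, "changed": [], "new": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if is_target(p):
            hits = scan_tail(p)
            if hits:
                report["suspicious"][rel] = hits
        if baseline is not None:
            if rel not in baseline:
                report["new"].append(rel)
            elif baseline[rel] != sha256_file(p):
                report["changed"].append(rel)
    return report


# Constructed sample content: a clean site, then a stand-in for the appended iframe.
CLEAN_INDEX = b"<?php\n// constructed sample\necho 'hello';\n"
CLEAN_HEADER = b"<html><head><title>site</title></head>\n"
INJECTED_TAIL = b"\n<iframe src=\"http://example.invalid/x\" width=\"0\" height=\"0\"></iframe>\n"


def run_demo() -> dict:
    """Build a constructed web root, baseline it clean, modify it, and rescan."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.php").write_bytes(CLEAN_INDEX)
    (root / "header.php").write_bytes(CLEAN_HEADER)
    (root / "wp-content").mkdir()
    (root / "wp-content" / "style.css").write_bytes(b"body{}\n")
    baseline = build_baseline(root)
    # Simulated reinfection: payload appended to header.php, plus a dropped file the
    # name filter alone would never look at but the baseline comparison catches.
    with (root / "header.php").open("ab") as f:
        f.write(INJECTED_TAIL)
    (root / "wp-content" / "cache.php").write_bytes(b"<?php eval(base64_decode('QQ=='));")
    return scan_tree(root, baseline)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The two checks are deliberately independent: the tail scan finds the specific symptom described in the post even without a baseline, while the baseline comparison reports any changed or new file regardless of its name, which is what catches a dropped file under a plugin or cache directory. If the hashes drift again after every password change, that supports the poster's theory that the credentials are being captured on the client side rather than the site being exploited directly.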

  2. evilfantasy

    evilfantasy Malware Fighter

    Welcome to MajorGeeks!

If your website or websites have been exploited then you need to contact your ISP, or whoever owns the servers, and have them help you find the exploit and remove it. We are really only equipped to deal with home users' PCs in these forums.

    Those look like files that you may want to keep? If so then you can restore them from within the scanners. If not then just leave them where they are.



    There is one entry to remove with HJT but other than that your logs are clean.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

    • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    After clicking Fix checked, exit HijackThis.




    If you are not having any other malware problems (on the computer), it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
• Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  3. CityTiger

    CityTiger Private E-2

Yeah I understand this but my belief is that my local PC may be infected with a trojan which is then pulling in my website access details. Both hosts have scanned all files on their servers and have checked FTP logs... everything appears in order with the servers.

    Therefore I am thinking that like a friend of mine, my PC has been infected with a Trojan that is controlling all of this.



Ok I have done this... what was that? Anything to worry about?
     
  4. evilfantasy

    evilfantasy Malware Fighter

It was just a dead registry key. A leftover from Click-to-Call BHO from Windows Live Messenger. More info here. Some software is not very efficient when uninstalling itself. I always use Revo Uninstaller. It gets a lot of the junk that built in uninstallers leave behind. And it's free.


    Since the scanners we use in the READ ME are mainly looking for certain types of malware it may be a good idea to get a "second opinion" from a reliable online virus scanner. Using ESET's Online Scanner


You mentioned Wordpress a few times. Do you have the latest version of Wordpress? I know they deal with malicious attempts at their software on a regular basis. Keeping that software up-to-date is crucial. They also have an Exploit Scanner that you might find useful.
     
  5. CityTiger

    CityTiger Private E-2

    Thanks mate, I think I may just have to change my passwords and sit and wait to see if that solves the issue.

    Yes Wordpress is fully up to date and is kept like that (including all plugins, etc). In fact one of the sites that got infected had Wordpress removed completely after the first infection but still got infected this second time too.

I have run the Exploit Scanner plugin and that found nothing that looked suspicious to me.

    Also ran the ESET scanner as directed. What an annoying tool that is! Took over 3 hours to do the scan but the annoying part is it said it was 99% complete after an hour!!

Anyway after all that it only found one threat which looks like it was just part of the MGTools program I ran yesterday. I have attached the report but it doesn't look like it will tell you anything.
     


  6. evilfantasy

    evilfantasy Malware Fighter

    No that was nothing to worry about from ESET.

    I'm 99.99% sure your computer is clean.
     
  7. CityTiger

    CityTiger Private E-2

    Ok thanks for your help mate - I hope you are right!

    If I ever get to the bottom of the problem I will let you know in case anyone else ever needs to know :)
     
  8. evilfantasy

    evilfantasy Malware Fighter

    Thanks and safe surfing... ;)
     
