Lots of my users were telling me our website had a virus such as Trojan-Clicker.JS.Agent.h
My AV was not showing that, then I started to investigate a bit. Installed many different AVs on the server, no luck. My worst fear was it being a rootkit, injected somehow into the server through IIS or something; all the security tests were saying negative for any threat.
I scratched my head for two entire days. This virus changes "default.asp, default.html, index.php, default.php, index.html" (basically the default pages in directories)
It adds a line like this:
<iframe src='http://url' width='1' height='1' etc. some function etc.
Then I asked myself, WTF is all this PHP about, does it also affect Linux, not just Windows Server? There was absolutely no info about the virus and its infection methods (on servers).
Kaspersky AV, ESET NOD32, Panda, AVG had absolutely no info on how it could possibly infect a "server".
My final resort was to check the FTP logs. I laughed so hard: one of my co-workers had that trojan on his computer, and when he connects to FTP, it changes all the default pages his account can access over FTP (without his knowledge). I said to him "NO FTP CONNECTION UNLESS YOU REMOVED THAT SHIT", and he apologized so much.
Yeah, so if you are infected with such a trojan (beg your pardon, the source of the trojan was Firefox; IE7 did not get it installed), make sure you check the owners of the FTP accounts :P
Just wanted to share these ugly two days ending with such a simple solution.
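
One way to run the FTP-log check described in the post, as an added example that is not part of the original post: it lists which account and client address uploaded several of the default pages named above. It assumes W3C extended logs with `cs-username`, `cs-method`, `cs-uri-stem` and `sc-status` fields and uploads logged as `STOR`; the log lines, accounts and addresses are constructed.

```python
from collections import defaultdict

# Default page names listed in the post.
DEFAULT_PAGES = {"default.asp", "default.html", "index.php",
                 "default.php", "index.html"}

# Constructed sample FTP log; users, IPs, paths and times are made up.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-15 10:14:01 192.0.2.10 alice STOR /site/img/logo.png 226
2024-01-15 10:15:40 192.0.2.10 alice STOR /site/index.html 226
2024-01-15 11:02:10 192.0.2.44 bob RETR /site/default.asp 226
2024-01-15 11:02:11 192.0.2.44 bob STOR /site/default.asp 226
2024-01-15 11:02:13 192.0.2.44 bob STOR /site/shop/index.html 226
2024-01-15 11:02:15 192.0.2.44 bob STOR /site/blog/index.php 226
2024-01-15 11:02:16 192.0.2.44 bob STOR /site/admin/index.php 550
"""

def parse_w3c(text):
    """Yield one dict per log row, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or odd rows
                yield dict(zip(fields, parts))

def suspicious_uploads(text, min_pages=2):
    """Map (username, client IP) -> default pages successfully uploaded.

    One overwritten default page can be a normal deploy; the same account
    rewriting default pages in several directories is the pattern to review.
    """
    hits = defaultdict(set)
    for row in parse_w3c(text):
        name = row["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        uploaded = row["cs-method"].upper() == "STOR"
        succeeded = row["sc-status"].startswith("2")  # 2xx FTP reply
        if uploaded and succeeded and name in DEFAULT_PAGES:
            hits[(row["cs-username"], row["c-ip"])].add(row["cs-uri-stem"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_pages}

if __name__ == "__main__":
    for (user, ip), pages in suspicious_uploads(SAMPLE_LOG).items():
        print(f"{user} from {ip} overwrote {len(pages)} default pages: {pages}")
```

Accounts it reports are the ones whose workstation and stored FTP password need checking before they connect again.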