HTML/Crypted.Gen
Description from avira.com:
To avoid detection by antivirus software, authors of HTML malware use browser features like Java and VisualBasic Script. These scripts are small and very often quite simple encryption routines hiding the malicious parts of the script. Encrypted malware is detected as HTML/Crypted.Gen.
One of our customer’s websites suffered from this virus. The effects on their website were:
- Their visitors’ antivirus blocks their website.
- Google marked their website as a harmful website.
- Antivirus also blocked their cPanel.
- Even if you back up your database, the backup is detected as a virus (only by Avira).
- To be exact, your website malfunctions.
We dealt with the web hosting company, and they said that because it’s a Linux-based server, the virus will not harm the server. They said this virus embedded an iframe into the website files and is only triggered when people view the website. So they helped us overwrite the entire website with the previous backup files.
We thought it was over, but the next day the same customer called again and said the same thing had happened. So we did the same thing again, but it was still not clean. That time I wondered: if it only affected the PHP and HTML files, why did my Avira also detect the backup SQL file as a virus and delete it? And only Avira antivirus could detect it. So this time I ignored the Avira warning and opened the SQL file.
At first sight it was just normal SQL syntax, nothing unusual. No additional table, no iframe script detected. Then I saw something weird.

[Image: sql statement]
The picture shows the SQL statement inserting data into the table news. You won’t find anything wrong in the picture at first, but if you look closely you can see that ids 7-12 use a single insert statement while id 13 uses a different insert statement. I then deleted the id 13 row and ran the website. Everything was fine; the website is now virus free.
But wait! The id 13 news is actually real news, only it is embedded with the virus code. To add this news back to the server, simply add it manually using the phpMyAdmin insert data function or use your CMS.
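The search described above can be done without reading the dump by hand. The following is an added example, not code from the original post: it walks the INSERT statements of a SQL dump and reports the table, statement number and id of any row carrying iframe or script markup. The marker list, function names and sample dump are assumptions constructed for illustration.

```python
import re
# Markers typical of injected markup; an assumption for this example, not Avira's signature.
SUSPICIOUS = {
    "iframe": re.compile(r"<\s*iframe\b", re.I),
    "script": re.compile(r"<\s*script\b", re.I),
    "obfuscation": re.compile(r"\b(?:eval|unescape|fromCharCode)\s*\(|document\s*\.\s*write\s*\(", re.I),
}
INSERT_HEAD = re.compile(r"INSERT\s+INTO\s+`?(\w+)`?[^;]*?VALUES\s*", re.I)

def split_rows(values_sql):  # yields each top-level (...) tuple of one INSERT
    depth, quote, start, i = 0, None, 0, 0
    while i < len(values_sql):
        ch = values_sql[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None                # closing quote
        elif ch in "'\"":
            quote = ch                      # ; ( ) inside strings are ignored
        elif ch == "(":
            depth += 1
            start = i if depth == 1 else start
        elif ch == ")":
            depth -= 1
            if depth == 0:
                yield values_sql[start:i + 1]
        elif ch == ";" and depth == 0:
            return                          # end of this INSERT statement
        i += 1

def scan_dump(dump):  # returns [(table, statement_no, row_id, markers)]
    findings = []
    for stmt_no, head in enumerate(INSERT_HEAD.finditer(dump), 1):
        for row in split_rows(dump[head.end():]):
            hits = sorted(n for n, rx in SUSPICIOUS.items() if rx.search(row))
            rid = re.match(r"\(\s*'?(\d+)", row)   # first column assumed to be the id
            if hits:
                findings.append((head.group(1), stmt_no, rid and rid.group(1), hits))
    return findings

# Constructed sample dump (not the customer's data); the URL is a placeholder.
SAMPLE_DUMP = r"""INSERT INTO `news` (`id`, `title`, `body`) VALUES
(7, 'Opening hours', '<p>We open at 9; closed on Sunday.</p>'),
(12, 'New branch', '<p>It\'s open (finally).</p>');
INSERT INTO `news` (`id`, `title`, `body`) VALUES
(13, 'Promo', '<p>Real news</p><iframe src="http://placeholder.invalid/" width="0"></iframe><script>document.write(unescape("%3Cb%3E"))</script>');"""
if __name__ == "__main__":
    print(scan_dump(SAMPLE_DUMP))
```

A CMS that legitimately stores script or iframe tags in content will produce hits too, so each flagged row still needs a manual look before it is deleted.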
How do these viruses get attached to the database?
Easy, actually: it’s accidentally inserted when you use your CMS. CMSs nowadays have TinyMCE or other JavaScript editors. When you copy any statement or even a word from an infected MS Word document and paste it into the editor, it will automatically change the data into HTML code, and that is how it got attached.
So guys, beware when you copy and paste your files, in case they are already infected.
If any of you have had the same experience, come share it here.