Virus infected

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

Hi all,
I have successful installed and customized our website with ProductCart more than month ago. Unfortunately, last week, we got infected with virus named Trojan.Malscript B, another noted with Trojan-Downloader.JS.Agent.ewo (Kaspersky AVP) & (ZoneAlarm)

I Checked our sourrces and saw that all
of our .js, .asp and .html were infected. Those files were modified at
the same time and date. Does any body know how our site was infected?
Is it because the hacker inserted a script in one of our input fields
and this script was executed by our ProductCart software? or the hosting was
infected? Our code produced something that were noted as virus?, any possibilities and how to protect our site for the second time?

Thanks,

Edited by matle - 18-January-2010 at 8:59pm

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
matle Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 19-November-2009 Status: Offline Points: 0	Post Options Post Reply Quote matle Report Post Thanks(0) Quote Reply Topic: Virus infected Posted: 18-January-2010 at 8:53pm
	Hi all, I have successful installed and customized our website with ProductCart more than month ago. Unfortunately, last week, we got infected with virus named Trojan.Malscript B, another noted with Trojan-Downloader.JS.Agent.ewo (Kaspersky AVP) & (ZoneAlarm) I Checked our sourrces and saw that all of our .js, .asp and .html were infected. Those files were modified at the same time and date. Does any body know how our site was infected? Is it because the hacker inserted a script in one of our input fields and this script was executed by our ProductCart software? or the hosting was infected? Our code produced something that were noted as virus?, any possibilities and how to protect our site for the second time? Thanks, Edited by matle - 18-January-2010 at 8:59pm

netprofits Members Profile Send Private Message Find Members Posts Add to Buddy List Certified ProductCart Developers Joined: 05-January-2006 Location: United States Status: Offline Points: 22	Post Options Post Reply Quote netprofits Report Post Thanks(0) Quote Reply Posted: 18-January-2010 at 9:00pm
	Hi Matle, Most likely your site was hacked by someone who "sniffed" your FTP credentials when you connected to your web site to either upload files or make additional updates to the web site. We have heard of this happening more often over the past several months. The best solution is to ask your web hosting service to restore a backup from before the date the files were hacked. Additionally you should contact you web host to see if there is a way to either access your site with Secure FTP or to restrict FTP access to your computer's IP address. Hope this helps! Dan
	NetProfits Internet Consulting Certified ProductCart Developer Our Site

Greg Dinger Members Profile Send Private Message Find Members Posts Add to Buddy List Certified ProductCart Developers Joined: 23-September-2006 Location: United States Status: Offline Points: 238	Post Options Post Reply Quote Greg Dinger Report Post Thanks(0) Quote Reply Posted: 18-January-2010 at 9:04pm
	I second the suggestion at locking FTP to known IPs, perhaps that from both your home and office. There was an attack last year where servers were being compromised by FTP, and regardless of changing the FTP password one day, the site was successfully attached the next day. The hackers would insert IFRAME code into pages. Locking FTP to known IPs will help limit your exposure to such a re-occurrance. Good luck.

Hamish Members Profile Send Private Message Find Members Posts Add to Buddy List Admin Group Joined: 12-October-2006 Location: United Kingdom Status: Offline Points: 56	Post Options Post Reply Quote Hamish Report Post Thanks(0) Quote Reply Posted: 18-January-2010 at 9:05pm
	Hi Matle, My suspicion is that the problem is server related, or another app on the same server. Either that or an FTP account with sufficient privileges has been cracked. Our own site and that of many customers are scanned regularly for vulnerabilities and there are no known vulnerabilities in the code. The hosting company should be able to examine the server logs to help ID the source/route of infection.
	Editing ProductCart Code? See WIKI Guidelines for Editing ProductCart's ASP Source Code

matle Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 19-November-2009 Status: Offline Points: 0	Post Options Post Reply Quote matle Report Post Thanks(0) Quote Reply Posted: 18-January-2010 at 9:18pm
	Thanks all for prompt reply.