Sunday, July 5, 2009

Iframe Virus, Malware, src Virus - How to Remove?

A new massive hacking attack on web sites is under way right now. This attack has targeted a lot of web hosting providers!

How do you clean your web site and remove the Iframe Virus, Malware or src Virus injection? The attacker changes all your index files and home files in bulk. The injected code looks almost like this:


<iframe src="http://other_domain..." style="visibility: hidden;">

or

<img src="http://other_domain.../" style="visibility: hidden;">


Almost every attack is based on a src outside your domain, so you must find which pages have an inserted src that is not on your domain. The other possibility is JavaScript, but that is an encoded script which is hard to find; in this case you must check for JavaScript content other than yours that was added to your web site files.

Follow these steps:
1. Immediately change your FTP password

2. Log in to your FTP account and sort your files by date; the changed files will be at the top of the list. These are the files you must check first for an iframe or src outside your domain. Remove it and upload your clean files again.

3. Secure your FTP account: use the firewall to allow only your IP or a class of IPs to log in. On a Unix-based OS with iptables enabled this is very easy to do with these commands:

iptables -A INPUT -p tcp --dport 21 -s 80.47.84.200 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -s 80.47.84.201 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -s 81.69.58.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j DROP

These commands allow only the IPs 80.47.84.200 and 80.47.84.201 and the whole 81.69.58 class to log in.

4. Make sure you have the right security features on your server to prevent server attacks

5. Check your OS with anti-spyware or anti-trojan software; there are a lot of viruses on Windows which steal your FTP password from Cute FTP, Total Commander etc. and send it out over the Internet!

6. If Google has already found your virus or malware, they will block your website; you must send Google a request to recheck your web site here: http://www.google.com/webmasters/tools
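The check from step 2, automated as an added example (not part of the original post and not the Clean Web Site script): it walks a local copy of the site, newest files first, and lists every iframe, img or script src that points outside your own domains. The file extensions, the function names and the sample line are assumptions made for this example.

```python
import os
import re
from urllib.parse import urlsplit

# src attribute of iframe/img/script tags, quoted or unquoted
TAG_SRC = re.compile(r'<(iframe|img|script)\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
WEB_EXT = (".html", ".htm", ".php", ".js", ".tpl", ".inc")  # assumed file types
# Constructed sample line, in the format shown in the post
SAMPLE = '<iframe src="http://injected.example.net/x" style="visibility: hidden;">'

def external_srcs(text, own_domains):
    """Return (tag, url) pairs whose src host is outside own_domains (lowercase)."""
    hits = []
    for tag, url in TAG_SRC.findall(text):
        try:
            host = (urlsplit(url).hostname or "").lower()  # "" for relative URLs
        except ValueError:      # malformed URL: report it rather than skip it
            host = url
        own = any(host == d or host.endswith("." + d) for d in own_domains)
        if host and not own:
            hits.append((tag.lower(), url))
    return hits

def scan_site(root, own_domains):
    """List files with off-domain src references, most recently modified first."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = external_srcs(fh.read(), own_domains)
            if hits:
                report.append((os.path.getmtime(path), path, hits))
    return sorted(report, reverse=True)

if __name__ == "__main__":
    import sys, time
    if len(sys.argv) < 3:       # no arguments: run on the constructed sample
        print(external_srcs(SAMPLE, ["example.org"]))
    # usage: python scan_src.py /path/to/site example.org
    for mtime, path, hits in scan_site(*sys.argv[1:2], sys.argv[2:]) if sys.argv[2:] else []:
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path)
        for tag, url in hits:
            print("    <%s> src=%s" % (tag, url))
```

This only finds plain src attributes; an injection hidden in encoded JavaScript, as mentioned above, still has to be found by reviewing script content you did not write.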

The Clean Web Site script can help you quickly check and clean your site files!

This is a PHP-based malware remover script that uses a backup method. The Clean Web Site script can help you keep your site files clean and safe, to prevent iframe insertion, src virus injection, malware, backdoors or other attacks which change the content of your site files.

HOW DOES IT WORK?

After you upload fresh and clean site files, you make a backup of them with Clean Web Site.

Clean Web Site checks every 6 hours from a cron job (you can set the interval in your cron job) whether your site files are the same as in the last backup made.

If your site files were changed, removed or added, Clean Web Site sends you an email with the status of the changed files: date of change, old and new size.

If these files were not changed by you after the last backup, it means they were changed by a hacker, and you must quickly restore your site files from the last clean backup.

What happens if you change files and don't make a backup after the change?

You will receive a message from Clean Web Site with the status of your changed files, and you will recognize your own changes, which were not made by a hacker and so are not dangerous. You must then make a backup to have the latest version of your site files.

Visit http://soft.saschart.com/ to get Clean Web Site.

4 comments:

Inhat said...

Sir, I removed my viruses fast using your steps, great job!
I cannot use the iptables command to allow only my IP, I don't have permission... :(

What do I have to do?

SaschArt said...

If you have shared web hosting, it is not possible to use iptables.

Danopart said...

I cleaned my site last week and today it appeared again... I found this on my PC on startup: rncsys32.exe

SaschArt said...

Do you have a trojan on your personal PC.