Malware on our website, Avast and HID can't stop it


This topic is locked
3 replies to this topic

#1 akaklike (New Member, 1 post)

Posted 09 December 2009 - 12:01 PM

We have an AVAST server and McAfee HID, and none of them stops this malware or even bumps when it modifies our pages.
The malware periodically changes our pages (footer.php or header.php) with an iframe.
Here are my HijackThis logs; any help will be very welcome:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:58 AM, on 12/9/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\bmss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
c:\Program Files\Microsoft ADS\bin\saagent.exe
C:\WINDOWS\system32\cisvc.exe
c:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Merak\calendar.exe
C:\Program Files\Merak\im.exe
C:\Program Files\Merak\pop3.exe
C:\Program Files\Merak\smtp.exe
C:\MYSQL\bin\mysqld-nt.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SUPERMICRO\SDIII\NTService.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
c:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
c:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
c:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\Host Intrusion Prevention\McAfeeFire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [McAfee Host Intrusion Prevention Tray] "c:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Supero Doctor III Client.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D23532D-7960-4B3E-B93F-24EE5FC85EBF}: NameServer = 10.0.80.11,10.0.80.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{451DC4D1-9FBD-4771-8ED7-FE69950DDBA5}: NameServer = 10.0.80.11,10.0.80.12
O23 - Service: Adaptec Storage Manager Agent (AdaptecStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - c:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: McAfee HIPSCore Service (hips) - McAfee, Inc. - c:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Merak Calendaring Server (MerakCalendar) - IceWarp Software - C:\Program Files\Merak\calendar.exe
O23 - Service: Merak Mail Server Control (MerakControl) - IceWarp Software - C:\Program Files\Merak\control.exe
O23 - Service: Merak Instant Messaging Server (MerakIM) - IceWarp Software - C:\Program Files\Merak\im.exe
O23 - Service: Merak Mail Server POP3/IMAP (MerakPOP3) - IceWarp Software - C:\Program Files\Merak\pop3.exe
O23 - Service: Merak Mail Server SMTP (MerakSMTP) - IceWarp Software - C:\Program Files\Merak\smtp.exe
O23 - Service: MySQL - Unknown owner - C:\MYSQL\bin\mysqld-nt (file missing)
O23 - Service: SuperMicro Health Assistant - Unknown owner - C:\Program Files\SUPERMICRO\SDIII\NTService.exe

--
End of file - 8624 bytes

Edited by akaklike, 09 December 2009 - 12:32 PM.


#2 SWI Support Robot (Helper robot, SWI Bot, 23,523 posts)

Posted 12 December 2009 - 05:00 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#3 snemelk (Expert, engineer, 3,098 posts)

Posted 12 December 2009 - 08:46 AM

Hi akaklike, and Welcome to SWI.

    We have an AVAST server and McAfee HID, and none of them stops this malware or even bumps when it modifies our pages.
    The malware periodically changes our pages (footer.php or header.php) with an iframe.

Well, the problem is well known; however, the platform is a little problem here:

    Platform: Windows 2003 SP2 (WinNT 5.02.3790)

as I'm not familiar with it... Anyway, let's try to get rid of the problem...

Firstly, you need to learn about this threat and how to deal with it... Some links can be found below; I suggest you investigate further...
SQL injection attack claims 132,000+
HTML-script injection (cross-site scripting)
More on Hidden Malicious iframe Injections
Website Protection and Security
Another mass compromise - IFRAME redirects
Hundreds of thousands of SQL injections

There is a possibility this server is/was infected... If so, malware could simply replace (or inject code into) the PHP files and steal FTP server credentials... The HijackThis logfile looks clean to me, but it doesn't mean this server is clean (we'll investigate further if the steps below don't change anything)...
That being said, please do the following:
- change all passwords used to access the server or FTP... Passwords need to be hard to guess - see Create strong passwords and Password checker
Make sure these passwords cannot be easily read - if you use programs which can upload a file to the server for you (like HTML editors or Total Commander), manual input of the password is recommended for every access to the FTP server... This is important, as malware present on your computer/server can easily read that password if it's not encrypted (note: versions of Total Commander below 7.5 don't protect passwords well) - more to read here: Password stealing trojan with dash of FTP and a hint of parasite, and here: FTP Reloaded: My Website has been hacked!

- then, remove malicious iframes from the HTML and PHP files on the server... Update Avast! and perform a full system scan...

- update all programs on the server to their latest versions... Secunia's Vulnerability Scanning may be of help here...

- review all scripts on the server (on the pages) - update them to the latest versions, if possible... Remove or rewrite JavaScript or PHP scripts which you're unsure are safe...

Let me know how it goes and if you need more help...

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
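The steps in the reply above (find and remove the injected iframes, then notice when the pages get modified again) can be partly automated. The script below is an added example, not code from the original post or from any product named in the thread: it records a SHA-256 baseline of every PHP/HTML/JS file under a web root so a later run shows which pages changed, and it flags iframe tags carrying the usual hiding attributes (zero width/height, display:none, visibility:hidden, off-screen positioning) together with the eval(base64_decode(...)) and document.write(unescape(...)) loaders that often wrap such injections. The web root, the sample footer.php/header.php/x.js contents and the attacker.invalid hostname are constructed for the demo; the regular expressions are heuristics that will miss other obfuscations and will also flag legitimately hidden frames, so treat hits as leads to review rather than proof.

```python
"""Heuristic scan of a web root for injected hidden iframes, plus a SHA-256
baseline so the periodic re-modification described in the thread is noticed.
Added example: file names, sample contents and patterns are assumptions."""
import hashlib
import re
import tempfile
from pathlib import Path

WEB_EXTS = ('.php', '.html', '.htm', '.js')

# Any <iframe ...> opening tag, possibly spread over several lines.
IFRAME_TAG = re.compile(r'<iframe\b[^>]*>', re.IGNORECASE | re.DOTALL)
# Attributes commonly used to keep an injected frame invisible (heuristic).
HIDDEN_ATTR = re.compile(
    r'(?:width|height)\s*=\s*["\']?\s*[01](?:px)?\b'
    r'|display\s*:\s*none'
    r'|visibility\s*:\s*hidden'
    r'|position\s*:\s*absolute[^"\']*(?:left|top)\s*:\s*-\d{3,}',
    re.IGNORECASE)
# PHP/JS loaders that unpack the real payload at runtime (heuristic).
OBFUSCATED = re.compile(
    r'eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\('
    r'|document\.write\s*\(\s*unescape\s*\(',
    re.IGNORECASE)


def find_injections(text):
    """Return [(line_no, kind, snippet)] for suspicious constructs in text."""
    hits = []
    for m in IFRAME_TAG.finditer(text):
        tag = m.group(0)
        if HIDDEN_ATTR.search(tag):
            hits.append((text.count('\n', 0, m.start()) + 1, 'hidden-iframe', tag[:120]))
    for m in OBFUSCATED.finditer(text):
        hits.append((text.count('\n', 0, m.start()) + 1, 'obfuscated-loader',
                     text[m.start():m.start() + 60]))
    return sorted(hits)


def web_files(root):
    """Yield every file under root whose extension the web server serves."""
    root = Path(root)
    for p in sorted(root.rglob('*')):
        if p.is_file() and p.suffix.lower() in WEB_EXTS:
            yield p


def scan_tree(root):
    """Map relative path -> findings for every web file under root."""
    findings = {}
    for p in web_files(root):
        hits = find_injections(p.read_text(encoding='utf-8', errors='replace'))
        if hits:
            findings[p.relative_to(root).as_posix()] = hits
    return findings


def baseline(root):
    """SHA-256 of every web file keyed by relative path; keep it off the box."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in web_files(root)}


def compare(old, new):
    """Files whose hash changed, appeared or vanished since the baseline."""
    changed = sorted(k for k in new if k in old and old[k] != new[k])
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    return changed, added, removed


# --- constructed sample site (not real files from the thread) ---------------
CLEAN_FOOTER = '<?php /* site footer */ ?>\n<div id="footer">&copy; 2009</div>\n'
CLEAN_HEADER = '<?php /* site header */ ?>\n<html><head></head>\n'
INJECTED_FOOTER = CLEAN_FOOTER + ('<iframe src="http://attacker.invalid/x.php" '
                                  'width="0" height="0" style="visibility:hidden"></iframe>\n')
INJECTED_HEADER = '<?php\n/* site header */\neval(base64_decode("aWYoMSk7"));\n?>\n<html><head></head>\n'
INJECTED_JS = 'document.write(unescape("%3Ciframe%20src%3D..."));\n'


def build_demo():
    """Write a clean site, take a baseline, then simulate the injection."""
    root = Path(tempfile.mkdtemp(prefix='webroot-'))
    (root / 'footer.php').write_text(CLEAN_FOOTER)
    (root / 'header.php').write_text(CLEAN_HEADER)
    (root / 'index.html').write_text('<html><body>hello</body></html>\n')
    before = baseline(root)
    (root / 'footer.php').write_text(INJECTED_FOOTER)
    (root / 'header.php').write_text(INJECTED_HEADER)
    (root / 'x.js').write_text(INJECTED_JS)
    return root, before


def demo():
    """Run the baseline comparison and content scan on the constructed site."""
    root, before = build_demo()
    changed, added, removed = compare(before, baseline(root))
    return {'changed': changed, 'added': added, 'removed': removed,
            'findings': scan_tree(root)}


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

Take the baseline from a known-good copy of the site and store the hashes somewhere the web server's credentials cannot reach; if the attacker is re-uploading pages with stolen FTP credentials, a baseline file kept next to the pages can be rewritten just as easily. Re-running compare() from a scheduled task gives the alert the antivirus and HIPS in the thread did not raise, and the changed-file list plus the FTP server's log of which account uploaded them is what points at the credential that needs rotating.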

#4 snemelk (Expert, engineer, 3,098 posts)

Posted 27 December 2009 - 04:23 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
