akaklike

Malware on our website, Avst and HID can't stop it

4 posts in this topic

We have AVAST server and McAfee HID and none of them stop this malware or even bump when it modifies our pages.

The malware periodically changes our pages (footer.php or header.php) with an iframe.

Here is my HijackThis log, any help will be very welcome:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:58 AM, on 12/9/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\bmss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
c:\Program Files\Microsoft ADS\bin\saagent.exe
C:\WINDOWS\system32\cisvc.exe
c:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Merak\calendar.exe
C:\Program Files\Merak\im.exe
C:\Program Files\Merak\pop3.exe
C:\Program Files\Merak\smtp.exe
C:\MYSQL\bin\mysqld-nt.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SUPERMICRO\SDIII\NTService.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
c:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
c:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
c:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\Host Intrusion Prevention\McAfeeFire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [McAfee Host Intrusion Prevention Tray] "c:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Supero Doctor III Client.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D23532D-7960-4B3E-B93F-24EE5FC85EBF}: NameServer = 10.0.80.11,10.0.80.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{451DC4D1-9FBD-4771-8ED7-FE69950DDBA5}: NameServer = 10.0.80.11,10.0.80.12
O23 - Service: Adaptec Storage Manager Agent (AdaptecStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - c:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: McAfee HIPSCore Service (hips) - McAfee, Inc. - c:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Merak Calendaring Server (MerakCalendar) - IceWarp Software - C:\Program Files\Merak\calendar.exe
O23 - Service: Merak Mail Server Control (MerakControl) - IceWarp Software - C:\Program Files\Merak\control.exe
O23 - Service: Merak Instant Messaging Server (MerakIM) - IceWarp Software - C:\Program Files\Merak\im.exe
O23 - Service: Merak Mail Server POP3/IMAP (MerakPOP3) - IceWarp Software - C:\Program Files\Merak\pop3.exe
O23 - Service: Merak Mail Server SMTP (MerakSMTP) - IceWarp Software - C:\Program Files\Merak\smtp.exe
O23 - Service: MySQL - Unknown owner - C:\MYSQL\bin\mysqld-nt (file missing)
O23 - Service: SuperMicro Health Assistant - Unknown owner - C:\Program Files\SUPERMICRO\SDIII\NTService.exe

--
End of file - 8624 bytes

Edited by akaklike


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

 

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

 

[this is an automated reply]


Hi akaklike, and Welcome to SWI.

 

We have AVAST server and McAfee HID and none of them stop this malware or even bump when it modifies our pages.

The malware periodically changes our pages (footer.php or header.php) with an iframe.

Well, the problem is well known; however, the platform is a little problem here:

 

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

 

as I'm not familiar with it... Anyway, let's try to get rid of the problem...

 

Firstly, you need to get to know about this threat and how to deal with it... Some links can be found below, I suggest you investigate further...

SQL injection attack claims 132,000+

HTML-script injection (cross-site scripting)

More on Hidden Malicious iframe Injections

Website Protection and Security

Another mass compromise - IFRAME redirects

Hundreds of thousands of SQL injections

 

There is a possibility this server is/was infected... If yes, malware could simply replace (or inject code into) the php files and steal FTP server credentials... The HijackThis logfile looks clean to me, but it doesn't mean this server is clean (we'll investigate further if the steps below don't change anything)...

That being said, please do the following:

- change all passwords used to access the server or FTP... Passwords need to be hard to guess - see Create strong passwords and Password checker

Make sure these passwords cannot be easily read - if you use programs which can upload a file to the server for you (like HTML editors or Total Commander), manual input of the password is recommended for every access to the FTP server... This is important as malware present on your computer/server can easily read that password if it's not encrypted (note: versions of Total Commander below 7.5 don't protect passwords well) - more to read here Password stealing trojan with dash of FTP and a hint of parasite and here: FTP Reloaded: My Website has been hacked!

 

- then, remove malicious iFrames from html and php files on the server... Update Avast! and perform a full system scan...

 

- update all programs on the server to their latest versions... Secunia's Vulnerability Scanning may be of help here...

 

- review all scripts on the server (on the pages) - update them to the latest versions, if possible... Remove or rewrite JavaScript or PHP scripts which you're unsure are safe...

 

Let me know how it goes and if you need more help...

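The two things the helper asks for in the step "remove malicious iFrames from html and php files" and the poster's complaint that the pages are "periodically" rewritten both come down to the same detection task: find hidden or off-site iframes in the web root, and notice when a page's content changes outside a deployment. The script below is an added example, not code from the thread, SWI, or any product named in the log. It assumes a web root of .php/.html files, a set of the site's own hostnames (the constructed www.example.com), and a placeholder off-site host (malicious.invalid). The sample files it scans are constructed inside a temporary directory so it runs anywhere; on the real server the same functions would be pointed at the IIS web root and the baseline kept on a separate, read-only location.

```python
"""Added example: detect injected iframes in web pages and unexpected file changes.

Two checks, both defensive:
  1. find_suspicious_iframes(): flags <iframe> tags that are hidden (0 size,
     display:none, visibility:hidden) or whose src points to a host that is not
     one of the site's own hostnames.
  2. build_baseline() / compare_baseline(): SHA-256 every .php/.html file so a
     later run reports exactly which pages were modified, added or removed.
The hostnames and file contents used in demo() are constructed for this example.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
import re
from urllib.parse import urlparse

SCAN_EXTS = {".php", ".html", ".htm"}

# Heuristics, not a full HTML parser: good enough to find the tag a page
# defacement leaves behind; a real deployment would also look at <script> tags.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?\s*0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)


def find_suspicious_iframes(text, own_hosts):
    """Return a list of findings for iframes that are hidden or point off-site."""
    findings = []
    for match in IFRAME_RE.finditer(text):
        tag = match.group(0)
        src_match = SRC_RE.search(tag)
        src = src_match.group(1) if src_match else ""
        host = urlparse(src).netloc.lower()          # '' for relative URLs
        offsite = bool(host) and host not in own_hosts
        hidden = HIDDEN_RE.search(tag) is not None
        if offsite or hidden:
            findings.append({"tag": tag, "src": src, "offsite": offsite, "hidden": hidden})
    return findings


def _rel(path, root):
    return str(Path(path).relative_to(root)).replace(os.sep, "/")


def _page_files(webroot):
    return [p for p in Path(webroot).rglob("*") if p.is_file() and p.suffix.lower() in SCAN_EXTS]


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot):
    """Map of relative path -> SHA-256, taken right after a known-good deployment."""
    return {_rel(p, webroot): sha256_file(p) for p in _page_files(webroot)}


def compare_baseline(webroot, baseline):
    """Diff the current tree against a stored baseline."""
    current = build_baseline(webroot)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def scan_webroot(webroot, own_hosts):
    """Map of relative path -> iframe findings, for pages that have any."""
    results = {}
    for p in _page_files(webroot):
        hits = find_suspicious_iframes(p.read_text(errors="replace"), own_hosts)
        if hits:
            results[_rel(p, webroot)] = hits
    return results


def demo():
    """Constructed scenario: clean deployment, baseline, then a footer injection."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    try:
        own_hosts = {"www.example.com"}                       # constructed site hostname
        (root / "header.php").write_text('<?php include "config.php"; ?>\n<html><head><title>Site</title></head>\n')
        (root / "footer.php").write_text(
            '<div id="footer">&copy; Example</div>\n'
            '<iframe src="/widgets/map.html" width="300" height="200"></iframe>\n</html>\n'
        )
        baseline = build_baseline(root)                       # taken while the pages are clean
        # Simulated modification of the kind described in the thread: a hidden,
        # off-site iframe appended to footer.php (malicious.invalid is a placeholder).
        with open(root / "footer.php", "a") as fh:
            fh.write('<iframe src="http://malicious.invalid/x.php" width="0" height="0" style="visibility:hidden"></iframe>\n')
        return scan_webroot(root, own_hosts), compare_baseline(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    findings, changes = demo()
    print(json.dumps({"iframes": findings, "changes": changes}, indent=2))
```

The baseline comparison is the part that answers "why didn't the antivirus notice": a hash mismatch on a file that no deployment touched is a positive signal regardless of what the injected content looks like, so it catches the next variant of the iframe as well as this one. Running it on a schedule (and keeping the stored hashes off the web server, since whatever writes footer.php could also rewrite a baseline kept beside it) turns the "periodically changes our pages" symptom into an alert with a file name and a timestamp.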

Due to the lack of feedback this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
