Hacked or Not?

Hey guys

Ok, I haven't checked the file size before / after I upload, but I doubt that such a small piece of code would make a difference in size...

What I have done now:

I uploaded a new clean index.htm file to a web server and checked the domain via my browser, it was clean. Then, after about 20 minutes, I checked the site again and voila, it was infected!

So, I then uploaded another clean index.htm file and immediately disconnected my desktop PC from where I upload these files via FTP.

I'm now working on the notebook and so far, the file seems clean from my browser. I will keep you guys updated on the situation. It's not 20 minutes yet...lol

If the file now stays clean, then I would assume that I have some sort of password stealer / trojan dialer on my PC where I publish sites from. Someone in Google mentioned that there is a worm that connects to the HTTP and perhaps when I connect to the site, it "sees" where I publish the site and after a while it connects by itself to install the code.

My passwords are stored in the FTP program (duh, it's easier) so perhaps that's how it connects in the background without me knowing it.

I will let you guys know what happens...

3G_
 
Yip, I think that google user has his facts straight. It's not so bad dude. Format- reload :p ;)

Just remember to backup. One more thing I could recommend. Download and install the trial version of Avast! Antivirus Professional. Even if it's a trial version, install it, if it asks to do a boot time scan of your pc, say yes and restart. It should find the little bugger and delete it. I use it as my main AV system.

www.avast.com ;)
 
Ok guys

Latest news:

While the desktop was still disconnected from the internet, the file got infected while sitting on the web server.

It now tried to install an exe file from kleman.info. It leads to an IP address:
http://81.95.146.150/mad.exe (DO NOT DOWNLOAD THIS)

The IP address http://81.95.146.150 just shows no index file loaded.

I could not find ANY trace of "kleman.info" or something that could trigger that file download in the HTML source code... so how it's doing this I don't know. I have no idea whatsoever.

It also downloaded two other files:

tjqssfse.exe
gkynfcft.exe

To my c:\windows directory.

I opened the one (renamed it to .txt) and it has the IP address I gave at the top with some other html code.

And so the search continues...

3G_
 
I downloaded the infected index.htm file from the web server via FTP, opened it in Notepad and you see nothing.

When opened in Frontpage, the code shows nothing but the WYSIWYG editor shows 4 1px x 1px blocks, which are iFrames NOT visible in the HTML code. These are linked to open the following URL:

http://kleman.info

In the end it seems to want to download that mad.exe file.

Somehow these iFrame scripts get added when the file is resident on the server and somehow they're NOT visible in the code. I don't know how they manage to get this right.

Continues to look for clues...

3G_
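A defender-side check for the symptom described in the post above (hidden 1px iframes turning up in a published index.htm and the file changing after upload), added here as an example; this is not code from the thread. The sample HTML and the placeholder domain are constructed.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample: a clean page and the same page with a hidden 1x1 iframe
# appended, imitating the injection described in the thread. Domain is a placeholder.
CLEAN_HTML = "<html><body><h1>Welcome</h1><p>Our site.</p></body></html>\n"
INFECTED_HTML = CLEAN_HTML + (
    '<iframe src="http://malware.example.invalid/" width="1" height="1" '
    'frameborder="0" style="visibility:hidden"></iframe>\n'
)


def _px(value):
    """Parse a leading integer from a width/height attribute ('1', '1px'); huge if absent."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else 10**6


class HiddenIframeFinder(HTMLParser):
    """Collect the src of every <iframe> that is sized or styled to be invisible."""

    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        tiny = any(_px(a[d]) <= 1 for d in ("width", "height") if a.get(d))
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.suspects.append(a.get("src", ""))


def find_hidden_iframes(html):
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.suspects


def integrity_changed(local_copy, served_copy):
    """Compare SHA-256 of the file you uploaded with the copy the server now serves."""
    digest = lambda s: hashlib.sha256(s.encode()).hexdigest()
    return digest(local_copy) != digest(served_copy)


if __name__ == "__main__":
    print(find_hidden_iframes(INFECTED_HTML))
    print(integrity_changed(CLEAN_HTML, INFECTED_HTML))
```

Run the hash comparison periodically against the served file; a mismatch with no upload on your side is the signal that something other than your own publishing step is writing to the server.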
 
Have you considered uploading the file from someone else's computer?
 
To further update on the situation...

http://kleman.info is hosted on http://www.deduct.biz - this is not a virus site it seems, but rather a site to fool anyone to think that this is their ISP.

The actual ISP is located in Malaysia. I've just phoned them and they asked me to send an email to which they will reply. (They need the info in writing).

The ISP in Malaysia (TimeNet Central) is hosting deduct.biz which is a name server for kleman.info, from where these trojans are spread.

Let's hope this can help us find the source.

I will keep you guys updated.

3G_
 
Okay after a long journey into the mid-hours of the night it seems like I have found something on my PC - I scanned with some anti-rootkits and it found nothing, but seems like e-Scan found a trojan clicker and deleted the file.

I'm not sure if this was it, but to make sure I removed my stored usernames in my FTP software.

I had to go through all the domains I had updated in the past week or so and re-publish a clean file.

I have tested and after 20 minutes the files seem to stay clean now. I'm not sure if this is going to stay clean, but I'll keep you updated on this.

Also, I'm not sure if the trojan was finally removed or if the removal of the stored usernames did the trick.

Anyways, I will keep you updated. It seems like we finally got some light shed on the situation - thanks a million TheREV, you helped us in the right direction! =)

3G_
 
I'm not sure if this was it, but to make sure I removed my stored usernames in my FTP software.

But have you changed the passwords with your Host as well? Would be a very good idea to do so!
 
Hope you formatted and reinstalled.
 
Hi guys

Ok, it seems to stay clean now on all the domains I updated. Must have been the trojan that eScan removed from my PC.

I have not done that format & re-install yet, but I'm going to do this asap.

Thanks for all your help guys - you once again proved how amazing the MyADSL forum is!

You guys are all much appreciated! =)

Let's have a braai!!! ::LOL::
:D
 
Glad you got it fixed man ;) I never heard about E-scan, I'll have to check it out :p
 