[BNM] Infected Site

Oliver Marshall Oliver.Marshall at g2support.com
Tue Jun 2 17:11:43 BST 2009


http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

Does that match what you are seeing? Just had cause to look into the same for another client.

--
G2 Support
Network Support : Online Backups : Server Management

Web: www.g2support.com
Twitter: g2support
Newsletter: www.g2support.com/newsletter



-----Original Message-----
From: bnmlist-bounces at brightonnewmedia.org [mailto:bnmlist-bounces at brightonnewmedia.org] On Behalf Of Alan Braddish
Sent: 01 June 2009 19:23
To: 'Brighton New Media'
Subject: [BNM] Infected Site

I have a client whose web site has become infected with a virus (IFramer or
something like that).  So every time you try to visit a page, AVG pops up a
warning.

The site is written in ASP, with a MySQL back-end.  There is very little
database usage in the site, and I have checked all the data in the DB and
nothing nasty seems to have been 'injected'.

However, upon FTP'ing into the site, I can see that 2 days ago, the
filestamp on all ASP files has been updated - so the file contents must have
been re-written, with the nasty virus code.  I have tried to download
default.asp to open it in Notepad, but AVG won't let me anywhere near it.


Any advice on why this might have happened?  The site is hosted by...wait for
it... Farcehosts.  

Could their security have been compromised somehow for this to happen?  As
far as I know, the FTP passwords are pretty secure (i.e. complex), unless
someone has hacked Fasthosts again and robbed all their passwords!

Anyone else on Fasthosts have any similar issues?

Or am I overlooking another route into the site for someone to be able to
modify all files in the site?

Thanks for any help.

Alan


