Greenguy's Board
2006-06-19, 10:32 AM   #1
frankthetank
Trojan removal HELP needed

I just got the information that some (maybe all) of my sites seem to be infected with a trojan:

http://www.heathersboobs.com/
http://www.teeny-facials.com/
http://www.pissdrinkingchicks.com/
http://www.backsideteens.com/

Generic Downloader.z trojan

How can I remove it and any idea where it comes from?
2006-06-19, 10:37 AM   #2
cd34
That particular exploit is uploaded through FTP. Your FTP account has been compromised.

Change your FTP password, remove the script at the bottom of the page that runs the iframe:

[code=trojan stuff on your pages]
<script language="JavaScript">
e = '0x00' + '22';str1 = "%99%C1%CA%
blah blah blah
</script>
[/code]

You might have your host run a check to see what other files were modified at the same time. Pattern to look for is:

Login, Get File, Put File, Get File, Put File, Logout

Usually there are no failed password attempts.

Sources for your password leak: People that have installed software for you in the past, anyone that has had FTP access to your machine, possibly any keylogger on your system.

When you give out passwords to people to install software or fix something on your site, set a temporary password, let them do the work, reset the password when they are done. Don't use the same password everywhere. Tommy keeps a black book of his passwords for each different site and sponsor login so that any one that is compromised won't be a security problem for other sites.
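The two things cd34 tells the host to look for, a download-then-re-upload of the same file in one FTP session and an obfuscated script appended below the end of the page, can both be checked mechanically. The following is an added example, not code from the thread or from anyone posting in it. It assumes the host writes wu-ftpd/proftpd style xferlog lines; the log lines, paths, IP addresses and the infected HTML page are constructed for the example and are not taken from the affected sites.

```python
import re
from datetime import datetime

# Constructed sample in xferlog format (assumption: the host logs FTP transfers this way).
# Fields: timestamp, transfer-secs, remote-host, size, path, type, action, direction
# (o = download/GET, i = upload/PUT), access-mode, user, ...
SAMPLE_XFERLOG = """\
Fri May  5 03:12:04 2006 1 198.51.100.7 4012 /home/frank/public_html/index.html a _ o r frank ftp 0 * c
Fri May  5 03:12:09 2006 1 198.51.100.7 5380 /home/frank/public_html/index.html a _ i r frank ftp 0 * c
Fri May  5 03:12:15 2006 1 198.51.100.7 3991 /home/frank/public_html/main.html a _ o r frank ftp 0 * c
Fri May  5 03:12:21 2006 1 198.51.100.7 5359 /home/frank/public_html/main.html a _ i r frank ftp 0 * c
Sat May  6 14:02:40 2006 2 192.0.2.44 81234 /home/frank/public_html/gallery/01.jpg a _ i r frank ftp 0 * c
Sat May  6 14:03:02 2006 1 192.0.2.44 4012 /home/frank/public_html/index.html a _ o r frank ftp 0 * c
"""

# Constructed infected page: a legitimate script in <head>, then the injected one after </html>.
SAMPLE_INFECTED = """<html><head><title>Site</title>
<script src="/js/menu.js"></script></head>
<body><p>Welcome</p></body></html>
<script language="JavaScript">
e = '0x00' + '22';str1 = "%99%C1%CA%D5%B3%A2%94%88%91%E3%9B%9C";
document.write(unescape(str1));
</script>
"""

XFER_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<type>[ab]) (?P<action>\S) (?P<dir>[io]) (?P<mode>[ar]) (?P<user>\S+)"
)
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)
ESCAPE_RUN_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")  # long run of %XX escapes


def parse_xferlog(text):
    """Parse xferlog lines into dicts sorted by time; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = XFER_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "time": datetime.strptime(d["ts"], "%a %b %d %H:%M:%S %Y"),
            "host": d["host"], "user": d["user"], "path": d["path"],
            "size": int(d["size"]), "dir": d["dir"],
        })
    entries.sort(key=lambda e: e["time"])
    return entries


def find_get_put_pairs(entries, window_seconds=300):
    """Flag a GET of a file followed by a PUT of the same file by the same user from the
    same host within the window, where the uploaded copy is larger (code was appended)."""
    last_get = {}
    hits = []
    for e in entries:
        key = (e["user"], e["host"], e["path"])
        if e["dir"] == "o":
            last_get[key] = e
        elif e["dir"] == "i" and key in last_get:
            g = last_get.pop(key)
            delta = (e["time"] - g["time"]).total_seconds()
            if 0 <= delta <= window_seconds and e["size"] > g["size"]:
                hits.append({"user": e["user"], "host": e["host"], "path": e["path"],
                             "grew_by": e["size"] - g["size"],
                             "when": e["time"].isoformat()})
    return hits


def suspicious_scripts(html):
    """Return (snippet, reasons) for each <script> block that looks injected: placed after
    </body> or </html>, or carrying a long run of %XX escapes decoded at run time."""
    lowered = html.lower()
    doc_end = max(lowered.rfind("</body>"), lowered.rfind("</html>"))
    out = []
    for m in SCRIPT_RE.finditer(html):
        reasons = []
        if doc_end != -1 and m.start() > doc_end:
            reasons.append("after document end")
        if ESCAPE_RUN_RE.search(m.group(0)):
            reasons.append("long %XX escape run")
        if reasons:
            out.append((m.group(0)[:60], reasons))
    return out


if __name__ == "__main__":
    for hit in find_get_put_pairs(parse_xferlog(SAMPLE_XFERLOG)):
        print("GET/PUT pair:", hit)
    for snippet, reasons in suspicious_scripts(SAMPLE_INFECTED):
        print("suspicious script:", reasons, repr(snippet))
```

Run it against the real xferlog and against each `index.html` on the account; every path flagged by `find_get_put_pairs` is a file to diff against a known-good copy, and the `when` values give the window in which to look for other modified files. The escape-run heuristic is deliberately loose and will also flag legitimate scripts that embed percent-encoded data, so treat its output as a list to inspect, not a verdict.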
2006-06-19, 10:44 AM   #3
frankthetank
Quote:
Originally Posted by cd34
that particular exploit is uploaded through FTP. Your FTP account has been compromised.
[...]
Thanks. I already contacted webair to have a look at it. It seems to be a password which I used at sponsor programs and neglected to change.

Could this trojan be responsible for dropping sales? My sales crashed at the beginning of May and I didn't figure out why.
2006-06-19, 12:35 PM   #4
cd34
It's possible. There are a number of trojans out there that see sites and replace the codes in URLs so that they get the credit. So, yes, that is within the realm of possibility.

It's also possible that surfers running any antivirus got the warning and backed out of the site.

The last modified time on the first site is May 5th, so it's been there a while, and I would consider it a very good possibility that it affected sales.

You can check the dates.
2006-06-19, 12:52 PM   #5
frankthetank
Quote:
Originally Posted by cd34
its possible. There are a number of trojans out there that see sites and replace codes in urls so that they get credit. So, yes, that is within the realm of possibility.
[...]
First of all, many thanks for helping me out. I just called webair, who changed the passwords for the FTP accounts immediately. Now I'm removing the script code from nearly all my sites. I hope that only the index.html files are infected.

When it's done, webair will check it and I hope it's clean again.
2006-06-19, 08:44 PM   #6
Tommy
Quote:
Originally Posted by cd34

Sources for your password leak: People that have installed software for you in the past, anyone that has had FTP access to your machine, possibly any keylogger on your system.
A lot of webmasters have been getting hacked like this.

I would bet the source of the password leak is a sponsor.
2006-06-19, 11:07 PM   #7
tickler
Quote:
Originally Posted by Tommy
I would bet the source of the password leak is a sponsor
Timing is about the same as all these spam emails??? And all the ones that I have been getting are for an address that I setup for a sponsor.
eg. ThatSponsor @ MyDomain.com
2006-06-20, 03:11 AM   #8
frankthetank
Quote:
Originally Posted by Tommy
A lot of webmasters have been getting hacked like this

I would bet the source of the password leak is a sponsor
Yes, you are right. I used the same login / password combination at some sponsors. OK, now I have learned that was pretty stupid, but on the other hand I didn't expect it.

I'm now using unique login / password combinations, changing the password regularly, and my passwords are now complicated and much more difficult to guess.

Not all my sites were infected. Not sure enough to accuse him publicly, though.

Fortunately not even one gallery was modified with the script. The script forced the installation of a "start.exe" which connected to a site hosted at "inhoster.com". I don't think it's worth contacting them if you have a look at their site.

The sites us-counter.com and dnv-counter.com belong to a guy from Ukraine and are blacklisted with several records. The IPs of the sites and of the hosting company are pretty much the same.

I'd like to close down that hosting company for sure. That kind of behaviour easily ruins the reputation of the persons involved.