
Thread: Redirect Virus

  1. #1 Member (Join Date: Aug 2008 | Location: Odessa | Posts: 30)

    Redirect Virus

    The purpose of this post is to get more information on what is happening with my website. It is hard to get any information from live chat or in ticket responses.

    Yesterday, several site visitors e-mailed me asking why they were being blocked. They were getting a 403 Not Authorized error when visiting the site. I checked and found that I got the same error.

    I contacted WestHost by livechat and they quickly identified the htaccess file as the problem and renamed it as a safe deletion method. So without an htaccess file in place, the site was immediately available again. This was a good quick fix but I wanted to be able to use an htaccess file for various reasons and experimented with removing portions of it until I figured out that the only portion of the htaccess file that caused problems was the first line, order allow,deny.

    If I deleted that line containing the words "order allow,deny" I could put the htaccess file back in place and my site would continue to be available. So that's what I did. And in the meantime I opened a ticket asking if there had been a server reconfiguration that prevented the use of controlling access via htaccess. No response to that ticket yet after 48 hours. The reason I want to know is that I had not edited any files on that site for at least two days and everything was fine and then, out of the blue, somehow my htaccess file caused the site (and my sub sites) to be blocked.

    So far it has just been a routine problem but today it turned into an emergency when I received several e-mails from the Air Force telling me that my visitors were being infected by a redirect virus and my site has been officially blocked from my target audience.

    I immediately opened a ticket with the title virus and for some reason that one received immediate attention. And I simultaneously live-chatted with a support rep. She confirmed that my site had been infected and said it could be restored to its condition a couple of days ago which is acceptable.

    I am just wondering if anyone else is having problems. I am wondering if the server was reconfigured in response to some kind of virus and that's what caused my site to be blocked yesterday. Or is it all just a coincidence?

    For the record, I have Cloud VPS, Burst level.
    Last edited by Lucky; 09-04-2013 at 06:34 PM.

  2. #2 Moderator wildjokerdesign (Join Date: Jun 2003 | Location: Kansas City Mo | Posts: 5,721)

    Recently some of my accounts were compromised because of a dictionary attack on FTP accounts. Two PHP files were uploaded and then used to modify and change other files. The PHP files had different names on each of my accounts. One of them was a real word and the other just a string of random numbers and letters. What these files did was allow the hackers to add malware JavaScript code to files on my site.

    If WH restored you to a backup then you should be OK, but you do need to change your password for the account. You might also want to sign up for https://www.google.com/webmasters/tools and check to make sure you did not get tagged as a malware site. I had to clean things up and then submit the sites for a re-scan to get them off the list. These lists are used by browsers like Chrome and Firefox to protect users, and if you are listed your users may still be getting blocked.
    Shawn
    Please remember your charity of choice: http://www.redcross.org

    Handy Links: wildjokerdesign.net | Plain Text Editors: EditPlus | Crimson
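    The post above describes uploaded PHP files that injected malware JavaScript into existing pages. The following is an added example (not code from the thread or from WestHost) of the kind of check a site owner can run over a web root: it flags `<script>` blocks that score high on common obfuscation markers, hidden iframes, and files modified after a known-good baseline. The marker weights, the file extensions and the sample page are constructed assumptions; tune them for your own site.

```python
"""Heuristic scan for injected JavaScript in web files (defender's check)."""
import os
import re
from dataclasses import dataclass

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# Constructed heuristic weights (assumption); obfuscated injections tend to use these.
MARKERS = {"eval(": 2, "unescape(": 2, "String.fromCharCode(": 2,
           "document.write(": 1, "setTimeout(": 1}
HEX_RUN_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")  # long run of \x.. escapes
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe[^>]*(?:width=[\"']?0|height=[\"']?0|display\s*:\s*none)", re.I)


@dataclass
class Finding:
    reason: str
    snippet: str


def find_injected_js(html: str, threshold: int = 3) -> list[Finding]:
    """Score each script block; report blocks at or above threshold and hidden iframes."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        score = sum(w for marker, w in MARKERS.items() if marker in body)
        if HEX_RUN_RE.search(body):
            score += 3
        if score >= threshold:
            findings.append(Finding(f"script block scored {score}", body[:60]))
    for m in HIDDEN_IFRAME_RE.finditer(html):
        findings.append(Finding("hidden iframe", m.group(0)[:60]))
    return findings


def scan_tree(root, baseline_epoch, exts=(".html", ".htm", ".php", ".js", ".inc")):
    """Walk root; report files modified after the baseline or containing injected JS."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.getmtime(path) > baseline_epoch:
                reasons.append("modified after baseline")
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons += [f.reason for f in find_injected_js(fh.read())]
            if reasons:
                report[path] = reasons
    return report


# Constructed sample resembling an injected page (harmless; not real malware).
SAMPLE = """<html><body><p>Welcome</p>
<script>document.write(unescape("\\x3c\\x69\\x66\\x72\\x61\\x6d\\x65\\x20\\x73"));</script>
<script>var x = 1 + 1;</script>
</body></html>"""

if __name__ == "__main__":
    for f in find_injected_js(SAMPLE):
        print(f.reason, "->", f.snippet)
```

    Run `scan_tree("/path/to/webroot", baseline_epoch)` with the epoch of your last known-good deploy; anything it lists is a candidate for comparison against your own source copies.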

  3. #3 Member (Join Date: Aug 2008 | Location: Odessa | Posts: 30)

    Quote Originally Posted by wildjokerdesign (post #2, quoted in full):
    Sorry to hear that. It's pretty frustrating, eh? I sort of think a dictionary attack wasn't used for me because I always keep the default passwords issued, no matter how convoluted. And, of my six hosts, this is the only one that got infected.

    I just checked and the site is still infected. I am getting an education on how this works. One of my most popular pages has jscript gibberish all over it, despite my asking to have it restored to an uninfected date over 24 hours ago.

  4. #4 Member (Join Date: Aug 2008 | Location: Odessa | Posts: 30)

    Update

    Quote Originally Posted by Lucky (post #1, quoted in full):
    UPDATE: Westhost restored my site to an uninfected version (I think). Everything seems back to normal. The temporary index file I had put in place to prevent anyone from accessing and getting infected was replaced by the original so I guess that means the site has been restored. There is nothing written on the ticket and the status hasn't changed. They must be really busy.

    In addition, the original htaccess file was restored and my site continues to be available just as it was before all this started. Even with the "order allow,deny" line. Thanks Westhost for fixing my site. I just wish I could get more information. Was the infection my fault? Was the server hacked? I would certainly like to take steps to prevent it from happening again. I changed my account password as suggested by Wild Joker Design but I wonder if there's anything else I can do.
    Last edited by Lucky; 09-06-2013 at 04:27 AM.

  5. #5 Moderator wildjokerdesign (Join Date: Jun 2003 | Location: Kansas City Mo | Posts: 5,721)

    No, it was a dictionary attack. Think of it this way: the same computer logic that is used for generating the complex password for your account would be used to cycle through and come up with passwords that are tested against your FTP account. At some point it might just hit on the correct one. I had quite a few accounts also that it did not get into. Luck of the draw, so to speak. Nothing you can really do on your end. I am sure that WestHost is looking into ways to combat this on their end. Spammers and hackers are really smart and constantly change their plans of attack, so while you can try and be vigilant, often they still get in, and then all you can really do is learn from it and try and see if there is something you can do to block it.

    On your end the best thing you can do is be vigilant in checking your sites. Make sure you are visiting them daily at the very least to see that they are still running OK. I do use Google Webmaster Tools to monitor sites. While it may not prevent an attack, it would notify you if it detects something wrong. In fact, if the site is listed now on their servers as being compromised, you are going to need to use this to get it delisted. Or at least that is the easiest way to do it. Also, did you know that WestHost has a sister site that provides backups of your site? It is called Comcure and the basic no-frills service for a single domain is free. The free service keeps backups for 60 days. I am not sure if WH themselves keeps 60 days or not. Even if they do, this service puts the control in your hands. It would allow you to restore to an earlier date without having to contact WH and wait for an admin to get to it. While WH is pretty fast at getting things done, as you know they can often have a heavy load of work and might not be able to get to a backup as fast as you could.
    Shawn

  6. #6 Member (Join Date: Aug 2008 | Location: Odessa | Posts: 30)

    Quote Originally Posted by wildjokerdesign:
    No, it was a dictionary attack.
    What was a dictionary attack? Are you saying my site problems were due to a dictionary attack? Meaning it was caused (indirectly) by me (and not Westhost)?

    I have my sites monitored by SiteUptime and I normally visit them every day but my best defense is visitors' complaints. They don't hesitate.

  7. #7 Moderator wildjokerdesign (Join Date: Jun 2003 | Location: Kansas City Mo | Posts: 5,721)

    No, it was by no means caused by anything you did! I think maybe I am not explaining things well. I've asked to have a WH representative chime in on this discussion, so hopefully they will soon and can explain things better.

    Basically a dictionary attack means that a hacker sets up their computer to try and log into something (in this case your FTP account): it enters a username and then cycles through a bunch of passwords hoping to hit the correct one. Really the only thing you could do to combat this would be to change your passwords faster than they can cycle through them. I don't know about you, but I don't want to change my password every day or more. Even then I'm not sure it would help; I bet their computer can cycle faster than you can change the password. I don't know if you have noticed, but WH does force a password change on accounts from time to time. This is an effort to prevent such attacks. In fact I think maybe they are going a step further with this, since at the moment I am locked out of one of my accounts. I'm on chat right now to try and figure out what the new process for resetting the password is.
    Shawn
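    The dictionary attack described above, a client cycling through many passwords against one FTP username, leaves a recognisable trace in the server's login log: a burst of failures from one address, sometimes followed by a success. This added example (not from the thread, WestHost, or any FTP server project) applies a sliding-window count per client address to constructed log lines; the line format is an assumption loosely modelled on vsftpd-style entries, so adapt `LINE_RE` to your server's real log before use.

```python
"""Detect FTP password-guessing bursts in a login log (defender's check)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed line format (assumption); adapt to the real log of your FTP daemon.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<user>[^\]]*)\] '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse(line):
    """Return (timestamp, user, result, ip) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["user"], m["result"], m["ip"]


def detect(lines, max_failures=5, window_seconds=60):
    """Return alerts as (ip, kind, detail).

    Failures per client IP are kept in a sliding window; once the window holds
    max_failures the IP is flagged, and any later success from it is reported as
    a likely guessed password (the point at which the attack in the thread paid off).
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, result, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= max_failures and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "brute-force",
                               f"{len(q)} failures in {window_seconds}s against '{user}'"))
        elif ip in flagged:
            alerts.append((ip, "success-after-failures", f"login as '{user}' at {ts:%H:%M:%S}"))
    return alerts


# Constructed sample log (addresses from documentation ranges, not real clients).
SAMPLE_LOG = [
    '2013-09-04 10:14:50 [lucky] FAIL LOGIN: Client "198.51.100.7"',   # one ordinary typo
    '2013-09-04 10:15:01 [lucky] FAIL LOGIN: Client "203.0.113.5"',
    '2013-09-04 10:15:03 [lucky] FAIL LOGIN: Client "203.0.113.5"',
    '2013-09-04 10:15:05 [lucky] FAIL LOGIN: Client "203.0.113.5"',
    '2013-09-04 10:15:07 [lucky] FAIL LOGIN: Client "203.0.113.5"',
    '2013-09-04 10:15:09 [lucky] FAIL LOGIN: Client "203.0.113.5"',
    '2013-09-04 10:15:12 [lucky] OK LOGIN: Client "203.0.113.5"',
    '2013-09-04 10:16:30 [lucky] OK LOGIN: Client "198.51.100.7"',     # the real owner
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```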

  8. #8

    Another compromisee

    Quote Originally Posted by wildjokerdesign:
    Recently some of my accounts were compromised because of a dictionary attack on FTP accounts. Two PHP files were uploaded and then used to modify and change other files. ... What these files did was allow the hackers to add malware JavaScript code to files on my site. ...
    Yes, we had a similar event, early on August 27. My own antivirus detected the malicious JavaScript when I browsed a page I'd just updated/uploaded (which bumped into my cognitive dissonance filter: the changes I'd made to the file were intact, but the malware had been inserted in a referenced INCLUDE file). When a 2nd user called to say he'd gotten a warning (from his a/v) a short while later, I realized "this was not a drill." Westhost's response to our support ticket made it sound like gee, we must have screwed up by not updating software, and we did have a version of Joomla that had a known exploit. That's gone, and the altered PHP and HTML files were cleaned up from the separate source files we maintain. By the weekend, Sept. 1, everything seemed copacetic.

    Then today, I found that I could not connect w/ftp - authentication failure. Called Westhost straightaway and was told they're resetting the passwords on some accounts because of ongoing trouble. They were supposed to have sent some sort of notice by email... but we didn't see it.

    Neither the previous password, nor what we changed it to last week would have been susceptible to a dictionary attack. So yes, please, let us hear from some Westhost folks about WHAT THE HELL IS GOING ON.
    Last edited by alien; 09-07-2013 at 07:26 PM.
    Tom von Alten
    fortboise.org

  9. #9 Member (Join Date: Aug 2008 | Location: Odessa | Posts: 30)

    Quote Originally Posted by wildjokerdesign (post #7, quoted in full):
    Thanks for the explanation. I have changed my passwords as you suggested. Cross your fingers.

    Hope you got your access issue resolved.

  10. #10 Member (Join Date: Sep 2003 | Location: Spokane WA | Posts: 38)

    I had a client inform me of a warning message on their website on the 4th, so I called WH and they said a hacker got access to their servers and (unless I misunderstood) he said it was the server password that was the problem, and not the individual site passwords (which were very secure). He said WH had already reloaded affected sites with a backup to get rid of the virus/malware and told me to change the cPanel password for the whole site and reload all pages (when you first log into cPanel, the 2nd row of buttons has a link to change passwords, which changes cPanel, FTP and MySQL). I changed the above passwords, then reloaded the pages and requested a rescan via GWT.

    I then had another client inform me with the same problem. Then I checked all clients (I have 40 on WH) and found 10 that were affected however it was only those on SL-507 or SL-508 servers (no letter from Westhost until today). So what the first support person said might be true, re only some servers were affected, unless this problem is spreading.

    I have another problem now -- a site on one of those servers was not affected but she got a letter this morning to change PW so I changed the passwords but then can't login via FTP (Site appears to be fine). I'm on the phone with support -- started out with 10 callers ahead of me. Never experienced this many before.
    Lori
