malware - Virus on my Webserver: How to get rid of it?

07
2014-07
  • Matt

    I did a website for my clients and recently stumbled upon a lot of issues with it - I guess it got hacked. (It's based on the latest WordPress version, and for a while the index.php file always got replaced by an empty file - so the page was blank.)

    After resetting everything and uploading all files back up to the server, today I stumbled upon this …

    [screenshot]

    What is this? And why do I see this on my Mac, but not on my iPhone? The only explanation I have is that the Wi-Fi I'm currently on has this FortiGuard filter enabled and the site has malware on it. My iPhone is on 3G and therefore probably doesn't block it. What can I do to get rid of it?

    So essentially I have a virus/malware on my server and don't know how to get rid of it.

    1. I already changed all passwords (FTP, MySQL, WordPress users)
    2. I uploaded a fresh copy of the latest WordPress files to my server, and just left `uploads` untouched
    3. My hosting provider already ran a malware scan on the server and didn't find anything.

    What else can I do?


    Update:

    [screenshot]

  • Answers
  • Dave Rook

    I think the issue you are showing doesn't indicate there is a virus, just that there has been one or a similar issue. At that point, it's most likely been blacklisted (or similar) by FortiGuard.

    You need to find out how to remove the website but, as per my comments, this is the potential issue of using plugins which are vulnerable, and it could potentially have damaged the URL if you can't remove it from FortiGuard (for example, can you guarantee the third-party plugin won't become compromised again?). Do consider this for the future updates/websites you make.


  • Related Question

    windows - How did what appears to be a virus get on my computer? (explanation of situation enclosed)
  • Massimo

    My system is Windows XP SP3, updated with the latest patches.

    The PC is connected to a Cisco 877 ADSL router, which does NAT from the internal network to its single static public IP address. There are no forwarded ports, and the router's management console can only be accessed from the inside.

    I was doing two things: working on a remote office machine via VPN and browsing some web pages on the Cisco web site.

    The remote network is absolutely safe (it's a lab network, four virtual servers, no publicly accessible services and no users at all; also, none of what I'm going to describe ever happened there).

    The Cisco web site... well, I suppose is quite safe, too.

    Suddenly, something happened.

    Strange popups appeared everywhere; programs claiming to be "antimalware", "antispyware" and so on began auto-installing; fake Windows Update and Security Center icons popped up in the system tray. svchost.exe began crashing repeatedly. Then, finally, after some minutes of this... BSOD.

    And, upon rebooting, BSOD again. Even in safe mode.

    Ok, that was obviously some virus/trojan/whatever. I had to install a new copy of Windows on another partition to clean things up. I found strange executables, services and DLLs almost everywhere. Among other things, user32.dll and ndis.sys had been replaced. A fake piece of software called "Antimalware Doctor" had been installed. There were services with completely random names or even GUIDs (!), and also ones called "IpSect" and "Darkness". There were executable files without an .exe extension. There were even two boot-class drivers, which I'm quite sure are the ones that finally caused the system to crash.

    A true massacre.

    Ok, now the questions:

    • What the hell was that?!? It was something more than a simple virus!
    • How did it manage to attack my computer, as I am behind a firewall and was not doing anything even potentially harmful on the web at the time?

  • Related Answers
  • raw_noob

    This sounds very like a problem I had recently with XP Antispyware, a Java-based exploit that turns off your firewall and antivirus, claims to have detected hundreds of virus infections, adds fake security centre icons to the taskbar, and prevents the launch of .exe programs so that you can't run antimalware software.

    There is a fix, but you have to know what you're doing - not obvious - and run a little script on the registry to kill the .exe blocker, or it just keeps coming back. Then you have to get rid of the bad Java plugin in your browser.

    Read all about it at: http://lifehacker.com/5499124/how-to-remove-xp-antispyware . This was a lifesaver for me. I am very careful about viruses etc. and have been lucky so far, but this one was on the machine before I realised what had happened. I still don't know where I picked it up.

  • Massimo

    Looks like it was "Neprodoor": http://www.prevx.com/blog/115/Neprodoor-flies-beyond-the-radar.html

    I managed to clean almost everything by working from a fresh Windows installation on another disk... but that beast installed literally tens of pieces of malware on the system, and I still had a broken Windows Update (like a hosts redirect, but the hosts file was empty) and some ad sites popping up now and then.

    I ended up formatting and reinstalling... couldn't trust the system anymore. Oh, well, it was time to move to Windows 7 :-)

    But I still don't know how it got in... ?!?