TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Everlasting Death on March 12, 2009, 08:07:19 PM

Title: Website
Post by: Everlasting Death on March 12, 2009, 08:07:19 PM

So, I am the webmaster of my church's website, kinda neway...and I had put in a forum but never really implemented it into the actual website and one day I decide to do that and I visit the forum and Avast comes up with a Trojan, it says 'JS:Redirector-D [Trj]' and then the only option is the abort connection. I currently don't have access to the SQL database and from what I've read the malware is in the database, I don't really know. Any help would be appreciated.

the website is hxxp://life.firstintheheart.com/forum

Thanks

Title: Website
Post by: guestolo on March 12, 2009, 09:28:45 PM

It looks from the source of the page you have a "Yahoo counter" hack

Ensure your website software is up to date
Remove the code from your pages
Here's what you should be looking for

Code: [Select]

<script language=javascript><!-- Yahoo! Counter starts
if(typeof(yahoo_counter)!=typeof(1))eval(unescape('#%2F`..........................I didn't include the whole code, but that gives you an idea

I would scan the computer to ensure it has no infection
Change all passwords
Including online sites (change your FTP password from within your web hosting
control panel.)

Run a complete AntiVirus scan and I would also run a scan with Malwarebytes AntiMalware, ensure both are updated

There's a lot of info on google about it
"Yahoo counter" attack

It looks like the main site itself is OK, just the links to all the pages on the forums

Title: Website
Post by: Everlasting Death on March 13, 2009, 09:28:40 AM

So the yahoo counter is saved in the site description field on the database and I currently don't have access to the database but I will get rid of it ASAP. Also, when I first put up the forum some random jumble showed up in the header and when I viewed the source I noticed the yahoo counter in the same place but it didn't come up as a trojan on Avast, my guess was it was done incorrectly. I deleted the data from the database and didn't think anything of it, now it's back. I'm wondering if there is a way I can further protect myself from this. After googleing the yahoo counter thing I found that a couple people had this problem with IXHosting which is the host used by my church. Could it be the hosts security problem? Because I use the same forum script on my personal website, jaswin.net, and I use 1and1 and have never had this issue with that site.


EDIT: I deleted the data from the database but the script kept coming back. I then decided to delete the site description placeholder from the template and it seems to have fixed the issue.

Title: Website
Post by: guestolo on March 13, 2009, 05:05:09 PM

Avast doesn't alert me about your forum now

I found a very interesting blog about this hack and IX Web Hosting
Some good reading, also note the links she posts
http://miekiemoes.blogspot.com/2009/01/ix-...g-reliable.html (http://\"http://miekiemoes.blogspot.com/2009/01/ix-web-hosting-reliable.html\")

Title: Website
Post by: Everlasting Death on March 13, 2009, 08:56:41 PM

thanks again questolo, I still have no way of getting rid of the infection, I guess that's IX's issue...I'll have to speak with the church about switching hosts, but for now what I did should take care of it