website virus attack on js files info and warning

[xmanhattan]

FYI - for your information

I have a client that did not know that their workstations were compromised by viruses.  Apparently the viruses affected javascript and php files on their Internet website.

Additional files that were affected include root directory:
index.php
index2.php
configuration.php was also modified.
a new file named default.php was created but I have not finished reviewing what this file actually does.

Additionally files in the templates directory:
index.php
index2.php
index.html

Regarding the js files, I have found that the iosdvmenu .php and .js files were affected.

Restoring from backups was not possible because I found that even the oldest backup dated in January 2012 was infected.

I am also unsure as yet whether the virus transfers login information to a third party.

After restoring files from the latest 2009.3 download I thought that I managed to stop the virus but apparently some files elsewhere on their website managed to re-clone and corrupt other .php and .js files.

The lesson so far is that it is better to delete every file from the root directory on the website and re-install.

Clients must use anti-virus and must keep them up to date.

How does one learn that their website has a virus or that it maybe transmitting viruses?
You will see a warning like the one that follows and possibly an email from google if the website is listed under google webmaster.

[xmanhattan]

This was not a virus but a trojan that transferred from workstations to the website.
The worse aspect about this virus is that website visitors can become infected with this trojan and spread it.
The suspected website must be placed offline until all files have been analyzed and verified as cleaned.

More information on this can be found here:  http://www.symantec.com/security_response/writeup.jsp?docid=2003-102718-1528-99

[datahell]

Peter in an email you sent me there was a virus and I deleted it without reading it. I forgotten to tell you...

[xmanhattan]

That's okay.  Sorry that I sent it to you but I thought at first that the files had code that a hacker had placed in them and that you might need to see them.  After studying the code further I checked it with my antivirus and it immediately deleted it.
That is when I realized that it was using php and js to clone itself into different php programs in elxis on the client web server.

From what I have seen, the trojan used any javascript that it could to place itself into php files and into the index.html files so that any files being served to visitors would also infect those who do not have anti-virus updated.

This is a lesson for implementers, clients, and visitors.