HTML and CSS

How to get out malware from website

Please support our HTML and CSS advertiser: PostgreSQL or MySQL? Compare and contrast the two most popular open source databases

•

Join Date: Jan 2007

Posts: 3,210

Reputation: MidiMagic has a spectacular aura about

Solved Threads: 164

MidiMagic

Offline

Nearly a Senior Poster

Re: How to get out malware from website

#11

Aug 14th, 2008

Report it to the ISP administrator.

If the ISP won't or can't stop it, change ISP services.

Daylight-saving time uses more gasoline

•

Join Date: Aug 2008

Posts: 37

Reputation: 123468743867143 is an unknown quantity at this point

Solved Threads: 0

123468743867143 123468743867143 is offline

Offline

Light Poster

Answer: How to get out malware from website

#12

Aug 24th, 2008

(<script src=http://www.uhwc.ru/js.js></script>)

Hi,
I have had the same problem and was even tagged by Google.

The only way to do it is open your entire web site (I mean all of the files) in whatever software you use, do a search and replace. Change all of your passwords (Server, database, email, etc ...).

Mine has not come back since.

My problem started around Mid August 2008 ... Is Godaddy you hosting company by any chance?

•

Join Date: Jul 2004

Posts: 95

Reputation: omol is an unknown quantity at this point

Solved Threads: 4

omol

Offline

Junior Poster in Training

Re: How to get out malware from website

#13

Aug 26th, 2008

You have a form on your website that has been exploited. It's part of a very big botnet that automatically finds vunribiltys for asp and injects source into one of your fields. Fix the problem with correct error checking and then edit your database and remove the javascript links.

If you want to find out more infomation about this botnet it's been given the alias asprox.

asm
{ "\x04f\x06d\x06f\x06c" }

•

Join Date: Aug 2008

Posts: 37

Reputation: 123468743867143 is an unknown quantity at this point

Solved Threads: 0

123468743867143 123468743867143 is offline

Offline

Light Poster

Re: How to get out malware from website

#14

Aug 26th, 2008

I am looking into it right now. I thought my problem was over with. This is scary. I have had inconsistent behavior from MySQL and your input might help me pint point the issue. Thank you.

•

Join Date: Jul 2004

Posts: 95

Reputation: omol is an unknown quantity at this point

Solved Threads: 4

omol

Offline

Junior Poster in Training

Re: How to get out malware from website

#15

Aug 26th, 2008

Good luck, if you get stuck let me know and i will help further.

asm
{ "\x04f\x06d\x06f\x06c" }

•

Join Date: Aug 2008

Posts: 37

Reputation: 123468743867143 is an unknown quantity at this point

Solved Threads: 0

123468743867143 123468743867143 is offline

Offline

Light Poster

Re: How to get out malware from website

#16

Aug 26th, 2008

Hi Omol,

Since you asked ... I have been looking into my db (not very good at it though) ... what exactly am I looking for? In the web pages, it was easy to find the intrusive url and delete. What do I search for? I tried asprox, ect ... nothing found.

Thank you.

Rachel

•

Join Date: Jul 2004

Posts: 95

Reputation: omol is an unknown quantity at this point

Solved Threads: 4

omol

Offline

Junior Poster in Training

Re: How to get out malware from website

#17

Aug 26th, 2008

I would start with the string "js.js". What database tech are you using? MsSql?

Ok i have found some good metrial now.

http://www.networkcloaking.com/ASPROX_Toolkit.pdf

Last edited by omol; Aug 26th, 2008 at 12:55 pm. Reason: Found some info on removal. Too fast for my edit.

asm
{ "\x04f\x06d\x06f\x06c" }

•

Join Date: Aug 2008

Posts: 37

Reputation: 123468743867143 is an unknown quantity at this point

Solved Threads: 0

123468743867143 123468743867143 is offline

Offline

Light Poster

Re: How to get out malware from website

#18

Aug 26th, 2008

Yes, MySQL. I looked for js.js. in db, not there.

I did remove js.js from the website pages a while back. I checked again, it has not come back.

Something is making my database inconsistent ... Users able to register a new listing one minute but not the other (while the database is still taking their info but not publishing it back to the site).

Last edited by 123468743867143; Aug 26th, 2008 at 12:51 pm.

•

Join Date: Jul 2004

Posts: 95

Reputation: omol is an unknown quantity at this point

Solved Threads: 4

omol

Offline

Junior Poster in Training

Re: How to get out malware from website

#19

Aug 26th, 2008

Sorry i should not edit posts.

Heres the fix. Replace infected_table with the table name that is infected on your site.

 Help with Code Tags 
 HTML and CSS Syntax (Toggle Plain Text) 
use <infected_table>
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
'update ['+@T+'] set ['+@C+'] = left(
convert(varchar(8000), ['+@C+']),
len(convert(varchar(8000), ['+@C+'])) - 6 –
patindex(''%tpircs<%'',
reverse(convert(varchar(8000), ['+@C+'])))
)
where ['+@C+'] like ''%<script%</script>'''
);
FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;
use <infected_table>
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
'update ['+@T+'] set ['+@C+'] = left(
convert(varchar(8000), ['+@C+']),
len(convert(varchar(8000), ['+@C+'])) - 6 –
patindex(''%tpircs<%'',
reverse(convert(varchar(8000), ['+@C+'])))
)
where ['+@C+'] like ''%<script%</script>'''
);
FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;