Google blocking site for non-profit organization
by editor_jcrt
7 months ago

I am an editor of a fairly prominent international online journal whose website is www.jcrt.org. Since mid-May our site has been blocked by Google (and of course by Firefox browsers, which use Google information). We have reloaded the site numerous times, scanned it for viruses or malicious code, recreated the PDFs, eliminated archive content, and on multiple occasions through Google Webmaster Tools requested that the site be reviewed and recrawled. Earlier this week the tech manager for our webhosting site (www.apollohosting.com) in Austin, Texas brought in his own people to go over all the code in all the pages and found nothing malicious. He has given us written certification that the site is clean, but Google continues to block it. Since Google cannot be contacted directly, I am very frustrated, because this problem is not only causing damage to our operations, but to our reputation. Please help.

by ThornyD
7 months ago

I assume that you’ve reviewed this link:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.jcrt.org/&client=googlechrome&hl=en-US

Have you found any evidence of the 4 domains that Google has noted as hosting malicious software? Those domain names do appear to be suspicious. And what about the two domains that Google says were infected by jcrt.org?

by editor_jcrt
7 months ago

Both our own webmaster and Apollo’s tech department searched all code that could refer to the malicious software sites, and found nothing. One of the two domains supposedly affected is professionally close to our site, and we never received any query or complaint from them (they are not blocked), but to be honest I have not bothered to query them yet because it was only recently that I began to wonder whether Google’s information was accurate, or what it meant.

by Kaleh
7 months ago

A quick scan with Dasient WAM identifies a number of pages as well as the code. You may want to request their full scan to identify other pages.

http://wam.dasient.com/wam/diagnose?URL=www.jcrt.org&scan_id=23084

by Kaleh
7 months ago

You may want to have all parties involved review the following articles. This one can be tricky to deal with.

A New Spin on martuz Infection
http://www.wewatchyourwebsite.com/wordpress/?p=136

Gumblar .cn Exploit – 12 Facts About This Injected Script
http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

Martuz .cn – New Incarnation of the Gumblar Exploit. So What’s New?
http://blog.unmaskparasites.com/2009/05/18/martuz-cn-is-a-new-incarnation-of-gumblar-exploit/

by editor_jcrt
7 months ago

The directories and files indicated as infected on the Dasient WAM scan you reference do not exist on the website. One of them, I am certain, has never existed on the site, so the mystery deepens.

by WeWatch
7 months ago

You have the newest type of infection for martuz and gumblar. It could either be a line in your htaccess file or an infectious php file.

I just hit your site as http://www.jcrt.org/fredflintstone.php and I got a gumblar redirect.

I’ll look further but we’ve been fighting this since yesterday with a few other sites.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

by editor_jcrt
7 months ago

I’m not a supertechie, just a computer literate academic. I’ve gone into the directory from the host service control panel, and I have no idea where the files you requested are located, let alone the redirect files. Please advise.

by WeWatch
7 months ago

Have you looked at your htaccess file for any redirects?

Or have you looked at any 404 error pages? Keep in mind that depending on your server software, there are many ways to handle 404’s.

(Sorry Kaleh, I think you and I were on the same track there and typing at the same time)
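For readers following WeWatch’s advice to check the htaccess file for redirects and to look at how 404s are handled, here is a small audit script added to this thread (it is not code from WeWatch, Apollo or jcrt.org). It scans an Apache .htaccess or httpd.conf fragment for ErrorDocument and RewriteRule targets that point at another host, for PHP auto_prepend_file/auto_append_file settings, and for handler lines that make PHP run from unusual extensions. The sample config is constructed, and the list of “our own” host names is an assumption.

```python
"""Audit an Apache .htaccess / httpd.conf fragment for 404-redirect style
injections: ErrorDocument or RewriteRule targets on a foreign host, PHP
auto_prepend/auto_append settings, and PHP handlers on odd extensions.
Added example; the sample config below is constructed, not from jcrt.org."""
from urllib.parse import urlparse

# Constructed sample: one benign error page, then three suspicious directives.
SAMPLE_HTACCESS = """\
# normal site config
Options -Indexes
ErrorDocument 403 /errors/403.html
ErrorDocument 404 http://example-bad-host.invalid/go.php
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ http://example-bad-host.invalid/$1 [R=302,L]
php_value auto_prepend_file /tmp/.cache/x.php
"""

# Assumption: the host names that count as "ours"; anything else is off-site.
SITE_HOSTS = {"www.jcrt.org", "jcrt.org"}


def is_external(target, site_hosts=SITE_HOSTS):
    """True if target is an absolute URL whose host is not one of ours.
    Relative paths (no scheme) are never external."""
    parsed = urlparse(target)
    return bool(parsed.scheme) and parsed.netloc.lower() not in site_hosts


def audit_htaccess(text, site_hosts=SITE_HOSTS):
    """Return a list of (line_no, reason, line) findings for the config text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "errordocument" and len(parts) >= 3:
            # ErrorDocument <code> <target>: a full URL on another host sends
            # every "page not found" visitor somewhere else.
            if is_external(parts[2], site_hosts):
                findings.append((n, "ErrorDocument %s points off-site" % parts[1], line))
        elif directive == "rewriterule" and len(parts) >= 3:
            # RewriteRule <pattern> <substitution> [flags]
            if is_external(parts[2], site_hosts):
                findings.append((n, "RewriteRule redirects off-site", line))
        elif directive in ("php_value", "php_flag", "php_admin_value") and len(parts) >= 3:
            # auto_prepend_file / auto_append_file run a PHP file on every request.
            if parts[1].lower() in ("auto_prepend_file", "auto_append_file"):
                findings.append((n, "PHP %s set in .htaccess" % parts[1], line))
        elif directive in ("addhandler", "sethandler", "addtype") and "php" in line.lower():
            # e.g. "AddHandler application/x-httpd-php .jpg" executes PHP
            # hidden in files with an innocent-looking extension.
            exts = [p for p in parts[2:] if p.startswith(".")]
            if any(e.lower() not in (".php", ".phtml", ".php5") for e in exts):
                findings.append((n, "PHP handler mapped to unusual extension", line))
    return findings


if __name__ == "__main__":
    for line_no, reason, text in audit_htaccess(SAMPLE_HTACCESS):
        print("line %d: %s\n    %s" % (line_no, reason, text))
```

Run it against each .htaccess in the web root and subdirectories (there may be more than one, as WeWatch notes later), and against the httpd.conf the host provides; a clean site normally has no off-site ErrorDocument or RewriteRule target at all.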

by Kaleh
7 months ago

Darn it … I really don’t mean to keep stepping on your toes. :-D

404 … yes … 404

by WeWatch
7 months ago

No blood no foul :-)

by editor_jcrt
7 months ago

That’s about the best information I’ve received. Thanks so much. I suspected there might be problems with the PDF files, based on what I read, but I wasn’t sure. We’ve got to create new PDFs I’ll see if I can get the logs. You may post whatever info I get.

by Kaleh
7 months ago

If those PDFs don’t exist anymore and the code is on the 404 Not Found page, it may not be the actual PDFs??? Just the 404 page? WeWatch?

by WeWatch
7 months ago

@editor_jcrt,

I removed that information as my further investigation revealed it’s more of a 404 (page not found) situation than it is with any PDFs. I believe in the efforts of apollohosting.com; I believe they have a good reputation and don’t doubt for a minute that they reviewed every web file for your site. However, I believe it’s more of a redirect for 404s (page not found) than it is with any file that actually does exist.

I’d still like to see the log files so I can try and determine how they got in; although martuz and gumblar are tied to stolen FTP credentials, let’s be sure.

Also, please provide your htaccess file and your httpd.conf if you don’t mind. This way we can isolate exactly where this infectious code is coming from.

Thank you.

by WeWatch
7 months ago

Ah, great minds think alike Kaleh…

by Kaleh
7 months ago

Do you know if the [ findbigurls ] reference is related to [ gumblar / martuz ] … or is it something else in addition to the [ gumblar / martuz ] stuff?

Edit: the [ findbigurls ] reference is in the SafeBrowsing Diagnostic Report.

http://www.google.com/safebrowsing/diagnostic?site=http://www.jcrt.org/archives/03.3/putt.shtml&hl=en

by WeWatch
7 months ago

I didn’t see any [ findbigurls ] stuff.

I’ll bet it might be what gumblar was redirecting to???

I’ll look further.

by editor_jcrt
7 months ago

I’m not a supertechie, just a computer literate academic. I’ve looked in the control panel of our webhosting account, and can’t find the files you say you want to look at. Where would I find them?

by WeWatch
7 months ago

What control panel do you use? cPanel?

Let me know. Or see if apollohosting.com would get them for you and send them. I’m anxious to see and to help you get this cleaned up.

by editor_jcrt
7 months ago

Plesk.

by editor_jcrt
7 months ago

I’m contacting Apollo about the logs. How far back do you want them? The original breach appears to have happened around May 20.

by WeWatch
7 months ago

Then to mid-May would be awesome. I will analyze them as soon as I get them and let you know either directly or through this forum, what is found.

Thank you.

This will not only help you, but help many others as well.

by editor_jcrt
7 months ago

Tom,
Sorry, when is “then” in “then to mid-May”? You mean mid-May to the 20th? I have those. Please give me a second.

by editor_jcrt
7 months ago

Here is the chat transcript with Apollo on May 25.

Carl Raschke: What were the dates of the logins last week?
Carl Raschke: Can you copy me here those dates?
Carl Raschke: If there is malware on the site that is flagged by google, and the index page is missing, could it be at any level in the site? Is there some way to find out where it is? There are a lot of files on the site.
Seena: I could see that most of your files were modified on May 14 and May 22
Seena: May 22 07:25:25 secure11 proftpd4624: secure11.apollohosting.com (88.250.164.83[88.250.164.83]) – USER craschke: Login successful.
Seena: You can find the IP in the log
Carl Raschke: Thank you. Now my question about finding the malware.
Seena: Carl, if you have a local backup of your site you can just replace the current content
Carl Raschke: Can you also give me the login for May 14, so I can identify the IP at that date too. The malware was apparently installed between the 14th and the 22nd.
Seena: You have to check the code of your site; this may be several links or JavaScript
Carl Raschke: What do you mean by this statement? Sorry, I don’t understand.
Seena: >>Now my question about finding the malware. Malware may be some JavaScript or several unwanted links
Carl Raschke: Okay. I understand. But can you give me the FTP log for May 14 also, so I can get the IP for that date too?
Seena: 88.250.164.83, 78.160.184.223
Carl Raschke: Thank you very much. I think that is all for now.
Seena: You can re upload the content and verify using www.google.com/webmasters/
Seena: once this is done, you can go to http://www.google.com/addurl/?continue=/addurl and request that google re-crawl the site
Seena: No problem
Carl Raschke: Thank you also for the extra tips.
Seena: It’s my pleasure. Please go through the FTP security links I have given to make your connection secure
Carl Raschke: I have one more question. Can you check logs to see when the password for that domain was last reset?
Seena: Carl, I was checking the rotated logs and can see so many FTP accesses from May 6 and May 10
Carl Raschke: That must mean someone hacked in. Do you mean someone changed the password as well?
Seena: Normally more than three incorrect login attempts result in a password lock for more security. Probably your FTP password might have been locked because of these attempts. You can change the password from the control panel
Seena: For more security you can change the control panel password
Carl Raschke: I understand now how to increase security. What I’m trying to establish is from the log record whether it looked as if on May 6 and May 10 someone was trying to hack in with multiple password tries. Can you tell me what the log shows? Thank you.
Seena: May 6 04:07:57 secure11 proftpd7762: secure11.apollohosting.com (78.189.24.130[78.189.24.130]) – USER craschke (Login failed): Incorrect password.
May 6 04:13:57 secure11 proftpd24133: secure11.apollohosting.com (72.51.147.81[72.51.147.81]) – USER craschke (Login failed): Incorrect password.
May 6 04:20:57 secure11 proftpd28768: secure11.apollohosting.com (121.200.78.131[121.200.78.131]) – USER craschke (Login failed): Incorrect password.
May 6 04:21:00 secure11 proftpd30418: secure11.apollohosting.com (122.161.89.158[122.161.89.158]) – USER craschke (Login failed): Incorrect password.
Carl Raschke: Thank you. When was the last login for the control panel, other than this evening?
Seena: Carl, I am unable to find this out correctly from this log, and your usernames for FTP and Plesk seem to be the same
Carl Raschke: Okay. Thank you. That’s all for now. I appreciate it very much.

by WeWatch
7 months ago

The IP address 122.161.89.158 is known to be from India and is known to be a spambot. The IP address 88.250.164.83 is known to be from Turkey and is also known to be a spambot. The IP address 78.160.184.223 is also from Turkey but is not currently on any blacklists.

My guess is that this is more of a typical martuz/gumblar and someone has stolen your FTP login credentials.

Were your FTP passwords changed during this time? It appears they got in on May 22 successfully then after that they were trying different passwords and being unsuccessful.

Scan all PCs that have FTP access to your site, even developers outside the company. Use an anti-virus that you currently aren’t using. For instance, if you’re using AVG, use Avast or Avira. We’ve found that these PC infections know how to hide from your existing anti-virus so use something different and you’ll find it and clean it.

Then change all your FTP usernames and passwords.

Then check your htaccess files. Normally the FTP log files will also show what was uploaded. Not always. So if you can find the files they uploaded, you’ll know what to clean. Unless they uploaded a remote shell which gives them remote access to your site.

Scan your PCs, and see if you can send me the htaccess file(s) (it may be more than one)

Let me know…
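An added example, not code from the forum, WeWatch or Apollo, that applies the reasoning in the post above to proftpd log lines in the format Apollo’s support pasted: it parses each line, records which source addresses failed for each user, flags a user whose password was tried from three or more different addresses, and flags any successful login from an address that is not on a list of known-good addresses. The log lines below are constructed with TEST-NET addresses, and the known-good list is an assumption the site owner would fill in from their own office and developer addresses.

```python
"""Flag suspicious FTP logins in proftpd auth log lines.
Added example; the log lines and the known-good address list are constructed
and assumed, not taken from jcrt.org's real logs."""
import re
from collections import defaultdict

# One proftpd auth line: "Mon DD HH:MM:SS host proftpdPID: fqdn (ip[ip]) - USER name ..."
# The dash may be "-" or an en dash, as in the pasted transcript.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ proftpd\S*: \S+ \((?P<ip>[\d.]+)\[[\d.]+\]\) [-\u2013] USER (?P<user>\w+)"
    r"(?P<status>: Login successful| \(Login failed\))"
)

# Constructed sample: four failures from four addresses, then two successes.
SAMPLE_LOG = """\
May  6 04:07:57 secure11 proftpd7762: secure11.example.com (192.0.2.10[192.0.2.10]) - USER craschke (Login failed): Incorrect password.
May  6 04:13:57 secure11 proftpd24133: secure11.example.com (192.0.2.11[192.0.2.11]) - USER craschke (Login failed): Incorrect password.
May  6 04:20:57 secure11 proftpd28768: secure11.example.com (192.0.2.12[192.0.2.12]) - USER craschke (Login failed): Incorrect password.
May  6 04:21:00 secure11 proftpd30418: secure11.example.com (192.0.2.13[192.0.2.13]) - USER craschke (Login failed): Incorrect password.
May 10 09:02:11 secure11 proftpd1021: secure11.example.com (203.0.113.5[203.0.113.5]) - USER craschke: Login successful.
May 22 07:25:25 secure11 proftpd4624: secure11.example.com (198.51.100.7[198.51.100.7]) - USER craschke: Login successful.
"""

# Assumption: addresses the site owner and developers normally log in from.
KNOWN_GOOD_IPS = {"203.0.113.5"}


def parse_line(line):
    """Return a dict (month, day, time, ip, user, ok) or None if not an auth line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ok"] = event.pop("status").startswith(":")  # ": Login successful"
    return event


def analyze(log_text, known_good=KNOWN_GOOD_IPS, spray_threshold=3):
    """Parse the log and return (events, alerts).

    Alerts:
      distributed_guessing   one user's password tried from >= spray_threshold
                             distinct addresses (the May 6 pattern above)
      success_from_unknown_ip a successful login from an address not in known_good
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failed_ips = defaultdict(set)  # user -> set of addresses that failed
    for e in events:
        if not e["ok"]:
            failed_ips[e["user"]].add(e["ip"])

    alerts = []
    for user, ips in sorted(failed_ips.items()):
        if len(ips) >= spray_threshold:
            alerts.append({"kind": "distributed_guessing", "user": user, "ips": sorted(ips)})
    for e in events:
        if e["ok"] and e["ip"] not in known_good:
            alerts.append({
                "kind": "success_from_unknown_ip",
                "user": e["user"],
                "ip": e["ip"],
                "when": "%s %s %s" % (e["month"], e["day"], e["time"]),
            })
    return events, alerts


if __name__ == "__main__":
    _, found = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
```

A successful login from an address you do not recognise, especially one that follows a run of failures or coincides with the modification dates Apollo reported, is the event to chase: that is the moment to change the FTP password and look for files uploaded in the same session.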

by editor_jcrt
7 months ago

The password was changed after May and is currently very strong.

by WeWatch
7 months ago

It can be uncrackable, but if they steal it from your PC with either a virus that’s undetectable by your current anti-virus software, a keyboard logger, or an FTP-sniffing virus, they can still get it.

I’m just trying to piece together the timing of things so we can nail down how your site was hacked.

That’s all.