Any antivirus software which can detect iframe scripts?

metthyn

I have files infected by the JS:Illredir-B trojan (I use Avast).

There is JavaScript code appended to every index.php and index.html under every domain of my customer. I have experienced that with my previous provider and I know this happened because somehow my customer's FTP username and password were compromised. (I changed the passwords and I can still see unsuccessful login attempts with that username in the logs.)

I did a scan with ClamAV and AVG to see which files were infected but neither of them could find anything. I don't know if there is a parameter I should use.

What can you suggest?

You can check one of the infected domains: http://sistre.net

(Note: I couldn't install Avast on my CentOS; it depends on libexpat.so.1 and I couldn't find a way to solve it.)
 
Avast installed

Just to inform:

I managed to install Avast on CentOS with the steps explained at this link
http://www.centos.org/modules/newbb/viewtopic.php?topic_id=17861&forum=38

Here are the results of the command:
avast -c --continue=3 --report=scan.txt /home/admin/domains/sistre.net/

[root@server ~]# cat scan.txt
#-------------------------------------------------------------------
# Date: Wed Dec 30 11:03:48 2009
# Scanned areas:
# /home/admin/domains/sistre.net/
#
/home/admin/domains/sistre.net/public_html/index.html [infected by: JS:Illredir-B [Trj]] repair error: File can't be repaired
#
# Statistics:
#
# scanned files: 593
# scanned directories: 19
# infected files: 1
# total file size: 1.1 MB
# virus database: 091229-0 29.12.2009
# test elapsed: 3s 423ms
#
 
No, my page doesn't use frames.

A little info about the trojan/malware.
It infects all JavaScript files and PHP/HTML files whose names start with "home" or "index".

I wrote a PHP script which scans all files under the home folder and removes the appended code. The files are clean now; Avast can't find any infected file.
 
Hello,
It infects all JavaScript files and PHP/HTML files whose names start with "home" or "index" too.
Can you share with us the PHP script that you wrote?
Thanks...
 
PHP:
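<?php
// Usage: run from the command line with the directory to scan as the first argument.
if(!isset($_SERVER['argv'][1])) {
    echo "Specify directory to scan\n";
    exit(1);
} else {
    $path = $_SERVER['argv'][1];

    // Marker that starts the injected script; the match runs to the end of that line.
    $regex = "/\/\*GNU GPL\*\/(.*)/";
    $replace = "<!-- REPLACED THE SCRIPT -->\n";

    // Walk every file and directory under $path (SPL iterators).
    $files = $objects = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path), RecursiveIteratorIterator::SELF_FIRST);
    foreach($files as $file) {

        // Only regular files smaller than 2 MB are checked.
        if(is_file($file) && filesize($file) < 2*1024*1024) {

            $content = file_get_contents($file);
            if($content === false) {
                continue; // unreadable file, skip it
            }

            if(preg_match($regex, $content)) {
                echo  $file." : Infected \n";

                $new = preg_replace($regex, $replace, $content);

                // preg_replace() returns null on error; never overwrite the file with that.
                if($new !== null && $content != $new) {
                    $h = fopen($file, "w");
                    fwrite($h, $new);
                    fclose($h);
                }
            }
        }
    }
}
?>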

My server was a new VPS with websites I created, so I was sure there was no code starting with "GNU GPL". Although you can filter filenames starting with "index" and "home", I checked all files smaller than 2MB to be sure. Hope it helps.

Give the path you want to check as a parameter.
 
Dear mettyn,

Thank you for sharing.

"$files = $objects = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path), RecursiveIteratorIterator::SELF_FIRST);
foreach($files as $file) {
"

This line gives an error below PHP 5.0.
My server is below PHP 5.0 too.
Is there any way to solve this problem?

Thanks again...

-gemlik
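
On the PHP version question above: the iterator classes used in the posted script were introduced with PHP 5. The following is an added example, not code from any poster in this thread, that walks the tree with opendir()/readdir() instead. It assumes PHP 4.3 or later (for file_get_contents()) and the same /*GNU GPL*/ marker; the --clean switch and the .infected.bak backup suffix are choices made for this example.

```php
<?php
// Added example (not from the thread). Report-only by default:
//   php <this script> <dir>          lists files containing the marker
//   php <this script> <dir> --clean  also rewrites them, keeping a backup copy
$MARKER_REGEX = "/\/\*GNU GPL\*\/(.*)/";   // same marker as the posted script
$MAX_SIZE     = 2 * 1024 * 1024;            // skip files of 2 MB and larger
$BACKUP_EXT   = '.infected.bak';            // example suffix, move these out of the web root

function scan_dir($dir, $clean, &$hits) {
    global $MARKER_REGEX, $MAX_SIZE, $BACKUP_EXT;
    $dh = @opendir($dir);
    if (!$dh) { echo "Cannot open $dir\n"; return; }
    while (($entry = readdir($dh)) !== false) {
        if ($entry == '.' || $entry == '..') continue;
        if (substr($entry, -strlen($BACKUP_EXT)) == $BACKUP_EXT) continue; // our own backups
        $path = $dir . '/' . $entry;
        if (is_link($path)) continue;        // do not follow symlinks out of the tree
        if (is_dir($path)) {
            scan_dir($path, $clean, $hits);  // recurse without SPL iterators
        } elseif (is_file($path) && filesize($path) < $MAX_SIZE) {
            $content = file_get_contents($path);
            if ($content === false || !preg_match($MARKER_REGEX, $content)) continue;
            $hits[] = $path;
            echo "$path : Infected\n";
            if (!$clean) continue;
            $new = preg_replace($MARKER_REGEX, "<!-- REPLACED THE SCRIPT -->\n", $content);
            // Rewrite only if the replace succeeded and the original was saved first.
            if ($new !== null && copy($path, $path . $BACKUP_EXT)) {
                $h = fopen($path, 'w');
                if ($h) { fwrite($h, $new); fclose($h); }
            } else {
                echo "$path : NOT cleaned (replace or backup failed)\n";
            }
        }
    }
    closedir($dh);
}

if (!isset($_SERVER['argv'][1])) {
    echo "Specify directory to scan\n";
    exit(2);
}
$hits = array();
scan_dir(rtrim($_SERVER['argv'][1], '/'), in_array('--clean', $_SERVER['argv']), $hits);
echo count($hits) . " file(s) matched\n";
exit(count($hits) ? 1 : 0);   // non-zero exit lets cron or monitoring alert on a match
?>
```

Running it without --clean first shows what would be changed; any file that legitimately contains the marker text would be truncated from the marker to the end of that line, which is why the backup copy is kept.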
 