

Unknown File in Web Directory



#1 Tirus

    P2L Jedi

  • Members
  • 764 posts
  • Gender:Male
  • Location:Montreal, Canada
  • Interests:Web Design, Programming, Music, Martial Arts

Posted 22 September 2007 - 10:25 PM

I have AWStats installed for my website and, upon updating it a few days ago, I saw a huge surge in the number of visitors. I discovered that a lot of the hits on the site were coming from a file in my main folder called Tim-Fotos.exe. I have never heard of, seen or uploaded this file to my website, nor do I have any other .exe files on my site. I searched Google for any hits and did not really come up with anything concrete, just some hits on what I think was a Spanish site, and the word malware may have come up once or twice. Anyway, I went on my old computer and clicked on the file; Spysweeper immediately blocked the installation of malware.

Anyway, I deleted the file and thought that was it. A few hours later, I checked my site folder again via FTP and the file was back. I deleted it again and it has just reappeared. I thought it may be possible that malicious code can be put into your site pages (I've read about it), so I figured I would re-upload the files in my main folder. I am currently waiting to see if the file will reappear, which I unfortunately think it will.

Has anyone ever experienced this? A sudden surge in website hits or visits, coming from an unknown .exe file that seems to reappear after being deleted?

Any and all help would be appreciated.

Tirus

Edited by Tirus, 22 September 2007 - 10:25 PM.


#2 Donna

    Retired P2L Queen!

  • P2L Staff
  • 12,330 posts
  • Gender:Female
  • Location:B.C Canada

Posted 22 September 2007 - 10:40 PM

Tirus, contact your host; something on your server is insecure. Check your FTP, make sure you're the only one allowed to upload, then change all site passwords.

#3 Hayden

    P2L Jedi

  • Members
  • 716 posts
  • Gender:Male
  • Location:Texas

Posted 22 September 2007 - 10:55 PM

Yes, what Donna said. There is possibly some PHP exploit or something else that is allowing somebody to upload the file. Not necessarily anything with your scripts, but possibly something that needs to be changed or upgraded on the host's server.

#4 U1

    Young Padawan

  • Members
  • 245 posts

Posted 23 September 2007 - 03:30 PM

It's malware. You need to get the server admin to sort out the server, because it's probably been backdoored, and it might not have been your site that was exploited but the server itself or another site. The file may be symlinked to another few; it will keep reappearing until the main files are deleted, most likely in temp or, if they're more experienced, more likely in etc. Your traffic may be hits on that file from people's infected computers. lol

Regards

PS what host are you with btw?

Edited by Unknown1, 23 September 2007 - 03:34 PM.


#5 _*Creative Insanity_*

  • Guests

Posted 23 September 2007 - 04:09 PM

What about using a .htaccess file denying access to that file, or add a denial in the httpd.conf file for the file?
Secondly, I would be looking at the raw logs and then doing a route trace and see where the tunnel ends.

Oh, and another thing: why have you not got httpd.conf denying access to these types of files?

I have my development server deny placement of:
.exe
.bat
.batch
.xls
.doc
.pp

and anything that can be either executed or run a macro.

Edited by Creative Insanity, 23 September 2007 - 04:12 PM.
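The denial Creative Insanity describes, written out as an added example (not configuration from the thread or from any poster's server). It assumes Apache with mod_authz_core (2.4) or mod_authz_host (2.2), and, if placed in .htaccess rather than httpd.conf, that the directory's AllowOverride permits Limit. It makes the server answer 403 for the executable extensions listed, so the surge of downloads stops; it does not remove the file or close whatever is writing it, and an attacker who can upload into the directory may be able to overwrite the .htaccess as well, so it is a stopgap alongside the host and password work, not a fix.

```apache
# Refuse to serve directly runnable Windows files from this directory
# tree, whatever name they carry. Extension list is an assumption;
# extend it to match what the host has seen.
<FilesMatch "(?i)\.(exe|bat|cmd|com|scr|pif|vbs|msi)$">
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and older (mod_authz_host)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After adding it, a request for /Tim-Fotos.exe should log as status 403 rather than 200 in the raw access log; a 200 still appearing means the override is not being honoured (AllowOverride) or the rule is in the wrong directory.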


#6 Tirus

    P2L Jedi

  • Members
  • 764 posts
  • Gender:Male
  • Location:Montreal, Canada
  • Interests:Web Design, Programming, Music, Martial Arts

Posted 26 September 2007 - 06:46 PM

Following my first post, where I said I was waiting to see what would happen after removing and re-uploading the files in my main folder (and I forgot to mention that I also changed the FTP password), the file never reappeared. See bottom of post :huh:

I will, however, still contact my hosting company (which is Netfirms) and let them know about it, since I am the only one who should have access to the FTP, and my passwords are secure and not shared with anyone.

I guess it's just too bad, for "experimental" and curiosity's sake, that I both replaced the files and changed the password at the same time, as I won't know which one was causing the problem (either one of my files (the majority being .php and .html, I think 2 .jpg and 1 .rar) had something in it, or something actually had my FTP info and kept re-uploading it).

Creative Insanity, on Sep 23 2007, 05:09 PM, said:

What about using a .htaccess file denying access to that file, or add a denial in the httpd.conf file for the file?
Secondly, I would be looking at the raw logs and then doing a route trace and see where the tunnel ends.

Oh, and another thing: why have you not got httpd.conf denying access to these types of files?

I have my development server deny placement of:
.exe
.bat
.batch
.xls
.doc
.pp

and anything that can be either executed or run a macro.

Would httpd.conf be part of the .htaccess file? With regards to the raw files, are you talking about the AWStats logs? If so, what would I be looking for?

EDIT: Just connected via FTP to view the raw log files and guess which file is back!!!! I guess re-uploading the files AND changing the password did not work... contacting the hosting company ASAP, will let you guys know what happens. What would be the quickest/simplest way of denying access to the file?

Edit 2: Here is part of my log file; it is the first time .exe appears:

189.15.98.160 - - [19/Sep/2007:13:46:53 -0400] "GET /VideoMensagem.exe HTTP/1.1" 200 24064 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"

Later, I have:
189.15.69.0 - - [20/Sep/2007:01:34:16 -0400] "GET /Foto-Mensagem.exe HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"

And:

189.15.69.0 - - [20/Sep/2007:01:38:13 -0400] "GET /Tim-Fotos.exe HTTP/1.1" 200 24064 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"


What really worries me is that I cannot see the first 2 .exe files in my directory... so does that mean they are hidden?? If so, how is that possible?

Also, I did a SmartWhois trace on a few of them and they all seem to be coming from Brazil... what is going on?!?!?!

(I've contacted my hosting company and sent them the log file and the IP search results. I guess this will be a good test for them, as I have to renew my hosting with them by November, so I'll see how efficient and professional they are at resolving this issue.)

Edited by Tirus, 26 September 2007 - 07:40 PM.
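Tirus asks what to look for in the raw log. The script below is an added example (not code from the thread or from any poster) of the pass a responder would make over an Apache combined-format access log: which executable-looking paths were requested, when each name first appears, how often it was actually served (200) versus already gone (404), which client IPs fetched it, and whether different names were served with an identical byte count, which in the quoted lines is the case for VideoMensagem.exe and Tim-Fotos.exe (both 24064 bytes) and suggests one payload being renamed. The sample log is constructed: the three lines quoted above plus two invented ones (a normal page hit and a second download from another address); the extension list is an assumption.

```python
"""Scan an Apache combined-format access log for requests to executable files.

Added example, not code from the original thread. SAMPLE_LOG is constructed:
the three lines quoted in the post plus two invented ones."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
189.15.98.160 - - [19/Sep/2007:13:46:53 -0400] "GET /VideoMensagem.exe HTTP/1.1" 200 24064 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.5 - - [19/Sep/2007:14:02:11 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
189.15.69.0 - - [20/Sep/2007:01:34:16 -0400] "GET /Foto-Mensagem.exe HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
189.15.69.0 - - [20/Sep/2007:01:38:13 -0400] "GET /Tim-Fotos.exe HTTP/1.1" 200 24064 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
189.15.70.12 - - [20/Sep/2007:02:10:44 -0400] "GET /Tim-Fotos.exe?x=1 HTTP/1.1" 200 24064 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Extensions Windows runs directly when a browser "opens" them (assumed list).
SUSPECT_EXT = ('.exe', '.bat', '.cmd', '.com', '.scr', '.pif', '.vbs', '.msi')


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    # Drop any query string so /Tim-Fotos.exe?x=1 and /Tim-Fotos.exe collapse.
    rec['path'] = rec['path'].split('?', 1)[0]
    return rec


def find_executable_hits(log_text):
    """All parsed records whose request path ends in a suspect extension."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['path'].lower().endswith(SUSPECT_EXT):
            hits.append(rec)
    return hits


def summarize(hits):
    """Per path: first request seen, 200 vs 404 counts, client IPs, byte sizes served."""
    per_file = defaultdict(lambda: {'first_seen': None, 'served': 0,
                                    'missing': 0, 'ips': set(), 'sizes': set()})
    for h in hits:
        s = per_file[h['path']]
        if s['first_seen'] is None or h['ts'] < s['first_seen']:
            s['first_seen'] = h['ts']
        if h['status'] == 200:
            s['served'] += 1
            s['sizes'].add(h['size'])
        elif h['status'] == 404:
            s['missing'] += 1
        s['ips'].add(h['ip'])
    return dict(per_file)


def same_size_groups(summary):
    """Paths served with the same byte count: likely one payload under several
    names, renamed after an earlier name was deleted or blocked."""
    by_size = defaultdict(list)
    for path, s in summary.items():
        for size in s['sizes']:
            by_size[size].append(path)
    return {size: sorted(paths) for size, paths in by_size.items() if len(paths) > 1}


if __name__ == '__main__':
    summary = summarize(find_executable_hits(SAMPLE_LOG))
    for path, s in sorted(summary.items(), key=lambda kv: kv[1]['first_seen']):
        print(f"{path}: first seen {s['first_seen']:%Y-%m-%d %H:%M:%S}, "
              f"served {s['served']}x, 404 {s['missing']}x, from {sorted(s['ips'])}")
    for size, paths in same_size_groups(summary).items():
        print(f"same {size}-byte payload under: {', '.join(paths)}")
```

Run it over the real raw access log instead of SAMPLE_LOG (for example `summarize(find_executable_hits(open('access.log').read()))`). The first-seen timestamp of the earliest name is the point to compare against the FTP log and any script that accepts uploads; a 404 for a name followed minutes later by a 200 for a different name from the same address shows the link being handed out elsewhere is being updated as the file is renamed, which is why deleting it has no lasting effect.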


#7 Hayden

    P2L Jedi

  • Members
  • 716 posts
  • Gender:Male
  • Location:Texas

Posted 27 September 2007 - 10:01 PM

Part of me would redirect the site somewhere else and remove the scripts from your site to see if it continues. If it doesn't happen anymore, then they're probably exploiting some script you have; otherwise it's definitely something on the host side.

#8 U1

    Young Padawan

  • Members
  • 245 posts

Posted 04 October 2007 - 07:08 PM

You need root access to be able to remove it. It doesn't matter what you do, it will pop up and regenerate again and again. I could give you something to remove that within minutes, but then again you need root access.

Best thing to do is......move to 1and1 lool




