Techniques to remove malware from your domain!

Starfleet Officer Image by Sam Howzit via Flickr

Websites and domains!

I recently had to help my favorite club remove some malware off their website.   My club, Starfleet-command Quadrant One website, was one of those sites that didn’t see this coming.   As a website owner, I’ve seen many of things come and go but experience has taught me that it will always come back.  I will be watching for this again in the near future but hopefully it won’t come back!

The back story was something that I have to at least talk about because this is how the site got infected.

One reason that this site got infected was by being hosted with the same hosting server.  They were both using the Goddady shared hosting account to display their webpages or forums on the internet.   Thus Godaddy, with their infinite wisdom tried to explain it away as that.    I don’t know if I buy that reason or if there was something else that might of been the culprit but I do know this website had urls redirects and such to malware sites.  I much rather keep with Hostgator, then have Godaddy anyways.

Another Reason is that it was probably some kind of key logger, or something that was sending back the important password information to a Command and control server and thus the website owner was infected or someone in the organization that had access to the account was unintentionally allowing a hacker to gain access to the website.

Removing the Malware off your Site!

Nothing in the world is ever going to be easy, but it is necessary to get into the guts of the website.   Your probably thinking, websites don’t have guts.   You’d be wrong, when I thought about having to go through each part of the code and remove the html malware redirects that is what I mean by guts.      Many people will come to understand that as a programming language but I like to think of it as a doctor who does surgery to remove an infectedc limb or something like that.

So I’m going to give you a few areas to look at if your having this problem with Malware being on your site or domain.   It won’t always be the same place for the same infection but it will at least help you find it and remove it.

.htaccess — This is one place where they will first make changes to redirect traffic to the domain that they want your visitor to. If you have had much experience with what it does.   It is a good time to learn what they do and how to use them.

 

index.php or index.html— This is something that the hackers have learned to use but most often is over looked.   This is something that I haven’t seen before until now.   Certain browser will display the virus or malware warnings and others will not even see it or have any problems!   See example for more information, because I couldn’t do a better job then them!

 

Check Subdomains and subdirectories —   This is something that is also needs to be looked at.   even if they aren’t showing the signs of being being infected it is always a good idea to at least make sure they stay uninfected.   Check them for the .htaccess and index code and remove what you need or change it to where it should be going to in the first place.   I found the .htaccess redirect code all in subdomains and sub directories on the one that I helped to remove the infection from.

 

Change ALL passwords — This is a MUST, if you’ve been infected then your passwords are at risk of being the source of the infections.   Change your FTP Password, your log in information password, and anything associated with the site in question and possibility the subdomains passwords.

 

Limit the number of people with the new passwords — if your like me, you don’t want to many people to have the ftp password and thus you should consider only allowing a select number of people having it.   Like the organization I have, they have people left and right who use it to upload files and stuff that is needed.   It also might be required to just have a server that is used for nothing else but to upload files for publications and other things like that.

 

Disclaimer

Nothing in the article is a must do or will get rid of your site being blocked by Google and other such search engines but it will at least give you a place to start looking to find culprit and maybe get your site running again quicker.   I will not make any guarantees that this will fix the problem or that it will solve your problem 100% but this is to be used as a tutorial on where to look and what you should do to prevent re-infections with malware.

 Paul Sylvester

SUPERAntiSpyware, with over 20 million users worldwide, is the most thorough scanner on the market. SUPERAntiSpyware

 

 

 

 

 

Enhanced by Zemanta

And the Oscar goes to . . . Not these guys!

Sans Internet Storm is reporting on Anti-virus Scareware tactic. I’ll quote from them:

[ad#ad2-right]

ISC reader Gary wrote in to let us know that searching for “oscar presenters” and “oscar winners” with Google brings up a prominently ranked result on a web server in Poland, on a subdomain of “beepl”, which – surprise, surprise – includes a malicious JavaScript. The end result currently seems to reside on stabilitytracewebcom, and is yet another incarnation of the “Fake Anti-Virus Program” malware that we have covered repeatedly. Watch out, the EXE has a meager 6/39 on Virustotal.
[Via Sans]

I did my own research and it is true they are at least 3 sites with the .pl Domain that are used to send you to these fake sites. You should consider checking your system for possible viruses if you been to these sites and are worried. You should also report any site like this to Phishtank to fight this type of scare tactics. Please remember if you are worried about your system this is the best time to install software to prevent these types of scare tactics. Remember you don’t always have to buy software to be safe. There are free anti-virus and Firewall solutions at your fingertips, use them well. It is also a good idea to make sure you have the latest updates from Microsoft while your at it.