Hi all, as the topic says, I have a problem: my antivirus suddenly gave me a report and denied access to my forum at forum.evoptc.com. It said it's infected with an iframe virus. The question is, how can the virus be on my site? I can still browse www.evoptc.com; only forum.evoptc.com can't be accessed because it's blocked by my antivirus. It's a very new forum. Where could I have got that virus from? How can I prevent it in the future? And how can I remove that virus from my site? Thank you in advance for your help.
Your account was probably compromised. You probably have a virus or trojan running on your local computer or a computer that you use to access and administrate your account. Do you use FTP to access your account to upload new files? Do you store your username and password for your account in that FTP application? Chances are that something is running on your computer (or any computer that you administrate your website from) that is checking for usernames and passwords stored on your computer and then sending that information to hacker groups. You need to be sure that your computer is virus free and does not have any spyware or trojans running on it.
Thank you for your answer; now it seems I can understand how I could get infected. Yes, I used an FTP account once, as it's my new site, and I accessed my admin panel from another computer once too. Maybe that computer infected it. Now, how can I get rid of it (the virus) and how can I prevent it? Is it not because of my hosting? But if you say my computer maybe got a virus, shouldn't evoptc.com be infected too? It's only forum.evoptc.com that is infected, so evoptc.com and evoptc.com/forum are still safe. Is it possible to install antivirus on my hosting? How much would that cost me? Thanks again for your answer. I appreciate it.
There's really not a way to answer all of those questions. My assumption may not even be correct, you may have been compromised in some other way. If my assumption is correct, then the process of infection would look something like:
1. Your computer or a computer you use to administrate your website gets infected with a virus or trojan.
2. That virus or trojan runs a process on the computer searching FTP applications and their databases for username and password combinations or just looking for username and passwords in files on the computer.
3. When a username and password is found, that information is e-mailed, or somehow sent to an individual or a group of individuals.
4. That individual or group of individuals then have access to your account login information. They proceed to connect to your account via FTP using the hostname, username, and password that the trojan/virus provided for them.
5. Once connected to FTP on your account, they download your index page, edit that index page, place a malicious piece of javascript code or iframe code into the index page, then reupload it to your account.
6. Your website is now infected with malicious javascript or iframe code, which can then be used to infect or track other visitors of your website.
Step 5 is probably accomplished by an automated program. Your computer being infected with a virus is not a direct result of your website being infected with a virus, or vice-versa. It is because of the type of virus or trojan that is installed on your computer, that your login information was compromised. This compromised data is what led to your website being infected. How you got infected (Step 1) is completely up in the air. Perhaps you downloaded a program that was infected. Perhaps you received an e-mail that caused the infection. Perhaps you visited a website that caused the infection. There's really no way to be absolutely certain of how this infection initially took place.
The best thing you can do is take preventive measures. Keep your anti-virus software up-to-date. Make sure the memory-resident part of the virus scanner stays running. Do routine virus scans on your computer just to be sure. Use anti-spyware software to keep tabs on possible trojans or key loggers that might be installed on your computer. Practice overall safe web-browsing. I recommend using only Firefox for your web browser and installing the NoScript Firefox addon to help prevent any malicious JavaScript from running in your browser. All of this assumes that your account credentials were compromised due to a local virus or trojan. That may not be the case. I would bet that your credentials have been compromised in some way, but even that is not a given. Another way for your credentials to be compromised is if you leave your username and password written down near your desk at work or at a coffee shop; if you leave it in plain view, someone else may be able to read that information and then your information is compromised. There's really no way to know exactly how the information was compromised. It's also possible that there was no credential compromise at all. You may have an outdated script installed on your account or on your web server that allowed malicious users to gain access to your account and inject material into your website. You should always make sure that you are running the latest version of any scripts or applications you have on your website to prevent something like this from happening. Hope this helps.
OK, thanks again for your explanation. So from what I read, my conclusion is that to get rid of that virus I upload my index.php again, because that file is already infected by the virus? Is it really that simple? So my hosting PC is still not infected with anything? I don't need to install antivirus? The virus name I got is iframe.
The thing to keep in mind is that if your account has been compromised, how do you know the index file was all that was replaced? How do you know the malicious users did not upload something else to your website, a backdoor for example? If you are sure that the index file was all that was tampered with, then you can reupload a clean copy to your website and that should resolve the issue. However, you will want to change the password of your account and any FTP accounts on your account, so that the malicious users cannot access the account again. If your local computer is infected with a virus, trojan, or key logger then you will ultimately want to get that resolved. If you have a trojan installed on your computer, and you change the password of your account and reupload your index file, then that trojan may be able to find the new password, send it to the individuals that are defacing your website, and you start this process all over again. This is why, ultimately, if your computer is infected with something, you need to get it cleaned.
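One way to check whether the index file was the only thing changed, as an added example that is not part of the original reply: compare a downloaded copy of the live site against a known-clean copy by hash and flag files containing hidden iframes. The directory names, extension list and iframe pattern are assumptions, and the sample files are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed heuristic: an iframe sized 0/1 px or hidden with CSS is not meant to be seen.
HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*(?:(?:width|height)\s*=\s*["\']?[01](?:px)?["\']?(?=[\s>/])'
    r'|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>', re.I)
TEXT_EXT = (".php", ".html", ".htm", ".js")  # assumed set of files worth scanning

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(clean_root, live_root):
    """Diff a live copy against a clean copy and scan it for hidden iframes."""
    clean, live = manifest(clean_root), manifest(live_root)
    report = {
        "added": sorted(set(live) - set(clean)),      # e.g. an uploaded backdoor
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "missing": sorted(set(clean) - set(live)),
        "hidden_iframe": [],
    }
    for rel in sorted(live):
        if rel.lower().endswith(TEXT_EXT):
            text = (Path(live_root) / rel).read_text(errors="replace")
            if HIDDEN_IFRAME.search(text):
                report["hidden_iframe"].append(rel)
    return report

def demo():
    # Constructed sample: a clean copy, and a live copy with an injected
    # iframe in index.php plus one file that was never part of the site.
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for d in (clean, live):
            d.mkdir()
            (d / "index.php").write_text("<html><body>Forum</body></html>\n")
            (d / "style.css").write_text("body { margin: 0 }\n")
        (live / "index.php").write_text(
            '<html><body>Forum<iframe src="http://injected.example/" '
            'width="0" height="0"></iframe></body></html>\n')
        (live / "cache.php").write_text("<?php /* unexpected file */ ?>\n")
        return audit(clean, live)

if __name__ == "__main__":
    print(demo())
```

On a forum, legitimate uploads such as avatars and attachments also appear under `added`, so that list needs review rather than blanket deletion.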
Errr, honestly I'm not sure if my index file is infected. I just drew a conclusion from all the explanation you gave me; maybe I misunderstood you. I'm thinking my computer is infected, then it sends data to a hacker group, then that hacker group logs in to my admin area and injects my index file with a harmful script, so any person who accesses my site will get infected. Is that what you mean? If that is what you mean, that's why I'm asking again: if I reupload my index file, then will it be over? BTW, I already scanned my whole computer and it's clean; I used Kaspersky. And I don't know why, but suddenly my forum can be accessed again and nothing changed. No virus found. Weird.
After reading what you posted, I think the problem is a server malware infection, something that you can't prevent as a client due to lack of permissions. Possibly a malicious user/script kiddie got into your account or another account hosted on the same server and, using a local escalation exploit, put malware on all .html or .php files. Contact the hosting company to check the logs and especially cron activity.