Web Hosting Forum | Lunarpages


Topic: All exe files on my web site infected
RxRick
« on: June 18, 2010, 08:35:26 PM »

I am a very small-time software developer; I offer a few Windows programs for download on my web site.

All of the *.exe files in all directories on my web site have recently become infected with a Trojan horse downloader generic9.caxd.

Norton 360 does not detect it, but AVG does.

I've changed my site admin password and reloaded all of the files.

I double-checked and they are not infected now. But how do I stop this from happening again?

I understand how someone could hijack my password, but how could they infect every single exe in every directory on my web site? File sizes and dates are unchanged.
MrPhil
« Reply #1 on: June 19, 2010, 07:41:43 AM »

You're absolutely sure that the exe files aren't being infected on your PC before you upload them? You've done a complete virus/spyware scan on all PCs that handle your exe files? If the files are definitely being uploaded to your site "clean", and getting corrupted there, then that's a puzzler. It's possible to fudge the file date, but I don't know how a hacker would keep the size from changing (unless they're going through all the trouble of removing an equal amount of old data, to keep the size constant). As for passwords, a hacker may have gotten your FTP password (FTP clients send it in the clear). A spyware scan on your PC(s) may show a password sniffer or keystroke logger that's giving the hacker your passwords as soon as you type them in. Finally, are you running a firewall on your PC? Doing so would keep malware from talking to a hacker's computer "under the radar".
RxRick
« Reply #2 on: June 20, 2010, 07:36:56 AM »

I'm 99% sure my main PC is not infected; can you ever be 100% sure of anything? I have Norton 360 on my main PC.

I discovered all this via my netbook when I downloaded a file from my web site. The netbook has AVG which said the file was infected with a Trojan.

Several of these infected files have been on the web site for 3 years. I uploaded them 3 years ago, never had a problem.

So I checked every file in the download directory from my netbook, and they were all infected, except for two which I had uploaded within the past 2 days.

Then I re-uploaded the files from my main PC, then re-downloaded them to my netbook, and they were no longer infected.

Yes, my guess is someone got my password through my FTP client. Okay, I'll admit it, I sometimes BitTorrent movies, so I'm guessing that's how they got my password.

Hovering the mouse over the infected files, it says "Black Internet".

The real puzzler is that the file sizes and dates are identical.
MrPhil
« Reply #3 on: June 20, 2010, 09:57:23 AM »

Perhaps you should (temporarily) install another Antivirus/Antispyware on your PC and see if it agrees that your PC is clean. I trust that you know how to regularly update your Norton with new malware definitions, and aren't coasting along with definitions that are literally years out of date. Also be aware that some AV programs give false positives on perfectly legitimate code. If up-to-date Norton says the files are clean, and AVG says they're hacked, you may want to try a third and even fourth AV/ASW to break the tie.

As I said, it's not hard to fudge the date on the files. It would require having command line access to the server so that the Linux "date" command can be run to set the "last modified" timestamp to what it was before. It's also possible (but a lot of work) to remove an equal number of bytes from a file as one adds in a hack, so that the file size doesn't change. Hopefully your entire server hasn't been compromised, and at worst, someone has your account signon and password (have you changed that password?). When you say they have the same date and size, you're also referring to the files on your PC, not just those on the server?

Have you compared the files that AVG says were infected, with the fresh ones from your PC? Were they in fact different? I would presume that if AVG says the freshly-uploaded files are clean, that they are different. So the question is whether they were infected on your PC before upload, or were replaced with infected versions on your server account due to someone having your password. Have you generated fresh copies of your exe files from source? Any timestamps inside them will be different, so they won't compare exactly, but should still be the same size (if you use the same compiler and library as before).

Anyway, lots of things to check. Most likely someone got hold of your account and/or FTP passwords somehow (probably spyware on your PC, or possibly someone snooping on your insecure FTP or browser connection). Keep an eye open, and report to LP anything that looks like someone has compromised the whole server. Of course they will be doubtful, and you'll have to show all the steps you took to rule out an attack on just your PC or server account. Good luck!
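MrPhil's suggestion to compare the served files against the fresh local copies is the decisive check in this thread, because the puzzle (identical size and date) is exactly what a content hash catches and a directory listing does not. The following is an added example, not code from the forum or from Lunarpages: it hashes every .exe under a trusted local directory and under a copy fetched back from the server, and flags files whose size and modification time still match but whose bytes differ. The directory names, the stand-in file contents and the in-place overwrite that plays the role of the attacker's edit are constructed assumptions for the demonstration.

```python
"""Compare a trusted local download directory with the copy served by the
web host, using SHA-256 rather than size or modification time.

Added example for this thread (not code from the forum or from Lunarpages).
The directory layout, file names, fixed timestamps and the in-place
overwrite in demo() are constructed assumptions for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path, suffix: str = ".exe") -> dict:
    """Map each matching file (path relative to root) to size, mtime, SHA-256."""
    out = {}
    for p in sorted(root.rglob(f"*{suffix}")):
        st = p.stat()
        out[str(p.relative_to(root))] = {
            "size": st.st_size,
            "mtime": int(st.st_mtime),
            "sha256": sha256_of(p),
        }
    return out


def compare(trusted: dict, served: dict) -> dict:
    """Classify differences between the trusted and the served manifest.

    'silent' is the case the thread describes: same size, same modification
    time, different content. Only the hash reveals it.
    """
    report = {"silent": [], "changed": [], "missing": [], "unexpected": []}
    for name, t in trusted.items():
        s = served.get(name)
        if s is None:
            report["missing"].append(name)
        elif s["sha256"] != t["sha256"]:
            same_meta = s["size"] == t["size"] and s["mtime"] == t["mtime"]
            report["silent" if same_meta else "changed"].append(name)
    report["unexpected"] = sorted(set(served) - set(trusted))
    return report


def demo() -> dict:
    """Constructed scenario: three uploads, one replaced in place on the server."""
    base = Path(tempfile.mkdtemp(prefix="exe_check_"))
    trusted_dir, served_dir = base / "local", base / "server"
    trusted_dir.mkdir()
    # Constructed stand-ins for the real installers (not real PE files).
    files = {
        "tool1.exe": b"MZ" + b"A" * 1000,
        "tool2.exe": b"MZ" + b"B" * 2000,
        "sub/tool3.exe": b"MZ" + b"C" * 3000,
    }
    fixed_mtime = 1_276_800_000  # an arbitrary June 2010 timestamp (assumed)
    for name, data in files.items():
        p = trusted_dir / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (fixed_mtime, fixed_mtime))
    shutil.copytree(trusted_dir, served_dir)  # copy2 keeps the timestamps

    # Model the situation the thread suspects: the served file is overwritten
    # with content of identical length and its old mtime is put back.
    victim = served_dir / "tool2.exe"
    original = victim.read_bytes()
    victim.write_bytes(original[:-32] + b"X" * 32)  # same length, new bytes
    os.utime(victim, (fixed_mtime, fixed_mtime))

    result = compare(manifest(trusted_dir), manifest(served_dir))
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())  # tool2.exe lands in 'silent': size and date match, hash differs
```

In practice the trusted manifest is generated once at upload time and kept off the server, and the served copy is fetched with the same client that visitors use; a match on size and modification time alone proves nothing, since anyone with write access to the account can set both.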
RxRick
« Reply #4 on: June 21, 2010, 03:20:05 AM »

I checked file sizes and dates when I was re-uploading the files.

Yes, it all seems a little far-fetched; I can't imagine every single exe file on my web site being infected without a change in file size and date.

I was going to do just that, compare the supposedly infected files with the originals. Then I ran a complete AVG scan on the netbook which reported this trojan had infected 2 files, smss.exe and services.exe, found in the 'system volume information' folder. AVG could not clean them, and I could not end the processes or delete the files in safe mode. So, I installed 'PlopLinux' on a thumb drive, booted it, then deleted the infected files from the linux command line.

I wonder if the true scenario was that the netbook which reported the virus was infecting the files as it was downloading them. Is that a more logical scenario?