#26
Dan,
Your website is fine. The exploit targeted the server and only inserted the malicious iFrame into your website, normally in the header. If you still feel nervous about your site's security, then for peace of mind you might want to change your site and database passwords. We did.
Hats off to HG Engineers and everyone else who helped figure this out.
Brad
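The check implied by this post, as an added example that is not part of the original thread: scan a page's HTML for iframes whose source host is not one you placed yourself, and note whether each sits in the head. The origin, allow-list, sample page and hidden-frame heuristic are assumptions for illustration; the thread does not give the injected iframe's markup.

```javascript
// SITE_ORIGIN, ALLOWED_HOSTS and SAMPLE are constructed for illustration.
const SITE_ORIGIN = "http://www.example.com/";
const ALLOWED_HOSTS = new Set(["www.example.com"]);

// Read the attributes of one <iframe ...> tag (quoted or bare values).
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of tag.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Report every iframe whose src resolves to a host outside the allow-list.
function findForeignIframes(html, origin = SITE_ORIGIN, allowed = ALLOWED_HOSTS) {
  const headEnd = html.search(/<\/head\s*>/i);
  const findings = [];
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttrs(m[0]);
    let host;
    try {
      host = new URL(attrs.src || "", origin).hostname;
    } catch (err) {
      host = "(unparseable)";
    }
    if (allowed.has(host)) continue;
    const style = (attrs.style || "").replace(/\s+/g, "").toLowerCase();
    findings.push({
      line: html.slice(0, m.index).split("\n").length,
      host,
      inHead: headEnd !== -1 && m.index < headEnd,
      // Assumption: injected frames are often zero-sized or hidden by CSS.
      hidden: attrs.width === "0" || attrs.height === "0" ||
        style.includes("display:none") || style.includes("visibility:hidden"),
    });
  }
  return findings;
}

// Constructed sample page: one injected frame in the head, one legitimate frame.
const SAMPLE = [
  "<html><head><title>Home</title>",
  '<iframe src="http://injected.invalid/x" width=0 height=0></iframe>',
  "</head><body>",
  '<iframe src="/widgets/map.html" width="400" height="300"></iframe>',
  "</body></html>",
].join("\n");
console.log(findForeignIframes(SAMPLE));
```

Regex matching is enough for a first pass over static files; frames written by script at load time will not show up in the source and need a look at the rendered DOM.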
#27
Previous system scan and cleaning on 8/31/06
First scan after reading the word virus 9/23/06 10:24:56AM est
AVG7.1.4 - win2000/sp4
May be infected by unknown virus Exploit.WMF
Virus identified Java/ByteVerify
Trojan horse Downloader.Generic2.EEK
Trojan horse PSW.Generic.YRD
Trojan horse PSW.Generic.YRD
Trojan horse Downloader.Generic2.EEK
Trojan horse PSW.Generic.YRD
Trojan horse PSW.Generic.YRD
Trojan horse PSW.Generic.YRD
Trojan horse Downloader.Generic2.GXM
Trojan horse Downloader.Agent.FJQ
Trojan horse Downloader.Generic2.EEK
AVG7.1.4 - winXP/sp2 clean... amazing
These anti-spyware scanners are all over the place. Today's problems keep reappearing.
ewido4.0 - win2000/sp4 499 medium risk and 2 high risk
Trojan.ClassLoader.Dummy.c
Trojan.Nocheat
ewido4.0 - xp/sp2 397 medium risk and 1 high risk
Trojan.Imiserv.c
I appreciate the input effort of the online community or maybe everyone's just trying to recover like me.
#28
Whoa, that's a lot of junk!
Also, did you disable system restore before scanning and cleaning with Ewido?
If you have a problem getting rid of those pests in spite of the above, perhaps see if anyone on http://www.dslreports.com/forum/security can help you.
Last edited by TakeThat!; 09-24-2006 at 03:24 PM.
#29
Hi,
AVG says all ok, but Kaspersky free online scan showed 1 virus with 2 incidences (trojan-Spy-HTML). How do I clean up? Cheers, john
__________________
www.dvdmonkey.co.uk Cult and Classic DVDs at LOW prices -quick ship to UK, Europe, US, Canada, Australia and Japan!
#30
Install Kaspersky and run it. Kaspersky is the best, and if you can't afford it, try the 30-day trial version. Same as the full version for 30 days.
#31
Quote:
Thank you very much, that's exactly what I needed to know so that I don't spend the rest of my life dealing with what I have been very good at avoiding until Friday... thanks again. The scariest thing here is that these jerks appear to be on the bleeding edge; that makes it much harder and you must be on your best game. Back to work.
#32
Thanks Serra, that is what I will do and hopefully that will be my last scan!
#33
If there is something it doesn't find, I'd expect in the next couple of days there will be an update to cover new items. If you don't 'see' a problem, don't worry about it for now. Let the scanners catch up and they will find everything fairly shortly.
#34
Seems another forum is updated faster than HG forums:
Cpanel root exploit not really patched. READ http://www.webhostingtalk.com/showthread.php?t=549708
Hostgator - Exploited by Hackers http://www.webhostingtalk.com/showthread.php?t=549291
Major security issue with Cpanel. Watch for updates http://www.webhostingtalk.com/showthread.php?t=549458
#35
I was wondering if Cpanel actually patching the problem was too good to be true.
It's a shame for Hostgator and their customers as well as tons of hosting companies out there. CPanel really needs to have a competent 3rd party do a security audit before they release their product!!
Quote:
Last edited by TakeThat!; 09-24-2006 at 04:26 PM.
#36
Until Cpanel gets their ducks in a row and actually releases a patch that fully protects these issues and Microsoft releases the XP patch to block the IE vulnerability I'd only use FireFox to view your sites. I'd suggest that you tell your website viewers to do so also.
#37
I do as well. I do nearly all my stuff from Opera. But FF is a decent alternative too.
#38
It's a shame that oversights by MS and Cpanel can cause so many problems for companies and Hostgator and their customers.
Do you think that there is anything at all Hostgator can do to stop this till CPanel gets off their butt so to speak?
#39
I'm not sure if this will help any of you but you might want to take action to protect your website's viewers until Microsoft & Cpanel get their patches out.
On our site CityBity.com I'm detecting all Internet Explorer users and redirecting them to a page explaining the situation and telling them to download Mozilla FireFox to view our website. Here's the code:
Code:
<script>
// navigator.appName reports "Microsoft Internet Explorer" in IE
var browser_type = navigator.appName;
// parseInt keeps the leading major version number from appVersion
var browser_version = parseInt(navigator.appVersion, 10);
// Send IE 4 and later to the explanation page; replace() keeps the redirect out of history
if (browser_type == "Microsoft Internet Explorer" && browser_version >= 4) {
  window.location.replace("http://www.citybity.com/home/firefox.html");
}
</script>
Example: Try viewing http://www.citybity.com with Internet Explorer; it will redirect you to http://www.citybity.com/home/firefox.html.
It's a big step to encourage your viewers to use/not use Internet Explorer and huge for FireFox, but I think they'll understand considering the circumstances. They should even be happy that you're taking evasive steps to protect them.
Last edited by wwobn; 09-24-2006 at 06:06 PM.
#40
Thanks for the suggestion! And yes, I was the "unregistered" who posted above as I forgot to log back in.
While my own site is fairly low traffic and doesn't seem to have been affected by this, I am still somewhat scared of the whole thing. I'll think about using your idea as I don't want anyone to run a risk of being infected. Thanks again and thanks to everyone at Hostgator who has been trying to get this problem fixed!
#41
#42
Not so fast with the upgrade.
quote: Some people have reported a problem with seeing new dbs in phpmyadmin. It's currently being investigated.
http://forums.cpanel.net/showthread.php?t=58090&page=14
#43
Latest scan: Kaspersky winXP/sp2
Finish time: 9/24/2006 8:52:56 PM
Detected: 22
Trojan program Trojan-Dropper.Win32.Small.qw Temporary Internet Files\Content.IE5\ENIDAH4R\dsktrf_abi_new[1].exe/data0004
Trojan program Trojan-Downloader.Win32.Agent.tf File: C:\Program Files\asys\stb.exe
Trojan program Trojan-Downloader.Win32.Agent.tf File: C:\Program Files\CMAPP\cmappstub.exe
Trojan program Trojan-Dropper.Win32.Small.qw File: C:\WINDOWS\Temp\II22.exe/data0004
Trojan program Trojan-Dropper.Win32.Small.qw File: C:\WINDOWS\Temp\II22.exe
Trojan program Trojan.Win32.Revop.c housecall6.6\Quarantine\\in4bdlA.dll
The last Trojan was cleaned by TrendMicro online.
This sys was clean earlier today. Only online use was FF browser use to visit this forum! XP Sys restore off.
Currently scanning my NT system with Kaspersky.
This has crippled my ability to do anything, anyone else going through this?
#44
You'll be seeing this for the next few days until net cache is updated properly.
__________________
Brad Aim: ww0bn Skype: omabeeerad
#45
A big Thanks to the super support from HG and friends!
#46
OK, I have a question here. A few days ago one of my folders was disabled to 000. I was told by hostgator support a system admin did it because it was getting too much traffic and almost caused the server to crash. Then today my mysql went down, and for at least 10 mins of it being down or not being able to access it, under server status it showed that it was up.
Support got it back up. Then I noticed that a few of my key tables in most of my databases have been disabled, or more so say "in use". So I once again contacted support (both times using live chat). They told me that a total of 13 of them were disabled by a system admin. In order for me to get them turned back on, I would have to email support. So I did. To sum up what I said: I was very unpleasant about how things have been going for me, as it appears that now my site is too much for hostgator servers. I simply asked for these tables to be turned back on, as it has totally caused my site to go offline.
HG replies telling me to read this topic. So from what I read, there is a problem with cpanel getting a virus or something and my computer could have it. I scan my computer all the time. I have no virus or spyware, etc. I never use IE for browsing. I used it a few days ago (like a week and a half ago) just to look at my site to make sure it works for my IE users. (I hate IE, btw.)
So what I gather is that it was not my forums causing my site to use up high memory, but that there is a problem with cpanel. Why on earth didn't support just tell me this to begin with? I mean, you sent me all around with little answers on what was going on, and still my problem has not been resolved. My site is still down because most of my key tables are disabled. Are they going to be turned back on or what?
My Ticket #QDB-891184
#47
I have many popups in IE for "winantivirus 2006 pro", and I tried to scan the computer with many antivirus & softwares.. but with no luck. It's definitely the virus I got from the HG/IE issue..
Any help?
#48
Quote:
Try ewido, might help. And for everyone: never do your daily tasks logged in as an administrator. A limited user doesn't have full access to system files, which reduces the risk of getting infected.
__________________
Regards, Gytis Repecka a.k.a. Kelmas NFS and Car Tuning forum | AutoNews.lt HostGator client since 2005
#49
I found the quickest way to get rid of the "winantivirus 2006 pro" popup in IE was to do a system restore using the inbuilt Windows XP tools. Once you have restored the system then run Anti virus again and all should be ok. It worked for me.
#50
There seem to be a lot of mixed messages here and elsewhere (I'm thinking of the webhostingtalk board, slashdot etc) on just exactly what if anything has been fixed, and how vulnerable we all still are to attack. I've not brought my site back online since the problems first appeared on Friday, and thankfully I don't think either myself or my users have contracted anything nasty as a result, but I'm very nervous about reopening while there are still these question marks in the air. I've decided I want to give Hostgator another go because I realise this is a generic Cpanel issue that could have struck at any one of a thousand hosts, but I really want some more reassurance first that I'm not just going to be putting people at risk... anyone?
Last edited by Boinng; 09-25-2006 at 07:30 AM.