Disinfect your Website from HTML/Iframe.B.Gen virus

You have probably heard of the strange virus/trojan that goes by the name "HTML/Iframe.B.Gen", as detected by ESET and Kaspersky. The ".Gen" marks it as a generic signature: it flags the hidden iframe tag injected into web pages rather than one specific piece of malware. To tell you the truth, we got hit by it on 5/10/2009; thereafter google.com and other partner sites started blocking us on suspicion of malware, with a warning just like the snippet we have provided below.


Warning: Visiting this site may harm your computer!

The website at www.todleho.com appears to host malware software that can hurt your computer or otherwise operate without your consent. Just visiting a site that hosts malware can infect your computer.


Yada Yada .... blah blah blah....

We panicked and ran like madmen from one end of our office to the other, cursing every colleague we met on the way. After cooling down, we summoned our best security analysts and told them to combat the situation ASAP. After a few meetings and some hair pulling, we ran preliminary tests on various pages and code, only to be overwhelmed by the above-mentioned virus, which had quite delicately inserted a hidden tag into most of our HTML and PHP files.

Initially we thought our server had been compromised, and we wrote a letter to our hosting provider. But they told us that the security loopholes or vulnerabilities were on our website. So we delved further into the matter and unearthed the miscreant site the tag pointed to, which seemed to be internetcountercheck.com. We then fired up our trusty Search & Replace program, ran a search-and-replace operation on each file, and replaced the tag with an empty string. After hours of painstaking work, carefully diagnosing every last one of our digital bytes, we were able to get rid of them once and for all.

As we googled for this specific problem that was haunting us, we realised that our FTP account had been compromised. So we changed all our domain credentials, along with our beloved FTP client software, to put a stop to this. Moreover, we switched to SFTP for all our file transfer needs.

The code the virus inflicted on our files (don't worry, the original post shows it only as a screenshot, which is not reproduced here):

After our Search and Destroy (oops, Search and Replace) operation was over, we had to request a review from Google Webmaster Tools, StopBadware.org and McAfee SiteAdvisor (siteadvisor.com). And you know what? From the next day onwards those nasty "Malware Detected" warnings started to go away. We breathed a sigh of relief.
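The search-and-replace step described above, as an added example that is not the author's tool or code from the original post: a small Python script that walks a web root, finds iframe tags that either point at the named domain or are hidden from the visitor (zero size or CSS-hidden), strips them, and keeps a .bak copy of every file it changes. It assumes the injected tag was a zero-size iframe whose src sat on internetcountercheck.com, reconstructed here because the post shows the markup only as a screenshot; the sample page and the throwaway web root are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Domain the post names as the iframe target. Assumption: the injected tag was a
# zero-size iframe with its src on this domain (the post shows it only as a screenshot).
INJECTED_DOMAIN = "internetcountercheck.com"

# An <iframe ...> opening tag plus its optional </iframe> closing tag.
IFRAME_RE = re.compile(r"<iframe\b(?P<attrs>[^>]*)>\s*(?:</iframe\s*>)?", re.IGNORECASE)


def _attr(attrs, name):
    """Value of an HTML attribute (double-quoted, single-quoted or bare), or None."""
    m = re.search(r"\b" + name + r"\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
                  attrs, re.IGNORECASE)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def is_suspicious(attrs):
    """True for frames that point at the bad domain or that the visitor cannot see."""
    src = (_attr(attrs, "src") or "").lower()
    if INJECTED_DOMAIN in src:
        return True
    # Zero-size frames: the classic way an injected iframe stays invisible.
    width = (_attr(attrs, "width") or "").rstrip("px")
    height = (_attr(attrs, "height") or "").rstrip("px")
    if width == "0" and height == "0":
        return True
    # CSS-hidden frames, with whitespace normalised so "display: none" still matches.
    style = re.sub(r"\s+", "", (_attr(attrs, "style") or "").lower())
    return "display:none" in style or "visibility:hidden" in style


def clean_html(text):
    """Strip suspicious iframes; return (cleaned text, list of removed tags)."""
    removed = []

    def repl(m):
        if is_suspicious(m.group("attrs")):
            removed.append(m.group(0))
            return ""
        return m.group(0)  # legitimate embeds are left untouched

    return IFRAME_RE.sub(repl, text), removed


def disinfect_tree(root, extensions=(".html", ".htm", ".php"), dry_run=True):
    """Walk a web root and report (and, unless dry_run, remove) injected iframes.

    Returns {path: number of tags removed}. With dry_run=False each modified
    file is first copied to <name>.bak so the evidence survives the cleanup.
    """
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        original = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, removed = clean_html(original)
        if not removed:
            continue
        report[str(path)] = len(removed)
        if not dry_run:
            backup = path.with_name(path.name + ".bak")
            backup.write_text(original, encoding="utf-8", errors="surrogateescape")
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report


# Constructed sample page: one injected, invisible frame and one legitimate embed.
SAMPLE_INFECTED = (
    "<html><body>\n<h1>Welcome</h1>\n"
    '<iframe src="http://internetcountercheck.com/stat/" width="0" height="0" '
    'frameborder="0"></iframe>\n'
    "<p>Real content</p>\n"
    '<iframe src="https://www.youtube.com/embed/demo" width="560" height="315"></iframe>\n'
    "</body></html>\n"
)


def demo():
    """Build a throwaway web root, dry-run, then really clean it; return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "index.php").write_text("<?php include 'header.php'; ?>\n" + SAMPLE_INFECTED,
                                        encoding="utf-8")
        (root / "sub" / "page.htm").write_text(SAMPLE_INFECTED, encoding="utf-8")
        (root / "about.html").write_text("<html><body>clean</body></html>\n", encoding="utf-8")
        dry = disinfect_tree(root, dry_run=True)
        disinfect_tree(root, dry_run=False)
        after = disinfect_tree(root, dry_run=True)
        return {
            "infected_files": sorted(Path(p).name for p in dry),
            "tags_removed": sum(dry.values()),
            "still_infected": len(after),
            "backups": sorted(p.name for p in root.rglob("*.bak")),
            "youtube_kept": "youtube.com" in (root / "index.php").read_text(encoding="utf-8"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with dry_run=True first and read the report before touching anything. Where a backup taken before the infection exists, restoring it beats regex surgery, and cleaning the files does nothing about the stolen FTP credentials: rotate those first, or the tag comes straight back.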


Synopsis:

Bad antivirus/antispyware on the desktop: the PC a webmaster uploads from is where FTP credentials get stolen, so get the best antivirus, antispyware and firewall you can for every desktop that holds site credentials; compromising on this can cause digital mayhem.

Insecure FTP access: plain FTP sends the username and password in cleartext, so anything on the path between you and the server, including a trojan on your own PC, can read them. Always insist on a secure transfer protocol: SFTP (file transfer over SSH) or FTPS (FTP over SSL/TLS). Note that encryption protects the password only in transit; a password the client has saved on disk is still there for malware to read, and that is how the FTP accounts hit by these mass iframe injections were commonly harvested.

FTP client vulnerability: we used FileZilla (a free FTP client) without SFTP, which is the numero uno reason for this mishap. So we bid farewell to FileZilla and embraced WinSCP (another free alternative, but with much better security).

Lazy attitude towards password safekeeping: we did learn from our mistakes; never again will we save passwords for our crucial sites, and we have made it a rule to change all of our domain and server admin passwords every month.

Web Diagnostic Services :

http://www.unmaskparasites.com/security-report/

http://www.stopbadware.org/home/reportsearch

https://www.google.com/webmasters/tools

http://www.mywot.com/en/scorecard

http://user.siteadvisor.com/

Rejoice now, the beast is gone for good!


Please post your comments and feedback on this blog. I would really appreciate a "Thank You" note if you find it interesting and useful, and you can share your own experience in taming this shrew with us. Thanks

Tags: Virus HTML PHP Exploit Vulnerability Infection Disinfection Security Website Malware

Comments

No comments yet.
