Posted 11 October 2007 - 03:03 PM
I was infected (and still might be) with the storm worm about 2 weeks back. It wouldn't let me open my email, and my ISP was calling telling me I had a virus (though they offer no assistance). After 2 days of running scan after scan & using various programs I thought it was all cleaned.
Fast forward to today... I had uploaded some new files last night to my web server. I visit the site today that I had uploaded the files to and, lo and behold, it tells me it has a virus!
I looked at the FTP dates & the last I had uploaded files was yesterday (10/10), yet it was showing a few files as being modified today (10/11). I downloaded the files & saw that attached to the bottom was a line of code, an iframe to be exact, with a URL to a site that was trying to download the infected files.
This URL, as far as I know, is part of the storm virus (do not try to go there): y x b e g a n d o t c o m
I talked with my web host & they said that it had to be on my end since the server can't get infected... because it's a Linux server.
So my question then is how did the file get modified? Since I'm 99% sure the file was modified AFTER I uploaded it, then how can that happen? I doubt the server was hacked in order to add it to a few random files.
The files on my end did not have the code before I uploaded them... the only 'new' thing I uploaded besides PHP files was WordPress... is that known to have any holes when it comes to the storm worm?
I'm just confused and would like to pinpoint how this happened so I can prevent it from happening in the future. Unless it wasn't the storm virus at all.
Any information would help,