Confused As To Storm Worm On Web Server...


4 replies to this topic

#1 andream

Posted 11 October 2007 - 03:03 PM

I was infected (and still might be) with the storm worm about 2 weeks back. It wouldn't let me open my email, my ISP was calling telling me I had a virus (though they offer no assistance). After 2 days of running scan after scan & using various programs I thought it was all cleaned.

Fast forward to today...I had uploaded some new files last night to my web server. I visit the site today that I had uploaded the files to and lo and behold it tells me it has a virus!

I looked at the FTP dates & the last I had uploaded files was yesterday (10/10) yet it was showing a few files as being modified today (10/11). I downloaded the files & saw that attached to the bottom was a line of code, an iframe to be exact, with a URL to a site that was trying to download the infected files.

This URL as far as I know is part of the storm virus (do not try to go there) y x b e g a n d o t c o m

I talked with my web host & they said that it had to be on my end since the server can't get infected...because it's a Linux server.

So my question then is how did the file get modified? Since I'm 99% sure the file was modified AFTER I uploaded it then how can that happen? I doubt the server was hacked in order to add it to a few random files.

The files on my end did not have the code before I uploaded them...the only 'new' thing I uploaded besides PHP files was WordPress...is that known to have any holes when it comes to the storm worm?

I'm just confused and would like to pinpoint how this happened so I can prevent it from happening in the future. Unless it wasn't the storm virus at all.

Any information would help,

Thanks!
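
The two symptoms described in the post above (files modified after the owner's last upload, each with an iframe attached to the bottom) can be checked for mechanically on a downloaded copy of the site. This is an added example, not part of the original thread; the function names, the extension list and the 2 KiB tail window are assumptions, and the sample data is constructed.

```python
import os
import re
import sys

IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
CLOSE_HTML_RE = re.compile(rb"</html\s*>", re.IGNORECASE)
WEB_EXTS = (".php", ".html", ".htm", ".js")
TAIL_BYTES = 2048  # assumption: an appended tag sits in the last 2 KiB

# Constructed sample: a clean page with an iframe tacked on after </html>.
SAMPLE_INJECTED = (b"<html><body>Hello</body></html>\n"
                   b'<iframe src="http://malicious.example/" width=1 height=1></iframe>')


def trailing_iframes(data):
    """Return iframe tags after the last </html>; for files without one
    (PHP includes, scripts), look in the final TAIL_BYTES instead."""
    closes = list(CLOSE_HTML_RE.finditer(data))
    tail = data[closes[-1].end():] if closes else data[-TAIL_BYTES:]
    return [m.decode("latin-1") for m in IFRAME_RE.findall(tail)]


def scan_webroot(root, last_upload):
    """List web files modified after last_upload (Unix timestamp) that
    also end with an iframe: the two symptoms described in the post."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTS):
                continue
            path = os.path.join(dirpath, name)
            mtime = os.stat(path).st_mtime
            if mtime <= last_upload:
                continue  # unchanged since the owner's own upload
            with open(path, "rb") as fh:
                tags = trailing_iframes(fh.read())
            if tags:
                findings.append({"path": path, "mtime": mtime, "tags": tags})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    # Usage: python scan.py <local copy of web root> <last upload, Unix time>
    if len(sys.argv) == 3:
        for hit in scan_webroot(sys.argv[1], float(sys.argv[2])):
            print(hit["path"], hit["tags"])
    else:
        print(trailing_iframes(SAMPLE_INJECTED))
```

Hits are candidates for manual review: a page that legitimately places an iframe at its very end and was edited recently will also be listed.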

#2 andream


Posted 12 October 2007 - 03:37 PM

Shameless bump...it happened again today...

I'm going to go ahead and guess that possibly passwords were stolen & now being used to hack into the website & modify the files - it's a stretch but seems like the most realistic answer right now.

Any better suggestions let me know, I'm just going to go ahead and update all passwords see if that doesn't fix it.

#3 quietman7


Posted 12 October 2007 - 05:42 PM

W32.Storm.Worm
Storm.Worm
Storm Worm DDoS Attack
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 andream


Posted 15 October 2007 - 12:55 PM

I'll read over all this, thanks. I changed the FTP password and it's seemed fine ever since.

#5 quietman7


Posted 15 October 2007 - 01:00 PM

Glad to hear the problem has been resolved. :thumbsup:

Thanks for posting back and letting us know.