Hardcore Hecxz (Straight-Edge Extremist)
Age: 39 Joined: 23 Mar 2005 Posts: 631 Location: Kentucky
Posted: Fri Feb 19, 2010 3:36 am Post subject: Trojan Horse found on rockman-exe.com
I'm reporting it straight to Ryo and the admins.
My avast! virus scanner is reporting a Trojan Horse on rockman-exe.com. How it got there I'm not sure, most likely a hacker. Here's the info my program is gathering.
Avast! Virus scanner
File name: http://www.rockman-exe.com/
Malware name: JS:Illredir-R [Trj]
Malware type: Trojan Horse
VPS version: 100218-1, 02/18/2010
Hopefully this can help in this trojan's removal.
In other words, be careful guys and try to avoid this getting onto your computer.
--------------------------------
I figured I'd post some info to notify those who are unaware, and also for Ryo, in an effort to stop it. I picked this up from ZYENWEB.
About the Trojan
What’s so dangerous about Trojans? Basically, Trojans are harmful software which, while they seem to be doing what you asked them to do, are busy doing other things that you didn’t ask for… like sending information (credit card information, personal information, financial information, etc.) secretly to other people. Or they could rewrite certain code or links in your browser so that you are redirected to other websites without your knowledge. For example, you may be trying to visit your bank’s website, and you key in the website URL manually, but you are rerouted to a phishing website which looks identical because of the code rewrite in your browser.
I’m not sure about what this Trojan really does – I’m not a virus expert. If anyone knows, or when I do find out, I’ll update.
Protect Yourself
I haven’t researched enough or spoken to enough people to find out which of their antiviruses work. It’s in the middle of the night so very few people are awake. All I can say here is, I’m using AVG and this antivirus did not detect the trojan. My client himself who uses Avira also said it was not detected. I’m not here to promote any particular antivirus actually, but my client’s staff (the one who detected it) used Avast Antivirus, so perhaps this may be a good one to use.
http://www.avast.com/
How Do We Tell Which Websites Are Under Attack?
Well, in my case, all the websites I was taking care of appeared to have been attacked. I’ve managed to fix them, but I’ll have to keep an eye on them to make sure that they aren’t attacked again.
I’d like to appeal to everyone out there to be aware of this and to help where you can. My guess is that it is possible that there are many websites out there that have been attacked, but the owners or webmasters are unaware of it. This is because the webpage does not look any different from what it usually does, and this is why it’s so dangerous! Please note that the website owners themselves may not be the perpetrators, and are victims. If you have found any website that has been subjected to the trojan attack, please help out by informing the website owner and/or webmaster right away so that action can be taken.
Here is how you can find out whether the website has been attacked:
1. Website seems to be loading slower than usual.
2. When the website is loading, check the status bar. If the status bar indicates that there is some traffic being routed to websites of unusual names that are not related to the current website in any way, it is very possible that the website has been attacked.
3. The easiest way to find out is to take a look at the page source. Go all the way to the bottom. After </html>, if there is something similar to the following, it indicates that the website has been attacked. This code, which appears to be gibberish, may also appear anywhere INSIDE the website instead of after </html>.
[image in the original article: "Trojan attack", showing the injected code]
How to view the page source:
* Internet Explorer: View menu > Source
* Firefox: View menu > Page Source
* Google Chrome: Right-click anywhere on the page > View page source
* Opera: View menu > Page Source
* Safari: Right-click anywhere on the page > View Source OR View menu > View source
Fixing The Websites
For those of you who own websites and would like to know how to remove the trojan, it’s easy – just remove the extra code. Not all files are affected, I’ve found that mostly the following files are affected:
* Files named index or have the word index in them. E.g. index.html, index.php, index.htm, index_main.htm
* Files named home or have the word home in them. E.g. home.html, homepage.htm
* Files named main or have the word main in them. E.g. main.html, main_page.htm
* Files named header or have the word header in them. E.g. header.php, header.inc, header_main.php
* Files named footer or have the word footer in them. E.g. footer.php, footer.inc, footer_main.php
* All javascript files with the .js extension. E.g. javascript.js, functions.js
All folders in your server will be affected, including the root folder, the subfolders, the subdomains, and the subfolders in the subdomains.
While some forums suggest that only Linux servers are affected, I’ve found some of my clients who use Windows servers are also affected.
I think that there are some scripts available for you to download and use on your server so that it will automatically scan and remove the code from all affected files, but I didn’t look for them because some of the other users warned that the files themselves have the virus in them. It’s tedious to remove the code one file at a time, of course. What I did was to check the last modified date of the files – in my case, the files were affected on 24th and 25th December 2009. That way, I easily detected which files were modified, and I either removed the code manually or re-uploaded my local copy onto the server. It’s tedious, but I know it works.
If anyone has found anything to add to the above, please let me know by email or by commenting. This is pretty dangerous and it’s so malicious… so please be vigilant and do your bit to help out and spread the word.
One more thing I’d like to add: Don’t expect your webhosting provider to inform you or to work on the problem for you. The moment I discovered this, I wrote to all the webhosting providers that my different websites reside on to ask them to check how this could have happened, and to also ask them to inform their clients, and their responses were about the same. They asked me to choose a password that was difficult to guess, and one said I was the only account affected – and this by a company whom I bought several packages from, ALL of which had been attacked.
-----------------------
Good luck in fixing this.
_________________
-Follow me on Twitch.tv-
http://www.twitch.tv/hchecxz
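The checks in the article quoted above (look for stray content after </html> or obfuscated script anywhere in the file, start with the index/home/main/header/footer and .js files in every folder, and use last-modified dates to find what was touched) can be turned into one scan of a site's document root. The script below is an added example written for this page; it is not code from the ZYENWEB article, from avast, or from the rockman-exe.com admins. The "obfuscated JavaScript" regex (eval/document.write over unescape or String.fromCharCode, long %xx or \xNN runs) is this example's own heuristic, not a description of the actual JS:Illredir payload, and the sample site it builds in a temporary directory is constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# File names the quoted article lists as the usual injection targets (taken from the post as-is).
TARGET_WORDS = ("index", "home", "main", "header", "footer")
TARGET_EXTS = (".html", ".htm", ".php", ".inc", ".js")

# Heuristics for injected, obfuscated JavaScript. The article only says "gibberish";
# these patterns are this example's own assumption and will not catch every variant.
OBFUSCATED_JS = re.compile(
    r"(?:eval|document\.write)\s*\(\s*(?:unescape|String\.fromCharCode)"
    r"|(?:%[0-9a-fA-F]{2}){16,}"      # long percent-encoded run
    r"|(?:\\x[0-9a-fA-F]{2}){16,}"    # long \xNN run
)

# Start of the suspect window the article used (files touched on 24/25 Dec 2009).
INJECTION_WINDOW_START = datetime(2009, 12, 24, tzinfo=timezone.utc)


def is_target(path: Path) -> bool:
    """True for the file names the article says are commonly modified."""
    suffix = path.suffix.lower()
    if suffix not in TARGET_EXTS:
        return False
    return suffix == ".js" or any(w in path.name.lower() for w in TARGET_WORDS)


def scan_file(path: Path) -> list:
    """Return human-readable reasons this file looks injected (empty list if clean)."""
    reasons = []
    text = path.read_text(errors="replace")
    end = text.lower().rfind("</html>")
    if end != -1 and text[end + len("</html>"):].strip():
        reasons.append("content after </html>")      # the article's step 3
    if OBFUSCATED_JS.search(text):
        reasons.append("obfuscated JavaScript pattern")  # "anywhere INSIDE the website"
    return reasons


def scan_tree(root, modified_after=None, all_files=False) -> dict:
    """Walk root and every subfolder; map relative path -> reasons it was flagged.
    A file is reported if its content looks injected or, when modified_after is given,
    if its mtime is inside the suspect window (the article's last-modified-date check)."""
    root = Path(root)
    results = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or not (all_files or is_target(p)):
            continue
        reasons = scan_file(p)
        if modified_after is not None:
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            if mtime >= modified_after:
                reasons.append(f"modified {mtime:%Y-%m-%d %H:%M} UTC")
        if reasons:
            results[p.relative_to(root).as_posix()] = reasons
    return results


def _write(root: Path, rel: str, body: str, when: datetime) -> None:
    """Create a file with the given body and last-modified time."""
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(body)
    os.utime(p, (when.timestamp(), when.timestamp()))


def build_sample_site() -> str:
    """Constructed sample web root in a temp directory (not a real infected site)."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    old = datetime(2009, 11, 1, tzinfo=timezone.utc)
    hit1 = datetime(2009, 12, 24, 12, 0, tzinfo=timezone.utc)
    hit2 = datetime(2009, 12, 25, tzinfo=timezone.utc)
    _write(root, "index.html", "<html><body>ok</body></html>\n", old)
    _write(root, "about.html", "<html><body>About</body></html>\n", hit2)  # touched, but clean
    _write(root, "sub/index.php",
           "<?php include 'header.inc'; ?><html><body>hi</body></html>\n"
           '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"))</script>\n', hit1)
    _write(root, "js/functions.js",
           "function f(){}\n"
           'document.write(unescape("%3c%69%66%72%61%6d%65%3e"));\n', hit2)
    return str(root)


def run_demo() -> tuple:
    """Scan the sample site twice: the article's target names only, then every file."""
    root = build_sample_site()
    targets_only = scan_tree(root, modified_after=INJECTION_WINDOW_START)
    everything = scan_tree(root, modified_after=INJECTION_WINDOW_START, all_files=True)
    return targets_only, everything


if __name__ == "__main__":
    for label, result in zip(("target names", "all files"), run_demo()):
        print(f"== {label} ==")
        for rel, why in result.items():
            print(f"{rel}: {', '.join(why)}")
```

Running it against a real document root means pointing scan_tree at that directory with modified_after set to the day the hoster's logs (or your own FTP history) suggest the intrusion happened. Note that the mtime check is only a hint: an attacker who restores timestamps after editing, or a deploy that re-uploads everything, defeats it, which is why the content checks run on every candidate file regardless of date. The name filter reproduces the article's list; pass all_files=True for a full sweep, since the article itself says "mostly", not "only", those files are hit.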
Ryouko (Kitties Love Bunnies)
Age: 42 Joined: 14 Mar 2005 Posts: 2085 Location: Sharo
Posted: Fri Feb 19, 2010 4:27 pm
This should have been fixed last night. It's not necessarily a hack, more like random travelling code that fits itself into javascripts, I think.
_________________
"Cats are interesting. They're kind of like girls. When they come talk to you, it's great. When you go talk to them, it doesn't go so well." - Miyamoto
Unknown Neo (Cross Fusion!)
Age: 40 Joined: 16 Mar 2005 Posts: 2933 Location: Unknown
Posted: Sat Feb 20, 2010 8:08 pm
I got it as well, since I have the same problem, but I couldn't do anything to alert any mod about it. Glad it's fixed though.
ShadowEXE
Age: 32 Joined: 07 Apr 2010 Posts: 5 Location: Indonesia Network Defender Division HQ
Posted: Mon Apr 12, 2010 12:47 am
I've also found some strange programs running on my computer without realizing it. My avast somehow didn't detect any malicious processes there. I also found a process called "runover.exe" while I was visiting the site, but it suddenly disappeared when I stopped the connection. Maybe we should check our Task Manager more often if our AVs don't find any problems. Somebody who knows more about viruses would find it immediately...
Ozone (Net Savior)
Age: 35 Joined: 03 Jun 2009 Posts: 156 Location: Sardinia (IT)
Posted: Mon Jun 07, 2010 2:00 am
avast warned me too today, same trojan as in the first post.
_________________
Sardinia is not Italy!
MMBN✕Android figures commissions are now CLOSED
Ryouko (Kitties Love Bunnies)
Age: 42 Joined: 14 Mar 2005 Posts: 2085 Location: Sharo
Posted: Sun Jun 13, 2010 12:29 pm
>_> My hoster was supposed to have fixed this.
Dingo (Have axe, will travel)
Age: 39 Joined: 20 Dec 2005 Posts: 312 Location: Follow the bouncing tomahawk...
Posted: Sun Jun 13, 2010 9:50 pm
Yeah, still getting picked up.
Mona Risa (Net Official)
Age: 37 Joined: 20 Jul 2007 Posts: 372 Location: Holland
Posted: Mon Jun 14, 2010 9:18 am
So far, my PC hasn't warned me of anything. But maybe that's because I am not on here for long each day and I have Norton (powerhouse anti-virus like whoa). But I guess that's a good thing? ^^;
_________________
Warning! Charlie Airstar and Dingo fangirl. All helicopter pilots and Native Americans WILL be glomped!
Hardcore Hecxz (Straight-Edge Extremist)
Age: 39 Joined: 23 Mar 2005 Posts: 631 Location: Kentucky
Posted: Tue Jun 15, 2010 5:19 pm
Still picking it up on my avast! virus scanner.
The malware is classified as JS:Illredir-S [Trj] and it's a Trojan Horse.
Ozone (Net Savior)
Age: 35 Joined: 03 Jun 2009 Posts: 156 Location: Sardinia (IT)
Posted: Wed Jun 16, 2010 2:24 am
Maybe a LART can resolve it.
http://catb.org/jargon/html/L/LART.html
Of course, Ryouko-sama should use it on the host guys.
Ryouko (Kitties Love Bunnies)
Age: 42 Joined: 14 Mar 2005 Posts: 2085 Location: Sharo
Posted: Thu Jun 17, 2010 3:51 pm
I'll open another ticket with my hoster. Thanks for the info, Hecxz.
Ryouko (Kitties Love Bunnies)
Age: 42 Joined: 14 Mar 2005 Posts: 2085 Location: Sharo
Posted: Thu Jun 17, 2010 5:27 pm
Let me know if you get it again, my hoster supposedly cleaned it out.
Unknown Neo (Cross Fusion!)
Age: 40 Joined: 16 Mar 2005 Posts: 2933 Location: Unknown
Posted: Sun Jun 20, 2010 8:28 pm
When did the site go back up? It was down the whole week of E3 recently, wasn't it?
Ryouko (Kitties Love Bunnies)
Age: 42 Joined: 14 Mar 2005 Posts: 2085 Location: Sharo
Posted: Sun Jun 20, 2010 8:53 pm
No, we've always been functional. o.o
Unknown Neo (Cross Fusion!)
Age: 40 Joined: 16 Mar 2005 Posts: 2933 Location: Unknown
Posted: Mon Jun 21, 2010 5:03 pm
Sorry. When it had been three days and I got a virus alert, I stopped coming. Then E3 distracted me. Heh.