It’s 3.30am and way past my bedtime, but I feel this is extremely important and I must highlight this to everyone.

A few days ago, one of my website clients complained that the blog I setup for them on their server using WordPress could not be accessed. When I checked, it appeared to have a PHP header problem and I had no idea why it should occur, but I merely upgraded the WordPress installation and it seemed to solve the problem. Because he had that problem, I thought I had better check on all my other WordPress blogs on our own hosted servers; and they all had the same problem.

I thought that WordPress was probably having  a Christmas party and caused all WordPress blogs to fail. I didn’t have time to check if all other WordPress users had the same problem, but it was solved easily enough by upgrading the installation.

Later though the same client told me that one of their staff who was updating some things on their website (the non-Wordpress main section) discovered a Trojan called JS:Illredir-B [Trj] when she accessed their website. A brief Google search using that name unearthed nothing. I found sites quoting similar issues though.

http://www.prelovac.com/vladimir/warning-website-virus-attack

http://forum.avast.com/index.php?topic=52476.0

About the Trojan

What’s so dangerous about Trojans? Basically, Trojans are harmful software which, while it seems to be doing what you asked it to do, is busy doing other things that you didn’t ask it to do… like, sending information (credit card information, personal information, financial information, etc) secretly to other people. Or they could rewrite certain codes or links in your browsers so that you are redirected to other websites without your knowledge. For example, you may be trying to visit your bank’s website, and you do key in the website URL manually, but you are rerouted to a phishing website which looks identical because of the code rewrite in your browser.

I’m not sure about what this Trojan really does – I’m not a virus expert. If anyone knows, or when I do find out, I’ll update.

Protect Yourself

I haven’t researched enough or spoken to enough people to find out which of their antiviruses work. It’s in the middle of the night so very few people are awake. All I can say here is, I’m using AVG and this antivirus did not detect the trojan. My client himself who uses Avira also said it was not detected. I’m not here to promote any particular antivirus actually, but my client’s staff (the one who detected it) used Avast Antivirus, so perhaps this may be a good one to use.

http://www.avast.com/

How Do We Tell Which Websites Are Under Attack?

Well, in my case, all the websites I was taking care of appeared to be have been attacked. I’ve managed to fix them, but I’ll have to keep an eye on them to make sure that they aren’t attacked again.

I’d like to appeal to everyone out there to be aware of this and to help where you can. My guess is that it is possible that there are many websites out there that have been attacked, but the owners or webmasters are unaware of it. This is because the webpage does not look any different from what it usually does, and this is why it’s so dangerous! Please note that the website owners themselves may not be the perpetrators, and are victims. If you have found any website that has been subjected to the trojan attack, please help out by informing the website owner and/or webmaster right away so that action can be taken.

Here is how you can find out whether the website has been attacked:

  1. Website seems to be loading slower than usual.
  2. When the website is loading, check the status bar. If the status bar indicates that there is some traffic being routed to websites of unusual names that are not related to the current website in any way, it is very possible that the website has been attacked.
  3. The easiest way to find out is to take a look at the page source. Go all the way to the bottom. After </html>, if there is something similar to the following, it indicates that the website has been under attack. This code which appears to be gibberish may also appear anywhere INSIDE the website instead of after </html>.

trojan.gif

How to view the page source:

  • Internet Explorer: View menu > Source
  • Firefox: View menu > Page Source
  • Google Chrome: Right-click anywhere on the page > View page source
  • Opera: View menu > Page Source
  • Safari: Right-click anywhere on the page > View Source OR View menu > View source

Fixing The Websites

For those of you who own websites and would like to know how to remove the trojan, it’s easy – just remove the extra code. Not all files are affected, I’ve found that mostly the following files are affected:

  • Files named index or have the word index in them. E.g. index.html, index.php, index.htm, index_main.htm
  • Files named home or have the word home in them. E.g. home.html, homepage.htm
  • Files named main or have the word main in them. E.g. main.html, main_page.htm
  • Files named header or have the word header in them. E.g. header.php, header.inc, header_main.php
  • Files named footer or have the word footer in them. E.g. footer.php, footer.inc, footer_main.php
  • All javascript files with the .js extension. E.g. javascript.js, functions.js

All folders in your server will be affected, including the root folder, the subfolders, the subdomains, and the subfolders in the subdomains.

While some forums suggest that only Linux servers are affected, I’ve found some of my clients who use Windows servers are also affected.

I think that there are some scripts available for you to download and use on your server so that it will automatically scan and remove the code from all affected files, but I didn’t look for them because some of the other users warned that the files themselves have the virus in them. It’s tedious to remove the codes one by one, of course. What I did was to check the last modified date of the files – in my case, the files were affected on 24th and 25th December 2009. That way, I easily detected which files were modified, and I either removed the code manually or I reuploaded my local copy onto the server. It’s tedious, but I know it works.

If anyone has found anything to add to the above, please let me know by email or by commenting. This is pretty dangerous and it’s so malicious… so please be vigilant and do your bit to help out and spread the word.

One more thing I’d like to add: Don’t expect your webhosting provider to inform you or to work on the problem for you. The moment I discovered this, I wrote to all the webhosting providers that my different websites reside on to ask them to check how this could have happened, and to also ask them to inform their clients, and their responses were about the same. They asked me to choose a password that was difficult to guess, and one said I was the only account affected – and this by a company whom I bought several packages from, ALL of which had been attacked.