Archive for December, 2009

Trojan Attack: JS:Illredir-B [Trj]

Wednesday, December 30th, 2009

It’s 3.30am and way past my bedtime, but I feel this is extremely important and I must highlight this to everyone.

A few days ago, one of my website clients complained that the blog I setup for them on their server using Wordpress could not be accessed. When I checked, it appeared to have a PHP header problem and I had no idea why it should occur, but I merely upgraded the Wordpress installation and it seemed to solve the problem. Because he had that problem, I thought I had better check on all my other Wordpress blogs on our own hosted servers; and they all had the same problem.

I thought that Wordpress was probably having a Christmas party and caused all Wordpress blogs to fail. I didn’t have time to check whether all other Wordpress users had the same problem, since it was solved easily enough by upgrading the installation.

Later though the same client told me that one of their staff who was updating some things on their website (the non-Wordpress main section) discovered a Trojan called JS:Illredir-B [Trj] when she accessed their website. A brief Google search using that name unearthed nothing. I found sites quoting similar issues though.

http://www.prelovac.com/vladimir/warning-website-virus-attack

http://forum.avast.com/index.php?topic=52476.0

About the Trojan

What’s so dangerous about Trojans? Basically, Trojans are harmful software which, while it seems to be doing what you asked it to do, is busy doing other things that you didn’t ask it to do… like sending information (credit card information, personal information, financial information, etc) secretly to other people. Or they could rewrite certain code or links in your browser so that you are redirected to other websites without your knowledge. For example, you may be trying to visit your bank’s website, and you do key in the website URL manually, but you are rerouted to a phishing website which looks identical, because of the code rewrite in your browser.

I’m not sure about what this Trojan really does – I’m not a virus expert. If anyone knows, or when I do find out, I’ll update.

Protect Yourself

I haven’t researched enough or spoken to enough people to find out which of their antiviruses work. It’s in the middle of the night so very few people are awake. All I can say here is, I’m using AVG and this antivirus did not detect the trojan. My client himself who uses Avira also said it was not detected. I’m not here to promote any particular antivirus actually, but my client’s staff (the one who detected it) used Avast Antivirus, so perhaps this may be a good one to use.

http://www.avast.com/

How Do We Tell Which Websites Are Under Attack?

Well, in my case, all the websites I was taking care of appeared to have been attacked. I’ve managed to fix them, but I’ll have to keep an eye on them to make sure that they aren’t attacked again.

I’d like to appeal to everyone out there to be aware of this and to help where you can. My guess is that it is possible that there are many websites out there that have been attacked, but the owners or webmasters are unaware of it. This is because the webpage does not look any different from what it usually does, and this is why it’s so dangerous! Please note that the website owners themselves may not be the perpetrators, and are victims. If you have found any website that has been subjected to the trojan attack, please help out by informing the website owner and/or webmaster right away so that action can be taken.

Here is how you can find out whether the website has been attacked:

  1. Website seems to be loading slower than usual.
  2. When the website is loading, check the status bar. If the status bar indicates that there is some traffic being routed to websites of unusual names that are not related to the current website in any way, it is very possible that the website has been attacked.
  3. The easiest way to find out is to take a look at the page source. Go all the way to the bottom. After </html>, if there is something similar to the following, it indicates that the website has been under attack. This code which appears to be gibberish may also appear anywhere INSIDE the website instead of after </html>.

Trojan attack

How to view the page source:

  • Internet Explorer: View menu > Source
  • Firefox: View menu > Page Source
  • Google Chrome: Right-click anywhere on the page > View page source
  • Opera: View menu > Page Source
  • Safari: Right-click anywhere on the page > View Source OR View menu > View source

Fixing The Websites

For those of you who own websites and would like to know how to remove the trojan, it’s easy – just remove the extra code. Not all files are affected, I’ve found that mostly the following files are affected:

  • Files named index or have the word index in them. E.g. index.html, index.php, index.htm, index_main.htm
  • Files named home or have the word home in them. E.g. home.html, homepage.htm
  • Files named main or have the word main in them. E.g. main.html, main_page.htm
  • Files named header or have the word header in them. E.g. header.php, header.inc, header_main.php
  • Files named footer or have the word footer in them. E.g. footer.php, footer.inc, footer_main.php
  • All javascript files with the .js extension. E.g. javascript.js, functions.js

All folders in your server will be affected, including the root folder, the subfolders, the subdomains, and the subfolders in the subdomains.

While some forums suggest that only Linux servers are affected, I’ve found some of my clients who use Windows servers are also affected.

I think that there are some scripts available for you to download and use on your server so that it will automatically scan and remove the code from all affected files, but I didn’t look for them because some of the other users warned that the files themselves have the virus in them. It’s tedious to remove the code one by one, of course. What I did was to check the last modified date of the files – in my case, the files were affected on 24th and 25th December 2009. That way, I easily detected which files were modified, and I either removed the code manually or I reuploaded my local copy onto the server. It’s tedious, but I know it works.
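As an added example (mine, not the author’s own procedure and not one of the scripts mentioned above), here is a small Python script that combines the two checks described in this post: it walks a web root, flags any file whose last-modified date falls in a given window (the author’s was 24th–25th December 2009), and flags any page that carries non-blank content after </html>. The file-name patterns are taken from the list above; the sample site it builds in a temporary folder, and the placeholder script inside it, are constructed for the demo and are not the real injected code.

```python
"""Scan a web root for the two indicators described in the post: files whose
last-modified date falls in the attack window, and pages carrying extra content
after </html>.  Added example; not the blog author's own tooling."""
import datetime as dt
import os
import re
import tempfile
from pathlib import Path

# File names the post reports as most often affected, plus every .js file.
NAME_MARKERS = ("index", "home", "main", "header", "footer")

# Anything non-blank after the closing </html> tag has no business being there.
TRAILING_AFTER_HTML = re.compile(r"</html>\s*(\S.*)", re.IGNORECASE | re.DOTALL)


def is_commonly_affected_name(path) -> bool:
    """True for index/home/main/header/footer-style names and any .js file."""
    path = Path(path)
    stem = path.stem.lower()
    return path.suffix.lower() == ".js" or any(m in stem for m in NAME_MARKERS)


def trailing_content(text: str):
    """Return non-blank text found after </html>, or None if the page is clean."""
    m = TRAILING_AFTER_HTML.search(text)
    return m.group(1).strip() if m else None


def modified_in_window(path: Path, start: dt.date, end: dt.date) -> bool:
    """True if the file's mtime date lies in [start, end] (local time)."""
    mtime = dt.date.fromtimestamp(path.stat().st_mtime)
    return start <= mtime <= end


def scan_site(root, start: dt.date, end: dt.date) -> dict:
    """Walk root recursively; map relative path -> list of reasons it was flagged."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        reasons = []
        if modified_in_window(p, start, end):
            reasons.append("modified in attack window")
        tail = trailing_content(p.read_text(errors="replace"))
        if tail is not None:
            reasons.append(f"content after </html>: {tail[:40]!r}")
        if reasons:
            if is_commonly_affected_name(p):
                reasons.append("name matches commonly affected pattern")
            findings[p.relative_to(root).as_posix()] = reasons
    return findings


def _set_mtime(path: Path, when: dt.datetime) -> None:
    """Set a file's access and modification time (used to build the sample)."""
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def demo() -> dict:
    """Build a constructed sample site in a temp dir and scan it."""
    clean = "<html><body><p>Hello</p></body></html>\n"
    # Constructed stand-in for the injected block; the real one is obfuscated JS.
    injected = clean + "<script>document.write('CONSTRUCTED_PLACEHOLDER')</script>\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        files = {
            "index.html": (injected, dt.datetime(2009, 12, 24, 12, 0)),
            "sub/functions.js": ("function f(){}\n", dt.datetime(2009, 12, 25, 9, 0)),
            "contact.html": (clean, dt.datetime(2009, 11, 1, 10, 0)),
        }
        for rel, (body, when) in files.items():
            path = root / rel
            path.write_text(body)
            _set_mtime(path, when)
        return scan_site(root, dt.date(2009, 12, 24), dt.date(2009, 12, 25))


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, "->", "; ".join(reasons))
```

To use it on a real site, call scan_site with the local copy of the web root and the dates you see in the modified timestamps; a clean page still gets reported if its mtime falls in the window, so compare each flagged file against your own backup before deciding whether to reupload it.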

If anyone has found anything to add to the above, please let me know by email or by commenting. This is pretty dangerous and it’s so malicious… so please be vigilant and do your bit to help out and spread the word.

One more thing I’d like to add: Don’t expect your webhosting provider to inform you or to work on the problem for you. The moment I discovered this, I wrote to all the webhosting providers that my different websites reside on to ask them to check how this could have happened, and to also ask them to inform their clients, and their responses were about the same. They asked me to choose a password that was difficult to guess, and one said I was the only account affected – and this from a company from which I bought several packages, ALL of which had been attacked.

Enabling the Acer Aspire 5000 series radio hardware

Thursday, December 3rd, 2009

My sister’s laptop (which is the Acer Aspire 5003WLMi) had a severe virus attack recently which prevented her from being able to log in to her Windows. She was quite upset about it because there were a lot of personal files which she hadn’t backed up; and we couldn’t even log in to Safe Mode.

I managed to extract and back her data up, and then I proceeded to do a complete reformat and OS installation. I will go into the way I managed to back her data up in another post, as I would like to talk about a different issue in this post.

It came pre-installed with XP Home, but I wanted to give her a different OS so first I tried to install XP Pro. Everything was fine… except that her wireless wouldn’t come on. I tried Googling and read up threads in many forums which all suggested downloading the latest driver from the Acer website. I tried that, but it kept saying that the radio was disabled.

I was boggled because when I tried to look up the settings, the radio was enabled. So I decided to try restoring the laptop to factory settings… only, the recovery buttons don’t work. I found the recovery CDs and tried reinstalling from them, but for some very strange reason, the recovery CDs don’t work. There were a total of four CDs (one system disc and three recovery discs), and after the laptop restores from the third recovery disc, it requests the system disc, but when I put it in, it restarts the entire recovery process. There seemed to be no way to restore it to the factory settings.

In the end I decided to install TinyXP on the laptop (I will discuss this in a future post), but the radio still seemed to be disabled. And then after I Googled for more help, I found the gem of an answer which solved this simple issue:

http://answers.yahoo.com/question/index?qid=20070126230653AACSPMa

It’s so infuriating that there is such a simple answer for such a simple problem! Even Acer doesn’t seem to have this kind of help file.

Anyway, the solution is as simple as this: there is a radio switch at the front of the laptop. It doesn’t look like a switch because its design makes it look like a status light instead. To switch on the radio, all I had to do was press it.

Here’s where the button is:

Radio hardware control switch on the Acer Aspire 5003WLMi

They should have just said so in the error message!

Fixing Basic Computer Issues

Wednesday, December 2nd, 2009

I admit that I’m not a computer expert, although I work with computers better than the average person. I’ve learnt a lot of things about computers from friends as well as through constant Googling; and I’m able to fix a lot of basic (and some not-so-basic) computer problems. I don’t believe in sending computers to computer repair technicians when they don’t know very much more than I do.

I first learnt how to fix basic computer problems when my father bought our first home computer when I was a teenager (computers were not as common as they are now); whenever we had problems, we had to call the computer technician over. Whenever they came over, I would sit next to them and watch what they did; and I learnt to meddle with the computers by following what they did.

I remember the first time I discovered that the technicians didn’t know very much themselves. We had a problem with the computer (I can’t remember what it is now) and I had done my best to use my basic knowledge to fix it but couldn’t manage it; so I called the technician, only to find that he did the exact same things I had already done and nothing more! I remember being so disgusted that we were paying these people per visit to do nothing very much.

I learnt so much more by asking my friends who were computer experts themselves, and through a lot of trial and error. I think I must have crashed our one and only computer a lot back then.

In today’s Internet age, it’s so much easier to get help. Try Googling the keywords related to your issue, and chances are you’ll find hundreds of listings with solutions. If you can’t find the solution, just post your question on any related forum, and someone will provide you with the answer. Sometimes I can feel like a complete noob, but when I read the forums, it’s relieving to know I’m not the only one who faces such problems, and also that there are plenty of people out there who are willing to help.

I’ve decided to put up my own small contribution here by posting any solutions to issues I have personally experienced in the hope that it can help others. Trust me, I know what it’s like to have difficulties finding answers!

If any of you readers happen to have other solutions to the same problems I’ve had, feel free to share and comment!