Trojan Attack: JS:Illredir-B [Trj]

December 30th, 2009

It’s 3.30am and way past my bedtime, but I feel this is extremely important and I must highlight this to everyone.

A few days ago, one of my website clients complained that the blog I set up for them on their server using Wordpress could not be accessed. When I checked, it appeared to have a PHP header problem and I had no idea why it should occur, but I merely upgraded the Wordpress installation and that seemed to solve the problem. Because he had that problem, I thought I had better check on all my other Wordpress blogs on our own hosted servers; and they all had the same problem.

I thought that Wordpress was probably having a Christmas party and had caused all Wordpress blogs to fail. I didn’t have time to check whether all other Wordpress users had the same problem, since it was solved easily enough by upgrading the installation.

Later though the same client told me that one of their staff who was updating some things on their website (the non-Wordpress main section) discovered a Trojan called JS:Illredir-B [Trj] when she accessed their website. A brief Google search using that name unearthed nothing. I found sites quoting similar issues though.

http://www.prelovac.com/vladimir/warning-website-virus-attack

http://forum.avast.com/index.php?topic=52476.0

About the Trojan

What’s so dangerous about Trojans? Basically, Trojans are harmful software which, while it seems to be doing what you asked it to do, is busy doing other things that you didn’t ask it to do… like sending information (credit card information, personal information, financial information, etc) secretly to other people. Or they could rewrite certain code or links in your browser so that you are redirected to other websites without your knowledge. For example, you may be trying to visit your bank’s website, and you do key in the website URL manually, but you are rerouted to a phishing website which looks identical because of the code rewrite in your browser.

I’m not sure about what this Trojan really does – I’m not a virus expert. If anyone knows, or when I do find out, I’ll update.

Protect Yourself

I haven’t researched enough or spoken to enough people to find out which of their antiviruses work. It’s in the middle of the night so very few people are awake. All I can say here is, I’m using AVG and this antivirus did not detect the trojan. My client himself who uses Avira also said it was not detected. I’m not here to promote any particular antivirus actually, but my client’s staff (the one who detected it) used Avast Antivirus, so perhaps this may be a good one to use.

http://www.avast.com/

How Do We Tell Which Websites Are Under Attack?

Well, in my case, all the websites I was taking care of appeared to have been attacked. I’ve managed to fix them, but I’ll have to keep an eye on them to make sure that they aren’t attacked again.

I’d like to appeal to everyone out there to be aware of this and to help where you can. My guess is that it is possible that there are many websites out there that have been attacked, but the owners or webmasters are unaware of it. This is because the webpage does not look any different from what it usually does, and this is why it’s so dangerous! Please note that the website owners themselves may not be the perpetrators, and are victims. If you have found any website that has been subjected to the trojan attack, please help out by informing the website owner and/or webmaster right away so that action can be taken.

Here is how you can find out whether the website has been attacked:

  1. Website seems to be loading slower than usual.
  2. When the website is loading, check the status bar. If the status bar indicates that there is some traffic being routed to websites of unusual names that are not related to the current website in any way, it is very possible that the website has been attacked.
  3. The easiest way to find out is to take a look at the page source. Go all the way to the bottom. After </html>, if there is something similar to the following, it indicates that the website has been under attack. This code which appears to be gibberish may also appear anywhere INSIDE the website instead of after </html>.

[Screenshot captioned “Trojan attack”: the injected code as it appears in the page source after </html>]

How to view the page source:

  • Internet Explorer: View menu > Source
  • Firefox: View menu > Page Source
  • Google Chrome: Right-click anywhere on the page > View page source
  • Opera: View menu > Page Source
  • Safari: Right-click anywhere on the page > View Source OR View menu > View source
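As an added example (not code from the post, and not Mike’s script), here is how checklist items 2 and 3 above can be applied to a saved copy of the page source instead of by eye: it lists every resource the page loads from a host other than the site’s own, which is what the status bar shows while loading, and reports anything that appears after the closing </html> tag. The sample page source and the host names in it (reserved .test and .example domains) are constructed for the example; the function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page source for the example; the host names are placeholders
# (reserved .test/.example domains), not real sites or indicators.
SAMPLE_SOURCE = """<html><head>
<link rel="stylesheet" href="/css/style.css">
<script src="http://www.example-site.test/js/functions.js"></script>
</head><body><p>Welcome</p>
<img src="images/logo.png">
</body></html>
<script src="http://unrelated-host.example/x.js"></script>
"""


class _RefCollector(HTMLParser):
    """Collect (tag, url) for every element that makes the browser fetch
    something, which is what shows up in the status bar while loading."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe", "frame", "img", "embed") and attrs.get("src"):
            self.refs.append((tag, attrs["src"]))
        elif tag == "link" and attrs.get("href"):
            self.refs.append((tag, attrs["href"]))


def _same_site(host: str, site_host: str) -> bool:
    """Treat the site's own host and its subdomains as 'related'."""
    base = site_host.lower()
    if base.startswith("www."):
        base = base[4:]
    host = host.lower()
    return host == base or host.endswith("." + base)


def foreign_references(page_source: str, site_host: str):
    """Checklist item 2: resources loaded from hosts unrelated to the site.
    Relative URLs have no host and are skipped."""
    collector = _RefCollector()
    collector.feed(page_source)
    found = []
    for tag, url in collector.refs:
        host = urlparse(url).hostname
        if host and not _same_site(host, site_host):
            found.append((tag, host.lower()))
    return found


def content_after_html(page_source: str):
    """Checklist item 3: whatever follows the last </html> tag, or None when
    only whitespace follows it (or the tag is absent)."""
    idx = page_source.lower().rfind("</html>")
    if idx == -1:
        return None
    tail = page_source[idx + len("</html>"):].strip()
    return tail or None


def check_page_source(page_source: str, site_host: str) -> dict:
    """Run both checks and return the findings together."""
    return {
        "foreign_references": foreign_references(page_source, site_host),
        "content_after_html": content_after_html(page_source),
    }


if __name__ == "__main__":
    # Usage: save the page source (View > Page Source) to a file, read it in,
    # and pass the site's own host name as the second argument.
    result = check_page_source(SAMPLE_SOURCE, "www.example-site.test")
    for tag, host in result["foreign_references"]:
        print(f"<{tag}> loads from unrelated host: {host}")
    if result["content_after_html"]:
        print("Content found after </html>:", result["content_after_html"])
```

Hosts that the page legitimately uses (a CDN, an analytics provider) will also be listed, so the output is a list to look through rather than a verdict; the point is that an unfamiliar host appearing only in an appended script is exactly the pattern the checklist describes.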

Fixing The Websites

For those of you who own websites and would like to know how to remove the trojan, it’s easy – just remove the extra code. Not all files are affected, I’ve found that mostly the following files are affected:

  • Files named index or have the word index in them. E.g. index.html, index.php, index.htm, index_main.htm
  • Files named home or have the word home in them. E.g. home.html, homepage.htm
  • Files named main or have the word main in them. E.g. main.html, main_page.htm
  • Files named header or have the word header in them. E.g. header.php, header.inc, header_main.php
  • Files named footer or have the word footer in them. E.g. footer.php, footer.inc, footer_main.php
  • All javascript files with the .js extension. E.g. javascript.js, functions.js

All folders in your server will be affected, including the root folder, the subfolders, the subdomains, and the subfolders in the subdomains.

While some forums suggest that only Linux servers are affected, I’ve found some of my clients who use Windows servers are also affected.

I think that there are some scripts available for you to download and use on your server so that it will automatically scan and remove the code from all affected files, but I didn’t look for them because some of the other users warned that the files themselves have the virus in them. It’s tedious to remove the codes one by one, of course. What I did was to check the last modified date of the files – in my case, the files were affected on 24th and 25th December 2009. That way, I easily detected which files were modified, and I either removed the code manually or I reuploaded my local copy onto the server. It’s tedious, but I know it works.
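The cleanup just described, as an added example that is neither Mike’s script nor any code from the post: walk every folder under the site root, pick out the file names the post lists (index/home/main/header/footer and any .js), flag files whose last-modified date falls in the 24–25 December 2009 window or that carry content after </html>, and strip that trailing content. It goes slightly beyond the post in one respect: because a name-only filter would miss an injected file with an ordinary name (and the post itself says the code can appear elsewhere), scan_site takes an only_candidates flag to check every file instead. The sample site tree, the placeholder payload and the function names are all constructed for the example.

```python
import os
import re
import tempfile
from datetime import datetime

# Name fragments the post reports as the usual targets; any .js file also counts.
CANDIDATE_WORDS = ("index", "home", "main", "header", "footer")
_HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
# The window the post gives for the modified files (24th and 25th December 2009).
POST_WINDOW = (datetime(2009, 12, 24), datetime(2009, 12, 26))


def is_candidate(path: str) -> bool:
    name = os.path.basename(path).lower()
    return name.endswith(".js") or any(w in name for w in CANDIDATE_WORDS)


def _end_of_html(text: str):
    """Offset just past the last </html>, or None if the tag is absent."""
    end = None
    for m in _HTML_CLOSE.finditer(text):
        end = m.end()
    return end


def trailing_payload(text: str):
    """Text after the last </html>, or None if only whitespace follows.
    .js files have no </html>, so for them the modified date is the only cue."""
    end = _end_of_html(text)
    if end is None:
        return None
    tail = text[end:].strip()
    return tail or None


def modified_between(path: str, start: datetime, end: datetime) -> bool:
    return start.timestamp() <= os.path.getmtime(path) <= end.timestamp()


def scan_site(root: str, start: datetime, end: datetime, only_candidates: bool = True):
    """Walk root and every subfolder (subdomain folders included) and report
    files modified in the window and/or carrying a trailing payload."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if only_candidates and not is_candidate(path):
                continue
            reasons = []
            if modified_between(path, start, end):
                reasons.append("modified in window")
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    if trailing_payload(f.read()) is not None:
                        reasons.append("content after </html>")
            except OSError:
                continue
            if reasons:
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"), reasons))
    return sorted(findings)


def strip_trailing_payload(path: str) -> str:
    """Cut everything after the last </html> and return what was removed
    ('' if the file was already clean). Re-uploading a known-good local copy,
    as the post does, is the safer option when one exists."""
    with open(path, encoding="utf-8", errors="replace") as f:
        html = f.read()
    removed = trailing_payload(html)
    if removed is None:
        return ""
    with open(path, "w", encoding="utf-8") as f:
        f.write(html[:_end_of_html(html)] + "\n")
    return removed


CLEAN_PAGE = "<html><body><p>Hello</p></body></html>\n"
# Constructed stand-in for the appended code; not a sample of the real trojan.
PLACEHOLDER_PAYLOAD = "<script>/* constructed placeholder for injected code */</script>"


def build_sample_site() -> str:
    """Create a constructed site tree in a temp directory and return its root."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "blog", "sub"))
    files = {
        "index.html": CLEAN_PAGE + PLACEHOLDER_PAYLOAD + "\n",  # injected
        "about.html": CLEAN_PAGE + PLACEHOLDER_PAYLOAD + "\n",  # injected, non-candidate name
        "blog/sub/header.php": CLEAN_PAGE,                      # clean
        "blog/functions.js": "function f() {}\n",               # no </html>; mtime is the cue
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(content)
    ts = datetime(2009, 12, 25, 12, 0).timestamp()  # backdate into the post's window
    os.utime(os.path.join(root, "blog", "functions.js"), (ts, ts))
    return root


if __name__ == "__main__":
    root = build_sample_site()
    for rel, reasons in scan_site(root, *POST_WINDOW, only_candidates=False):
        print(rel, "->", ", ".join(reasons))
    print("removed from index.html:", strip_trailing_payload(os.path.join(root, "index.html")))
```

Run the scan first with the default name filter, then again with only_candidates=False, and compare: anything that shows up only in the second run is a file the post’s list would have missed. Review each flagged file before stripping it, since a legitimate edit made on those dates is flagged by the date check just as an injected one is.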

If anyone has found anything to add to the above, please let me know by email or by commenting. This is pretty dangerous and it’s so malicious… so please be vigilant and do your bit to help out and spread the word.

One more thing I’d like to add: Don’t expect your webhosting provider to inform you or to work on the problem for you. The moment I discovered this, I wrote to all the webhosting providers that my different websites reside on to ask them to check how this could have happened, and to also ask them to inform their clients, and their responses were about the same. They asked me to choose a password that was difficult to guess, and one said I was the only account affected – and this by a company whom I bought several packages from, ALL of which had been attacked.

TROJAN ALERT! Illredir-B/Illredir-C/Illredir-D

January 19th, 2010

WARNING, PEOPLE!!! The trojans are mutating faster than we can keep up with. In one of my recent postings, I warned everyone about the Illredir-B trojan, to which Mike kindly provided a script to help us remove the trojan from our websites. In less than 2 weeks, we have been alerted that it has mutated into Illredir-C. Mike quickly modified the script to eliminate both trojans.

Today, a friend asked me to take a look at her website and Avast has detected it as Illredir-D, and when I tested Mike’s script, it wasn’t able to remove the trojan, which means it has mutated into a pattern different from the earlier two; so a further modification of the script will be needed to wipe this out.

It sounds almost like biological warfare with virus mutation.

My hat off to Avast for its quick detection, even though it is free for personal use. My AVG Free did not detect it. I’m so disappointed in it, having believed in it and recommended it to friends for the past few years.

I have also tried a few online website virus scans which were not able to detect this trojan. This is quite a worrying thought, that few antivirus programs are able to keep up with the new trojans, viruses and malware that are mushrooming more quickly than ever.

The good news is that Google is able to detect the malware, and if the website has been submitted to Google Webmaster, it will block access to the website upon detection of this malware. You may come across a screenshot like the following:

[Screenshot: Google blocking a website. I have blurred the website URL for privacy]

DO NOT IGNORE THE WARNING!

To ensure your own protection, please please please get a good antivirus software!! I highly recommend Avast because even though I’m using the free licence, it is able to detect and block the trojan. Another one that is able to detect this virus (or so I’m told) is Kaspersky, but it’s not available for free download.

[Note: I hope this post will not be ripped off like the earlier post. If you wish to repost this blog entry, please include the original link to this entry which is http://www.zyenweb.com/2010/01/19/trojan-alert-illredir-billredir-cillredir-d/. Thank you.]

Website Template Change (Again)

January 13th, 2010

Hello there!

I’ve made a major change to my website template because after staring at my website for a while, I felt that the black background was rather hard to read and the text was kind of all over the place…

So I’ve made a change to this in the hope that my posts will be a lot easier to read.

I hope my hopes are not in vain! :) Feel free to give me feedback so I can work on it.

Plagiarism on the Internet

January 7th, 2010

With the Internet booming the way it is, everything is now accessible and copy-and-pasteable. I suppose it would come to this soon enough, but it’s disheartening when it happens anyway.

My last blog post on the trojan attack was one that I wrote with a lot of thought, and with the intention of getting the word out to help people who have suffered… and I’m glad that my post did, with a lot of thanks to Mike who provided us with a very useful script to remove the trojan from our infected websites. (Thanks, Mike! You’re a life-saver!!!!)

But I didn’t realise that some people wanted to claim credit for the post that was written. Instead of providing a link to my post, someone copied the entire text word for word, and pasted it on a public forum, without giving any credit whatsoever. Not even a link to my website, or a thank-you! And the image on the forum is linked directly from my website, so I’m losing traffic bandwidth to that forum post, too. And unfortunately I forgot to watermark that image, so no one knows it was taken from my site.

This amounts to plagiarism, and of course, the Internet being as accessible as it is, it happens. A lot of people plagiarise other people’s work, especially students who are supposed to do research.

I’m just expressing my disappointment that someone who claims to be a webmaster can rip off another person’s work like this. Makes you wonder about all his other posts, and his work too. I’m guessing this won’t be my last plagiarised post, as I do intend to keep writing about anything I’ve found out to help everyone else out there.

Original post: http://www.zyenweb.com/2009/12/30/trojan-attack-jsillredir-b-trj
Plagiarised post: http://www.wjunction.com/showthread.php?p=194510#post194510

I reported it to the forum moderators who were very quick to add the credits and they moved the image to another location so that my traffic bandwidth isn’t stolen. Kudos to WJunction for their quick response… but nevertheless I am still disappointed with the person who ripped my blog post off.

Enabling the Acer Aspire 5000 series radio hardware

December 3rd, 2009

My sister’s laptop (which is the Acer Aspire 5003WLMi) had a severe virus attack recently which prevented her from being able to login to her Windows. She was quite upset about it because there were a lot of personal files which she hadn’t backed up; and we couldn’t even login to Safe Mode.

I managed to extract and back her data up, and then I proceeded to do a complete reformat and OS installation. I will go into the way I managed to back her data up in another post, as I would like to talk about a different issue in this post.

It came pre-installed with XP Home, but I wanted to give her a different OS so first I tried to install XP Pro. Everything was fine… except that her wireless wouldn’t come on. I tried Googling and read up threads in many forums which all suggested downloading the latest driver from the Acer website. I tried that, but it kept saying that the radio was disabled.

I was boggled because when I looked up the settings, the radio was enabled. So I decided to try restoring the laptop to factory settings… only, the recovery buttons don’t work. I found the recovery CDs and tried reinstalling from them, but for some very strange reason, the recovery CDs don’t work. There were a total of four CDs (one system disc and three recovery discs), and after the laptop backs up from the third recovery disc, it asks for the system disc, but when I put it in, it restarts the entire recovery process. There seemed to be no way to restore it to the factory settings.

In the end I decided to install TinyXP on the laptop (I will discuss this in a future post), but the radio still seemed to be disabled. And then after I Googled for more help, I found the gem of an answer which solved this simple issue:

http://answers.yahoo.com/question/index?qid=20070126230653AACSPMa

It’s so infuriating that there is such a simple answer for such a simple problem! Even Acer doesn’t seem to have this kind of help file.

Anyway, the solution is as simple as this: there is a radio switch at the front of the laptop. It doesn’t look like a switch because its design makes it look like a status light instead. To switch on the radio, all I had to do was press it.

Here’s where the button is:

Radio hardware control switch on the Acer Aspire 5003WLMi


They should have just said so in the error message!

Fixing Basic Computer Issues

December 2nd, 2009

I admit that I’m not a computer expert, although I work with computers better than the average person. I’ve learnt a lot of things about computers from friends as well as through constant Googling; and I’m able to fix a lot of basic (and some not-so-basic) computer problems. I don’t believe in sending computers to computer repair technicians when they don’t know very much more than I do.

I first learnt how to fix basic computer problems when my father bought our first home computer when I was a teenager (computers were not as common as they are now); whenever we had problems, we had to call the computer technician over. Whenever they came over, I would sit next to them and watch what they did; and I learnt to meddle with the computers by following what they did.

I remember the first time I discovered that the technicians didn’t know very much themselves. We had a problem with the computer (I can’t remember what it was now) and I had done my best to use my basic knowledge to fix it but couldn’t manage it; so I called the technician, only to find that he did the exact same things I had already done and nothing more! I remember being so disgusted that we were paying these people per visit to do nothing very much.

I learnt so much more by asking my friends who were computer experts themselves, and through a lot of trial and error. I think I must have crashed our one and only computer a lot back then.

In today’s Internet age, it’s so much easier to get help. Try Googling the keywords related to your issue, and chances are you’ll find hundreds of listings with solutions. If you can’t find the solution, just post your question on any related forum, and someone will provide you with the answer. Sometimes I can feel like a complete noob, but when I read the forums, it’s relieving to know I’m not the only one who faces such problems, and also that there are plenty of people out there who are willing to help.

I’ve decided to put up my own small contribution here by posting any solutions to issues I have personally experienced in the hope that it can help others. Trust me, I know what it’s like to have difficulties finding answers!

If any of you readers happen to have other solutions to the same problems I’ve had, feel free to share and comment!

Website Completed!

November 19th, 2009

My website has finally been completed! At least, all the important links are here.

There are still a few tweaks that must be done, but I will work on them as I go along.

Thanks for visiting!

Website in progress

November 17th, 2009

My website is still in progress, so some of the links are not clickable. This isn’t how I would usually present my work; I would make sure EVERYTHING is in place before I make the website live, but given my current to-do list, I’ll have 15 grandchildren before that will happen, and I’m not even married yet.

So I’m doing my best to speed this up but in the meantime, I’m providing as much info here as possible that will be helpful.

If you need to contact me, I can be reached at zyenweb[at]gmail[dot]com or +6012-238 1444.

The Dance Habitat

November 13th, 2009

One of my ongoing projects, this is a temporary page for The Dance Habitat. The actual website is currently under construction, and we hope to get it completed… soon. No tentative date for actual launch yet.

Screenshot of www.thedancehabitat.com


Welcome to Zyen Web!

September 27th, 2009

Hey everyone.

Yes, yes, the website is still under construction. Hence the really plain layout with the obviously-no-effort-put-into-it look. I really would like to make the website better looking and easier to navigate, plus I’d like it to be more interactive, hence the addition of this blog. However, I’m up to my gills with a lot of work, and I’m afraid the update of my website will have to take a backseat for now.

In the meantime, I will try to update my blog once in a while (shouldn’t take more than a few minutes per post… I hope). This isn’t a personal blog; this is more for updates on my work, as well as any technical information that I would like to share.

If you have any feedback or suggestions, feel free to leave a comment!