#1 |
|
Join Date: Jan 2002
Location: St. Louis MO
Posts: 88
Reputation: 30
|
POWWEB Anti-Virus Questions
Had a few of my patrons over the past 2-3 days report they were experiencing a TROJAN when visiting my website.
One reported they were using AVG, but my McAfee software did not pick up on what AVG reported as Exploit_c.VHO. Ironically, I could not find any mention of that instance of Exploit_c nor any mention of that trojan family on the McAfee or Norton websites. Seems like only AVG is flagging it.
Would hope and expect POWWEB uses some pretty good AV software on their servers, so am curious if anyone knows where in the OPS panel you can locate the results of such nightly virus scans, especially if your site is infected. Would go a long way to helping webmasters track down problems.
About the only information I could find on the Exploit trojan was associated with SWF files, of which I have about four on the website as banner advertisements. A couple were definitely not matching up to original files so deleted and replaced them with original files. Have asked the users who reported the problem to retest and let me know what they find. Also ran a compare to all the other files on the website, but found nothing out of the ordinary for other non-SWF files.
Would be grateful if any of the moderators or users in the Community have any words of wisdom on the subject, as well as know what POWWEB uses for AV software and if customers can get those nightly reports on the health of their directories and files. Thanks, LarryG
|
|
|
|
|
#2 |
|
Rick
Join Date: May 2002
Location: Minneapolis, MN
Posts: 1,695
Reputation: 280
|
It's extremely unlikely that the source of the problem is Powweb's servers. You should assume that there is a security issue with your site and that it wasn't fixed by simply replacing the infected files you found. There's a good article on removing malware on unmaskparasites.com that will tell you what you should do. Good luck!
__________________
Rick Trethewey |
|
|
|
|
|
#3 |
|
Join Date: Jan 2002
Location: St. Louis MO
Posts: 88
Reputation: 30
|
Thanks Rainbore
Thanks Rick. No disagreement there. Did use Google Malware check on the website and it came up negative but will research the link you provided and see if that will help.
My comment/question about POWWEB servers was that I would expect POWWEB to run AV and Malware software the same as my personal machine. And as a result of that, should be able to view a report that identifies when problems are detected. LarryG
|
|
|
|
|
#4 |
|
Custom User Title
Join Date: Aug 2006
Location: Michigan
Posts: 2,669
Reputation: 337
|
Since it is a hosted solution and your site is one of hundreds on any given server, I doubt that PowWeb would display results to the end user. It would be different if you had a dedicated or semi-dedicated solution. To that end, my understanding as just another customer, and hanging out on these forums, is that PowWeb has several tools in place to look for various viruses and attacks, but they are looking at the big picture. Due to the nature of a hack like this, it is hard to decipher custom code you have written and an exploit. Even if they did run full scans it would take FOREVER!
A staff member from PowWeb would probably be able to give a little bit more detail, but they are usually pretty tight-lipped on their measures to avoid showing where their process may have vulnerabilities.
|
|
|
|
|
#5 |
|
Join Date: Feb 2009
Location: India
Posts: 165
Reputation: 32
|
One more thing: when a site is infected with a trojan or any virus, the actual site may not contain any viruses but rather will contain a redirect which will redirect the end user to download those. So, a malware or antivirus scan on the servers may not detect anything. The tool at http://sitecheck.sucuri.net/scanner/ may be useful.
|
|
|
|
|
#6 |
|
PowWeb Staff
Join Date: Sep 2011
Location: Phoenix, AZ
Posts: 93
Reputation: 76
|
I can say that we do run anti-virus scans, and will notify customers when these scans show up malware. However, because of the huge number of sites which need to be scanned, it's entirely possible that visitors will spot an issue before your site is scanned on our end, especially if it's a new virus (and given the lack of info you found, and that only AVG detected it, that may well be the case).
Replacing files with a clean copy should remove the current infection, but it's important to note that if there is a vulnerability in an application (the most likely route), this will still be present. You also need to make sure any applications in your account are completely up-to-date as far as versions, security patches, etc. are concerned. This applies not just to the core application, but also plugins, themes, modules, etc. **If this is not done, your account will remain vulnerable to future attacks of this kind.**
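The file compare against originals that comes up in this thread, as an added example (not code from any poster or from PowWeb): it hashes a known-good local copy and a downloaded copy of the live site, then lists files that were modified, added, or removed, so files that exist only on the host show up alongside changed ones. Directory names, file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def manifest(root):
    """Map every file under root (dotfiles included) to its SHA-256."""
    out = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out

def compare_trees(clean_root, live_root):
    """Diff a known-good copy against a copy downloaded from the host."""
    clean, live = manifest(clean_root), manifest(live_root)
    common = clean.keys() & live.keys()
    return {
        "modified": sorted(p for p in common if clean[p] != live[p]),
        "added": sorted(live.keys() - clean.keys()),
        "removed": sorted(clean.keys() - live.keys()),
    }

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed sample trees; file names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            write(root, "index.html", b"<h1>home</h1>")
            write(root, "banners/ad1.swf", b"original banner bytes")
        write(live, "banners/ad1.swf", b"different banner bytes")  # changed file
        write(live, ".htaccess", b"# placeholder content\n")  # not in the clean copy
        return compare_trees(clean, live)

if __name__ == "__main__":
    print(demo())
```

Anything listed under "added" or "modified" that you did not change yourself is worth opening and reading before it is replaced, since it can point to how the change was made.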