My Website has virus x 2
Original Message
Name: latigotig
Date: September 19, 2005 at 00:48:53 Pacific
Subject: My Website has virus x 2
OS: XP Professional
CPU/Ram: 915P/ 1054
Comment: Hi, I'm new to building websites and I found out yesterday that my business one I've been running for about 6 months has 2 viruses on it: Trojan.moo & Backdoor.nibu.j. How did they get there? How do I stop it from happening again? Is it my fault or the server's fault? I have the latest Norton protection on my PC including firewalls etc. all up and running but unfortunately some of my customers don't and the d***less f****t that put the viruses on my site has cost me business (I apologise for the language but I'm boiling mad about this). Any help in this matter would be really, really appreciated. Latigotig
Just an afternote for you wonderful hackers out there that do things like this... it's the small guy like me who doesn't really make a profit from working damn hard that you hurt, not big business.
I did it 'cause it seemed like fun, then I sobered up.....

Response Number 1
Name: Doleks
Date: September 19, 2005 at 02:24:07 Pacific
Reply: Hello! Don’t worry! If it is your server you can fix it easily. Give us a link to your site or a link to where you found the virus and we can help you better. Read http://securityresponse.symantec.com/avcenter/venc/data/trojan.moo.html . It means that somebody uses Hacktool.JPEGDownload to infect JPEG files on your hosting. Read http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.j.html . Somebody uses your host to infect your customers. It can be somebody who has access to your hosting. Maybe it is your web developer or somebody from your staff.

Response Number 2
Name: latigotig
Date: September 22, 2005 at 04:28:30 Pacific
Reply: Hi Denys, I have wiped the website to ensure nobody else catches these viruses so they no longer exist. I am my own web developer and the PC I used to upload the sites from has not got these viruses. Also, I uploaded them about 3 months ago and the virus only showed up about a week ago (in this time I have not updated or even linked to the website). The link to the website was www.westcountryprint.com before I deleted everything. If the site has been hacked into, how do I ensure this won't happen again when I upload the new pages? I went to the Symantec sites and read the definitions but I don't understand how anyone could have hacked into the site from a remote location. Do they have my password and username? If so, how can I prevent this from happening again? I have changed the passwords and usernames but how often do I have to do this to ensure I'm protected in the future? If this virus came from my PC in the first place, why would it take approx 3 months to activate itself? I know I have a lot of questions but each day I keep my site down we could be losing business, but I'd much prefer to lose business than infect a client's computer. Thanks a lot for the links and the help!
I did it 'cause it seemed like fun, then I sobered up.....

Response Number 3
Name: Stephen Hall
Date: September 26, 2005 at 04:15:06 Pacific
Reply: latigotig, I'm assuming from your posts that you don't own the hosting server. If I'm incorrect in this, please clarify. If it is the case that you are not in control of your hosting server directly, then I think you would need to communicate with your hosting provider. Hacking into your site doesn't require any special knowledge on the part of the attacker, and it doesn't mean that they "knew" or "guessed" your password; there are many ways around passwords. In the case of the Trojan.moo, that would simply be infecting your JPG files. Someone apparently hacked your site and uploaded infected JPGs. The fix for you is simply to delete the files (though it doesn't prevent future infection). In the case of the Backdoor one, it looks to me from Symantec that the only way for it to infect your clients is to be running on the host server (something which you wouldn't have control over if you don't own the server) and to communicate itself over port 9125. Maybe somebody could verify that, but that's what I've found. Second, the Backdoor contains a keylogger, which could mean that the host server was infected before you created your site and the keylogger sent admin information back to the hacker. With this info/these passwords, it's possible the hacker never had or needed your password, he simply logged into the host as the root admin. To protect yourself from the JPEG virus, you could try using a longer password. The longer the password, the higher your security. I personally use passwords around 20+ characters long, though that's a real pain, I know! However, if the server is infected with Backdoor, then the hacker may have complete control over the server and it wouldn't matter what your password is/how long your password is. All in all, I think you need to call your hosting company. Again, none of this really does you good if you own the server. Clarify if I'm incorrect in assuming you don't and I might have some suggestions there.
Viruses are bad, but so is the common cold: sometimes we just have to learn to deal with it. Good luck and I'm sure you can get around this. Stephen
"Live long and PROGRAM......or at least do _something_ with all that time...!"

Response Number 4
Name: latigotig
Date: September 28, 2005 at 01:46:42 Pacific
Reply: Hey Stephen, Thanks a lot for the info. I don't use my own server, you are correct. I'm hosting with Pickaweb at the moment. Although I did attempt to tell them it was more than likely them that must have the virus, they denied it and attributed it to me uploading infected files. I have changed all of my passwords as advised to a jumbled mass of letters and numbers. I will be uploading a new site in the next 2 weeks and as you said it's all trial and error with the infections but hopefully the site has passed its amusement phase for people dumping viruses in it and I guess I've learnt a lesson along the way I should have learnt years ago. Change all passwords regularly and make them complete gibberish (there's a reason why they tell you that!). Thanks again for the advice/info/help Latigotig
I did it 'cause it seemed like fun, then I sobered up.....

Response Number 5
Name: Stephen Hall
Date: September 28, 2005 at 10:43:15 Pacific
Reply: Latigotig, Good to hear you haven't given up hope: it certainly is a tough battle sometimes though. I could see your host coming after you for uploading infected JPGs, but the other virus (Backdoor) doesn't spread that way. It is a process that must be running on the machine the way I understand it. As soon as you get your site back up, make sure to keep checking it daily for hacker activity. If you suspect more virus infections, you might consider changing hosts. Sometimes hackers find a certain set of servers that are easy to hack for one reason or another. Of course, there is the possibility that they guessed your password, though perhaps unlikely. At least you should have that taken care of now, it sounds like you've done about all any of us can do! Good luck and keep us posted. Stephen
"Live long and PROGRAM......or at least do _something_ with all that time...!"