Comments on: How to clean JS/TrojanDownloader.Iframe.NHU trojan http://www.digit-8.com/security-tips/how-to-clean-jstrojandownloader-iframe-nhu-trojan/ About Tips and tricks used to make money online. It's not just about money, business, forex, loans though, there are a lot of different topics that are discussed: entertainment, games, sports, cars, videos and more Mon, 06 Feb 2012 10:51:08 +0000 hourly 1 http://wordpress.org/?v=3.3 By: Thomas J. Raef http://www.digit-8.com/security-tips/how-to-clean-jstrojandownloader-iframe-nhu-trojan/#comment-2645 Thomas J. Raef Mon, 10 May 2010 17:05:43 +0000 http://www.digit-8.com/?p=1642#comment-2645 You did an excellent job of cleaning and explaining what you did. However, often times, websites are re-infected after the clean-up because people never find out how their site was infected in the first place. Quite often we find that sites are infected by stolen FTP passwords. These passwords are stolen by a virus on a PC that uses FTP to access the infected website. The virus works in a variety of ways. First, if you're using a free FTP program like FileZilla, know that these programs store the saved login credentials in a plain text file. Look in C:\Documents and Settings\(user)\Application Data\FileZilla\sitemanager.xml The virus looks for these files, reads the data and sends it to a server which infects the website using valid FTP credentials. Second, the virus sniffs outgoing FTP traffic and since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see and steal the data this way. I've created a YouTube video here that shows this: youtube.com/watch?v=oYI1kssrrbc These viruses know how to avoid detection by the anti-virus software that's installed when they first infect the PC, so you'll have to use a different anti-virus program than what's currently installed. Many have had good success with one of the following: Kaspersky, Avast or Vipre (Sunbelt Software). If you're already using one of these, then install one of the other two - it has to be different. Then change all FTP passwords - immediately. I recommend setting up different passwords for eash user and activating FTP logging. That way, if you get infected again (your website), you'll know exactly who's password has been stolen by looking in the logs. By only using one or two different FTP accounts, you have no way of knowing who's password has been stolen. I've done this many times for clients and been able to pinpoint the infected PC every time. If you're looking for a good software to help remove malscripts, I recommend using grepWin. It's free and provides regular expression searching. That's my two cents worth. Again, nice catch and clean. I just thought I'd add some information on what your readers can do if their sites get infected. You did an excellent job of cleaning and explaining what you did.

However, often times, websites are re-infected after the clean-up because people never find out how their site was infected in the first place.

Quite often we find that sites are infected by stolen FTP passwords. These passwords are stolen by a virus on a PC that uses FTP to access the infected website.

The virus works in a variety of ways. First, if you’re using a free FTP program like FileZilla, know that these programs store the saved login credentials in a plain text file.

Look in C:\Documents and Settings\(user)\Application Data\FileZilla\sitemanager.xml

The virus looks for these files, reads the data and sends it to a server which infects the website using valid FTP credentials.

Second, the virus sniffs outgoing FTP traffic and since FTP transmits all data, including username and password, in plain text, it’s easy for the virus to see and steal the data this way. I’ve created a YouTube video here that shows this:

youtube.com/watch?v=oYI1kssrrbc

These viruses know how to avoid detection by the anti-virus software that’s installed when they first infect the PC, so you’ll have to use a different anti-virus program than what’s currently installed. Many have had good success with one of the following: Kaspersky, Avast or Vipre (Sunbelt Software). If you’re already using one of these, then install one of the other two – it has to be different.

Then change all FTP passwords – immediately.

I recommend setting up different passwords for eash user and activating FTP logging. That way, if you get infected again (your website), you’ll know exactly who’s password has been stolen by looking in the logs.

By only using one or two different FTP accounts, you have no way of knowing who’s password has been stolen.

I’ve done this many times for clients and been able to pinpoint the infected PC every time.

If you’re looking for a good software to help remove malscripts, I recommend using grepWin. It’s free and provides regular expression searching.

That’s my two cents worth. Again, nice catch and clean. I just thought I’d add some information on what your readers can do if their sites get infected.

]]>