I fought and successfully removed this same virus from several of the sites I host today but they all occurred on the same web host. Yet, not all of my sites on that host’s server were affected. This suggests to me that either my admin password for this server got hacked or my host (hostgator) has a vulnerability to whatever attack vector was used to install this script. I found that on one site it had modified the index.php file, on another site it had modified and installed itself in BOTH the index.htm and index.html files, and on a third site it had ALSO modified one of my locally installed javascript (.js) files. Whatever installed the hack ALSO changed the linux attributes AND dates on the files it modified from 644 (rw-r--r--) to 755 (rwxr-xr-x).
This virus (if in fact it IS a virus) seems able to infect “.htm” and “.html” files, plus “.php” and “.js” files. If you look carefully at the AVG error message you receive, you should be able to figure out which of those files it actually changed on your site and remember it may have changed more than one of your files. Sort the file list in your FTP utility by date modified and you should be able to spot the files that got modded as they would have occurred at roughly the same time and on the same date. At least that’s the pattern I found.
Can I ask which webhost you are using?
Thanks!
For the record, I’m NOT using wordpress on any of my sites. Yet, I have this thing on my virtual server too.
I stand corrected. This thing actually reached much deeper into my sites than I originally thought. It also touched most (if not all) of my index.php files and it added a program to lots of directories named mailcheck.php. It also touched all index.pl files and planted a file named “chat.pl” in every cgi-bin directory in my web space and it modified some (but not all) index.cgi files, virtually every index.html file, plus default.html files, index.htm and default.htm as well.
Look carefully at the last modification date and time of any files you find that were modified and then search for other files modified during the same time period on that day. Scan each of those files carefully at the beginning and end of the files for where it did its dirty work. It looks to me like it tries to plant its foul seed in any file that a user might happen to execute by default when visiting the site… including some of the *.js files.
The worst part is I can find no documentation at all on the web OR at the AVG site (which allegedly detects and blocks the js/Tweet virus when it executes) about what js/Tweet is, where it comes from or what it does to the server and systems that are exposed to it.
What I CAN say is that it’s vicious, pervasive and aggressive even though nobody seems to know what its purpose and objective are or how it gets into a server to begin with.
Can anyone else make a contribution of behaviors, information or how to battle this thing?
Thanks!
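One way to do the hunt the post above describes (start from a file the scanner flagged, find everything modified in the same window, then check the permission bits), as an added shell example that is not part of this thread. It assumes GNU coreutils/findutils (`stat -c`, `touch -d`) and builds its own constructed sample web root; the file names and timestamps in it are made up to mirror the post.

```shell
#!/bin/sh
# Added example: hunt for files modified alongside a known-infected file and flag
# the two signs the thread describes: mode flipped to 755 and the planted names
# mailcheck.php / chat.pl. Assumes GNU coreutils/findutils.

# Constructed sample web root: five files touched in one short window and switched
# to 755, two untouched files edited days earlier and left at 644.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/site1" "$root/site2/cgi-bin" "$root/site2/js"
  for f in site1/index.php site1/mailcheck.php site2/index.html site2/cgi-bin/chat.pl site2/js/menu.js; do
    printf 'content\n' > "$root/$f"
    touch -d '2024-01-15 03:12:00' "$root/$f"
    chmod 755 "$root/$f"
  done
  for f in site1/about.html site2/contact.php; do
    printf 'clean\n' > "$root/$f"
    touch -d '2024-01-10 09:00:00' "$root/$f"
    chmod 644 "$root/$f"
  done
  printf '%s\n' "$root"
}

# Usage: find_cotemporal WEBROOT REFERENCE_FILE [WINDOW_MINUTES]
# Prints "<mode> <relative path> <flags>" for every web-facing file whose mtime lies
# within +/- WINDOW_MINUTES of the reference file's mtime, sorted by path.
find_cotemporal() {
  root=$1; ref=$2; win=${3:-30}
  ref_ts=$(stat -c %Y "$ref")
  lo=$(mktemp); hi=$(mktemp)
  touch -d "@$((ref_ts - win * 60))" "$lo"   # lower bound marker file
  touch -d "@$((ref_ts + win * 60))" "$hi"   # upper bound marker file
  find "$root" -type f \
      \( -name 'index.*' -o -name 'default.*' -o -name '*.js' -o -name '*.php' \
         -o -name '*.pl' -o -name '*.cgi' -o -name '*.htm' -o -name '*.html' \) \
      -newer "$lo" ! -newer "$hi" -print | sort |
  while IFS= read -r f; do
    mode=$(stat -c %a "$f")
    flags=''
    [ "$mode" = 755 ] && flags="${flags}EXEC-BIT-ON-CONTENT "
    case $(basename "$f") in mailcheck.php|chat.pl) flags="${flags}KNOWN-PLANTED-NAME ";; esac
    flags=${flags% }
    printf '%s %s %s\n' "$mode" "${f#"$root"/}" "${flags:-ok}"
  done
  rm -f "$lo" "$hi"
}

# Demo on the constructed tree, using the flagged index.php as the reference file.
demo_root=$(make_sample_tree)
find_cotemporal "$demo_root" "$demo_root/site1/index.php" 30
rm -rf "$demo_root"
```

On a real web root, point it at the file AVG named and widen the window if the infected files are spread over more than half an hour; the legitimate files edited on other days drop out of the list.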
Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.