Trojan Removal In Progress - Possible Downtime?

GTiR-Aholic

New Member
Yeah, Google and other search engine spiders will find the site malicious because they scan for viruses/trojans to offer a better & safer browsing experience for their users.. so if gtiroc was appearing on first page results for any terms like "nissan pulsar owners club".. it won't be first page any more, or they'll put a warning against the link so users know it's potentially harmful to their computers/network.

Should go back to normal once the trojan is removed completely and Google is satisfied again with the performance.

antgtir

New Member
I tried to log in at home again yesterday but was given a warning about the virus; that was using the www.gtiroc.com/forums link.

I am able to get straight on using my work computer with no issues (that I know of) popping up, why would this be?

I know it's a big job to do but when do you think the site will be "clean" again?

Ant.

GTiR-Aholic

New Member
I haven't been able to touch it in the last 2 days unfortunately as work has picked up quite a bit..
The forum pages shouldn't be infected again, however they are still marked down as malicious by Google/Firefox and will be like that for a few weeks probably until they mark it as trustworthy again.. until then you may still get warnings/alerts from the browser but your AV shouldn't play up.

The homepage (www.gtiroc.com) and few other parts of the portal are still infected.. but because it's been infected so long it grows by the day.. taking forever to do but definitely seeing progress :)

Fast Guy

Moderators
Staff member
Would updating the forum software to the latest version overwrite any infected files and clean them?

GTiR-Aholic

New Member
Nah, that would update files like showthread.php but I have cleaned all those files. A lot of the site's user content is built on php pages like the links pages, guides etc.. those are heavily infected and are linked to on the homepage, so when you try to access the homepage.. it attempts to get data from the link, which of course is infected, so brings up the alert.

GTiR-Aholic

New Member
Okay... deleted quite a lot. Can I get some feedback on the homepage and other parts of the site.. which parts of the site are triggering your AV's?

jjs

Member
Hi, can log on at home ok, but logged on at work yesterday, first time I have managed to log on at work for ages, but got a pop up alert about the trojan virus? Jim.

GTiR-Aholic

New Member
Hi, can log on at home ok, but logged on at work yesterday, first time I have managed to log on at work for ages, but got a pop up alert about the trojan virus? Jim.
Cheers, what page gives the popup about the trojan virus?

GTiR-Aholic

New Member
The portal page will continue to throw errors up because it's linked to so many other pages which have errors.. it will take time to get that clean. But pretty much all of the forum is clean of the virus... however.. it will STILL throw errors in firefox because it's still marked as a "Malicious" site.

Your browsers will still show errors on ALL the pages but your AV's should be ok with the forum pages now.. portal/homepage will still be infected.

Haven't had time to touch it this weekend, on the ramp removing my engine from my R but will get back to it soon.

antgtir

New Member
Not adding any pressure, but how are things going with the removal of this pesky virus?

I'm able to get on at work but not at home due to warnings etc.

Keep up the good work by the way.

Ant.

GTiR-Aholic

New Member
Sorry mate, I haven't had a chance this week at all. I'm really just doing it between jobs because I run a hosting company and 3 others, but when I do get a chance I log in and do as much as I can.

To be honest, there's just so much of this trojan.. whether the author of the trojan has been logging in daily or something and updating it and integrating it deeper.. or whether the trojan does this itself I don't know, but a lot of the pages are still calling the trojan, which makes those infected pages run slow.

Until the site is completely clean, Google & Firefox will continue to consider the site as being malicious and throw warnings through your browsers.

I'll try to get on today and quickly skim through it to see how much is left and give you all an idea of turnaround.

GTiR-Aholic

New Member
The ftp passwords have been changed so the author can't login anymore and any pages that I am cleaning.. seem to be staying clean so it's definitely getting better!

Fast Guy

Moderators
Staff member
The ftp passwords have been changed so the author can't login anymore

I don't know if you saw this in the other thread.

another website said:
Gumblar: A Botnet of Compromised Websites

As we mentioned last week:
...site owners who have had their sites compromised by Gumblar should keep in mind that while stolen FTP credentials appear to be the initial means of access, once that access is gained it appears the attackers are 'backdooring' the sites. This means that simply changing the FTP password won't be enough. Site owners will want to check their logs carefully for changes that may have been made post-intrusion. This includes checking things like htaccess, php_includes, and other configuration settings, as well as ensuring directory permissions are set appropriately.
Thanks to these 'backdoors', what we're really looking at here can only be described as a botnet of compromised websites. And a growing one at that. Even with the dip in traffic that occurs over the weekend, Gumblar compromised sites still grew another 10% since last Friday, now up a total of 246% from when we first began tracking the increase just over a week ago.
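The quoted advice (check for post-intrusion changes, .htaccess, PHP includes and directory permissions) can be turned into a quick triage script for a site owner; this is an added example, not code from the thread or from the quoted site, and the suspicious-PHP pattern, the sample web root and the file names in it are constructed assumptions for illustration.

```python
import os
import re
import stat
import tempfile
import time
from pathlib import Path

# Heuristic for injected PHP loaders: eval() wrapped around a decoding call.
# A hit is a lead for a human to inspect, not proof of compromise (assumption).
SUSPICIOUS_PHP = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def triage_webroot(root, changed_since):
    """Walk a web root and collect the things the Gumblar write-up says to review."""
    findings = {"recently_modified": [], "htaccess": [], "suspicious_php": [], "world_writable_dirs": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:          # anyone can drop files here
            findings["world_writable_dirs"].append(os.path.relpath(dirpath, root))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.getmtime(path) >= changed_since:      # touched after the cut-off
                findings["recently_modified"].append(rel)
            if name == ".htaccess":                          # config files deserve a read
                findings["htaccess"].append(rel)
            if name.endswith(".php"):
                with open(path, "r", errors="replace") as fh:
                    if SUSPICIOUS_PHP.search(fh.read()):
                        findings["suspicious_php"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings

def build_sample_webroot():
    """Constructed sample tree (not real site content) so the scan runs offline."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "links").mkdir()
    (root / "index.php").write_text("<?php include 'links/list.php'; ?>")
    (root / "links" / "list.php").write_text("<?php eval(base64_decode('aGVsbG8=')); ?>")
    (root / ".htaccess").write_text("RewriteEngine On\n")
    os.chmod(root / "links", 0o777)                          # deliberately over-permissive
    old = time.time() - 30 * 86400                           # index.php untouched for a month
    os.utime(root / "index.php", (old, old))
    return str(root)

def scan_sample():
    """Build the sample tree and triage everything changed in the last hour."""
    return triage_webroot(build_sample_webroot(), time.time() - 3600)

if __name__ == "__main__":
    for category, items in scan_sample().items():
        print(f"{category}: {items}")
```

Run it against a real web root with `triage_webroot("/path/to/webroot", cutoff_timestamp)` and compare the modified-file list with the FTP logs for the same window.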

GTiR-Aholic

New Member
Yeah I've checked the ftp logs and accounts which are created for ftp.. I can't really see any suspicious activity and the pages that I've cleaned have not gotten re-infected so fingers crossed we're secure at the moment.. I'll double check that though :thumbsup:

nex

Member
If you need a hand let me know, have coded php and forums for years and would only take me a short while to go through the entire source.