Potential virus attacking FTP

  1. #1
    Join Date
    Feb 2011
    Posts
    23

    Potential virus attacking FTP

    Hi,

    I have noticed that a lot of the sites that I access through my FTP client (Filezilla) have been infected with files. These files are of two types: .php files (with titles like kocyqsx.php), and .txt files (with titles like .f181630-346222.txt).

    The content of the .php files is code containing text which looks like spamware.

    Since all these sites are on my FTP list, I assume it's not a coincidence, and that my computer contains some kind of virus which has gained access to Filezilla's list. I've run an online virus scan, with no results. Does anyone have any ideas?

    Thanks,
    G

  2. #2
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    25,426
    I am moving this thread, at least temporarily, to a forum where others can offer suggestions as to what the problem may be and ask more questions if necessary. Then if it's determined your computer may be infected we can move it back to the intensive care forum.

    VirtualDr email notices are not working.
    Check back regularly for responses.

    _____________________
    cat lovers click here

  3. #3
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,392
    Which online av did you run?
    Which AV program do you have installed?

  4. #4
    Join Date
    Feb 2011
    Posts
    23
    Thanks for moving the thread, Fink.

    Train: I used this TrendMicro online av: http://www.trendmicro.co.uk/infograp...ile/index.html

    I don't have an AV installed (I know!)

    G

  5. #5
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,392
    Then I suggest ESET online also.
    http://www.eset.com/us/online-scanner/

    Post the log please.

  6. #6
    Join Date
    Feb 2011
    Posts
    23
    Thanks -- I ran that scan, it didn't show me a log, but said no threats were found.

    G

  7. #7
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    25,426
    This ftp folder appears empty to me.

    ftp://ftp.kernel.org/pub/dist/knoppi...torial/bilder/

    What do you see?

    Also try navigating to an ftp site on which you do see the php file with another ftp client, even your web browser, and see what shows up.


  8. #8
    Join Date
    Feb 2011
    Posts
    23
    Yes, I see an empty ftp folder when I click your link.

    I also opened up one of the sites I know has a dodgy .php file in it, this time in some online ftp software, and the dodgy file is visible there as well as in Filezilla.

    The thing is, these are even appearing on sites which are static (i.e. no php or MySQL), so I don't see how they could be accessed except through my computer.

    Thanks for your help so far...

  9. #9
    Join Date
    Feb 2000
    Location
    Idaho Falls, Idaho, USA
    Posts
    18,063
    I assume that these FTP sites require a password for access. Do you have read/write/change/delete control of the files? If so, what happens if you delete the suspect files - do they reappear at a later date?

  10. #10
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    25,426
    Can you check one of those sites/folders with a different computer? If it's clean then that would pretty much point at your computer as being the problem in which case we'll do some scans to try and eliminate the infection.


  11. #11
    Join Date
    Feb 2011
    Posts
    23
    jdc2000: I am able to delete the .php and .txt files. On a couple of sites that I've deleted all these files from, sometimes new .php files (with different titles, again just random letters) have appeared later, but not the same files again immediately.

    I don't have another computer to test this on unfortunately.

  12. #12
    Join Date
    Feb 2000
    Location
    Idaho Falls, Idaho, USA
    Posts
    18,063
    How long does it take for the suspect files to reappear after the previous ones are deleted? If the interval is not too long, you could try deleting the suspect files, and then immediately sign off the ftp site and shut down your computer and unplug the network cable or turn off your router if using wireless, then wait as long as needed for the test before powering up everything again and checking the ftp site again. If the files are back, then either someone else already has access from another computer to put the files there, or the ftp server itself is infected.
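Added example, not part of the thread: a Python triage of a site listing that combines the file names reported in post #1 with the power-off test suggested in post #12. The name patterns are inferred from the two names quoted in the thread, and the known-good set, the offline window and the sample listing are constructed; it also assumes the local mirror keeps the server's modification times.

```python
import os
import re
from datetime import datetime

# Name shapes inferred from the two examples in post #1 (assumption, not a
# signature set). A match is only a hint: a legitimate short name also matches.
RANDOM_PHP = re.compile(r"^[a-z]{5,12}\.php$")
HIDDEN_TXT = re.compile(r"^\.f\d+-\d+\.txt$")


def list_mirror(root):
    """Yield (relative_path, mtime) for every file under a local mirror of the site."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            yield rel, datetime.fromtimestamp(os.path.getmtime(full))


def triage(listing, known_good, offline_start, offline_end):
    """Report files that were never deployed, with two flags: does the name fit
    the reported shapes, and did it appear while the workstation was off?"""
    findings = []
    for rel, mtime in listing:
        if rel in known_good:
            continue  # part of the site as deployed
        name = rel.rsplit("/", 1)[-1]
        findings.append({
            "path": rel,
            "name_match": bool(RANDOM_PHP.match(name) or HIDDEN_TXT.match(name)),
            "while_offline": offline_start <= mtime <= offline_end,
        })
    return findings


# Constructed sample listing; the two suspect names are the ones from post #1.
SAMPLE = [
    ("index.html", datetime(2011, 2, 1, 9, 0)),
    ("img/kocyqsx.php", datetime(2011, 2, 20, 3, 14)),
    (".f181630-346222.txt", datetime(2011, 2, 18, 22, 5)),
]
KNOWN_GOOD = {"index.html"}  # hypothetical manifest of deployed files
OFFLINE = (datetime(2011, 2, 19, 20, 0), datetime(2011, 2, 21, 8, 0))

if __name__ == "__main__":
    for finding in triage(SAMPLE, KNOWN_GOOD, *OFFLINE):
        print(finding)
```

A file flagged `while_offline` was written while the workstation was powered down, which is the case post #12 attributes to access from another computer or to the server itself.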
