A Trojan Invades The Website

It started earlier this evening when I got an email message from a friend, a meteorologist at a competing station.

Hi Geoff,

My antivirus software says there is a Trojan on your website… perhaps something in an ad??

Just wanted to let you know!

Like all newly infected webmasters I was skeptical. I gave him some advice on checking his computer.

I went to the homepage and was alerted almost immediately about a Trojan. We have Norton AntiVirus here at (deleted).

I went to the site again to double-check and I got the alert again. It seemed to be loading something (according to the bottom bar of IE). I couldn’t see what it said. You are much more savvy with web stuff than I am, so maybe you can diagnose it.

I just checked.. it did it again… here’s the most I got out of Symantec… I don’t think it tells you much though.. this was all I could find.

Scan type: Auto-Protect Scan

Event: Threat Found!

Threat: Download.Trojan

File: C:\Documents and Settings\argigha\Local Settings\Temporary Internet

Location: C:\Documents and Settings\argigha\Local Settings\Temporary Internet

Computer: (deleted)

User: argigha

Action taken: Delete succeeded : Access denied

Date found: Thursday, December 15, 2005 5:54:20 PM

I called up my webpage and took a look. Everything was as it should be. And then, another email from someone else.

I just went to your blog and the page came up white and my anti-virus detected “download trojan”. I refreshed the page and it looked normal, but the anti-virus detected this trojan again. I refreshed the page several more times (glutton for punishment) and every time it popped up with the same virus detection.

Thought you may be interested as someone may be hacking you.

By the way my virus scan fixed the problem every time.


Uh oh. This isn’t good.

Recently I had installed some mapping capability. I removed that. Nope, that wasn’t it.

I went to the source code for the website. This is what your browser sees and translates into the formatted page. There, below some normal text, was a long string of garbage. It was a JavaScript link.

Oh no – I’m sunk.

The templates used to marry my blog entries to the format of the page were fine. Where was the code coming from?

As it turns out, I get little bits of content from a few other sites. For instance, on the right side of this page are little weather tidbits. The Trojan had snuck in with one of those. It was coming from a friend’s site.

I called him and he quickly got into action. Actually, he tried to get into action – but to no avail. Whatever had ‘pranged’ his site had also changed his passwords and modified his Apache webserver.

At this hour everything seems to be back to normal. This attack on my friend’s server could have just as easily happened on mine! And, if you were surfing this site earlier today it’s possible you were touched too. I use Firefox, which I think gives me a little protection, and my home computers are totally up-to-date on Microsoft’s patches.

It’s always something.