Thanks to Darragh

Same thing happened my PC at work.
There is a particularly bad virus going round since before Chirstmas.
Apparently it can enbed itself in such a way that it just can't be removed without physically removing the hard drive from the PC and putting it in as a secondary hard drive on another computer and scanning it then.

A real pain!

I see that boards.ie and UKAI were also hit.

PhilipLardner wrote:

Hi Darragh,

Any idea of how the IFAS site (and which bits) got infected? How did you track down and remove the infection? I'm running a Joomla site www.ihpa.ie and am wondering if it has the same vulnerability. I use an automatic backup module JoomlaPack 2.1 to back up the entire site monthly. I guess I could always roll back to the last clean instance and suffer the losses in the forum threads.

Any advice appreciated,

Phil.[/quote]

Phil,

Just make sure to tie down file permissions on your joomla so that very few if any files can be written to.
The Trojan horse only affects file, not the database where all the threads are kept.
It is best to do nightly backups of the database which I do, but I wasn't backing up the Joomla files

Darragh

Frank,
Download AVG, it stopped the infection in its tracks for me, I had it already installed, dont know if it'll install on an already infected machine.

Hi Dave
I would also recommend AVG, it’s really excellent. Just update your AVG database from the internet and you’re PC is well protected. Thanks to Darragh indeed, IFAS website is essential for the Irish astronomical community, glad to see it back in action again.

Best wishes and clear skies
Mike

well done to Darragh and team for fixing the problem,

klear skysB)

Just got another avg alert when I came to this site.

It reads as follows:

Avg Alert
Accessed File is infected
Threat was blocked
File name: ask-com.ya.ru.nu-nl.cobalttrueblue.ru:8080/index.php?sc
Threat name: Exploit Javascript Obfuscation (type 894)