help my website got infected yesterday with gifimg.php

Discussion in 'Security' started by saudshah, Feb 16, 2010.

  1. #1
    hello morning,

    i am running more than 10 websites and my whole webhosting is infected. there is a file called "gifimg.php" in every images folder, and all db*.php functions*.php index.* are infected with this code:


    and all .js files are infected with this code.

    i cleaned every file and changed all the root and ftp passwords, but today i got infected again =(

    i really need help to get rid of it. all my websites will get penalized.

    my root domain name is www.pakistani.pk

    thanks in advance.
     
    saudshah, Feb 16, 2010
  2. happpy

    #2
    you have ssh access to the server? then its fixed quickly
     
    happpy, Feb 16, 2010
  3. saudshah

    #3
    yes i have ssh access, what should i do?
     
    saudshah, Feb 16, 2010
  4. Teh One

    #4
    Was your hosting rooted or what? How did the file get there?
     
    Teh One, Feb 17, 2010
  5. Shagoon

    #5
    First of all you should figure out how your site got infected in the first place, before trying to clear out the infection from your files, because if the initial hole isn't patched up then it's useless to clear out the infection since the files will get re-infected through the same initial hole.

    Good luck with this.
     
    Shagoon, Feb 17, 2010
  6. WeWatch

    #6
    This is typically the result of a virus on a PC with FTP access to the infected website. The virus looks for the plain text files that programs like FileZilla or CuteFTP use to store the saved passwords in, reads them and sends the contents to a server which then logs in through FTP and infects the website(s).

    The virus also sniffs the FTP traffic and since FTP transmits all data, including username and password in plain text, it's easy for the virus to see and steal the login credentials.

    The first scenario is dealt with by using a different FTP program. I use WS_FTP because it encrypts the passwords saved.

    The second scenario can be prevented by using either SFTP or FTPS.

    The virus knows how to evade detection of the currently installed anti-virus program so you may have to use something different. Many have had good success using one of these: Avast, F-Prot or Kaspersky.

    Immediately change all FTP passwords.

    Then scan all PCs with a different anti-virus program.

    Then scan all .php files for a string that contains:

    eval(base64_decode
    That is typically used by the hackers to remotely re-infect websites after the FTP issues have been rectified.

    Post back here if you have any further questions.
     
    WeWatch, Feb 18, 2010
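
Added example, not part of any post in this thread: one way to run the scan described in post #6 over SSH, extended to the gifimg.php filename from post #1 and to recently modified .php/.js files. The function names, the sample tree and the three-day window are assumptions made for illustration; GNU grep and find are assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): sweep a web root over SSH for the
# indicators named above. Read-only: it lists files, it does not modify them.

# PHP files containing eval(base64_decode, tolerating case and whitespace
# variations between the tokens. -I skips binary files, -l prints names only.
scan_php_eval() {
    grep -rIlEi --include='*.php' \
        'eval[[:space:]]*\([[:space:]]*base64_decode' "$1" | sort
}

# Dropped files: gifimg.php by name (post #1), plus any .php file under an
# images directory, where executable PHP is not normally expected.
scan_dropped() {
    find "$1" -type f \( -name 'gifimg.php' -o -path '*/images/*.php' \) | sort
}

# .php and .js files changed in the last N days, to review by hand; the thread
# reports injected code in .js files but the page does not show its content.
scan_recent() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) -mtime "-$2" | sort
}

# Constructed sample tree so the example runs offline; the payload is a
# harmless placeholder string, not the code from the reported infection.
make_sample_tree() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/images" "$root/lib"
    echo '<?php echo "hello"; ?>' > "$root/index.php"
    echo '<?php $x = base64_decode($y); ?>' > "$root/lib/util.php"
    echo '<?php EVAL ( base64_decode("cGxhY2Vob2xkZXI=")); ?>' > "$root/db_connect.php"
    echo '<?php eval(base64_decode("cGxhY2Vob2xkZXI=")); ?>' > "$root/images/gifimg.php"
    echo 'var a = 1;' > "$root/menu.js"
    echo "$root"
}

WEBROOT="${1:-$(make_sample_tree)}"   # pass your real web root as $1
echo "== eval(base64_decode in PHP =="; scan_php_eval "$WEBROOT"
echo "== PHP files in image folders =="; scan_dropped "$WEBROOT"
echo "== PHP/JS modified in the last 3 days =="; scan_recent "$WEBROOT" 3
```

Treat each hit as a lead to open and review by hand rather than a file to delete automatically.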
  7. life31

    #7
    God the exact same situation with me too. Just a couple of days back the same thing happened to me. I have instructed the host and got my whole account deleted and a new one created, but now I am damn scared to upload the backup.

    Does this affect the database too?? Can I use the database backup at least?? And the worst part is that I was using the latest version of WordPress.
     
    life31, Feb 18, 2010
  8. WeWatch

    #8
    It's not always a Wordpress exploit.

    More often than not, it's a virus on a PC with FTP access to your website.
     
    WeWatch, Feb 18, 2010
  9. saudshah

    #9

    i have scanned my pc with kaspersky 2010 with latest database and found 13 trojans and viruses definitions, and my pc is cleaned now. i have also scanned it via mcafee.

    and changed the ftp software now using WS_FTP, but i have cleaned all php's several times and ftp passwords. but server is still infected and images are shown like they got shake and some are not showing.
     
    saudshah, Feb 18, 2010
  10. WeWatch

    #10
    Did you scan for the base64_decode string?
     
    WeWatch, Feb 18, 2010
  11. zulutradetesting

    #11
    Hello,

    1) How do you scan for the base64_decode string?
    2) I have WS-FTP Home 2006. Do you know if that program encrypts the passwords that are stored in the FTP program?

    Thanks.
     
    zulutradetesting, Jun 16, 2010