Malware infected website?

Discussion in 'Security' started by rubencouto, Nov 6, 2012.

  1. #1
    Hello!

    My website siteretriever.com keeps showing in its source code scripts like this: script src="http://koft66ende.rr.nu/nl.php?p=d" at the bottom of the page. The domain name (koft66ende) changes but the rest is the same.

    I've looked into the index.php, other php files, into all the template files and I can't find this bit of injected code. I'm using CrawlTrack to try to prevent such code injections but it doesn't seem to be working. I've even deleted the website entirely and installed it again using a different script (from Astanda to phpLD!) and the problem remains.

    A curious thing: at work (using Windows NT and IE) the malicious code shows up in the source code. At home (using Ubuntu and Firefox) the malicious code doesn't show up in the source code...

    When I use an online malware site scanner, it identifies the code as being malicious java.

    I have no idea about how to remove this code and protect my site. Any ideas (that don't require payment)?
     
    rubencouto, Nov 6, 2012 IP
  2. SolidShellSecurity

    #2
    Hacked server? Ask your host? Check for script vulnerabilities? When we get people switching over to us we typically do fresh/clean installs and clean out even databases and change passwords. You may also wish to look at access_logs for ideas.
     
    SolidShellSecurity, Nov 6, 2012 IP
  3. BigTim3

    #3
    that is why you guys rock!? right?! lol
     
    BigTim3, Nov 6, 2012 IP
  4. dvduval

    #4
    If you are a phpLD license holder, make a support ticket. We may be able to help you!
     
    dvduval, Nov 9, 2012 IP
  5. rubencouto

    #5
    Thanks to everyone who gave some feedback.
    I followed these steps http://devilsworkshop.org/tutorial/...e-grep-sed-commands-files-linux-server/55587/ and got my site clean! It turns out there was a little php file that was infecting every site of mine (addon domains in subdomains of the same account). After using SSH to run the commands indicated in the tutorial, I changed my FTP password, increased the level of security of the folder world permissions and I'm currently running CloudFlare, CrawlProtect, CrawlTrack, Website Defender and Stop The Hacker! Hope it stays clean!! :)
     
    rubencouto, Nov 15, 2012 IP
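
A scan of the kind described in post #5, as an added example that is not part of the thread or the linked tutorial: it lists files under a web root that embed the rotating `*.rr.nu/nl.php?p=` script URL from post #1, plus PHP files that use an eval-plus-decoder construct. The decoder heuristic, the function names and the sample tree are assumptions constructed for illustration; the thread does not say how the PHP file hid its payload.

```bash
#!/usr/bin/env bash
# Added example: find files that carry the injected script from this thread.

# From post #1: the host label rotates, the rest of the URL stays constant.
INJECT_RE='https?://[a-z0-9-]+\.rr\.nu/nl\.php\?p='
# Assumption (not stated in the thread): the dropper hides its payload
# behind eval() wrapped around a decoder call.
OBFUSC_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)[[:space:]]*\('

# tag REASON: prefix every path read on stdin with "REASON<TAB>".
tag() {
    while IFS= read -r path; do printf '%s\t%s\n' "$1" "$path"; done
}

# scan_webroot DIR: print "REASON<TAB>FILE" for each suspicious file, sorted.
# -I skips binary files, -l prints only file names, -r recurses.
scan_webroot() {
    {
        grep -rIlE -- "$INJECT_RE" "$1" | tag injected-url
        grep -rIlE --include='*.php' -- "$OBFUSC_RE" "$1" | tag obfuscated-php
    } 2>/dev/null | sort -u
    return 0
}

# make_sample: build a constructed tree (two sites on one account) and
# print its path. All file contents are harmless placeholders.
make_sample() {
    sample_dir=$(mktemp -d)
    mkdir -p "$sample_dir/site1" "$sample_dir/site2/templates"
    printf '%s\n' '<?php echo "hello"; ?>' > "$sample_dir/site1/index.php"
    printf '%s\n' '<script src="http://sample-label.rr.nu/nl.php?p=d"></script>' \
        > "$sample_dir/site2/templates/footer.tpl"
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' \
        > "$sample_dir/site1/cache.php"
    printf '%s\n' "$sample_dir"
}

# Demo on the constructed tree; on a real host pass the account directory.
demo_root=$(make_sample)
scan_webroot "$demo_root"
rm -rf "$demo_root"
```

Because post #5 reports a single file infecting every addon domain on the account, point the scan at the whole account directory rather than one site's folder.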
  6. wetbupa

    #6

    We can advise you to perform the following steps in order to protect all your files and your whole server from further attacks:

    - check your local computer for Trojans/viruses, and install a reliable antivirus on your computer in case one wasn't installed. Your computer could be infected by some malicious software that uses your cached passwords in order to attack scripts/accounts on the internet;
    - check all your sites, and replace weak passwords with stronger ones;
    - you can also use online scanners. The following ones can be used:

    http://www.windowsecurity.com/trojanscan/
    http://www.bitdefender.com/scanner/online/free.html
    http://www.kaspersky.com/virusscanner
    http://home.mcafee.com/Downloads/FreeScan.aspx
    http://www.virustotal.com/
    http://security.symantec.com/sscv6/WelcomePage.asp
    http://www.eset.com/onlinescan/run_scanner.php

    We would like to draw your attention to such attacks in the future and ask you to take the necessary actions on your side. We would like to advise you to check all your sites and to update forums and all installed scripts from time to time.

    Additionally, we kindly ask you to make your own backups for security reasons, along with our server backups.
    Do not keep the same passwords for too long; change them at least once a month.
     
    wetbupa, Nov 16, 2012 IP
  7. passme

    #7
    Hi,
    someone hacked my d.p account. The next time I opened my account, it had been banned by the d.p moderators. What can I do...

    This is my 3rd account... :(
     
    passme, Nov 23, 2012 IP