  1. #1
    rageh (SitePoint Guru)
    Join Date: Apr 2006
    Location: London, Formerly Somalia
    Posts: 612

    Nasty code injection attack

    Hello everybody,

    My website has suffered a very nasty JavaScript code injection attack. That means that most of the files on my webserver, including the PHP, HTML and JavaScript files, were all injected with pieces of JavaScript that took control of the website.

    Also, Google and Firefox reported my website as an attack site. I was baffled as to how a virus got into my server. I very much suspect the infection came from the webhosting company's servers, which I am now contacting.

    I have got a PHP script that cleans all files of the virus (the JavaScript code), but my site is still blacklisted by Firefox and Google as being an attack site, even after I removed the offending code. What do I need to do?

    Any idea? Have you been a victim of this lately? Any known solutions?

    This is typical of the insertions

    Code JavaScript:
    /*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = ...;document.body.appendChild(X08yhffhg7xkxf);}} catch(e) {}

    Sometimes it starts with document.write(....) or an eval() function in some PHP scripts.

    Thanks for reading this
    ------------------

  2. #2
    Dan Grossman
    Join Date: Aug 2000
    Location: Philadelphia, PA
    Posts: 20,580
    Log in to Google Webmaster Tools and submit a Malware Review Request to have the warning about your site removed after it's clean.

    Have you looked through your access logs, line by line, to rule out someone exploiting a vulnerability in one of your scripts?

  3. #3
    UseShots (SitePoint Member)
    Join Date: May 2008
    Posts: 15
    Hi,

    This is a well-known attack that uses stolen FTP credentials. You can read about it here: http://blog.unmaskparasites.com/2009...cated-scripts/

    In addition to removing the malicious code from server files, you should
    • scan your local computer for malware
    • change all site passwords and keep them secure (don't save them in FTP programs)
    • as was correctly mentioned above, request a malware review in Google Webmaster Tools
    Thousands of sites have been hacked recently.
    Unmask Parasites: Check if your site is still yours.

  4. #4
    rageh (SitePoint Guru)
    Quote Originally Posted by Dan Grossman View Post
    Have you looked through your access logs, line by line, to rule out someone exploiting a vulnerability in one of your scripts?
    I have not found anything suspicious in the access logs. It is a trojan on my computer which stole my FTP details that were saved in the FTP client, and sent these details to someone somewhere. Then they were able to run scripts that injected code into my scripts. My scripts are secure, but if someone gains access to your FTP account, then there is no security.

    It is a new attack form which is more dangerous and difficult to get to the bottom of.
    ------------------

  5. #5
    rageh (SitePoint Guru)
    Quote Originally Posted by UseShots View Post
    Hi,

    This is a well-known attack that uses stolen FTP credentials. You can read about it here: http://blog.unmaskparasites.com/2009...cated-scripts/

    In addition to removing the malicious code from server files, you should
    • scan your local computer for malware
    • change all site passwords and keep them secure (don't save them in FTP programs)
    • as was correctly mentioned above, request a malware review in Google Webmaster Tools

    Thank you UseShots,

    I read the link you passed. It mainly deals with the iframe injection attack, which is part of the code injection attacks. The attack my site suffered was mainly JavaScript and PHP code injections. Inspecting my home directory, I found the offending script. It was a PHP script whose main purpose was to inject encoded code into my scripts. The only explanation for how the script found its way into my home directory is through FTP. I must have had my FTP details stolen from the FTP client where they were saved.

    Anyway, I cleaned all my scripts of the virus, got rid of my FTP software and got a more secure one in its place. I am slowly but surely getting rid of this awful virus.
    ------------------

  6. #6
    UseShots (SitePoint Member)
    Quote Originally Posted by rageh View Post
    Inspecting my home directory, I found the offending script.
    Did you save that script? I would like to take a look at it. Could you send it to me? (Either PM or using this contact form on my site.)

    BTW, if that script injected malicious code into your files, what permissions do they have?
    Thousands of sites have been hacked recently.
    Unmask Parasites: Check if your site is still yours.
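The two practical questions in this thread are "which files still carry the injected stub?" (post #1 shows what it looks like) and "what permissions do the files that got written to have?" (post #6). The scanner below is an added illustration, not the original poster's PHP cleaner and not anything from Unmask Parasites. It walks a web root, flags files matching the `/*GNU GPL*/ try{window.onload` marker quoted in post #1, and reports the file mode alongside each hit so world-writable files stand out. The `eval(...)` and `document.write(...)` signatures are my own broad heuristics (an assumption: they only catch the usual obfuscation wrappers, not every variant), and the demo web root is constructed in a temp directory so the script runs offline.

```python
"""Scan a web root for injected-script markers and report file permissions.
Added example; the signatures beyond the quoted sample are assumptions."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Signatures. The first is taken from the sample quoted in post #1; the
# other two are broad heuristics (assumption) for the document.write(...)
# and eval(...) variants the poster mentioned, limited to obfuscation
# wrappers so that legitimate uses are less likely to match.
INJECTION_PATTERNS = [
    ("gpl-onload-stub", re.compile(r"/\*GNU GPL\*/\s*try\s*\{\s*window\.onload")),
    ("eval-obfuscated", re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(")),
    ("doc-write-unescape", re.compile(r"document\.write\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(")),
]
WEB_EXTENSIONS = {".php", ".html", ".htm", ".js"}


def scan_file(path):
    """Return one finding per signature hit in a single file (empty if clean)."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return []
    mode = os.stat(path).st_mode
    world_writable = bool(mode & stat.S_IWOTH)
    findings = []
    for name, pattern in INJECTION_PATTERNS:
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append({
                "path": str(path),
                "line": line_no,
                "signature": name,
                "mode": oct(stat.S_IMODE(mode)),
                "world_writable": world_writable,
            })
    return findings


def scan_tree(root):
    """Walk the web root and collect findings for every PHP/HTML/JS file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if Path(filename).suffix.lower() in WEB_EXTENSIONS:
                findings.extend(scan_file(os.path.join(dirpath, filename)))
    return findings


def summarize(findings, root):
    """Reduce findings to sorted (relative path, line, signature, world_writable) rows."""
    rows = []
    for f in findings:
        rel = os.path.relpath(f["path"], root).replace(os.sep, "/")
        rows.append((rel, f["line"], f["signature"], f["world_writable"]))
    return sorted(rows)


def build_demo_tree():
    """Create a throwaway web root with constructed clean and infected files."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    samples = {
        # Constructed: mimics the stub quoted in post #1 appended after the markup.
        "index.html": (
            "<html><body><h1>Hello</h1></body></html>\n"
            "<script>/*GNU GPL*/ try{window.onload = function(){"
            "var x = document.createElement('div');"
            "document.body.appendChild(x);}} catch(e) {}</script>\n"
        ),
        "clean.php": "<?php echo 'nothing to see'; ?>\n",
        # Constructed: the eval() variant mentioned for PHP files, payload elided.
        "inc/footer.php": "<?php eval(base64_decode('PAYLOAD_PLACEHOLDER')); ?>\n",
        # Constructed: the document.write() variant.
        "js/app.js": "document.write(unescape('%3Cscript%3E'));\n",
    }
    for rel, content in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    # Make one infected file world-writable, the condition post #6 asks about.
    os.chmod(Path(root, "js/app.js"), 0o666)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, line, sig, writable in summarize(scan_tree(demo_root), demo_root):
        flag = " (world-writable!)" if writable else ""
        print(f"{rel}:{line}: {sig}{flag}")
```

Run it against the real document root instead of the demo tree by calling `scan_tree("/path/to/webroot")`. A hit on a file that is not world-writable tells you the writer had the site's own credentials (consistent with the stolen-FTP-password theory in this thread), whereas hits concentrated in world-writable files point at a permissions problem that would let any process on the host rewrite them.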

  7. #7
    rageh (SitePoint Guru)
    Quote Originally Posted by UseShots View Post
    Did you save that script? I would like to take a look at it. Could you send it to me? (Either PM or using this contact form on my site.)

    BTW, if that script injected malicious code into your files, what permissions do they have?
    I am afraid the script got deleted in the course of the clean-up. It was called something like mailphp or phpmail. I did not check its permissions either.

    But I have set up my own custom-made logger to try to see who has been sniffing my website. Again and again, websites operated from Russia were found to be visiting my site long after I got rid of the virus and changed not only my FTP client software but also my login details.
    ------------------
