Virus in Infected web pages

noswal

I had someone write to me to complain that my site had a virus on it, which I didn't believe, but sure enough on every single htm and html page (even test and redundant pages) was the js/psyme code, placed at the bottom.

Now a Google search tells end users how to get rid of it, and for me all I had to do was delete the script, BUT - how did it get into my site?

I have a couple of other websites with the same hosting company and none of those were affected.
 
Are you using a CMS on that site?
 
Content Management System such as Drupal, Mambo, Joomla . . .

What has your host said about the incident?
 
> I had someone write to me to complain that my site had a virus on it, which I didn't believe, but sure enough on every single htm and html page (even test and redundant pages) was the js/psyme code, placed at the bottom.

What was the code that was placed?

I'm having a similar problem with my site, and cannot locate the offending code in my pages.
 
blerry pesky virus writers :mad:

Hope you guys get your web pages sorted out - must be embarrassing because your customers think your computers are infected and you have low standards...
 
Injecting code nowadays is pretty easy on a LOT of web sites. It's pretty difficult guessing how it was done without doing some forensics on the box.

A few pointers:
What backend are you running - IIS/Apache. Any SQL/MySQL involved? PHP? On the latest versions? Hosted web site - any other sites affected? Is the server fully patched - especially if it's Windows. Any weak passwords on the system? Was the code written with security in mind - is it open to XSS, SQL injection attacks, buffer overflows?
 
On my site, it's plain old HTM files that are triggering the download... Nothing fancy, just Dreamweaver generated pages... No CSS in use, no PHP in play on the pages.

Linux server, not Windows... Beyond that, I'm not sure what else to answer.

Is there a service out there that will hunt down and cure these issues for me?

I've been at this for months, and am at my wits' end. :(
 
You could run something like Nessus which will look for common security holes, but if your site keeps getting hacked you will need to look at everything from the ground up. There is something vulnerable on the server that the attackers are making use of.

You will need to check log files, program versions, code, etc. You might need to get someone with some expertise to look at your server to try and pinpoint the problem.
 
Hi Noswal,

> You could run something like Nessus which will look for common security holes

I would not recommend this, as the (I assume shared) server would block your IP address pretty quickly and it would seem a fiasco getting your IP address unblocked.

Most of these incidents occur when clients run poorly secured / written upload scripts that enable malicious files to be uploaded and then executed.

If the host is insecure themselves, then it might have occurred that a different client other than you has had this happen and due to poor base_opendir protection it has now affected you as well.

If you want, you can PM me your site's URL and I can check it out (if I find any spare time) ;)
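
The thread describes the same script appended to the bottom of every .htm and .html page, and a second poster who cannot find the code in his pages. As an added example (not part of the thread or any poster's code), this Python script lists script/iframe blocks that repeat in the tail of most pages under a web root. The 2 KB tail, the share threshold and the sample URL are assumptions; a legitimate shared footer script is listed too, so compare the output with what you authored.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# <script>/<iframe> blocks are the elements worth reviewing at the end of a page.
BLOCK_RE = re.compile(r"<(script|iframe)\b.*?</\1\s*>", re.I | re.S)
TAIL_CHARS = 2048  # assumption: "the bottom" means the last ~2 KB of the file


def trailing_blocks(html):
    """Whitespace-normalised script/iframe blocks found in the tail of one page."""
    tail = html[-TAIL_CHARS:]
    return {" ".join(m.group(0).split()) for m in BLOCK_RE.finditer(tail)}


def scan(root, min_share=0.8):
    """Return {block: [pages]} for blocks repeated at the bottom of most pages."""
    pages = [p for p in Path(root).rglob("*")
             if p.is_file() and p.suffix.lower() in (".htm", ".html")]
    seen = defaultdict(list)
    for page in pages:
        for block in trailing_blocks(page.read_text(errors="replace")):
            seen[block].append(str(page.relative_to(root)))
    # A block must sit in at least two pages and in min_share of all pages.
    threshold = max(2, int(len(pages) * min_share))
    return {b: sorted(names) for b, names in seen.items() if len(names) >= threshold}


def demo():
    """Run scan() over three constructed pages, two ending in the same block."""
    injected = '<script src="http://injected.example/x.js"></script>'  # constructed
    with tempfile.TemporaryDirectory() as root:
        for name, extra in [("index.html", injected), ("test.htm", injected),
                            ("about.html", "")]:
            body = f"<html><body><p>{name}</p></body></html>\n{extra}\n"
            Path(root, name).write_text(body)
        return scan(root, min_share=0.6)


if __name__ == "__main__":
    for block, names in demo().items():
        print(f"{len(names)} pages end with: {block}")
        print("   ", ", ".join(names))
```

Run `scan()` against a downloaded copy of the site rather than the live server, and keep one affected file untouched so its modification time can be matched against the host's FTP and web logs.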
 