
Webmaster General Forum

    
Site files compromised, need advice
some .js files were edited to print .ru urls in my sites
adrianTNT




msg:4182170
 12:25 am on Aug 5, 2010 (gmt 0)

Hello.

I noticed that 2-3 sites on one of my sites were compromised: a .ru URL appeared in the footer of the site.

I was able to fix it by sorting my remote files by date modified and replacing them with the copy from my local computer.

The only things I noticed changed were some common/known .js files like swfobject.js; it had a document.write in it to print the malware links in my pages.

My question is: what causes these things in general? Is it more likely that my local computer had a virus/worm that modified my files (maybe through Adobe Dreamweaver)? Or is it more likely that the server was compromised directly?

On the same day as the file modified date (3 August) I got an email that appeared to be from Vimeo. I clicked the link in it; after that I saw browser errors that said some exe was not found, and the computer acted suspiciously, so I had to do a system restore.

Do you think I should be safe now? Avast didn't find anything locally but it also didn't warn me about that email or virus or what that was.

OK, I just checked: another site on a different server has the same malware, so this means it was made through my computer, right? The server was not targeted directly?! Any advice?

 

BillyS




msg:4182187
 1:57 am on Aug 5, 2010 (gmt 0)

Some ideas on this one...

1 - Curse the hacker
2 - Remove all files, start changing all passwords.
3 - Check permissions on files and folders
4 - Reload site from last backup.
5 - Check for information specific to your hack type.
6 - Contact host, tell them what happened
7 - Cross fingers
8 - Say a prayer
9 - Monitor site very closely for a week

Best of luck, been there, hate it.

rocknbil




msg:4182669
 6:33 pm on Aug 5, 2010 (gmt 0)

Was it similar to this [webmasterworld.com]? Do you run WordPress?

I ask because I'm seeing a lot of sites with these; the one thing they have in common is WordPress and tiny_mce (but may have poorly protected webmasters too, as below). Seems like it hits all files named index, whether php or .html, and lots of JavaScript files.

Another theory is the end user inadvertently visits a malicious site, and it installs malware that somehow monitors the user's FTP. The webmaster logs in to a site, and it sends the modified files along with it. It could be either an outright theft of the FTP login or piggybacking on the current connection, don't know. So it's entirely possible you are the source, but not definite.

I've been successful cleansing them with deep searches in all files, eliminating the code, then before uploading, changing all passwords - domain manager control panel, FTP accounts, WordPress logins, CMS logins, everything. Doesn't seem to come back after that, which may lend credibility to #2.
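The cleanup approach described in this thread (compare the server's files against a known-good local copy, then search the differences for injected markup), as an added Python example that is not part of the original posts. The function names, the two regexes and the sample directory trees are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# File types the thread reports as altered: .js files and index pages.
SUSPECT_NAMES = re.compile(r"(\.js|^index\.(php|html?))$", re.I)
# Heuristic (assumption): document.write calls, or iframe/script tags that
# load an absolute URL, the two injection shapes mentioned in the thread.
INJECTION = re.compile(
    rb"document\.write\s*\(|<(?:iframe|script)[^>]+src\s*=\s*['\"]?https?://",
    re.I)

def audit(deployed_root, clean_root):
    """Compare deployed files byte-for-byte with a known-good copy.
    Content comparison does not rely on modification dates, which can be reset."""
    deployed_root, clean_root = Path(deployed_root), Path(clean_root)
    findings = []
    for path in deployed_root.rglob("*"):
        if not path.is_file() or not SUSPECT_NAMES.search(path.name):
            continue
        rel = path.relative_to(deployed_root)
        clean = clean_root / rel
        data = path.read_bytes()
        if not clean.is_file():
            status = "unknown"    # present on the server, absent locally
        elif clean.read_bytes() != data:
            status = "modified"   # differs from the known-good copy
        else:
            continue
        hit = bool(INJECTION.search(data))
        findings.append((rel.as_posix(), status, hit))
    return sorted(findings)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "js").mkdir(parents=True)
            (root / "js" / "swfobject.js").write_text("var swfobject = {};\n")
            (root / "index.html").write_text("<html>Home</html>\n")
        # Constructed tampering: a line appended to a known library file.
        with open(live / "js" / "swfobject.js", "a") as fh:
            fh.write("document.write('<a href=\"//placeholder.example\">x</a>');\n")
        (live / "js" / "extra.js").write_text("var a = 1;\n")
        return audit(live, clean)

if __name__ == "__main__":
    print(demo())
```

Files reported as "unknown" exist on the server but not in the local copy, so they need a manual look even when the injection pattern does not match.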

adrianTNT




msg:4182687
 7:00 pm on Aug 5, 2010 (gmt 0)

It appears to be the same malware with that link and a unique identifier after it. But I don't have WordPress on affected sites.
I will continue the conversation on that thread (above), it seems to have more details and it might help other users.

joelgreen




msg:4182776
 9:18 pm on Aug 5, 2010 (gmt 0)

Similar here [webmasterworld.com...] but iframe tag instead of script tag.

[edited by: phranque at 6:26 am (utc) on Aug 6, 2010]
[edit reason] fix link [/edit]
