Webmaster General Forum

Virus on my hosting
glennk (5+ Year Member)
Msg#: 4332557 posted 3:20 pm on Jun 29, 2011 (gmt 0)

As the title describes, I have a virus/hijack code on my hosting (Servage).

I think it was placed there by an ftp hack, although I am not entirely certain of this. I would really appreciate some help in sorting the problem.

There are roughly 20 domains on my hosting. All are now locked to one single ftp account for which I have changed the password.

The problem manifests itself by changing the htaccess files of all domains running php websites (mostly WordPress installations).

The htaccess files are injected with code which hijacks people's browsers and redirects them to virus and scareware sites.

The problem is rectified by me cleaning the htaccess files on each domain and removing the injected code.

However, after several days the problem reoccurs and all the htaccess files are reinjected with the php code. Also, a htaccess file gets placed in the top-level root, which redirects all the domains to the scareware sites.

I'm guessing that the way forward is to clean every domain on the hosting. This won't be too difficult as I'm pretty familiar with cleaning WordPress installations. My main concern/question is: how is this problem able to place a htaccess in the root folder? Do you think the ftp is still compromised? Also, if I clean each domain one at a time, is it possible for another domain to reinfect the cleaned one?

If the moderators move this to another board could you please let me know so that I know where to look on my return.

 

bwnbwn (WebmasterWorld Senior Member, Top Contributor of All Time, 5+ Year Member)
Msg#: 4332557 posted 9:39 pm on Jun 29, 2011 (gmt 0)

Sounds like your WordPress is the problem. Have u cleaned the server up and updated to the newest version?

SteveWh (5+ Year Member)
Msg#: 4332557 posted 1:38 am on Jun 30, 2011 (gmt 0)

"There are roughly 20 domains on my hosting. All are now locked to one single ftp account for which I have changed the password."

Everyone who uses that FTP account should do thorough antivirus scans (on their personal computers, not on the compromised server). Then change the password again.

"I'm guessing that the way forward is to clean every domain on the hosting."

Yes, clean, and upgrade all CMS and their plugins to latest versions.

"How is this problem able to place a htaccess in the root folder? Do you think the ftp is still compromised?"

Yes, or else there is a backdoor PHP script hidden somewhere in one of the sites. The hacker calls the PHP script with their browser. The web page gives them a user interface, and the PHP code translates their commands to server actions, giving them the ability to download/upload/edit files on the server without having to know any passwords. Sort of like CKEditor or TinyMCE, except without any requirement to log in first.

"Also, if I clean each domain one at a time, is it possible for another domain to reinfect the cleaned one?"

Yes, especially if the server runs PHP as an Apache module rather than as CGI/suPHP.

If SSH is enabled, turn it off.

Since this is a recurring problem, the hacking activity might be getting thoroughly logged in one or more of your server logs.
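The recurring pattern in this thread (only the .htaccess files change, and a new one appears at the top level) is easy to catch mechanically. The script below is an added example, not code from the thread or from Servage/WordPress: it records a SHA-256 baseline of every .htaccess under a web root, reports which ones changed or appeared since, and flags the rule shapes that hand visitors to another host (Redirect/RewriteRule/ErrorDocument with an absolute URL, and RewriteCond keyed on a search-engine referrer, which is why the owner browsing directly may never see the redirect). The directory layout, the two .htaccess samples and the `.invalid` hostname are constructed for the demo.

```python
"""Baseline and scan .htaccess files across a multi-domain web root.
Added example (not from the thread); paths and contents are constructed."""
import hashlib
import os
import re
import tempfile

# Rule shapes that send visitors elsewhere: absolute-URL targets on
# Redirect/RewriteRule/ErrorDocument, and RewriteCond keyed on a
# search-engine referrer (the hijack fires only for search traffic).
SUSPICIOUS = [
    re.compile(r"^[ \t]*(Redirect(Match)?|RewriteRule)\b.*https?://", re.I | re.M),
    re.compile(r"^[ \t]*RewriteCond[ \t]+%\{HTTP_REFERER\}.*(google|bing|yahoo)", re.I | re.M),
    re.compile(r"^[ \t]*ErrorDocument[ \t]+\d+[ \t]+https?://", re.I | re.M),
]

# Constructed sample: the block WordPress writes by default.
CLEAN_WP = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed sample of an injected referrer-conditional redirect;
# the hostname is a placeholder under the reserved .invalid TLD.
INJECTED = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC]
RewriteRule .* http://redirect.example.invalid/ [R,L]
ErrorDocument 404 http://redirect.example.invalid/
"""

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_htaccess(root):
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            yield os.path.join(dirpath, ".htaccess")

def rel(root, path):
    return os.path.relpath(path, root).replace(os.sep, "/")

def build_baseline(root):
    """Map of relative path -> SHA-256 for every .htaccess under root."""
    return {rel(root, p): sha256_file(p) for p in find_htaccess(root)}

def diff_baseline(root, baseline):
    """Compare the tree against an earlier baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def suspicious_lines(text):
    """Return every directive in text that matches a redirect pattern."""
    return [m.group(0).strip() for pat in SUSPICIOUS for m in pat.finditer(text)]

def scan(root):
    """Relative path -> list of suspicious directives, for files that have any."""
    findings = {}
    for p in find_htaccess(root):
        with open(p, encoding="utf-8", errors="replace") as f:
            hits = suspicious_lines(f.read())
        if hits:
            findings[rel(root, p)] = hits
    return findings

def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)

def demo():
    """Two clean sites, a baseline, then the reinfection the thread describes:
    one site's file gets the block appended and a new top-level .htaccess appears."""
    root = tempfile.mkdtemp(prefix="htscan-")
    write(os.path.join(root, "site-a", ".htaccess"), CLEAN_WP)
    write(os.path.join(root, "site-b", ".htaccess"), CLEAN_WP)
    baseline = build_baseline(root)
    write(os.path.join(root, "site-b", ".htaccess"), CLEAN_WP + INJECTED)
    write(os.path.join(root, ".htaccess"), INJECTED)
    return diff_baseline(root, baseline), scan(root)

if __name__ == "__main__":
    changes, findings = demo()
    print("changes since baseline:", changes)
    for path, hits in findings.items():
        print(path)
        for h in hits:
            print("   ", h)
```

On a real host you would run `build_baseline` once right after a clean-up, store the JSON somewhere outside the web root, and run `diff_baseline` and `scan` from cron; the first run after a reinfection then tells you both which domains were touched and the exact timestamp window to look at in the server logs.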

rocknbil (WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member)
Msg#: 4332557 posted 4:54 pm on Jun 30, 2011 (gmt 0)

Yeah, it's entirely likely that:

1 - the malware was injected into WordPress

2 - you collected the malware via browsing/working with your sites

3 - you are the one re-infecting the sites unknowingly.

Also note this important thread [webmasterworld.com] if you use FileZilla. By default it stores the FTP passwords on your computer as plain text in an XML file.

glennk (5+ Year Member)
Msg#: 4332557 posted 11:26 am on Jul 4, 2011 (gmt 0)

So what steps do I need to take to get cleaned up? There are 20 domains. Where should I start?

SteveWh (5+ Year Member)
Msg#: 4332557 posted 2:01 pm on Jul 5, 2011 (gmt 0)

Are all 20 domains yours and under your control, or are you a hosting reseller?

Have all admins done AV scans with an AV program different from the one they were using at the time of the compromise?

Was malware found on any of the PCs?

glennk (5+ Year Member)
Msg#: 4332557 posted 3:21 pm on Jul 6, 2011 (gmt 0)

Hi Steve.

Currently all 20 domains are mine and under my control through 1 ftp and 1 control panel.

I have done a system rootkit scan, a system AV scan and a system malware scan. All is clean.

Yesterday I thoroughly cleaned 1 domain, removing all files and folders in that domain and replacing them with a clean install of WordPress. Today the htaccess of that domain was hacked again and a redirect set up through that hack.

Looking at the files through ftp, the htaccess file is the only file changed. All the other files appear untouched since I cleaned them yesterday.

Am I right in assuming that 1 of the following 3 options is the case?

1. The ftp is still compromised.
2. The control panel is compromised.
3. One of the other domains is compromised and they are able to get in there and alter htaccess in all the other domains?

How should I proceed from here?

Many thanks for your help so far.
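The three options above can be separated with the server logs SteveWh mentioned earlier: the .htaccess modification time gives a narrow window, and if the web access log shows a request to an unexpected PHP script just before it, a web-reachable backdoor in one of the sites (option 3) is the likely writer; if the web log is quiet at that moment, the FTP or control-panel logs are where to look next (options 1 and 2). The script below is an added example, not code from the thread or from any hosting product: it parses Apache combined-format lines, keeps the requests in the minutes before the file changed, and flags POSTs to PHP files outside the entry points a stock WordPress legitimately receives, plus any PHP executed from `wp-content/uploads/`, where scripts should never run. The log lines, IP addresses, paths and timestamps are all constructed.

```python
"""Triage an Apache access log around the moment a .htaccess was rewritten.
Added example (not from the thread); log lines and times are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format, fields we need only.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# PHP entry points a stock WordPress install legitimately receives POSTs on
# (matched by suffix, since each domain here lives in its own subdirectory).
EXPECTED_POST = (
    "/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php",
    "/xmlrpc.php", "/wp-cron.php", "/wp-comments-post.php",
)

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jul/2011:09:58:01 +0000] "GET /site-b/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Jul/2011:09:58:02 +0000] "GET /site-b/wp-content/themes/x/style.css HTTP/1.1" 200 900',
    '203.0.113.9 - - [06/Jul/2011:10:01:15 +0000] "POST /site-b/wp-login.php HTTP/1.1" 302 0',
    '198.51.100.23 - - [06/Jul/2011:10:02:40 +0000] "POST /site-a/wp-content/uploads/2011/06/img.php HTTP/1.1" 200 312',
    '198.51.100.23 - - [06/Jul/2011:10:02:41 +0000] "POST /site-a/wp-content/uploads/2011/06/img.php HTTP/1.1" 200 77',
    '203.0.113.9 - - [06/Jul/2011:11:30:00 +0000] "GET /site-b/ HTTP/1.1" 200 5120',
]
# Constructed: the mtime of site-b/.htaccess as reported by FTP (UTC).
HTACCESS_MTIME = datetime(2011, 7, 6, 10, 3, 0, tzinfo=timezone.utc)

def parse_line(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["path"] = d["path"].split("?", 1)[0]  # drop the query string
    return d

def is_unexpected_php(entry):
    """True for PHP requests that a clean WordPress site should not see."""
    path = entry["path"]
    if not path.lower().endswith(".php"):
        return False
    if "/wp-content/uploads/" in path:
        return True  # uploads must never execute code
    return entry["method"] == "POST" and not path.endswith(EXPECTED_POST)

def requests_near(entries, mtime, window=timedelta(minutes=10)):
    """Requests in the `window` before the file was modified."""
    return [e for e in entries if mtime - window <= e["ts"] <= mtime]

def triage(log_lines, htaccess_mtime):
    entries = [e for e in map(parse_line, log_lines) if e]
    near = requests_near(entries, htaccess_mtime)
    suspects = [e for e in near if is_unexpected_php(e)]
    return {
        "requests_in_window": len(near),
        "suspects": [(e["ip"], e["method"], e["path"]) for e in suspects],
        "verdict": ("web-reachable script wrote the file; inspect it and the site it lives in"
                    if suspects else
                    "no web write seen in window; check FTP and control-panel logs"),
    }

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, HTACCESS_MTIME)
    print("requests in window:", result["requests_in_window"])
    for ip, method, path in result["suspects"]:
        print("  suspect:", ip, method, path)
    print("verdict:", result["verdict"])
```

In the constructed sample the two POSTs to a PHP file under `uploads/` of site-a land seconds before site-b's .htaccess changed, which is exactly the cross-domain case SteveWh warned about when PHP runs as an Apache module: cleaning site-b alone cannot help while site-a still hosts the script. Note that a backdoor can also be called by GET, so once a suspect path is known it is worth re-running with that path rather than relying on the POST heuristic alone.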

© Webmaster World 1996-2014 all rights reserved