Does an infected web site get its html or js files modified?
I visited a web site yesterday while looking for answers on database design, where almost every link on it was blocked by my antivirus program saying it was due to the js:Redirector-NK [Trj] infection. Obviously this site is infected.
My question is...
1. Has the site's hosting service been hacked and infected, or has the web site itself been modified and infected?
2. What types of site files are most likely infected?
It depends greatly on the technology being used on the site. Or indeed the host for that matter. A badly designed script can leave weaknesses that enable access to the bad guys.
Some web hosting companies really need to get a grip with their security. I won't shame the company, but I used to have a host where I could access another site's docroot simply using system file paths :) I hope they fixed that.
In these cases it can be a few things. The site owner may be involved; they may be innocent, but their security has let them down; or it could be a deeper breach at host level.
It would be a good idea to email the site and let them know.
Actually, I did email the site owner about the problem. He responded with a thanks and asked if I knew of another hosting service. He is in London, England.
Though Wordpress is the most common target for it, I've seen it on other CMS/carts, such as modX.
* In some shared environments and on some servers using poor passwords, another account may be able to infect an unrelated site, in which case finding another host is a very good idea. Take an example. Some script kiddie "roots" a box (gains root access) and executes his program. With root access, this means that every site on this server - sometimes thousands - will be hacked with the malicious code.
Another way that can happen is a brute force attack on passwords. If your FTP account password is your domain (without the .com or .net) you can imagine how a dictionary attack on the FTP account wouldn't take too long to hack. So "some other user" in a shared hosting environment can be the point of entry to YOUR site.
A third: You will often see requests for files that you know don't exist on your server in error logs. This is a bot looking for specific versions of software with known vulnerabilities. If found, those versions can be abused to deploy these types of attacks.
There are many more, and even more I've never even heard of. :-)
Another thing to realize: when you log into your site via a public hotspot you have to be careful. If your login is not https then your password is sent in plain text over the wire. Same goes for FTP (i.e. use SFTP).
Or avoid public hotspots altogether when updating your site.
Thanks, very helpful.
Happened to me (lovely firewall response, lets the infection in and then tells me the machine is compromised). The code was not saved in my copy of the source, so I was able to overwrite the infected files easily enough, and I changed the FTP password once the machine was rebuilt.
piatkow, are you sure they log on via FTP? I had it with a plain html site (no forms, no scripts, very strong PW) and there was no trace of how they got in.
Any advice on how to strengthen a 'normal' or WP site is much appreciated.
are you sure they log on via FTP?
The problem hit all the index files in all my sites which are at two different hosts. The passwords had been saved in my FTP software.
No proof that it was FTP but getting a virus on my PC and all the sites listed in my FTP software then getting infected at the same time seems a bit of a coincidence.
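The thread's question (do the site's html/js files get modified?) and piatkow's observation that every index file was hit can both be checked the same way: keep a hash baseline of the clean source and diff the live site against it. Added example, not code from the thread; the web root layout and the injected script URL are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# File types a redirector injection usually lands in; extend for your stack.
WATCHED = {".html", ".htm", ".php", ".js"}


def snapshot(root):
    """Return {relative path: sha256 hex} for every watched file under root."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WATCHED:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare(baseline, current):
    """Classify differences between the stored clean baseline and a fresh snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: a tiny site, then a script appended to every index file
    and an unexpected file dropped, mirroring what the thread describes."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "blog").mkdir()
        (site / "index.html").write_text("<html><body>Hello</body></html>")
        (site / "blog" / "index.html").write_text("<html><body>Blog</body></html>")
        (site / "app.js").write_text("console.log('ok');")
        baseline = snapshot(site)  # taken from the known-clean copy of the source
        for page in site.rglob("index.html"):
            page.write_text(page.read_text() + "<script src='//constructed.invalid/r.js'></script>")
        (site / "x.php").write_text("<?php /* constructed: dropped file */ ?>")
        return compare(baseline, snapshot(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice store the baseline off the server (it must not be writable by the web account), and run the comparison from a cron job so a change to every index file across sites is noticed before the antivirus on a visitor's PC does.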