homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque

Webmaster General Forum

Does an infected web site get their html or js files modified?

 2:32 pm on Feb 24, 2012 (gmt 0)

hi all,

i visited a web site yesterday while looking for answers to database design where almost every link on it was blocked by my antivirus program saying it is due to the them due to the js:Redirector-NK [Trj] infection. Obviously this site is infected.

My question is...

1. Has the sites' hosting service been hacked and infected or have the web site itself been modified and infected?

2. what types of site files are most likely infected?




 2:48 pm on Feb 24, 2012 (gmt 0)

It depends greatly on the technology being used on the site. Or indeed the host for that matter. A badly designed script can leave weaknesses that enable access to the bad guys.

Some web hosting companies really need to get a grip with their security. I wont shame the company but I used to have a host where I could access another sites docroot simply using system file paths :) I hope they fixed that.

In these cases it can be a few things. The site owner may be involved, they may be innocent, but their security has let them down or it could be a deeper breach at host level.

It would be a good idea to email the site and let them know.



 4:49 pm on Feb 24, 2012 (gmt 0)

Actually, i did email the site owner about the problem. He responded with a thanks and asked if i knew of another hosting service. He is in the London, England.

It looks like his site is mostly html and javascript. I assume that the error message displayed by my antivirus app indicates a Javasscript modification infection?


 5:29 pm on Feb 24, 2012 (gmt 0)

The (most common) ways it works is via cross site scripting, server breach, OR some user's computer that has contracted a worm, then by FTPing to the site, infects their own files. An automated program injects Javascript code into many files. Most often (the ones I've seen) it will inject the .js into every index file - index.php, index.html, and many Javascript files. Just yesterday I saw one that affected the footer.php of a Wordpress site.

The javascript leads to a **compromised server** where the virus is deployed.

So your contact will probably not benefit by finding another host*, as his site is not really "infected." It's the server the Javascript leads to that is infected. His best course would be to cleanse all files and his database, update all software, then actually read and apply the best security practices of the software vendor - this indeed makes a big difference (going on a guess this is a Wordpress site.)

Though Wordpress is the most common target for it, I've seen it on other CMS/carts, such as modX.

* In some shared environments and on some servers using poor passwords, another account may be able to infect an unrelated site, in which case finding another host is a very good idea. Take an example. Some script kiddie "roots" a box (gains root access) and executes his program. With root access, this means that every site on this server - sometimes thousands - will be hacked with the malicious code.

Another way that can happen is a brute force attack on passwords. If your FTP account password is domain (without the .com or .net) you can imagine how a dictionary attack on the FTP account wouldn't take too long to hack. So "some other user" in a shared hosting environment can be the point of entry to YOUR site.

A third: You will often see requests for files that you know don't exist on your server in error logs. This is a bot looking for specific versions of software with known vulnerabilities. If found, those versions can be abused to deploy these types of attacks.

There are many more, and even more I've never even heard of. :-)


 9:36 am on Mar 3, 2012 (gmt 0)

Another thing to realize when you log into you site via a public hotspot you have to be careful. If your login is not https then you password is sent plain text over the wire. Same goes for FTP (ie. Use SFTP)

Or avoid public hotspots altogether when updating your site.


 10:44 am on Mar 3, 2012 (gmt 0)

I have seen some change sin JavaScript, some auto generated code appears there.


 3:30 pm on Mar 3, 2012 (gmt 0)

thanks, very helpful.


 9:34 am on Mar 5, 2012 (gmt 0)

An automated program injects Javascript code into many files. Most often (the ones I've seen) it will inject the .js into every index file

Happened to me (lovely firewall response, lets the infection in and then tells me the machine is compromised), the code was not saved in my copy of the source so I was able to over-write the infected files easily enough and changed the FTP password once the machine was rebuilt.


 1:18 pm on Mar 5, 2012 (gmt 0)

changed the FTP password

piatkow, are you sure they log on via FTP? I had it with a plain html site (no forms, no scripts, very stron PW) and there was no trace of how they got in.
Any advice on how to strengten a 'normal' or WP site are much appreciated.


 2:06 pm on Mar 5, 2012 (gmt 0)

are you sure they log on via FTP?

The problem hit all the index files in all my sites which are at two different hosts. The passwords had been saved in my FTP software.

No proof that it was FTP but getting a virus on my PC and all the sites listed in my FTP software then getting infected at the same time seems a bit of a coincidence.

Global Options:
 top home search open messages active posts  

Home / Forums Index / WebmasterWorld / Webmaster General
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved