Forum Moderators: phranque

My Site was Hijacked

Hijackers added a snippet of encoded java code and took over

     
11:01 pm on Feb 9, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 4, 2005
posts:1161
votes: 0


Despite what I was told by my host, a very popular, reputable company, I don't see how it could have been a password issue. The password is kept 100% secure and changed often.

The site is (well, was; it's dead now) interactive, so members can upload their own content. People can leave comments, etc.

Anyway, what happened is a .com site broke into my server and added an encrypted JavaScript code to the footer of every page.

But decoded, it looks like this:
document.write('<ifra><iframe>'); -- Well, WebmasterWorld won't let me enter the code, but it's a one pixel by one pixel iframe that tries to redirect people to an external site.

You can't search your files for it because it's encrypted! The above gibberish is taken from the encrypted code opened in notepad, so hopefully it can be found by doing an exact search. Any help with this would be appreciated. I'm more of a publisher than a techie but did manage to find out this much.

[edited by: phranque at 1:10 pm (utc) on Feb 11, 2010]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]

11:09 pm on Feb 9, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 15, 2003
posts:2606
votes: 0


There have been a lot of these reported lately, and 90% of the time it was because a computer you store passwords or use passwords from was compromised.

You should also look at the server's access file that does 404 and 500 error redirects to a custom error page... you may find that they are now redirecting to the offending site as well.

Unplug all your personal/work computers from the network to avoid them doing more damage and scan them. Then from a confirmed uninfected computer change your server passwords.

Check this recent thread on the same issue for good info on how to proceed.

[webmasterworld.com...]

11:18 pm on Feb 9, 2010 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:6717
votes: 230


Well, WebmasterWorld won't let me enter the code

Ask yourself why ..

12:34 am on Feb 10, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 4, 2005
posts:1161
votes: 0


Thanks. Yeah, good reason I couldn't enter the code here.

I'm reading through the other topics about this now.

1:57 am on Feb 10, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


Also look through the posts on XSS and mySQL injection, another point of entry.

2:42 am on Feb 10, 2010 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:6137
votes: 280


Sadly, these days, it appears that more website infections/hijacks are from programmer computers. NEVER use the same computer you develop/update a website with to do personal or company web surfing.

That simple.
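
Added example (not code from any poster in this thread): a Python check for the two things raised in the first two posts, a footer script whose hidden iframe only appears after decoding, and error-page redirects pointing at a foreign host. The `.example` hosts, the sample footer and the sample `.htaccess` lines are constructed; the second check assumes the "access file" is an Apache `.htaccess` using `ErrorDocument`.

```python
import re
from urllib.parse import unquote, urlparse

CHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
TINY = re.compile(r"""(?:width|height)\s*[=:]\s*["']?\s*[01](?:px)?\b""", re.I)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Assumption: Apache-style .htaccess, where ErrorDocument may name a full URL.
ERRDOC = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(https?://\S+)", re.I | re.M)

def _charcodes(m):
    # JavaScript's String.fromCharCode() reduces each argument modulo 2**16.
    return "".join(chr(int(n) % 65536) for n in re.findall(r"\d+", m.group(1)))

def decode_layers(text, max_rounds=3):
    """Undo %XX escapes (as unescape() does) and String.fromCharCode() calls."""
    for _ in range(max_rounds):
        new = CHARCODE.sub(_charcodes, unquote(text, encoding="latin-1"))
        if new == text:
            break
        text = new
    return text

def scan_page(html):
    """Report iframes that are tiny/hidden or only visible after decoding."""
    findings = []
    for tag in IFRAME.findall(decode_layers(html)):
        hidden = bool(TINY.search(tag) or HIDDEN.search(tag))
        obfuscated = tag not in html  # absent from the raw file, so a plain search misses it
        if hidden or obfuscated:
            findings.append({"tag": tag, "hidden": hidden, "obfuscated": obfuscated})
    return findings

def scan_htaccess(conf, own_hosts):
    """Report ErrorDocument directives that send visitors to a foreign host."""
    return [(int(code), url) for code, url in ERRDOC.findall(conf)
            if (urlparse(url).hostname or "").lower() not in own_hosts]

# Constructed sample data: a fully %-escaped 1x1 iframe, as described in the thread.
PAYLOAD = '<iframe src="http://injected.example/x" width=1 height=1></iframe>'
SAMPLE_FOOTER = ('<p>footer</p><script>document.write(unescape("'
                 + "".join("%%%02X" % ord(c) for c in PAYLOAD) + '"));</script>')
SAMPLE_HTACCESS = ("ErrorDocument 404 /errors/404.html\n"
                   "ErrorDocument 500 http://injected.example/e.php\n")

if __name__ == "__main__":
    print(scan_page(SAMPLE_FOOTER))
    print(scan_htaccess(SAMPLE_HTACCESS, {"www.mysite.example"}))
```

Run over every served file, comparing findings against a known-good backup; a legitimate visible iframe written in plain HTML produces no finding.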