Site files compromised, need advice - Webmaster General forum at WebmasterWorld - WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

Site files compromised, need advice

some .js files were edited to print .ru urls in my sites

adrianTNT

12:25 am on Aug 5, 2010 (gmt 0)

10+ Year Member

Top Contributors Of The Month

Hello.

I noticed that 2-3 sites on one of my sites were compromised, a .ru url appeared in the footer of the site.

I was able to fix it by sorting my remote files by date modified and replace them with the copy from my local computer.

The only thing I noticed changed were some common/known .js files like swfobject.js it had a document.write in it to print the malware links in my pages.

My question is: what causes these things in general? Is it more likely that my local computer had a virus/worm that modified my files (maybe through adobe Dreamweaver)? Or is it more likely that server was compromised directly ?

In the same day as file modified date (3 August) I got an email that appeared to be from Vimeo, I clicked the link in it, after that I seen browser errors that said some exe was not found, computer acted suspiciously so I had to do a system restore.

Do you think I should be safe now? Avast didn't find anything locally but it also didn't warn me about that email or virus or what that was.

Ok, I just checked, another site on different server has same malware, so this means it was made thrugh my computer, right? Server was not targeted directly?! Any advices?

BillyS

1:57 am on Aug 5, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Some ideas on this one...

1 - Curse the hacker
2 - Remove all files, start changing all passwords.
3 - Check permissions on files and folders
4 - Reload site from last backup.
5 - Check for information specific to your hack type.
6 - Contact host, tell them what happened
7 - Cross fingers
8 - Say a prayer
9 - Monitor site very closely for a week

Best of luck, been there, hate it.

rocknbil

6:33 pm on Aug 5, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Was it similar to this [webmasterworld.com]? Do you run WordPress?

I ask because I'm seeing a lot of sites with these, the one thing they have in common is WordPress and tiny_mce (but may have poorly protected webmasters too as below.) Seems like it hits all files named index, whether php or .html, and lots of Javascript files.

Another theory is the end user inadvertently visits a malicious site, and it installs a malware that somehow monitors the user's FTP. Webmaster logs in to a site, and it sends the modified files along with it. It could be either an outright theft of the FTP login or piggy backing on the current connection, don't know. So it's entirely possible you are the source, but not definite.

I've been successful cleansing them with deep searches in all files, eliminating the code, then before uploading, change all passwords - Domain manager control panel, FTP accounts, WordPRess logins, CMS logins, everything. Doesn't seem to come back after that, which may lend credibility to #2.

adrianTNT

7:00 pm on Aug 5, 2010 (gmt 0)

10+ Year Member

Top Contributors Of The Month

It appears to be the same malware with that link and an unique identifier after it. But I don't have wordpress on affected sites.
I will continue conversation on that thread (above), it seems to have more details and it might help other users.

joelgreen

9:18 pm on Aug 5, 2010 (gmt 0)

10+ Year Member

Similar here [webmasterworld.com...] but iframe tag instead of script tag.

[edited by: phranque at 6:26 am (utc) on Aug 6, 2010]
[edit reason] fix link [/edit]