Very Frustrated...Websites Compromised

MysteryFCM:
Shells allow the attacker to compromise the site, even after the passwords are changed, as they can then do whatever they want via an HTTP interface. You can identify these by going through the files on the server, and deleting any that shouldn't be there (you can identify what shouldn't be there by checking your backups).

You can use your usual machine again, once you're sure it's clean. Without knowing which programs you've already tried, I can only suggest programs to use:

a-Squared
www.emsisoft.com

Malwarebytes AntiMalware
www.malwarebytes.org

ClamWin
www.clamwin.com

Kaspersky
www.kaspersky.com


--- Quote ---the code keeps appearing and re-appearing.  What I usually do is delete it from the server and upload the one from my computer which does not have it.  Then, after 2 months (or in this case a couple days lately), it reappears.  They only seem to attach the INDEX.HTML pages.
--- End quote ---

If you've not changed the FTP password yet, it won't matter how many times you replace the files, especially if this is how they got in - it will keep happening until the FTP password is changed (this should've been the first thing to have been done).

MysteryFCM:
As an aside, if you would like help verifying your machine is clean, please see the following:

http://temerc.com/forums/viewtopic.php?f=12&t=18

#41baby:
Hello,

Thanks.

I will get my changed passwords hopefully on Monday.

I will then go through everything you have suggested.

I appreciate the help and will post again if it comes up again.

DN

MysteryFCM:
No problem ..... if you require further help, please do not hesitate to pop back :)

#41baby:
Hello,

I do have one more question.  I have noticed during my investigations on these viruses that it could be the PHP code of forms.  I have also noticed that on one "under construction" site I have, the virus acted differently.  That site got nailed with the virus but does NOT have the PHP form code; the virus is there in the code but does not activate.

Below is the code for my FLASH/PHP form.

I was wondering if there might be something that could be improved.

Thanks,

DN

---


--- Code: ---
<?php
// Read the submitted form fields (a missing field becomes an empty string)
$contact_name = $_POST['name'] ?? '';
$contact_email = $_POST['email'] ?? '';
$contact_subject = $_POST['subject'] ?? '';
$contact_message = $_POST['message'] ?? '';

// Only send mail when a name was submitted
if( $contact_name !== '' )
{
    $sender = $contact_email;
    $receiver = "MY EMAIL ADDRESS";
    $client_ip = $_SERVER['REMOTE_ADDR'];
    $email_body = "Name: $contact_name \nEmail: $sender \nSubject: $contact_subject \nMessage: $contact_message \nIP: $client_ip";
    // Extra mail headers; $sender is the address typed into the form, used as-is
    $extra = "From: $sender\r\n" . "Reply-To: $sender \r\n" . "X-Mailer: PHP/" . phpversion();

    // The subject line uses $contact_subject ($subject was never defined)
    if( mail( $receiver, "Flash Contact Form - $contact_subject", $email_body, $extra ) )
    {
        echo "success=yes";
    }
    else
    {
        echo "success=no";
    }
}
?>
--- End code ---

MysteryFCM: Embedded code in BBCode tags
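
One way to tighten the form handler posted above, as an added example that is not part of the original thread and not the poster's code: values that reach the mail headers are checked for line breaks, the address is validated, and the From header is fixed. The two `example.com` addresses and the function names `field`, `has_header_break` and `build_contact_mail` are assumptions made for the example.

```php
<?php
// Added example, not the poster's code. Both addresses are placeholders (assumptions).
const RECEIVER   = 'owner@example.com';    // where form mail is delivered
const FIXED_FROM = 'webform@example.com';  // fixed sender on the site's own domain

// Return a posted field as a trimmed string; arrays and missing keys become ''.
function field(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? trim($value) : '';
}

// CR, LF or NUL inside a value would let it start a new header line.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns [subject, body, headers] for mail(), or null if the input is rejected.
function build_contact_mail(array $post, string $client_ip): ?array
{
    $name    = field($post, 'name');
    $email   = field($post, 'email');
    $subject = field($post, 'subject');
    $message = field($post, 'message');

    if ($name === '' || has_header_break($email . $subject)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $body = "Name: $name\nEmail: $email\nSubject: $subject\nMessage: $message\nIP: $client_ip";
    // The visitor's address only appears in Reply-To, after validation.
    $headers = 'From: ' . FIXED_FROM . "\r\nReply-To: $email";
    return ["Flash Contact Form - $subject", $body, $headers];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a normal submission and one with CRLF in the email field.
    $good = ['name' => 'DN', 'email' => 'dn@example.com', 'subject' => 'Hi', 'message' => 'Test'];
    $bad  = ['email' => "dn@example.com\r\nX-Test: 1"] + $good;
    var_dump(build_contact_mail($good, '203.0.113.5') !== null);
    var_dump(build_contact_mail($bad, '203.0.113.5') !== null);
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $mail = build_contact_mail($_POST, $_SERVER['REMOTE_ADDR']);
    $ok   = $mail !== null && mail(RECEIVER, $mail[0], $mail[1], $mail[2]);
    echo $ok ? 'success=yes' : 'success=no';
}
```

Run from the command line, the script exercises only the validation on the constructed inputs and sends no mail; served over HTTP, it answers with the same `success=yes` / `success=no` strings the Flash form expects.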