Malware Related > Compromised Servers

It instals it's self in my index.htm file on my website

<< < (3/6) > >>

kris:
Yes I did request but now this "thing" is there again if you go to www.krissviconte.com/index.htm and www.krissviconte.com/main.htm it's there on the last line before the last 2 tags and it has eaten up the last few lines of my text.I wonder will that change if I change the host server?It happened before on that server that -they say - it was attacked by hackers and my website content was erased completely- just dissapeared. I don't want to write this code here because i don't know if I'll transfer it to you that way. it starts with  <iframe src="http    ....etc  and finnishes with </iframe>

kris:

--- Quote from: CM_MWR on June 14, 2009, 03:47:14 am ---It also appears cleaned from here as well, most curious what they did other than change passwords?

--- End quote ---

Hi Steven now this "thing" is again there -if you have time you can see and tell me how to "kill " it www.krissviconte.com/index.htm and also on www.krissviconte.com/main.htm
will that come again if I change the  host server and clean everything before that.From the server they're writing me this :"Hi,

Nobody can access your account to make changes to your site without the correct password. If you suspect someone has gained access to your password, you may need to log in at http://www.budgethostingweb.com and change it.

We're sorry we can't find this link or text on the pages you mention. This doesn't happen when we view the pages so it is probably something on your local computer. You may need to check your antivirus software to see if there is a problem there."

and also this " Hi,

Unfortunately it is possible for spyware on your local computer to steal passwords or manipulate files. We're sorry we don't know if this is the cause or source of your problem, however there have been no unauthorized accesses to our system or your account. We run ironclad security to prevent unauthorized access.

If there is a problem with your site or pages, it has been caused by an upload from a source outside our system, perhaps your local computer.

We're sorry we can't help with problems outside our system. If Firefox is blocking your page, you may need to follow the instructions at:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US
&site=http://www.krissviconte.com/"
I'm really confused what to do.I depend on my site so much for my work.

kris:
Now I found one file in my base directory that shouldn't be there ( i think) it's called Lware.class and deleted it I also deleted the "<iframe " thing from both pages - let's see if this was the problem...

MysteryFCM:
I've checked your site again using several different user agents, on the off chance it was trying to hide itself based on that, and I'm afraid I still cannot see anything malicious there.

Have you changed your FTP password already? (prior to it's appearing again)

Did you check ALL of the files on your sites FTP server, to ensure all files are those you recognize?

If you answered yes to the above, chances are you've got a keylogger on your machine that keeps sending the attacker the new password and/or the attacker has placed a shell on your site, that you've missed, that will allow them to re-attack your site (these are typically .pl, .asp or .php files).

MysteryFCM:
It should also be noted, the infection that was present on your site, leads to exploits (PDF etc). As such, if you are doing any of this from the machine you used to load the site - STOP!. Use a clean machine (i.e. one that has not accessed your site since these issues began). Passwords and files etc, should be changed from there.

Navigation

[0] Message Index

[#] Next page

[*] Previous page

Go to full version