  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 213

malicious javascript keeps showing up in files on website

I have a site on a server that has been hacked. At first I thought it was a permissions error on the directory, but I went through and looked at all of the file permissions.

This is a server that was set up by someone else, and the site was migrated to the server. I'm working in ExpressionEngine, and I tried to update the ExpressionEngine version and thought I had gone through every file, and whamo, it started showing up again.

I will say, however, that when upgrading I switched the "system" files to be hidden below the root, and that does not look to be infected after this second wave of files.

I can SSH into the server and I have FTP access. User logs in the control panel looked normal, and there were no abnormal logins to the site or the control panel.

Where should I start? What should I search for?
Asked by: adrake9
3 Solutions
 
adrake9 (Author) Commented:
It seems to be going after the following files: all HTML files and JavaScript files above the root, and dropping them in to the files, most of the time at the end.
 
Dave Baldwin (Fixer of Problems) Commented:
Change all logins and passwords and change them all at the same time so no one can sneak in one after you change the others. If they have the user logins then there wouldn't be anything odd in the logs.
 
COBOLdinosaur Commented:
Sounds like an inside job.  You might have to timestamp logins, and log all file changes to find the culprit. What kind of damage is the scripting doing?

Cd&
 
Uwe Degenhardt (IT-Manager) Commented:
Try to get a malware scanner additionally and scan every single file.
Google for: maldet (it is extremely useful)

Also try to see if you have rootkits on board which you don't see yet. Try rkhunter and/or chkrootkit (go and search again on the net for the exact URLs to download them).

If you can't stop it after all these measures, go and re-install the whole engine.
 
adrake9 (Author) Commented:
Was able to roll back the server and then change the passwords immediately. Lost some content, but nothing that wasn't available somewhere else.
 
Dave Baldwin (Fixer of Problems) Commented:
Good, thanks for the points. Make a big note and make sure you always have a backup copy of your site.
Question has a verified solution.
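
One way to log file changes and check every HTML and JavaScript file, as suggested in the comments above (an added example, not part of the original thread): record a hash baseline right after a clean restore, then report which files changed and when. It assumes GNU find, sort, xargs, grep, sha256sum and stat; the function names and the baseline file location are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: hash baseline for web content, to see which .html/.js files
# get modified after a clean restore. Assumes GNU coreutils/findutils.
# Keep the baseline file outside the web root and owned by a different account.

# list_hashes DIR: print "sha256  path" for every .html/.htm/.js file under DIR
list_hashes() {
  find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.js' \) -print0 \
    | sort -z | xargs -0 -r sha256sum
}

# make_baseline DIR FILE: record known-good hashes (run right after the restore)
make_baseline() {
  list_hashes "$1" > "$2"
}

# changed_files DIR FILE: print paths that are new or whose content no longer
# matches the baseline (a file with code appended at the end shows up here)
changed_files() {
  list_hashes "$1" | grep -Fxv -f "$2" | sed 's/^[0-9a-f]\{64\}  //'
}

# report DIR FILE: print modification time and path for each changed file, so
# the time can be matched against FTP, SSH and web server access logs
report() {
  changed_files "$1" "$2" | while IFS= read -r f; do
    stat -c '%y  %n' "$f"
  done
}

# Direct use: script.sh baseline DIR FILE   or   script.sh report DIR FILE
case "${1:-}" in
  baseline) make_baseline "$2" "$3" ;;
  report)   report "$2" "$3" ;;
esac
```

Run the report from cron and keep its output; the first timestamp at which a file changes narrows down which log entries to read.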
