GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   IFrame Virus/Trojan experiences & question.. Please share yours (https://gfy.com/showthread.php?t=911631)

Ecchi22 06-20-2009 01:42 AM
IFrame Virus/Trojan experiences & question.. Please share yours
 
Few months ago, I had to deal with this problem..

Some weird piece of code affected almost all my sites on a shared hosting, but it happened on my dedicated too.

Somehow it injects code in .html and .php pages, usually ones with "index" and "home" names. Some antiviruses detects them, some aren't, but google stamps "warning" at your site which, you have to admit is pretty bad and decreases the traffic a lot (in my case, 6 times less traffic).

I tried to clean this code and update almost every CMS software I had on my host, but the problem was still occurring.
Contacted hosting support too, and they told me to change all my passwords (cpanel & ftp accounts). I've done that and everything seemed to be fine. Forgot to mention that I spent lots of time using google webmasters tools to request review after the cleanup.

Yesterday, I noticed this code being injected again. I cleaned it up, but I'm getting a bit worried now, so I'd like to stop it once forever (ok, at least for some time).

In order to isolate my side in this problem, I worked 2 months on newly installed linux machine with all new passwords for host, but some sites still got infected.

What's your experience about this and similar thingies? Is it hosting issue or something else? Any prevention tips? :helpme

klinton 06-20-2009 02:08 AM
Clean your PC, trust me... !

I had the same situation

it gets your ftp pass and then reupload infected files

k0nr4d 06-20-2009 02:45 AM
I've had a few clients have a problem like this. It's a computer virus that sniffs out ftp info and either sends it off to another machine which in turn injects this code onto index.html/index.php files, or it causes your own machine to ftp in.

Run Virus scanner, Change all your ftp passwords afterwards

Ecchi22 06-20-2009 03:11 AM
Thanks for your answers.. I might left over some ftp accounts, going to change their passwords too.

Anyway I'll recheck my own security too. Thanks! :)

redwhiteandblue 06-20-2009 04:21 AM
Quote:
Originally Posted by klinton (Post 15980633)
Clean your PC, trust me... !

I had the same situation

it gets your ftp pass and then reupload infected files

Yep, I'm pretty sure I had the same. It was happening on two different servers even after changing the passwords but after I scanned my PC with Kaspersky a couple of times it stopped.

bigalownz 06-20-2009 09:49 PM
change your ftp passwords asap and then change them evey week or so

Robo 06-20-2009 10:13 PM
...and if you want to resolve the problem for some time, chmod your index.html or index.php to 444 (no writing possible, but also for the owner).
When you'll update your index files you'll need to delete them first (or chmod again), but also any virus will not have way to come to to index files.
If your site is updated automatic, it can be a problem.

harvey 06-20-2009 10:37 PM
I posted the solution here, check it out. We cleaned 3 PC and everybody that asked for help could clean it with no problem and the fucking thing never got back. Lots of steps, but well, you gotta do it


All times are GMT -7. The time now is 06:39 AM.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
©2000-, AI Media Network Inc