Virus on our Website

Status
Not open for further replies.

Simpleton

New member
Mar 31, 2008
We have a virus on our website that keeps coming back. We've uploaded clean files, manually deleted the virus code off of all pages and have searched for a solution all over the place. The virus keeps coming back and is causing our bounce rate to increase drastically and more than likely is infecting most of our site visitors.

Any ideas? Solutions - places to go for help

Thanks in advance
 


sounds like you either have a hole in your site script or your server may have been hacked...

lemme guess... it's an iframe that gets inserted on your pages... the iframe tries to load an install... right?

if it's a server issue, moving to a competent hosting company will solve it...

if it's a script issue, then it's your fault for not securing your shit...
 
You tell your hosting company, or (if that's you) you get pro help asap if you're feeling out of your depth.
 
I'm looking for pro help ASAP - bluehost is not helping at all (no surprise). I'll secure everything just don't really know how or where to start other than getting our own server.

I don't think it's an iframe - newhomessection dot com is the site address and the code is on all .index pages.

Where can I seek pro help?
 
Where can I seek pro help?

elance, scriptlance, rentacoder


Are you using any php-based open source software? (wordpress, joomla, phpbb, etc)

If you're on shared hosting it could be coming from another account on that server. If the "virus" is creating new files, and there are a lot of them, and they are all created within a second or two (check the modified/created timestamps), that would be my first guess.

How is the "virus" infecting your site? Does it modify existing files or does it create files and use something like a .htaccess redirect?

If it doesn't create or modify your files, you probably have an XSS vulnerability in one or more of your pages/scripts.
 
The virus puts a code at the bottom of our index pages next to the footer. Yes, we have a WP blog (2.5) on our site.

The code reappears after a few minutes on some pages and after a few hours on other pages; it's modifying existing files.

My developer thinks that it's coming from the server but I've had them check several times and they say that they are clean. I'll switch hosts but don't want to carry the virus over and run into the same problem.

Thanks for the resources above - I'll see what they turn up
 
Yes, we're using a WP blog (2.5) and we are on a shared host. They've said that they checked a few times and that their server is clean.

The virus is modifying existing sites and is putting a script at the bottom of every .index.php page

Thanks for the resources above -
 
I'm looking for pro help ASAP - bluehost is not helping at all (no surprise). I'll secure everything just don't really know how or where to start other than getting our own server.

I don't think it's an iframe - newhomessection dot com is the site address and the code is on all .index pages.

Where can I seek pro help?
Send me a PM with more details and I can give you a quote on analyzing the source code and fixing the problem.

Jason
 
I've had that stuff happen with Russian pharmacists using my site and a client's for link juice. In my case, they sniffed the FTP password off my network - so look out for local spyware on your computer, check it even if you have the safest system and best browsing practices. After cleaning out my computer and changing all my passwords, the defacements stopped.
 
Sorry to hear about that happening. The recommendation to find someone on rentacoder is a good one.
 
It sounds like it's on the shared host. You can't trust tech support at these webhosts anymore, most of them are clueless and wouldn't know what to look for anyway.

Create a web-accessible folder on the site with a random name like /ghtf5rt/ and put a blank index.php file in it.

If it gets infected, you have someone on your shared server running a script that places the code in any index.php file that it finds.

It could be a vulnerability in Wordpress too, hard to tell and it wouldn't surprise me.

Also, make sure you don't have any files or folders with world-write permissions (chmod 0777 or chmod rwxrwxrwx). chmod your php files to 644; if that causes an error, try 744; if 744 doesn't work, use 755. Your non-script files should all work at 644.

Change all of your passwords too
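
The checks suggested in the post above (blank canary index.php, no world-writable paths) and in the earlier reply about files modified within a second or two of each other, combined into one audit script. This is an added example, not part of the original thread; the function names, the 2-second window and the sample tree are assumptions, and only the /ghtf5rt/ folder name comes from the post.

```python
import os
import stat
import tempfile

def audit_webroot(root, canary_dir, window=2.0, min_files=3):
    """Report world-writable paths, canary tampering and index-file mtime bursts."""
    writable, stamps = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink say nothing
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                writable.append(rel)  # the chmod 0777 case from the post
            if stat.S_ISREG(st.st_mode) and name.startswith("index."):
                stamps.append((st.st_mtime, rel))
    # The canary index.php was created blank; any content means something wrote to it.
    tampered = os.path.getsize(os.path.join(root, canary_dir, "index.php")) > 0
    # Group index files whose mtimes fall within `window` seconds of the group's first.
    bursts, group = [], []
    for mtime, rel in sorted(stamps) + [(float("inf"), None)]:  # sentinel flushes last group
        if group and mtime - group[0][0] > window:
            if len(group) >= min_files:
                bursts.append([r for _, r in group])
            group = []
        group.append((mtime, rel))
    return {"world_writable": sorted(writable), "canary_tampered": tampered, "bursts": bursts}

def build_demo_site():
    """Constructed sample tree: every index.php (canary included) rewritten within 1 s."""
    root, t0 = tempfile.mkdtemp(), 1_200_000_000
    files = {"index.php": t0, "blog/index.php": t0 + 1, "about/index.php": t0 + 1,
             "ghtf5rt/index.php": t0 + 1, "docs/index.html": t0 - 90_000, "style.css": t0}
    for rel, mtime in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.chmod(os.path.dirname(path), 0o755)
        with open(path, "w") as fh:
            fh.write("<!-- constructed marker -->" if rel.endswith("index.php") else "")
        os.chmod(path, 0o644)
        os.utime(path, (mtime, mtime))
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)  # deliberately world-writable
    return root

if __name__ == "__main__":
    print(audit_webroot(build_demo_site(), "ghtf5rt"))
```

A tampered canary together with a burst that spans unrelated directories points at something on the server rewriting every index.php it can reach, rather than at a flaw in one particular script.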
 
you've got a JS/Psyme trojan on your site...

My developer thinks that it's coming from the server but I've had them check several times and they say that they are clean.

I would have to agree with your developer... my advice... move to a new host... one that has better support staff...

also, change all your passwords immediately, ftp, wp, etc...
 
I've had that stuff happen with Russian pharmacists using my site and a client's for link juice. In my case, they sniffed the FTP password off my network - so look out for local spyware on your computer, check it even if you have the safest system and best browsing practices. After cleaning out my computer and changing all my passwords, the defacements stopped.

Same here. Pharmaceuticals and porn.
 