My website has suffered a very nasty JavaScript code injection attack. That means that most of the files on my web server, including the PHP, HTML and JavaScript files, were all injected with pieces of JavaScript that took control of the website.
Also, Google and Firefox reported my website as an attack site. I was baffled as to how a virus got into my server. I very much suspect the infection is coming from the web hosting company's servers, which I am now contacting.
I have got a PHP script that cleans all files of the virus (the JavaScript code), but my site is still blacklisted by Firefox and Google as being an attack site, even after I removed the offending code. What do I need to do?
Any idea? Have you been a victim of this lately? Any known solutions?
I have not found anything suspicious in the access logs. It is a trojan on my computer which stole my FTP details that were saved in the FTP client and sent these details to someone somewhere. Then they were able to run scripts that injected code into my scripts. My scripts are secure, but if someone gains access to your FTP account, then there is no security.
It is a new form of attack which is more dangerous and difficult to get to the bottom of.
I read the link you passed. It mainly deals with the iframe injection attack, which is one of the code injection attacks. The attack my site suffered was mainly JavaScript and PHP code injections. Inspecting my home directory, I found the offending script. It was a PHP script whose main purpose was to inject encoded code into my scripts. The only explanation for how the script found its way into my home directory is through FTP. I must have had my FTP details stolen from the FTP client where they were saved.
Anyway, I cleaned all my scripts of the virus, got rid of my FTP software and got a more secure one in its place. I am slowly but surely getting rid of this awful virus.
I am afraid the script got deleted in the course of the clean-up. It was called something like mailphp or phpmail. I did not check its permissions either.
But I have set up my own custom-made logger to try to see who has been sniffing around my website. Again and again, websites operated from Russia were found to be visiting my site long after I got rid of the virus and changed not only my FTP client software but also my login details.
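
As an added example (not part of the original posts): a small read-only scanner that can be run over a webroot after a clean-up like the one described above, to list PHP, HTML and JavaScript files that still contain encoded-code markers. The posts do not show the injected code, so the rules below are assumed heuristics based on common obfuscation idioms, and the sample files are constructed.

```python
import os
import re
import tempfile

# Assumed heuristics: the posts do not show the injected code, so these are
# common obfuscation idioms, not signatures taken from this incident.
PATTERNS = {
    "php-eval-decode": re.compile(
        rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "js-write-unescape": re.compile(
        rb"document\.write\s*\(\s*unescape\s*\(", re.I),
    "long-encoded-blob": re.compile(
        rb"[A-Za-z0-9+/=]{200,}|(%[0-9A-Fa-f]{2}){60,}"),
}
EXTENSIONS = (".php", ".html", ".htm", ".js")


def scan_tree(root):
    """Return {relative_path: [rule names]} for web files matching a rule."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = sorted(r for r, rx in PATTERNS.items() if rx.search(data))
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo():
    """Scan a constructed webroot: one clean page and two tampered files."""
    samples = {
        "index.html": b"<html><body><h1>Welcome</h1></body></html>",
        "contact.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "menu.js": b"document.write(unescape('%3Cb%3Ehi%3C/b%3E'));",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)
```

A hit is a lead for manual review rather than proof of infection, and a file with no hit is not proven clean; comparing the webroot against a known-good backup remains the stronger check.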