Nasty code injection attack

rageh · January 23, 2010, 10:19pm

Hello everybody,

My website has suffered very nasty a javascript code injection attack. That means that most of the files in my webserver, including the php, html and javascript files were all injected with pieces of javaScript that took control of the website.

Also google and Firefox reported my website as an attack site. I was baffled as to how a virus got into my server. I very much suspect the infection coming from the webhosting company’s servers, which I am now contacting.

I have got a php script that cleans all files of the virus(the javaScript code) but my site is still black listed by firefox and google as being an attack site. Even after I removed the offending code. What do I need to do?

Any idea? Have you been a victim of this lately? Any known solutions?

This is typical of the insertions

/*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = ...;document.body.appendChild(X08yhffhg7xkxf);}} catch(e) {}

Sometimes it starts with document.write(…) or eval() function in some php scripts

Thanks for reading this

Dan_Grossman · January 23, 2010, 11:03pm

Log in to Google Webmaster Tools and submit a Malware Review Request to have the warning about your site removed after it’s clean.

Have you looked through your access logs, line by line, to rule out someone exploiting a vulnerability in one of your scripts?

UseShots · January 24, 2010, 3:12pm

Hi,

This is a well-known attack that uses stolen FTP credentials. You can read about it here: http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/

In addition to removing the malicious code from server files, you should

scan your local computer for malware
change all site passwords and keep them secure (don’t save them in FTP programs)
as it was correctly mentioned above, request a malware review in Google Webmaster Tools

rageh · January 25, 2010, 12:09am

I have not found anything suspicious in the access logs. It is trojan in my computer which stole my ftp details that were saved in the FTP client. And sent these details to someone somewhere. Then they were able to run scripts that injected code in my scripts. My scripts are secure but if someone gains access to your FTP account, then there is no security.

It is a new attack form which is more dangerous. And difficult to get to the bottom of.

rageh · January 25, 2010, 10:41pm

Thank you UseShots,

I read the link you passed. It mainly deals with inframe injection attack which is part of the code injection attacks. The attack my site suffered was mainly javaScript and PHP code injections. Inspecting my home directory, I found the offending script. It was a php script whose main purpose was to inject encoded code into my scripts. The only explanation about how the script got its way into my home directory is through FTP. I must have had my FTP details stolen from the FTP client where it was saved.

Anyway, I cleaned all my scripts of the virus and got rid my ftp software and got in its place a more secure one. I am slowly but surely getting rid of this awful virus.

UseShots · January 26, 2010, 8:45am

Inspecting my home directory, I found the offending script.

Did you save that script? I would like to take a look at it. Could you send it to me? (Either PM or using this contact form on my site.)

BTW, if that script injected malicious code into your files, what permissions do they have?

rageh · January 29, 2010, 5:42pm

I am afraid the script got deleted in the course of the clean-up. It was called something like mailphp or phpmail. I did not check its permission either.

But I have set up my own custom-made logger trying to see who has been sniffing my webiste. Again and again, websites operated from Russia were found to be visiting my site long after I got rid of the virus and changed not only my ftp client software but also my login details.